Port Forwarding - The Basics

I get a lot of hits on my Magnia guide to port forwarding, so this article is for those that landed there looking for information on port forwarding in general.

Give a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime -- Chinese Proverb

This is not the be-all, end-all. It is, instead, an overview of the concepts. You need to understand them before you can apply them to your particular router.

The first concept we need to understand is the idea of a unique identifier. Network devices cannot communicate with each other unless they can tell one another apart. A typical device connected to a network has two: a Media Access Control ( MAC ) address and an Internet Protocol ( IP ) Address.

  • The MAC address is a unique serial number for the network interface. It is hexadecimal and in six groups of two digits like so: 01:23:45:67:89:ab - you don't usually ( and can't usually ) change this identifier. Analogy: a cell phone has a unique serial # that allows it to work on the service provider's network, but this is not the phone #.

  • The IP address is an assigned location on a network, and is only unique on the device's local network. It is sometimes called a dot-quad because it is four numbers separated by periods like so: 101.102.103.104 - this is the identifier which will be routed. Analogy: this would be the cell phone's number. When you're in area code 813 and dial 555-1212 you'll get a different phone than when you're in area code 217 and dial 555-1212.

When a device is connected to a network, it must either ask for ( Dynamic or DHCP - auto set ) or declare ( Static - manually set ) a unique IP address for that network. If the device does not have a unique address, traffic cannot be routed to it.

In a simple home high-speed internet connection there will be a modem provided by the service provider and one computer connected to it. This is something that should never be done - the computer's "local" network is the internet! Since most home computers run Windows, the machine will actually offer to share its resources with anyone on the network - which, again, is the entire internet.

You most likely have a router, since you're here. -relief-

It is important to keep in mind, however, that you may have a modem/router combination from your service provider. This may totally throw you off, as you'll have to forward ports through theirs AND yours.

So what, exactly, is a router? A router is a device which connects two separate networks and routes traffic between them.

A typical consumer router is a device with multiple Ethernet ports for connecting local computers, a port for the modem / internet connection ( from the service provider ), and often a built-in wireless access point for wireless devices. Again it is important to note that many service providers now combine their modem with a router and a wireless access point in a single box.

If the boxes were all separate they would look like this:

( figure: "Typical" - modem, router and wireless access point as separate boxes )

You most likely have your wireless inside your router - and you possibly have BOTH inside your modem ( and perhaps even telephony as well ).

The WAN - Wide Area Network - is the network you are connected TO and is likely the internet.

The LAN - Local Area Network - is the private network created by the router. Just like the "simple" network first discussed, the router connects to the service provider ( through the modem ) as its own "local" network. That connection only allows for one device, however ( which is why most people have a router at all: so they can have more than one device connected at the same time ). The router then provides a separate local network for those multiple devices.

Most consumer routers provide a local network with IP addresses like:

  • 192.168.0.1
  • 192.168.1.1
  • 10.0.0.1

( these are the most common LAN subnets )

So the process so far works like so:

  1. The router connects to the service ( internet ) and is assigned an IP address of 61.62.63.64
  2. A computer connects to the router and is assigned an IP address of 192.168.1.101
  3. A notebook connects to the wireless and is assigned an IP address of 192.168.1.102

Both the computer and the notebook can reach the internet ( WAN ) through the router. They can also talk to each other – since they're on the same local network ( LAN ). As a security precaution ( and because nobody on the internet knows the correct LAN address ) devices on the WAN cannot talk directly to devices on the LAN – by default a router will route requested traffic back to the local device that requested it, but what if it's incoming traffic that was not requested?

This is why we're here – we need to establish a way for the router to route traffic that was NOT requested. How do you access your computer, or camera, or DVR or whatever when you are not home?

So why don't we just skip all this WAN / LAN stuff and get separate IP addresses for everything?  Four reasons:

  1. There simply aren't enough addresses.
  2. Who would keep track of them all?  It would be incredibly complicated.
  3. Easier routing: we can group networks and route traffic by the group instead of searching constantly for individual addresses.
  4. Security. Network connections are designed for sharing; we need a way to isolate shares in groups.

The first step in forwarding port[s] is logging into your router.  Open a browser and connect.  If you need help with this there are basic instructions here.

Note the IP address you've used to connect - the first three parts should be common to every device on your LAN.  So if your router's administration is at http://192.168.1.1 then every IP address on your LAN should start with 192.168.1 - just the last number will be unique, and on every device but the router it will be between 2 and 252.

Now for actual port forwarding.

Let's say you have a security DVR or camera on your network, and you want to be able to see it from work.  You know that when you are at home you can go to http://192.168.1.25 and see the camera[s]. You know that you need to forward a port ( or you wouldn't be here ). You might have even forwarded one but it doesn't work ( or you wouldn't be here ).

First, you need to know that almost all service providers block port 80 ( the default port for web browsing ), so you can't use it. Most people at this point set their DVR or camera to a different port - which is just crazy! Now you have to type http://192.168.1.25:8001 or whatever on your local network.

You can forward from one port to another - you don't need to change the port on the device.  All we do is tell the router to forward incoming traffic on a non-blocked port ( 8001 in our example here ) to port 80 on 25 ( the 192.168.1 part is redundant in most router menus ).  Did you follow that?

Incoming port 8001 forwarded to port 80 on 192.168.1.25

Yes, it really is that simple.  There are options for TCP / UDP - you can just select both if you want, although it's likely TCP.

When you are on your local network you go to http://192.168.1.25, when you are at work you go to http://YOUR-WAN-IP:8001 where YOUR-WAN-IP is the IP address assigned to you by your service provider. How do you know what this is? From home you can follow the above link and it will tell you what your WAN IP is. You can also log into your router and view its status page.

It's important to note that you usually can't test this from your home connection - you would be looping back on yourself.
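To make the router's decision concrete, here is an added Python model ( not code from the original article ) of what happens to an inbound packet: traffic that a LAN device requested is routed back to it, an explicit forward sends port 8001 to 192.168.1.25:80, and anything else is dropped. The WAN address 61.62.63.64 and the LAN addresses are the article's own; the outside address 203.0.113.9 and the connection-tracking table are constructed simplifications.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple

WAN_IP = "61.62.63.64"  # router's WAN address from the article's example


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class Router:
    """Simplified NAT router: a port-forwarding table plus a connection
    table for replies to requests that came from the LAN."""
    # (proto, wan_port) -> (lan_ip, lan_port)
    forwards: dict = field(default_factory=dict)
    conntrack: dict = field(default_factory=dict)

    def forward(self, wan_port, lan_ip, lan_port, protos=("tcp", "udp")):
        # "Incoming port 8001 forwarded to port 80 on 192.168.1.25"
        for p in protos:
            self.forwards[(p, wan_port)] = (lan_ip, lan_port)

    def lan_request(self, lan_ip, lan_port, wan_port, proto="tcp"):
        # A LAN device sent traffic out; remember where the reply belongs.
        self.conntrack[(proto, wan_port)] = (lan_ip, lan_port)

    def route_inbound(self, pkt: Packet) -> Optional[Tuple[str, int]]:
        """Return the (lan_ip, lan_port) the packet is delivered to, or None."""
        if pkt.dst_ip != WAN_IP:
            return None
        key = (pkt.proto, pkt.dst_port)
        if key in self.conntrack:   # requested traffic coming back
            return self.conntrack[key]
        if key in self.forwards:    # explicitly forwarded port
            return self.forwards[key]
        return None                 # unsolicited: dropped by default


def demo():
    r = Router()
    camera = Packet("203.0.113.9", 40000, WAN_IP, 8001)   # constructed
    before = r.route_inbound(camera)                      # dropped
    r.forward(8001, "192.168.1.25", 80)
    after = r.route_inbound(camera)                       # -> camera:80
    direct80 = r.route_inbound(Packet("203.0.113.9", 40001, WAN_IP, 80))
    return before, after, direct80
```

Note that port 80 itself stays closed from the outside even after the forward; only the port named in the rule is opened.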

Great! It worked for a day and stopped....

This is likely because your service provider changed your IP address. Many providers do this regularly. It is also possible that your device is no longer on 192.168.1.25 but some other address.  How to overcome this?

For the service provider:

  1. You could pay extra and get a STATIC address. Then you'll always have the same one and the problem is gone.
  2. You can set up a dynamic DNS service - many are free - and then you'd go to http://myname.dyn-dns.org:8001 or whatever.
  3. You can set up something that keeps your internet traffic always active - some routers have this option - so that the service provider doesn't time you out and require a re-connection ( and new IP address ).

For the device:

You need to change the device to STATIC rather than DYNAMIC ( DHCP ) for its network configuration. The common settings would be:

  • IP Address: 192.168.1.25
  • Subnet Mask: 255.255.255.0
  • Gateway: 192.168.1.1
  • DNS: 192.168.1.1

where 192.168.1 is your LAN address part ( the 255.255.255.0 subnet mask will almost always work ) and 25 is an address outside the router's own DHCP range.

What does that mean? There will be a configuration setting in the router that tells it what IP addresses to hand out.  For example the standard router setup used in this example is set to hand out addresses from 100 to 250 - so I would set the device to any address between 2 and 99.  If your router is actually set to hand out from 2 to 252 then change 252 to 200 and set your device to any address between 201 and 252. ( don't forget to change your forwarded port destination IP )
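An added check ( not from the original article ) for the address planning just described: given the router's address, subnet mask and DHCP pool, it reports why a proposed static address is unsafe and lists the addresses DHCP will never hand out. The addresses used are the article's example values.

```python
import ipaddress


def check_static_ip(router_ip, subnet_mask, dhcp_start, dhcp_end, candidate):
    """Problems with using `candidate` as a static LAN address; [] means OK."""
    net = ipaddress.ip_interface(f"{router_ip}/{subnet_mask}").network
    cand = ipaddress.ip_address(candidate)
    lo, hi = ipaddress.ip_address(dhcp_start), ipaddress.ip_address(dhcp_end)
    problems = []
    if cand not in net:
        problems.append(f"{candidate} is not on the LAN {net}")
    elif cand in (net.network_address, net.broadcast_address):
        problems.append(f"{candidate} is the network or broadcast address")
    if cand == ipaddress.ip_address(router_ip):
        problems.append(f"{candidate} is the router's own address")
    if lo <= cand <= hi:
        # DHCP could hand this address to another device and cause a conflict
        problems.append(f"{candidate} is inside the DHCP pool {dhcp_start}-{dhcp_end}")
    return problems


def free_for_static(router_ip, subnet_mask, dhcp_start, dhcp_end):
    """Host addresses on the LAN outside the DHCP pool, excluding the router."""
    net = ipaddress.ip_interface(f"{router_ip}/{subnet_mask}").network
    lo, hi = ipaddress.ip_address(dhcp_start), ipaddress.ip_address(dhcp_end)
    router = ipaddress.ip_address(router_ip)
    return [str(h) for h in net.hosts() if not (lo <= h <= hi) and h != router]


if __name__ == "__main__":
    # Article's example: pool 100-250, camera on .25 -> no problems
    print(check_static_ip("192.168.1.1", "255.255.255.0",
                          "192.168.1.100", "192.168.1.250", "192.168.1.25"))
    # Pool 2-252 as shipped by some routers: .25 collides with the pool
    print(check_static_ip("192.168.1.1", "255.255.255.0",
                          "192.168.1.2", "192.168.1.252", "192.168.1.25"))
```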

Summary:

View camera locally: go to http://192.168.1.25

View camera remotely: go to http://61.62.63.64:8001

Lather, rinse, repeat for other devices / ports :-)
