Monday, February 9, 2015

[Windows]: OTT Explains – What is Port Forwarding and What is It Used For?

Most people live their lives not having any idea what port forwarding is and what it can do for them. I recently bought a Foscam IP camera that connects to my wireless network and records everything to my Synology NAS (network attached storage) device. What’s cool about an IP camera is that you can view the camera from outside of your local network, say when you leave the house for a two-week vacation and want to check on things.
You could spend hundreds or even thousands of dollars hiring a company to install cameras and set everything up for you or you could spend $70 on Amazon for a camera and do it yourself! I was pleasantly surprised with my purchase and the relatively easy setup that is required. Unfortunately, if you don’t know anything about port forwarding, you wouldn’t be able to do this yourself.
In this article, I’m going to explain what port forwarding is and how you can use it to reach your local devices (cameras, NAS boxes, printers, etc.) from outside your home or office network. Once you know how to forward a port, you could set up Remote Desktop and reach your computer from anywhere. Keep in mind, though, that every port you open is also a door for everyone else on the Internet, so the Complications section at the end matters as much as the how-to.
Before we get into port forwarding, you first have to understand a little bit about what a router does on your local network.

Internet, Router and NAT

(Image: a small home network behind a single router)
Most home networks look like the image above: your smartphone, tablet, computer, TV, etc., connect either by cable or wirelessly to your router, which in turn is connected to the Internet. If you think about it, though, your connection has only one IP address that is unique across the Internet, so how do all of those devices share that single address?
That’s where your router comes in. The router lets devices on your local network talk to devices on the Internet via NAT (Network Address Translation). I won’t go into great detail in this post, but the short version is that all of the IP addresses on your local network are private addresses, reserved for use inside private networks only. The private ranges are 10.x.x.x (10.0.0.0/8), 172.16.x.x through 172.31.x.x (172.16.0.0/12) and 192.168.x.x (192.168.0.0/16). Note that it is 192.168.x.x specifically, not every address that starts with 192.
Each device on your network is assigned a private address by the router via DHCP (Dynamic Host Configuration Protocol). DHCP hands each device an address, a subnet mask, the router’s address as its default gateway and the DNS servers to use, so that devices can communicate with each other and with the router.
So that’s one side, or interface, of your router. The second interface connects to the Internet. On that interface the router has a public IP address assigned by your ISP, which is unique on the Internet. It looks something like the one below:
(Image: the router’s public WAN address as reported by the ISP)
As you can see, the address here starts with something completely different (99.108.x.x). Now here is where NAT comes into play. If a computer on your local network simply sent a packet with its private address across the Internet, nothing would come back: private addresses are not routable on the Internet, and Internet routers drop traffic to or from them. So instead, your computer sends the data to the router, which “translates” it and sends it out with the router’s own public address. Externally, it looks as if one computer with one IP address is sending all of the data, even though multiple computers and devices are actually behind the router.
To make this concrete, say a computer inside your network wants to reach a computer on the Internet, e.g. loading Google.com in your web browser. That request is passed to the router, which is the default gateway. If you run ipconfig (Windows) or ip route / netstat -rn (Linux, macOS) on your computer, you’ll see a line called Default Gateway or Router. The default gateway is where data is sent when the destination IP address doesn’t match anything on the local network.
The router takes that packet and changes the source address from the local private IP to its own public IP. Because many devices share that one public address, it usually also substitutes a fresh source port of its own for the device’s original port, and it records the private IP and port, the substitute public port and the remote server the packet went to in its NAT table. When the external server responds, the reply arrives at the router addressed to the public IP and the substitute port. The router looks that port up in its table, sees which computer initiated the connection, rewrites the destination back to that computer’s private IP and port, and forwards it on. A packet that matches no table entry is dropped, which is exactly what happens to unsolicited connections from the Internet.

Port Forwarding

So this all works fine for browsing the web and sending email, because those connections start from inside your network: the outgoing request is what creates the NAT table entry that lets the reply back in. The port numbers involved are also well known. HTTP, for example, runs on port 80 by default and SMTP, which is used for sending email, on port 25; these assignments are registered with IANA, so clients know where to connect without being told (a server can still listen on a different port, as the camera later in this article does). But what happens when someone on the Internet tries to connect to your router on port 80? The router has no table entry for it, because no device inside asked for that connection.
By default, if you don’t have port forwarding set up and your firewall is enabled, that connection is simply dropped (or rejected). If you want to run a web server on your local network, you have to forward traffic arriving on port 80 to the local IP address of the machine running the web server. Another example would be running a game server on your local network that you want friends to be able to join. If the game server accepts new connections on port 55202, you have to forward data arriving on port 55202 on your router to the game server’s IP address on your local network. An IP camera might use a port like 5000 for incoming connections.
(Image: a port forwarding rule in the router’s admin page)
As you can see above, forwarding a port is not so complicated. You give the rule a name (NetCam, RDP, etc.), then tell it the Start and End port numbers; usually these two are the same. A rule for port 5000 means data arriving on port 5000 from outside the network is directed to port 5000 on the local computer inside your network (many routers also let you pick a different internal port, so external 8000 can land on internal 80). Finally, you type in the IP address of the device that is expecting data on that port. One check worth doing first: give that device a fixed address, either a static IP or a DHCP reservation on the router, because a rule that points at 192.168.1.50 silently stops working the day DHCP hands the camera a different address.
If you can’t figure out how to do it on your router, you can read my previous post on how to forward ports using a free program called Simple Port Forwarding.
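To make the NAT table from the previous section and the port forwarding rule above concrete, here is a small Python model of both. It is an added example for this article, not code from the original post or from any router vendor. It assumes a router that rewrites the source port as well as the source address (what practically every home router does; the technique is often called PAT or masquerading) and one that lets the external and internal port of a forward differ. Every address and port in it is constructed sample data: the public IP 203.0.113.7 and the remote hosts are documentation addresses.

```python
"""Toy model of what a home router does with NAT and one port forwarding rule.

Added example for this article, not code from the original post or from any
router vendor.  All addresses and ports are constructed sample values."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatRouter:
    def __init__(self, public_ip: str, first_public_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_public_port = first_public_port
        # NAT table: (public port, proto) -> (inside endpoint, remote endpoint)
        self.nat_table: Dict[Tuple[int, str], Tuple[Endpoint, Endpoint]] = {}
        # reverse index so later packets of the same connection reuse their port
        self._by_inside: Dict[Tuple[Endpoint, Endpoint, str], int] = {}
        # static port forwarding rules: (public port, proto) -> inside endpoint
        self.forwards: Dict[Tuple[int, str], Endpoint] = {}

    def add_forward(self, public_port: int, inside_ip: str,
                    inside_port: int, proto: str = "tcp") -> None:
        """The rule from the router's admin page: port, target IP, target port."""
        self.forwards[(public_port, proto)] = (inside_ip, inside_port)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: masquerade behind the public IP and record the mapping."""
        inside = (pkt.src_ip, pkt.src_port)
        remote = (pkt.dst_ip, pkt.dst_port)
        key = (inside, remote, pkt.proto)
        public_port = self._by_inside.get(key)
        if public_port is None:
            # Several LAN devices may all pick source port 51000, so the router
            # substitutes a port of its own and remembers who it stands for.
            public_port = self.next_public_port
            self.next_public_port += 1
            self.nat_table[(public_port, pkt.proto)] = (inside, remote)
            self._by_inside[key] = public_port
        return Packet(self.public_ip, public_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: the translated packet, or None when the router drops it."""
        if pkt.dst_ip != self.public_ip:
            return None
        key = (pkt.dst_port, pkt.proto)
        entry = self.nat_table.get(key)
        if entry is not None:
            inside, remote = entry
            # A reply is only let in from the host the connection was opened to;
            # a scanner that guesses the substitute port number is dropped.
            if (pkt.src_ip, pkt.src_port) != remote:
                return None
            return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1], pkt.proto)
        target = self.forwards.get(key)
        if target is None:
            return None  # nobody inside asked for this and no rule forwards it
        return Packet(pkt.src_ip, pkt.src_port, target[0], target[1], pkt.proto)


def demo() -> dict:
    """Walk through the article's two cases: a browser reply and a camera viewer."""
    router = NatRouter("203.0.113.7")
    router.add_forward(8000, "192.168.1.50", 80)  # the "NetCam" rule: 8000 -> camera:80
    # 1. A laptop browses to a web server: the outbound packet creates the NAT entry.
    out = router.outbound(Packet("192.168.1.20", 51000, "198.51.100.10", 443))
    reply = router.inbound(Packet("198.51.100.10", 443, "203.0.113.7", out.src_port))
    # 2. A scanner probes that same port, and an unforwarded port, from elsewhere.
    scan_nat = router.inbound(Packet("192.0.2.99", 12345, "203.0.113.7", out.src_port))
    scan_5000 = router.inbound(Packet("192.0.2.99", 12345, "203.0.113.7", 5000))
    # 3. You, on vacation, connect to the camera through the forwarded port.
    cam = router.inbound(Packet("192.0.2.50", 60000, "203.0.113.7", 8000))
    return {"out": out, "reply": reply, "scan_nat": scan_nat,
            "scan_5000": scan_5000, "cam": cam}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:10s} {pkt if pkt else 'dropped'}")
```

Running it shows the three outcomes side by side: the web reply is rewritten back to 192.168.1.20:51000, both scanner probes come back as dropped, and the connection to port 8000 is delivered to the camera at 192.168.1.50:80. The forward rule is the only thing that makes an unsolicited inbound packet reach the LAN, which is why the security discussion later in the article matters.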

Complications

If this was so easy, everyone would be doing it, right? There is a reason it’s a little hard to set up properly. The biggest one is that the public IP address assigned to your home Internet connection is usually dynamic: the ISP can change it at any time, typically when your modem or router reconnects. So if you try to connect from outside the network using the address you wrote down, it might work once or twice, but it stops working once the public IP address changes.
This is where you have to set up dynamic DNS. A dynamic DNS service lets you create a domain name that is automatically updated with the current IP address of your Internet connection by a small update client you install on a computer inside the network (many routers can also do the update themselves). You can read more about setting up dynamic DNS in a previous post on OTT.
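The update client described above is simple enough to show in full. The following Python is an added example for this article, not the tool the OTT post refers to or any provider’s client. It assumes a provider that accepts the widely implemented dyndns2-style update (a GET to /nic/update with the hostname and address, authenticated with HTTP Basic auth, answering “good <ip>”, “nochg <ip>” or an error code such as badauth); the provider host, account, hostname and all IP values are placeholders, and the two network calls are passed in as functions so the logic runs offline. It goes one step beyond the paragraph: before registering an address it checks that the address is actually a public one, because a tool that learns a 192.168.x.x or 100.64.0.0/10 address is looking at the wrong side of a NAT, and in the latter case (carrier-grade NAT at the ISP) no forward on your own router will ever be reachable.

```python
"""Dynamic-DNS update client in the dyndns2 style (GET /nic/update, Basic auth).

Added example for this article, not the OTT tool or any provider's client.
The provider host, account, hostname and IP values are placeholders; network
calls are injected as functions so the logic can be exercised offline."""
import base64
import ipaddress
from typing import Callable, Optional, Tuple

# Ranges that can never be reached from the Internet.  If the "public" address
# you discover falls in one of these, port forwarding on your own router cannot
# help: either you read the LAN side, or the ISP is doing NAT too (carrier-grade
# NAT, 100.64.0.0/10) and nothing you forward will be reachable from outside.
NOT_FORWARDABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 home/office LANs
    "100.64.0.0/10",                                    # carrier-grade NAT, RFC 6598
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
)]


def is_forwardable_public_ip(text: str) -> bool:
    """True only for a syntactically valid IPv4 address outside those ranges."""
    try:
        ip = ipaddress.ip_address(text.strip())
    except ValueError:
        return False
    return ip.version == 4 and not any(ip in net for net in NOT_FORWARDABLE)


def build_update_request(server: str, user: str, password: str,
                         hostname: str, ip: str) -> Tuple[str, dict]:
    """URL and headers for a dyndns2-style update; the provider expects Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    url = f"https://{server}/nic/update?hostname={hostname}&myip={ip}"
    return url, {"Authorization": f"Basic {token}", "User-Agent": "ott-ddns-example/1.0"}


def parse_update_response(body: str) -> Tuple[str, Optional[str]]:
    """'good <ip>' / 'nochg <ip>' on success; a bare code (badauth, nohost,
    notfqdn, abuse, 911, ...) otherwise."""
    parts = body.strip().split()
    if not parts:
        return "empty", None
    return parts[0], (parts[1] if len(parts) > 1 else None)


def update_if_changed(hostname: str, last_ip: Optional[str],
                      discover_ip: Callable[[], str],
                      send: Callable[[str, dict], str],
                      server: str, user: str, password: str) -> Tuple[str, Optional[str]]:
    """Run once per timer tick.  Returns (status, ip to persist as last_ip).

    Talks to the provider only when the address actually changed: providers
    treat repeated no-change updates as abuse and may block the hostname."""
    current = discover_ip().strip()
    if not is_forwardable_public_ip(current):
        return "not-public", current      # behind another NAT: forwarding won't work
    if current == last_ip:
        return "unchanged", current
    url, headers = build_update_request(server, user, password, hostname, current)
    status, confirmed = parse_update_response(send(url, headers))
    if status in ("good", "nochg"):
        return status, confirmed or current
    return status, last_ip                # keep old state so the next tick retries


if __name__ == "__main__":
    # Offline demo with a constructed reply; for real use, discover_ip would fetch
    # the WAN address and send would issue the GET with urllib.request.
    fake_send = lambda url, headers: "good 203.0.113.7"
    print(update_if_changed("home.example.net", None, lambda: "203.0.113.7",
                            fake_send, "ddns.example.net", "user", "secret"))
```

Persist the returned address between runs (a small state file is enough) and feed it back in as `last_ip`; the not-public result is the one to watch for, since it means the camera will be unreachable no matter what you forward.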
The other issue is security. By default, your router is the only device exposed to the Internet, and it accepts no inbound connections. Once you forward a port, the device behind it is reachable by anyone on the Internet, and every bug in that device’s software becomes remotely exploitable. Plenty of malicious hackers and automated bots routinely scan the whole Internet looking for open ports, so be careful about which ports you open and what is listening behind them. Choosing a port above 1024 cuts down the noise from bots that only probe the defaults, but it is not a security control: a full port scan finds 8000 just as easily as 80, so the real protection is a strong, unique password on the device, keeping its firmware up to date, and opening as few ports as possible (or, better still, reaching the camera over a VPN into your home network instead of exposing it directly). Separately, a lot of ISPs block incoming traffic on ports like 80 and 25 on residential connections to cut down on spam and hijacked home servers, which is a practical reason to pick a higher port.
When setting up my Foscam, I had to change the port from 80 to something in the 8000 range in order to be able to connect. I also made sure I set a password, so that no snooping individual who happens to find that open port on my IP address can suddenly see what’s going on in my house without at least knowing it. Keep in mind that if the camera only speaks plain HTTP, that password crosses the Internet unencrypted every time you log in, so use HTTPS if the camera supports it, and never reuse a password you care about.
Hopefully this article will make you more comfortable with the concept of port forwarding and how you can use it to access devices on your local network from anywhere in the world. 

- By Ravindra Yadav 

Enjoy!
