Port forwarding is a network address translation issue. If you want to allow incoming connections through your WiFi router, you are going to need to know about this technique. Fortunately, it’s easy to implement, it’s perfectly legal, and it won’t damage your router. However, understanding what port forwarding does and why you might need to do it takes quite a lot of explaining, so bear with me while I take you through the technology behind port forwarding.
- 1 Unique IP addresses
- 2 Network address translation
- 3 What is a port number?
- 4 Port numbers in NAT
- 5 Port address translation
- 6 Address translation management
- 7 The need for port forwarding
- 8 What is port forwarding?
- 9 Implementing port forwarding
- 10 Dynamic addresses
- 11 Port forwarding and VPNs
- 12 Remapping the Internet
Unique IP addresses
The IP address is a key part of the Internet. The processes that make the Internet work are defined in the Internet Protocol and that’s what IP stands for. An IP address has to be unique. So, every device connected to the Internet has to have a unique IP address. However, that uniqueness applies per “address space,” so within a private network, addresses only have to be unique there.
Your network connects to the internet through a gateway. This is a special type of router and it is the function that your WiFi hub performs.
In this scenario, the computers on your network keep their own address space and the router acts as a representative on the Internet. The router has an IP address that is unique on the private network and another one that is unique on the Internet. Thus, that single IP address on the Internet represents many devices that stand behind the gateway on the private network.
Network address translation
If computers A, B, and C are all represented by the same IP address, how does anyone outside know how to direct messages to one of the specific devices? They don’t; only the gateway knows. This is a great security feature and has reduced the possibility of hackers just sending malware over the Internet. However, it also prevents other torrenters from getting to your computer for a slice of a file and it means you won’t get anyone connecting to that game server you set up.
Gateways use network address translation (NAT) to sort out which incoming message is intended for which computer on the network. Remember computers A, B, and C? They are all accessing the internet and contacting remote computers X, Y, and Z. All of those outgoing connection requests have to pass through the gateway.
First, a message comes into the gateway from computer A that is going to computer Z. The gateway says, “Right, I know if I get a response in from computer Z, I need to send it to computer A because no one else on this network is talking to Z. I’ll make a note of that.”
Next, computer B wants to open a connection to remote computer X and computer C wants to connect to remote computer Y. The gateway notes those actions down, too.
The gateway receives responses from X, Y, and Z and knows where to send them by looking at its notes. This is NAT in operation. A, B, and C send messages back and forth to X, Y, and Z. Everyone is happy … until B wants to connect to Z, which is where A is already connected. When a response comes in from Z, where does it go, to A or B?
The gateway knows exactly where to send that message from Z because I have left out an important element in the description of NAT: port numbers.
What is a port number?
“Port” is confusing in networking because it can mean two things. Some people refer to the holes in a computer that you plug cables into as ports – “USB port,” “COM Port 1.” The ports used in network addressing have nothing at all to do with those plug holes.
A network port is an identifier for a protocol. A protocol is a standard or a set of rules that communicating programs have to follow in order to work.
When you install new software on your computer that is going to communicate over the network or the Internet, one of the suite of programs is called a daemon. This is a program that loops round and round and never stops until you turn the computer off. In each run through the loop, it checks on incoming traffic for a message that has a specific number on it. This is the port number.
A port number is an address for a daemon. When the daemon sees its address on an incoming packet, it diverts that data to its associated software. So, when Skype is running, its daemon will be looking for all incoming traffic with the port number 23399; your browser will be relying on its daemon to catch HTTP traffic, which is identified by port number 80. The full address on a data packet that travels over a network or across the Internet is the IP address followed by a port number.
Port numbers in NAT
Network address translation systems use port numbers to identify individual computers. Do you remember that when A sent a message to Z, the gateway made a note of that relationship? The note it made involved the use of a port number.
This is an oversimplification, but it will do for now. When A sends a message to Z, the gateway inserts a port number into the header of the outgoing packet as part of the return address. The gateway writes an entry in a network address translation table that notes A = <IP address>:<port number>. When B sends a message to Z, the gateway makes another entry in the NAT table with a different port number.
For illustration, the IP address of A is 192.168.0.7 and the IP address of B is 192.168.0.12. The gateway has an Internet-wide IP address of 126.96.36.199. Packets coming from A and B have their return address on them but as those packets pass through the gateway, those coming from computer A get the address 188.8.131.52:52108 and the packet from computer B gets the address 184.108.40.206:52109. The gateway writes in its NAT table:
All traffic traveling over the Internet with the IP address 220.127.116.11 gets sent to the network gateway. When a packet arrives, the gateway looks at the address, sees that it is 18.104.22.168:52108, checks the NAT table, and forwards the packet on to 192.168.0.7, which is computer A.
Port address translation
All computers know that a full address is the IP address followed by a port number. Servers use that system and require incoming connection requests to use them. Remember that the daemon for an application that sends out a connection request is looking for a specific port number, so that needs to be on the return address. When computer A’s browser sends a request to a Web server for a Web page. It puts its return address as 192.168.0.7:80.
An address can’t have two port numbers on it. So, if the gateway dropped off the 80 to create the address 22.214.171.124:52108, that packet will get to the right computer but it won’t get through the computer up to the browser because the daemon is only looking for packets addressed to port 80.
The solution to this problem is port address translation (PAT). When the gateway processes an outgoing message, it writes both the IP address and port number of the source address into the NAT table and then its own IP address and a new port number to represent that combination. So, the NAT table is really a PAT table and it will have entries like:
The port numbers that are in regular use by protocols are fixed by a central organization called the Internet Assigned Names Authority (IANA). These can’t be used for any other purposes, so port 21 is always used for FTP and port 110 is always used for the email system, POP3. However, there are thousands of port numbers that are left unused. The port numbers between 49152 and 65535 are known as dynamic ports and can be used by NAT systems.
Address translation management
Although there are more than 15,000 port numbers available for address translation in the dynamic range, those numbers are going to run out sooner or later. It wouldn’t be possible to keep a permanent translation of addresses on any but very small networks.
Whenever one of the computers on the network makes a first attempt to connect to a computer in the outside world for a specific activity, the home hub assigns a dynamic port number and writes an entry into the NAT table. That record remains in the table until the connection it relates to is closed. At that point, the record gets deleted and the port number is returned to the pool for reuse.
The need for port forwarding
There is another problem to deal with when constructing an address translation scenario. Those translation tables get populated when a computer from within the network wants to establish a connection with a remote computer. If an outside computer wants to connect to a device on the private network, there is no established relationship written into the NAT table to enable that.
For decades, the architecture of networking has been based on the client-server model. The client requests a service and the server responds. Under this system, household users of the internet will always start a connection and commercial systems respond. Therefore, it is assumed that a connection request going to a domestic IP address is suspicious, likely to be a malware attack or a hacker action, and should be blocked.
Peer-to-Peer architecture blows that assumption apart. This encompasses torrenting, some VoIP services, such as Skype, media sharing systems, such as Plex and Popcorn Time, and games platforms that operate a lobby system, such as Call of Duty. Worse still there are other systems that require the home-based computer to act as a server. This includes remote desktop systems, some games systems, such as multi-player games hosted on Xbox or PSN, private file servers, like OwnCloud, and small, home Web hosting.
So, there are many new things that you want to do with your home computer and internet service that don’t fit into the way the Internet service industry operates. Port forwarding solves that problem.
What is port forwarding?
Port forwarding is a work-around that lets you insert a permanent entry in that address translation table that your WiFi hub maintains. Your port forwarding record will give your computer on the home network a permanent identity on the internet.
Your computer’s IP address can’t change once it has been advertised in a system such as Call of Duty or a torrent tracker file. If you rely on being able to access the files on your computer from your mobile device while you are away on vacation or operating your own small business outside the house, the app on your phone needs to be set up with the address of your home computer that won’t change.
Implementing port forwarding
Port forwarding has to be set up on your router. Unfortunately, the exact instructions to do that are different according to the brand of WiFi hub that you have because the menu structure is slightly different on each model. However, the outline of what you need to do is set up an entry in your hub’s NAT table that will not change and will not get deleted.
In the example of computers A, B, and C above, you will notice that there are different entries in the NAT table for different types of activities. This is a security advantage because it means that traffic will still be blocked from getting into your computer unless it is of a protocol that you allow to connect. However, it does mean that you need to set up port forwarding records for each type of activity.
The distribution of your permanent address for specific traffic will be handled by the application that you use for sharing activities. For example, Mule will block you if you don’t set up port forwarding, but that issue is managed through the Mule client that you run on your computer. Similarly, if you have Skype, the Skype app will sort out letting those on your contact list have the IP address and port number combo that gets through your router.
There is one more problem to sort out. Your computer needs to maintain the same address. That means a permanent entry in the NAT table that has your computer’s network IP address in it. However, networks are organized so that you get assigned a different IP address each time you connect to the network. This also applies to mobile devices connecting to the home WiFi.
The system that manages home network addresses is called the Dynamic Host Configuration Protocol (DHCP) and you need to stop that system applying to your computer if you want to use port forwarding. To do this, you need to specify that your computer will be assigned a permanent address, which is called Static, as opposed to Dynamic.
To do this in Windows, follow these instructions:
- Type cmd into the Start search field and select Command Prompt from the results.
- In Command Prompt, type ipconfig and press RETURN. Note down the IPv4 Address and Default Gateway values in the Wireless LAN adapter section. Type exit and press RETURN to close the window.
- Click on the network icon in your system tray (where you choose which WiFi to connect to) and click on Network and internet settings at the bottom of the list. A Status screen appears. Click on Properties.
- Scroll down to IP assignment and click on the Edit button.
- Change the setting to Manual.
- In Edit IP settings, switch on IPv4.
- In the new screen that appears, enter the IP address you noted down from ipconfig. Enter 24 for the Subnet prefix length and enter the Default Gateway value from ipconfig in the Gateway field.
- Click Save.
This makes the IP address that your computer has currently been assigned permanent. You can now use this IP address in the settings for port forwarding in your router.
To set up port forwarding on your router, look up your router model on the Port Forward website and follow the instructions there.
Port forwarding and VPNs
If you use a VPN, that system changes the IP address that represents your home network. So, in order to get inbound connections to your computer, you need to investigate the address allocation system that your VPN provider uses. If you are running a home Web server or your own game server, you should also look into getting a static IP address from your VPN provider.
Remapping the Internet
The instructions in this guide might seem a little complicated. Hopefully, now you understand how routers manage IP addresses, it will be easier to see why port forwarding is necessary.
Unfortunately, the entire Internet service industry for home internet has been set up with the assumption that private users will never need to accept incoming connections. They were wrong. Port forwarding is a relatively simple trick but it overturns the entire internet.