IX. NAT Related Features

How do I make a local server accessible from the Internet?

Products:
Vigor 2820
Keywords:
NAT
Open Ports
Port Forwarding

When running NAT (Network Address Translation), the Vigor router presents the single public IP address allocated by your ISP to the Internet and translates between that address and the private addresses of the PCs on your local network. Because only the one address is visible to the outside world, external hosts have no way to address a specific PC inside your network.

Therefore an 'unsolicited' TCP/IP packet (one that is not a reply to a connection a local PC opened) sent to your public IP address arrives at the router, but the router does not know which local PC the packet is intended for, and by default discards it.

To run a local server, for example a web server that is visible from the Internet, you set up a port forwarding rule: incoming packets arriving on a particular TCP or UDP port are accepted and forwarded to a specific local PC. Each service (HTTP, FTP, SMTP, etc.) uses a different well-known port number. The same procedure is used if you run an internal SMTP mail server to which your ISP delivers email.

Once a port forwarding rule of this type is in place, external users (people elsewhere on the Internet) can reach your internal server via your public IP address. For a web server, for example, they would enter http://213.103.123.11 into their browser, if that were your public IP address. If you use a Dynamic DNS service (see earlier), the hostname works with port forwarding too, since it simply resolves to the same public address.

From the main router menu, select NAT Setup (under Advanced Setup) and then Open Ports Setup; the screen shown below will appear. Only open the ports you actually need, rather than opening or forwarding all ports: every forwarded port is a service exposed to the whole Internet, and forwarding everything throws away the protection that NAT otherwise gives you.

Open Ports Setup

The method above uses 'Open Ports Setup', in which an external port number is forwarded to the same port number on an internal LAN PC. In some circumstances you may want to translate from one port to another (for example, external port 8080 to port 80 on the server), in which case use Port Redirection instead. This redirects a single port, as shown below. You can enter the same port number in both boxes, in which case the facility is equivalent to Open Ports and simply gives you additional rule entries.

Port Redirection


Forwarding protocols other than UDP/TCP

When using NAT you have only one public IP address, so the router cannot tell where incoming data that is not a reply to an outgoing request from a local client should go. Port forwarding resolves this for TCP and UDP by directing traffic on particular ports to specified internal clients. Other IP protocols, for example protocol 50 (ESP) and protocol 51 (AH), carry no port numbers, so there is no unique field the router can use to decide which local client to forward the data to.

In situations like this the Vigor provides a facility called DMZ. In the DMZ setup you specify a single local client (private IP address) to which ALL unsolicited inbound data, on all protocols, is forwarded. Regular web browsing and other outbound activity from the other clients continues to work as before.

With a DMZ host the inherent security properties of NAT are largely bypassed for that machine: every unsolicited packet that no other rule claims lands on it, so treat it as directly Internet-facing and consider adding filter rules on the router or a secondary firewall in front of it.

Another important point is that although a DMZ host will receive all incoming data, some protocols are still not NAT friendly. The 'AH' (Authentication Header) part of IPsec is designed in a way that defeats Network Address Translation: its integrity check value is computed over the IP header, including the source address, which inside your network is the private IP address. After the router rewrites that address to your public IP, the receiving end recalculates the check over the packet it actually received, finds that it no longer matches, and rejects the packet. AH therefore will not work through NAT. ESP is more tolerant, because its integrity check does not cover the outer IP header.
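The following is an added example, not DrayTek firmware or configuration, that models the one property the paragraph above relies on: AH's integrity check value (ICV) covers the IP header including the source address, while ESP's covers only its own payload. The key, the peer address (203.0.113.5, from the documentation range) and the payload are constructed values; real AH/ESP header layouts, sequence numbers and ICV truncation rules are deliberately not reproduced.

```python
"""Simplified model of why AH fails through NAT and ESP survives it.

Added example, not DrayTek code. Only the integrity-check coverage is
modelled; the actual IPsec wire formats are not reproduced.
"""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, replace

KEY = b"constructed-demo-integrity-key"    # assumed shared IPsec integrity key
AH, ESP = 51, 50                            # IP protocol numbers


@dataclass(frozen=True)
class Packet:
    src: str        # source address as it appears on the wire
    dst: str
    proto: int      # 51 = AH, 50 = ESP
    payload: bytes
    icv: bytes      # integrity check value carried in the AH/ESP header


def _mac(*parts: bytes) -> bytes:
    m = hmac.new(KEY, digestmod=hashlib.sha256)
    for part in parts:
        m.update(part)
    return m.digest()


def ah_icv(src: str, dst: str, payload: bytes) -> bytes:
    """AH authenticates the immutable IP header fields (modelled as the two addresses) plus the payload."""
    return _mac(ipaddress.IPv4Address(src).packed,
                ipaddress.IPv4Address(dst).packed, payload)


def esp_icv(payload: bytes) -> bytes:
    """ESP authenticates only its own header and payload, never the outer IP header."""
    return _mac(payload)


def build_ah(src: str, dst: str, payload: bytes) -> Packet:
    return Packet(src, dst, AH, payload, ah_icv(src, dst, payload))


def build_esp(src: str, dst: str, payload: bytes) -> Packet:
    return Packet(src, dst, ESP, payload, esp_icv(payload))


def nat_outbound(pkt: Packet, public_ip: str) -> Packet:
    """What the NAT router does on the way out: rewrite the private source address to the public one."""
    return replace(pkt, src=public_ip)


def receiver_accepts(pkt: Packet) -> bool:
    """The remote IPsec peer recomputes the ICV over what it received and compares it."""
    if pkt.proto == AH:
        expected = ah_icv(pkt.src, pkt.dst, pkt.payload)
    elif pkt.proto == ESP:
        expected = esp_icv(pkt.payload)
    else:
        return False
    return hmac.compare_digest(expected, pkt.icv)


PRIVATE = "192.168.1.10"      # assumed LAN address of the IPsec client
PUBLIC = "213.103.123.11"     # the public address used as an example on this page
PEER = "203.0.113.5"          # assumed remote IPsec peer (documentation range)


def demo() -> dict:
    """Send one AH and one ESP packet through NAT and report what the peer decides."""
    payload = b"constructed IPsec payload"
    ah_via_nat = nat_outbound(build_ah(PRIVATE, PEER, payload), PUBLIC)
    esp_via_nat = nat_outbound(build_esp(PRIVATE, PEER, payload), PUBLIC)
    return {
        "ah_without_nat": receiver_accepts(build_ah(PUBLIC, PEER, payload)),
        "ah_through_nat": receiver_accepts(ah_via_nat),
        "esp_through_nat": receiver_accepts(esp_via_nat),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The AH packet is rejected purely because the source address it was signed with (192.168.1.10) is no longer the one in the header when it reaches the peer; the ESP packet passes because nothing the router changed was covered by its ICV.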


What is the difference between Port Mapping, Open Ports and DMZ ?

In the previous section we discussed port mapping to allow internal network devices (e.g. servers) to be accessible from the Internet. The Vigor router actually supports three variants of port mapping, as follows:

  1. Port Redirection - The packet is forwarded onto a specific local PC if the port number matches that defined. You can also translate the port to another port locally.
  2. Open Ports - As Port Redirection (above) but allows you to define a range of ports.
  3. DMZ Host - This opens up a single PC completely. All incoming packets will be forwarded onto the PC with the local IP address you set. The only exceptions are packets received in response to outgoing requests from other local PCs or incoming packets which match rules in the other two methods.

When using combinations of these three systems there is a priority structure; i.e. if a rule in one method coincides with a rule in another method, there is strict precedence, so that the result is predictable. The precedence is as follows:

Port Redirection > Open Ports > DMZ

For example, if an incoming packet's port number matches a rule in both 'Port Redirection' and 'Open Ports' then the packet will be forwarded onto the local address defined in 'Port Redirection'.
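To make the precedence concrete, here is an added example (not DrayTek code or configuration) that models the three mechanisms described above and the order in which the router consults them: Port Redirection, then Open Ports, then the DMZ host. It also covers the earlier point that protocols without port numbers, such as ESP and AH, can only ever reach the DMZ host. All host addresses, ports and rules in it are constructed values.

```python
"""Model of how a NAT router decides where an unsolicited inbound packet goes.

Added example, not DrayTek code or configuration: it models the three
mechanisms on this page and their precedence
Port Redirection > Open Ports > DMZ. Every address, port and rule below
is a constructed value.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

TCP, UDP, ESP, AH = 6, 17, 50, 51   # IP protocol numbers


@dataclass(frozen=True)
class Packet:
    proto: int
    dst_port: Optional[int] = None   # None for protocols that carry no ports (ESP, AH, ...)


@dataclass(frozen=True)
class Redirect:
    """Port Redirection: one external port, optionally translated to a different local port."""
    proto: int
    ext_port: int
    host: str
    local_port: int


@dataclass(frozen=True)
class OpenPorts:
    """Open Ports: a contiguous range of external ports passed unchanged to one host."""
    proto: int
    first: int
    last: int
    host: str


@dataclass
class NatTable:
    redirects: Tuple[Redirect, ...] = ()
    open_ports: Tuple[OpenPorts, ...] = ()
    dmz_host: Optional[str] = None

    def route_inbound(self, pkt: Packet) -> Optional[Tuple[str, Optional[int]]]:
        """Return (local host, local port) for an unsolicited inbound packet, or None if it is dropped.

        Replies to connections opened from the LAN never reach this function;
        the NAT session table handles them without consulting these rules.
        """
        if pkt.dst_port is not None:            # TCP/UDP: the port is the only thing to match on
            for r in self.redirects:            # highest precedence: exact port, may translate
                if r.proto == pkt.proto and r.ext_port == pkt.dst_port:
                    return r.host, r.local_port
            for o in self.open_ports:           # next: port ranges, no translation
                if o.proto == pkt.proto and o.first <= pkt.dst_port <= o.last:
                    return o.host, pkt.dst_port
        if self.dmz_host is not None:           # last resort: the DMZ host takes everything else
            return self.dmz_host, pkt.dst_port
        return None                             # plain NAT: unsolicited traffic is discarded


def demo_table() -> NatTable:
    """Constructed rule set; the private addresses are assumptions."""
    return NatTable(
        redirects=(Redirect(TCP, 8443, "192.168.1.10", 443),  # external 8443 -> web server :443
                   Redirect(TCP, 25, "192.168.1.20", 25)),    # SMTP to the mail server
        open_ports=(OpenPorts(TCP, 20, 25, "192.168.1.30"),   # FTP range; port 25 overlaps the rule above
                    OpenPorts(UDP, 5000, 5010, "192.168.1.30")),
        dmz_host="192.168.1.40",
    )


def exposed_targets(table: NatTable, ports=range(1, 1024)) -> dict:
    """Audit helper: which local hosts receive unsolicited TCP traffic on the well-known ports."""
    targets = {}
    for port in ports:
        hit = table.route_inbound(Packet(TCP, port))
        if hit:
            targets.setdefault(hit[0], []).append(port)
    return targets


if __name__ == "__main__":
    table = demo_table()
    for pkt in (Packet(TCP, 25), Packet(TCP, 21), Packet(TCP, 8443), Packet(ESP), Packet(TCP, 3389)):
        print(pkt, "->", table.route_inbound(pkt))
    print({host: len(ports) for host, ports in exposed_targets(table).items()})
```

Note how TCP port 25 goes to the mail server even though it also falls inside the FTP Open Ports range, and how anything not claimed by either rule type, including a whole port scan, ends up on the DMZ host; running exposed_targets on the same table with dmz_host left unset shows how much smaller the exposed surface is without a DMZ.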


Avoid Port Clashes with the Router's own Web Interface

As the router has its own built-in web server for the configuration screens, if you want remote (WAN-side) access to that interface as well as to a web server behind the router, you will have to change the router's HTTP management port to something other than the default, port 80, so that port 80 can be forwarded to the internal server. You can change the admin port from the Management Setup menu:
Management ports on router
You might choose port 8080 instead; you must then access the admin screens by suffixing the normal IP address with :8080 (e.g. http://192.168.1.1:8080). Moving the port does not hide the interface from a port scan, so if you enable WAN-side management at all, protect it with a strong administrator password.
