Fundamentals of communication and networking: Port forwarding
In the NAT section we discussed the translation table, which allows an Internet-bound packet to create a translation of a private IP address to a public IP address. This translation is used by the returning packet to ensure it heads back to the original source. What would happen if an IP packet came from the Internet to the router and there was no recorded outbound translation? The answer is that it would be blocked! The NAT process has inadvertently created a firewall. Outbound requests create a 'temporary' hole through which replies are allowed to pass. However, inbound traffic initiated from the Internet will not be allowed in.
NAT with a SOHO network
For the majority of SOHO users this is not a problem. All Internet traffic is initiated from inside the network on a user's device. When we 'surf' the web, send or check our email or watch TV, we initiate the conversation. Some applications which appear to allow inbound requests actually poll their servers frequently, so again they are initiating the conversations.
However, there are an increasing number of situations in which an IP exchange needs to be initiated from the Internet:
- Users are increasingly using NAS devices which they wish to access when away from home.
- Games consoles require Internet-initiated traffic to be allowed in to the console.
- Businesses and homes are increasingly using IP cameras and want access to these from the Internet.
- Businesses want to be able to 'remote desktop' to their work PCs from anywhere.
For such situations we must be able to allow external connections in to a range of devices, while still using the same single public IP address.
In the TCP or UDP header we have addresses which are used to indicate the application we wish to access. These 'addresses' are called ports. Each well-known protocol has its well-known port or range of ports; HTTP is on port 80. We can use the port number to get round the problem of having only one public IP address but wishing to offer access to a range of internal devices.
We simply specify a different external port number for each internal device and then create a static translation on the router to map that port to a specific internal IP address and a given port. This static translation is called 'Port Forwarding'. It is configured directly on the router and thus is always there. When an IP packet comes in it is compared to the translation and, if it matches, it is translated and allowed in.
Imagine a scenario where we have a NAS device on 192.168.1.10 and an IP camera on 192.168.1.20. Both have a web interface and can be accessed internally on port 80. Our external public IP address is 22.214.171.124.
We now agree the following:
|Device|Internal IP address|Internal port|External IP address|External port|
|---|---|---|---|---|
|NAS|192.168.1.10|80|126.96.36.199|16000|
|IP camera|192.168.1.20|80|188.8.131.52|16001|
Thus, externally on the Internet, if we send a web request to 126.96.36.199 on port 16000, it will be translated to 192.168.1.10 port 80 and hit the NAS's web server.
Similarly, if we send a web request to 188.8.131.52 on port 16001, it will be translated to 192.168.1.20 port 80 and hit the IP camera's web server.
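The behaviour described above can be modelled in a few lines. The following is an added example, not code from the page or from any real router firmware: a toy NAT/PAT router that records a translation for each outbound packet, lets only the matching reply back in, and consults a table of static port forwards before anything else. The public address is the one stated above (22.214.171.124); the remote hosts (198.51.100.x), the internal laptop (192.168.1.30) and the starting NAT port (40000) are constructed values. One modelling choice is labelled in the code: a reply is accepted only from the remote endpoint recorded in the table, which is the stricter of the filtering behaviours real routers implement.

```python
"""Toy model of a SOHO NAT/PAT router with port forwarding (constructed example)."""
from dataclasses import dataclass
from typing import Optional

PUBLIC_IP = "22.214.171.124"   # the router's public address as given in the text


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    def __init__(self, public_ip: str, first_nat_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_nat_port   # assumed starting point for allocated public ports
        # dynamic table: public port -> (private ip, private port, remote ip, remote port)
        self.table: dict[int, tuple[str, int, str, int]] = {}
        # static port forwards: external port -> (internal ip, internal port)
        self.forwards: dict[int, tuple[str, int]] = {}

    def add_port_forward(self, external_port: int, internal_ip: str, internal_port: int) -> None:
        """Permanent entry: present whether or not any outbound packet was ever sent."""
        self.forwards[external_port] = (internal_ip, internal_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the LAN and record the mapping for the reply."""
        for pub_port, entry in self.table.items():
            if entry == (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port):
                break   # reuse the existing translation for this flow
        else:
            pub_port = self.next_port
            self.next_port += 1
            self.table[pub_port] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet arriving from the Internet, or return None if it is dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        # 1. static port forward: matches regardless of any prior outbound traffic
        if pkt.dst_port in self.forwards:
            int_ip, int_port = self.forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port)
        # 2. reply to an earlier outbound packet: must match the recorded translation.
        #    Modelling choice: the remote endpoint must also match what was recorded.
        entry = self.table.get(pkt.dst_port)
        if entry is not None:
            priv_ip, priv_port, remote_ip, remote_port = entry
            if (pkt.src_ip, pkt.src_port) == (remote_ip, remote_port):
                return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)
        # 3. nothing recorded: the packet is blocked, which is the 'accidental firewall'
        return None


def demo() -> dict:
    """Run the scenarios from the text and return what the router delivered to the LAN."""
    router = NatRouter(PUBLIC_IP)
    router.add_port_forward(16000, "192.168.1.10", 80)   # NAS web interface
    router.add_port_forward(16001, "192.168.1.20", 80)   # IP camera web interface
    results = {}
    # an internal laptop (constructed) browses a web server (constructed); the reply is let in
    out = router.outbound(Packet("192.168.1.30", 51000, "198.51.100.7", 80))
    results["reply"] = router.inbound(Packet("198.51.100.7", 80, PUBLIC_IP, out.src_port))
    # unsolicited packet to a port with no translation: dropped
    results["unsolicited"] = router.inbound(Packet("198.51.100.9", 4444, PUBLIC_IP, out.src_port + 1))
    # right public port, but from a host other than the one recorded: dropped
    results["other_host"] = router.inbound(Packet("198.51.100.9", 80, PUBLIC_IP, out.src_port))
    # the two agreed port forwards always work, with no outbound packet first
    results["nas"] = router.inbound(Packet("198.51.100.9", 5555, PUBLIC_IP, 16000))
    results["camera"] = router.inbound(Packet("198.51.100.9", 5556, PUBLIC_IP, 16001))
    return results


if __name__ == "__main__":
    for name, delivered in demo().items():
        print(f"{name}: {delivered if delivered else 'dropped'}")
```

Note that the port-forward entries are checked before the dynamic table and never expire: whatever listens on 192.168.1.10:80 and 192.168.1.20:80 is now reachable by anyone on the Internet, so the exposed service, not the router, is what has to withstand unsolicited traffic.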
Uses of Port Forwarding
Port forwarding, as shown above, is a way of connecting devices on a network to the wider Internet, and it has a variety of uses. For example, if you were hosting a server on your personal PC and other computers outside your network wished to connect to it, they would need your public IP address along with the specific port you have opened. Port forwarding is also used a great deal by server hosting companies, which you pay to host your server. They will always provide you with an IP address and a port for the server, so that you and other people can connect to the server you have paid for.
STATIC NAT on larger networks
(On larger networks we don't need port forwarding).
Just as SOHO networks need some devices to be reachable from the Internet, the need in larger companies is even greater. Large companies may need to give remote employees, or associated companies, access to business servers. They may run their own web and mail servers which need to be accessed by the public. Whilst NAT overload can be used, it is more common in such scenarios to dedicate some of the NAT pool to externally accessible devices. (Remember that larger companies may have a class C address, or a subdivision of it, and thus have a pool of addresses to use for Internet access.)
Imagine a business has the class C public address 184.108.40.206 and has 4 internal servers that it wishes to be publicly accessible. It is using 172.17.0.0 as an internal private class B address.
|Device|Internal IP address|
|---|---|
|Customer Accounts server|172.17.16.200|
|Remote Workers Customer Relations server|172.17.185.32|
|Web server|172.17.230.2|
Rather than give the whole range 220.127.116.11 - 18.104.22.168 to the dynamic NAT pool, we reserve the first 9 addresses for static mappings to internal devices and start the pool at 22.214.171.124.
We then configure the following static NAT mappings (hence the name 'Static NAT'):
|Device|Internal IP address|Mapped public address|
|---|---|---|
|Customer Accounts server|172.17.16.200|126.96.36.199|
|Remote Workers Customer Relations server|172.17.185.32|188.8.131.52|
|Web server|172.17.230.2|184.108.40.206|
Thus anyone wanting to reach the web server sends a request to 184.108.40.206. This is translated to 172.17.230.2 and hits the internal web server.
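The address plan above (keep the first 9 public addresses back for static mappings, hand the rest to the dynamic pool) can be checked mechanically. The following is an added example, not the business's router configuration: it splits a class C block with Python's standard `ipaddress` module, records one-to-one static mappings, refuses a mapping that would land inside the dynamic pool, and translates in both directions. The public block 203.0.113.0/24 is a constructed stand-in for the company's class C; the internal 172.17.0.0/16 block and the three server addresses are the ones given in the text.

```python
"""Static NAT address plan and one-to-one translation (constructed example)."""
import ipaddress
from typing import List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
PUBLIC_BLOCK = ipaddress.ip_network("203.0.113.0/24")   # constructed stand-in for the class C
PRIVATE_BLOCK = ipaddress.ip_network("172.17.0.0/16")   # the internal class B from the text
RESERVED_FOR_STATIC = 9   # first 9 addresses held back; the dynamic pool starts at the 10th


def split_public_block(block, reserved: int) -> Tuple[List[IPv4], List[IPv4]]:
    """Return (addresses reserved for static NAT, addresses left for the dynamic pool)."""
    hosts = list(block.hosts())           # .1 to .254 for a /24; network and broadcast excluded
    return hosts[:reserved], hosts[reserved:]


class StaticNat:
    def __init__(self, block, reserved: int):
        self.reserved, self.pool = split_public_block(block, reserved)
        self.inside_to_outside: dict = {}   # private address -> public address
        self.outside_to_inside: dict = {}   # public address -> private address

    def add_mapping(self, private_ip: str, public_ip: str) -> None:
        """Register a one-to-one mapping, rejecting anything that would collide with the pool."""
        priv, pub = ipaddress.ip_address(private_ip), ipaddress.ip_address(public_ip)
        if priv not in PRIVATE_BLOCK:
            raise ValueError(f"{priv} is not an internal address")
        if pub not in self.reserved:
            raise ValueError(f"{pub} is outside the reserved range; it would clash with the dynamic pool")
        if pub in self.outside_to_inside or priv in self.inside_to_outside:
            raise ValueError("static NAT is one-to-one; that address is already mapped")
        self.inside_to_outside[priv] = pub
        self.outside_to_inside[pub] = priv

    def translate_inbound(self, dst_public: str) -> Optional[IPv4]:
        """Unsolicited inbound packet: reachable only if the public address is statically mapped."""
        return self.outside_to_inside.get(ipaddress.ip_address(dst_public))

    def translate_outbound(self, src_private: str) -> Optional[IPv4]:
        """A statically mapped host always appears as its own public address.
        None means 'not statically mapped': the packet falls through to NAT overload on the pool."""
        return self.inside_to_outside.get(ipaddress.ip_address(src_private))


def build_example() -> StaticNat:
    """The three servers named in the text, mapped onto the reserved addresses."""
    nat = StaticNat(PUBLIC_BLOCK, RESERVED_FOR_STATIC)
    nat.add_mapping("172.17.16.200", "203.0.113.1")   # Customer Accounts server
    nat.add_mapping("172.17.185.32", "203.0.113.2")   # Remote Workers Customer Relations server
    nat.add_mapping("172.17.230.2", "203.0.113.3")    # web server
    return nat


if __name__ == "__main__":
    nat = build_example()
    print("reserved:", nat.reserved[0], "to", nat.reserved[-1], "| pool starts at", nat.pool[0])
    for pub, priv in nat.outside_to_inside.items():
        print(f"inbound to {pub} -> {priv}")
```

The contrast with port forwarding is worth keeping in mind when reviewing such a plan: a port forward exposes one port on one host, whereas a static one-to-one mapping makes every port on the mapped server reachable from the Internet, so the server itself (or a firewall in front of it) has to restrict which services answer.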