
Thread: Understanding Port Forwarding

  #1 just4kix (Guardian Angel; joined Dec 2007; 11,162 posts; liked 117 times)

    Understanding Port Forwarding

    What is Port Forwarding? A Beginner's Understanding

    The Basics

    Although I am a medium to heavy downloader, I have not dabbled too much in torrents and torrent clients such as BitTorrent or µTorrent. And I do not play online games at all. So when I started poking around with torrents, I first came across the term, and the nightmare, called port forwarding.

    Initially my DSL modem was set up in bridge mode, and I discovered that in bridge mode all ports are automatically forwarded. Later on, I configured my modem in PPPoE mode. This is when I started having problems with my torrents. I got low speeds, and µTorrent reported that the port it was using was not open (there was a yellow exclamation mark in the status bar).

    So my port forwarding experiments began. I was naturally referred to the excellent site – Portforward.com. But in spite of being computer savvy, I could not crack it. Finally, I managed to figure it out, and all from Portforward.com.

    But hang on! Some basic details first.

    Ports
    In the TCP/IP world, computers recognize each other by means of the IP address. This is true in the case of the internet (public network) or an intranet (private network). But to actually pass signals from one computer to another, ports come into the picture. This is not much different from real-life ports (seaports or airports).

    In a computer there are 65536 ports in total, numbered from 0 to 65535. Some of the ports (Port 0 to Port 1023) are reserved for special purposes, e.g.,

    Port 21 = FTP
    Port 23 = Telnet
    Port 80 = Web server pages (http)

    Some games use specific ports. For example, the game Battlefield Vietnam uses the port 14567.

    Port Security
    In real life, every country has immigrants, some of them illegal. Of the illegal immigrants, some are harmless, just seeking a better life somewhere else, while some have deadly intentions. At real-life ports there are guards (immigration and customs) who check what comes into or goes out of the country. Security forces also patrol the borders of the nation.

    Similarly, in the case of computers, ports are protected by some hardware or software – these are called firewalls. When we connect to the internet, the firewall protects our computers from external attacks.


    In the above diagram, the internet is the free open space cloud. All sorts of information (some of it malicious) is sitting out there to be accessed, downloaded, read/executed/written, etc. The router makes it possible to access this information. A firewall behind the router protects the computer from direct attacks.

    The typical firewall as shown above allows the computers in the intranet zone to access each other. The firewall can be configured to allow some or all computers to access the internet. It can allow/restrict users to certain privileges. For instance, it may allow users to access a website but prevent downloading or uploading of files.

    In our home, our humble router also has a simple firewall. It allows unrestricted access to the internet but blocks any attempt by outsiders to access our own machine. And this is where the problems with torrents start.

    Note: The firewall is only the first line of defence and not the complete line of defence. We have secondary lines of defence such as AV software, Internet Security programs, malicious software removal tools, etc.

    Concepts on Torrents

    How do torrents work?
    In a typical web service, our PCs are clients, whereas the URL that we type is a server. We request something from a server such as a web page, information or a complete file. Sometimes we also send information to the server to be processed. This is a typical client-server environment.

    Torrent downloads are completely different. When we are downloading from torrents, this is not a typical client-server environment. There is no central server that is attending to and serving the download requests. The torrent network is a peer-to-peer (or user-to-user) network. This is similar to an intranet in many respects.

    All connected computers share files. Some computers are uploading (seeding) while others are downloading (leeching). A file is made up of many blocks and the file is downloaded or uploaded, block by block. When someone starts a fresh download, that client starts with zero. It finds other computers in the P2P network that have the file to share (seeds). The download (leeching) starts block by block. A central information center computer keeps track of who has what and how much. This is the torrent host.

    When the download completes, the same computer is now ready to share. Now the leech becomes the seed.

    Some points to be noted:
    • A file may be seeded by 10 peers. When someone is downloading, the file blocks are downloaded from any seed and not necessarily from the same peer.
    • A leech becomes a 100% seed at the end of the file download. However, as soon as you have some blocks downloaded, you are ready to seed (share) them.
    • So even while downloading (leeching), uploading (seeding) is also going on.

    Why port forward?
    As explained above, a firewall protects our computers from the outside world. The firewall allows only such traffic as is a request, or a reply to a request, that originated from a computer inside the private network. Even then, if the firewall feels that such requests/replies are a potential threat to security, they are denied.

    In a P2P network, your computer must be able to communicate directly with other computers. For this direct communication to be as fast as possible, ports must be opened. Torrent downloads and online gaming are via P2P networks. Many online games have dedicated ports. Torrent clients allow ports to be selected.

    DMZ
    The simple firewalled installation as illustrated above is not sufficient, or rather not suitable, for a corporate network. A corporate network has to access other computers/systems or let others access its systems on a regular basis. E-mail is the best example. If there is a roadblock (firewall), then such information exchange will be impacted.

    At the same time, if the firewall port is opened for such programs, clever hackers can write code to access such a port and either steal information or inject hazardous material into the network.

    Hence corporates install two or more firewalls. The area/zone between the first firewall and the second firewall is known as the DMZ.

    DMZ stands for De-Militarized Zone. The term comes from the geographic buffer zone that was set up between North Korea and South Korea following the UN "police action" in the early 1950s. It is also known as the 38th parallel.

    In computer networks, a DMZ (demilitarized zone) is a computer host or small network inserted as a "neutral zone" between a company's private network and the outside public network. It prevents outside users from getting direct access to a server that has company data. A DMZ is an optional and more secure approach to a firewall and effectively acts as a proxy server as well.

    Users of the public network outside the company can access only the DMZ host. The DMZ may typically also have the company's Web pages so these could be served to the outside world. However, the DMZ provides access to no other company data. In the event that an outside user penetrated the DMZ host's security, the Web pages might be corrupted but no other company information would be exposed.

    The following diagram explains a typical DMZ.



    ... but we have digressed from the topic a bit. So back to track ...

    Port Forwarding Basics

    Which ports to use for Torrent Clients?
    The port numbers are divided into three ranges: the Well Known Ports, the Registered Ports, and the Dynamic and/or Private Ports.

    The Well Known Ports are those from 0 through 1023. Well Known ports SHOULD NEVER be used.

    The Registered Ports are those from 1024 through 49151. Many applications and games use ports in this range. The application and port number should be registered with the Internet Assigned Numbers Authority (IANA). The IANA is responsible for the global coordination of the DNS Root, IP addressing, and other Internet protocol resources. DCCP Registered ports SHOULD NOT be used without IANA registration.

    The Dynamic and/or Private Ports are those from 49152 through 65535. These are available. So use any port from 49152 to 65535. That is still quite a large number. After all, you need only one.

    Where is port forwarding done?
    Port forwarding is always done on the router. If the router is configured as a bridge, then there is no need to port forward as all ports are forwarded by default.

    How to port forward?
    This is extensively covered by the excellent site – Portforward.com. Although the principle is the same, the configuration method for each router is different. The site mentioned explains the step-by-step method for most common and popular routers - and that is nearly all of them.

    If you have patiently read all of the above, reached this point and understood the principles, it should not be too difficult now.

    What information is required for port forwarding?
    You basically require the following information:
    • The private IP address of your modem - This is something like 192.168.1.1 for 99% of the modems at home. Please note that this is not the IP address provided by the ISP. The IP address provided by the ISP is the public IP address and is usually dynamic, i.e. it changes every time you connect afresh.
    • The Port Number (to forward).
    Sometimes, other information such as Application name is also required.

    Which is the IP address to be used in port forwarding?


    The diagram above is a typical (home) network with a single router.

    When this router connects to the internet, it gets a public or external IP address, e.g. 117.195.96.123. This router also has an internal IP address 192.168.1.1. The Network Address Translation (NAT) service inside the router translates the external address to the internal address and vice versa.

    This router may have one or more networked devices attached to it via USB or Ethernet. These networked devices could be computers, printers, scanners, etc. or just about anything that can be networked.

    Each networked device will get a private or internal IP address. This internal IP address is assigned by the DHCP server inside the router. All these networked devices will have the same default gateway, viz., the router. Hence the default gateway address is 192.168.1.1.


    Now consider the diagram above. It is a picture of a (home) network with two routers. The second router could also be a wireless router. In this scenario there is one more NAT layer, as defined by the second router. Thus there are two private networks in this case.

    Scenarios
    Case I:
    Consider the third picture above (simple home network with one router only). In this case, the IP address to be used in port forwarding is the private IP address of the computer, viz., 192.168.1.3.

    Implications: Port forwarding is available on 192.168.1.3 only. If there are more computers in the network, these will also need to be configured separately if port forwarding is needed on them.

    Case II:
    In the second case (last picture, of the home network with two routers), the PC is in the second private network. Here port forwarding becomes tricky and depends upon which router is configured in PPPoE mode.

    Assume that the first router (internal IP address = 192.168.1.1) is configured in PPPoE mode, while the second router (internal IP address = 192.168.2.1) is configured in bridge mode. In this case port forwarding is to be done on the first router (because in bridge mode all ports are forwarded automatically). Since the port forwarding is to be configured on the first router, the IP address to be used is the external IP address of the second router, viz., 192.168.1.5.

    Implications: Port forwarding is done for all computers in the second private network.

    Case III:
    In the same context (fourth picture), now assume that the first router (internal IP address = 192.168.1.1) is configured in bridge mode, while the second router (internal IP address = 192.168.2.1) is configured in PPPoE mode. In this case port forwarding is to be done on the second router. Since the port forwarding is to be configured on the second router, the IP address to be used is the internal IP address of the PC, viz., 192.168.2.100.

    Implications: Port forwarding is available on 192.168.2.100 only. If there are more computers in the network, these will also need to be configured separately if port forwarding is needed on them.
    *** Never argue with an idiot. ***

    All my useful articles and Guides | My Movie Collection | My Blogs
    -------------------------------------------------------------------------------------------
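The post's section "Which ports to use for Torrent Clients?" tells you to pick a listening port from the dynamic range and then check whether it is "open". The following is an added example (not code from the post or from any torrent client) that does the part you can do on the PC itself: classify a port number by IANA range, pick a free dynamic-range port, and prove that a listener on it accepts connections over loopback. The port ranges are the ones the post quotes; everything else (function names, the loopback self-test) is this example's own design.

```python
import random
import socket
from typing import Optional

# IANA ranges as quoted in the post.
WELL_KNOWN = range(0, 1024)        # system ports: servers such as FTP/Telnet/HTTP, never a torrent client
REGISTERED = range(1024, 49152)    # assigned to applications/games; may collide with something else
DYNAMIC = range(49152, 65536)      # dynamic/private: choose the client's listening port here


def port_class(port: int) -> str:
    """Name the IANA range a port number falls into (raises on an invalid number)."""
    if port in WELL_KNOWN:
        return "well-known"
    if port in REGISTERED:
        return "registered"
    if port in DYNAMIC:
        return "dynamic"
    raise ValueError(f"not a valid TCP/UDP port: {port}")


def is_free_locally(port: int) -> bool:
    """True if nothing on this host is already bound to the TCP port (loopback bind test)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind(("127.0.0.1", port))
            return True
        except OSError:
            return False


def pick_listen_port(tries: int = 20) -> Optional[int]:
    """Pick a random dynamic-range port that is free on this host, or None after `tries` attempts."""
    for _ in range(tries):
        candidate = random.randrange(DYNAMIC.start, DYNAMIC.stop)
        if is_free_locally(candidate):
            return candidate
    return None


def listens_locally(port: int) -> bool:
    """Bind a listener on `port`, connect to it from the same host and complete the accept.
    Success proves the PC-side firewall/software accepts the port; it says nothing about the
    router, which is exactly the gap the port-forward rule has to close."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("127.0.0.1", port))
        srv.listen(1)
        with socket.create_connection(("127.0.0.1", port), timeout=2):
            conn, _ = srv.accept()
            conn.close()
            return True


if __name__ == "__main__":
    for p in (21, 80, 14567, 49152, 65535):
        print(p, port_class(p))
    chosen = pick_listen_port()
    print("chosen port:", chosen, "listens locally:", chosen is not None and listens_locally(chosen))
```

A green result here plus a yellow icon in the torrent client is the classic sign that the PC is fine and the router is the problem: the listener works on the LAN side, but the NAT in front of it has no rule mapping the public address and port to this machine.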
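The post's "Why port forward?" section and its Cases I to III describe, in words, what a NAT router with a stateful firewall does with an inbound packet. Below is an added example (not the post's own code or any router's firmware) that models exactly that decision: a router in "nat" (PPPoE) mode rewrites outbound traffic, lets replies to its own sessions back in, admits unsolicited traffic only where a forwarding rule exists, and drops the rest; a router in "bridge" mode passes everything through. The addresses 117.195.96.123, 192.168.1.1/3/5 and 192.168.2.1/100 are the post's; the listening port 51413, the peer 203.0.113.7:6881, the session-port counter and all names are this example's assumptions. It also goes one step beyond the post with a double-NAT case (both routers in NAT mode), where each router needs its own rule.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str   # "ip:port" of the sender
    dst: str   # "ip:port" the packet is addressed to


def split(addr: str) -> Tuple[str, int]:
    ip, port = addr.rsplit(":", 1)
    return ip, int(port)


@dataclass
class Router:
    name: str
    wan_ip: str                     # address on the upstream side (internet, or the outer LAN)
    lan_ip: str                     # default gateway of the devices behind it
    mode: str = "nat"               # "nat" = PPPoE/NAT with stateful firewall; "bridge" = transparent
    forwards: Dict[int, str] = field(default_factory=dict)   # WAN port -> "private_ip:port" (port-forward rules)
    sessions: Dict[int, str] = field(default_factory=dict)   # WAN port -> "private_ip:port" learned from outbound traffic
    next_wan_port: int = 40000      # hypothetical counter for NAT source ports

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN. NAT rewrites the source to its WAN address and remembers the mapping."""
        if self.mode == "bridge":
            return pkt
        wan_port, self.next_wan_port = self.next_wan_port, self.next_wan_port + 1
        self.sessions[wan_port] = pkt.src
        return Packet(src=f"{self.wan_ip}:{wan_port}", dst=pkt.dst)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN. Returns the packet as seen behind this router, or None if dropped."""
        if self.mode == "bridge":
            return pkt                                # bridge: all ports pass through
        ip, port = split(pkt.dst)
        if ip != self.wan_ip:
            return None                               # not addressed to this router
        if port in self.sessions:                     # reply to a connection the LAN opened
            return Packet(src=pkt.src, dst=self.sessions[port])
        if port in self.forwards:                     # explicit port-forward rule
            return Packet(src=pkt.src, dst=self.forwards[port])
        return None                                   # unsolicited inbound: the firewall drops it


def send_out(chain: List[Router], pkt: Packet) -> Packet:
    """PC -> internet: traverse the routers innermost first."""
    for r in reversed(chain):
        pkt = r.outbound(pkt)
    return pkt


def deliver(chain: List[Router], pkt: Packet) -> Optional[str]:
    """internet -> PC: traverse outermost first; returns the final 'ip:port', or None if dropped."""
    for r in chain:
        nxt = r.inbound(pkt)
        if nxt is None:
            return None
        pkt = nxt
    return pkt.dst


PUBLIC_IP = "117.195.96.123"     # public address from the post's diagram
PORT = 51413                     # hypothetical listening port in the dynamic range
PEER = "203.0.113.7:6881"        # constructed remote peer (documentation address)


def scenarios() -> Dict[str, Optional[str]]:
    """Run the post's cases (and the double-NAT extension) and return where each packet lands."""
    results: Dict[str, Optional[str]] = {}
    inbound = Packet(PEER, f"{PUBLIC_IP}:{PORT}")

    # No rule: an unsolicited peer connection is dropped, but a reply to something the PC started gets back.
    r1 = Router("router1", PUBLIC_IP, "192.168.1.1")
    results["unsolicited"] = deliver([r1], inbound)
    out = send_out([r1], Packet(f"192.168.1.3:{PORT}", PEER))
    results["reply"] = deliver([r1], Packet(PEER, out.src))

    # Case I: one NAT router; the rule points at the PC's private address.
    r1 = Router("router1", PUBLIC_IP, "192.168.1.1", forwards={PORT: f"192.168.1.3:{PORT}"})
    results["case1"] = deliver([r1], inbound)

    # Case II: router1 NAT, router2 bridged; the rule on router1 points at router2's outer address.
    r1 = Router("router1", PUBLIC_IP, "192.168.1.1", forwards={PORT: f"192.168.1.5:{PORT}"})
    r2 = Router("router2", "192.168.1.5", "192.168.2.1", mode="bridge")
    results["case2"] = deliver([r1, r2], inbound)

    # Case III: router1 bridged, router2 NAT (router2 now holds the public address); the rule points at the PC.
    r1 = Router("router1", "-", "-", mode="bridge")
    r2 = Router("router2", PUBLIC_IP, "192.168.2.1", forwards={PORT: f"192.168.2.100:{PORT}"})
    results["case3"] = deliver([r1, r2], inbound)

    # Beyond the post: both routers in NAT mode (double NAT) need one rule each.
    r1 = Router("router1", PUBLIC_IP, "192.168.1.1", forwards={PORT: f"192.168.1.5:{PORT}"})
    r2 = Router("router2", "192.168.1.5", "192.168.2.1")
    results["double_nat_outer_rule_only"] = deliver([r1, r2], inbound)
    r2.forwards[PORT] = f"192.168.2.100:{PORT}"
    results["double_nat_both_rules"] = deliver([r1, r2], inbound)
    return results


if __name__ == "__main__":
    for name, landed in scenarios().items():
        print(f"{name:28s} -> {landed if landed else 'dropped'}")
```

The point of the model is the order of the checks in `inbound`: a session entry (created by the PC's own outbound traffic) is what lets ordinary browsing work with no rules at all, and a forwarding rule is the only thing that admits a connection nobody inside asked for, which is what a torrent peer or a game server sends. Once a rule exists, that port is reachable from the whole internet, so the application listening on it is the new perimeter; forward one port to one machine, not a range to everything.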

  #2 Bronze Member (joined Nov 2010; 208 posts; liked 7 times)

    Set up IP camera

    Hi,

    I appreciate your way of explaining!!
    Knowing all this, I think you will be able to help me out.
    I will post the issues as soon as I get the next response from you.

    This is the scenario. I bought an IP camera, planning to monitor my home lobby. (This is where my router is, since I will have to connect it to the LAN as this is a wired one.)
    So, now, since I have a dynamic IP address, I registered with DynDns, and I have the update client for both DynDns and TZ0 in my Linksys WAN 160N router. Now I enabled "dyndns" in the Linksys setup page, along with my registered username/pass/link...

    Before continuing to my second question, tell me this..
    My IP camera also has a setup page, like a router, and this too has the option of a DynDns update client. This is where I get puzzled!!

    Which is the device that is supposed to "update" the dynamic IP? Is it the router or the camera? In my opinion it should be the router, since the router is the one which gets the public IP directly from the ISP, right? So why do all these IP cameras have this DDNS option in their setup page... This doesn't make any sense!!
