Port Forwarding

From DD-WRT Wiki

(Difference between revisions)
Revision as of 02:35, 18 May 2005 (edit)
Sveasoft (Talk | contribs)
(Configuring Port Forwarding)
Revision as of 02:36, 18 May 2005 (edit) (undo)
Sveasoft (Talk | contribs)
(Port Range Forward)
Line 59: Line 59:
==== Port Range Forward ==== ==== Port Range Forward ====
This is the most common port forwarding and always forwards ports to the same machine (LAN IP) on the network. This is the most common port forwarding and always forwards ports to the same machine (LAN IP) on the network.
--Browse to the web interface (http://&lt;RouterLanIP&gt;)<br>+-Browse to the web interface <nowiki>(http://&lt;RouterLanIP&gt;)</nowiki><br>
-Click on the "Applications and Gameing" tab<br> -Click on the "Applications and Gameing" tab<br>
-Click on the "Port Range Forward" subtab. <br> -Click on the "Port Range Forward" subtab. <br>
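Review bot: the changed first step still builds the list by hand with a leading "-" and a trailing <br>, so the edit only swaps "--" for "-" and adds <nowiki> around the URL. Wiki list markup at the start of each line would render these steps as a real list and make the <br> tags unnecessary. The unchanged second line also carries the misspelling "Gameing", which could be corrected in the same edit.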

Revision as of 02:36, 18 May 2005


Introduction (for beginners)

A Primer on Ports and IP Addresses

The internet works using two main address units: the IP address and the port. When your computer makes a call on the internet--trying to load www.dd-wrt.com, for example--it starts by asking the IP address of www.dd-wrt.com for the webpage. However, it can't just ask dd-wrt.com's IP address for the webpage files--that would be like leaving off the apartment number when mailing someone. It needs to ask dd-wrt.com's IP address on port 80--the universal webpage port. Your computer instructs the response to be sent back to your IP address on some port that you opened to receive that data. By using ports, your computer can keep track of which stream of data belongs to what.

For example, when requesting a webpage with some text and 1 image, your web browser might ask that the main text content be sent back to it on port 10345 and the image be sent back on 10548. It might also be receiving instant messages on other ports and e-mails on yet other ports. The ports here don't matter because your computer just makes them up on the fly. What does matter are server ports. A web server doesn't announce that it's waiting for webpage requests on port 80; that's just known. It's a standard. In fact, all of the ports from 1-1024 are set aside for such standardization.

On the internet there are two types of addresses: public IP addresses and private IP addresses. Public IP addresses are those addresses that are routable on the internet. These make up the bulk of all IP addresses. Addresses that begin with 10.x.y.z or 192.168.x.y (where x, y, and z can be anything 0-255) are strictly private addresses and cannot exist on the internet. Additionally, 127.x.y.z is set aside as the local loopback address and, depending on your computer, 127.x.y.z will reach your own system. On most computers this is limited to, but that needn't be so.

There are only 2^32 possible IP addresses, and worldwide there are many more than 2^32 devices (computers, printers, scanners, etc.) that would like to have internet IP addresses. Private addresses and, more specifically, NAT were set up to solve the problem of a limited number of IP addresses. The new IP protocol specification, IPv6, intends to solve this problem by increasing the number of addresses.

A Primer on Network Address Translation

Network Address Translation (NAT) works by making an entire network of privately addressed devices appear as just 1 device on the internet. NAT is usually done inside of a router, like the WRT54G, but can also be done on a computer running Linux, Mac OS, or Windows, provided you have more than 1 network adapter.

When a computer behind a NAT device makes a call to the internet, it sends its packet to the NAT device just as though it were going to send it directly to its destination. To the privately addressed device, the NAT device appears to be any ordinary router.

When the NAT device receives a packet destined for the internet, it reconstructs the packet, taking note of the original sender IP and port, and then resends that packet as though it were making the request itself. When the information comes back, it sends it back to the original device as though it had come from the computer on the internet.


                            ___     ___
                          __\ /____/   \      Broadband     |    WRT54G     |
     www.dd-wrt.com------/(The Internet)\-----Connection----|WAN 64.125.x.y |
   (   \__/\__/\______/                   |LAN|-----Computer A
                              (Cloud) ;)                               

1. Computer A tries to connect to www.dd-wrt.com. It sends a packet like:
     To= From= Get index.html

2. The WRT54G intercepts this packet and sends the following:
     To= From=
  and makes a note:
  Anything received on port 15846 goes to on port 16848

3. www.dd-wrt.com responds with
    To= From= <Contents of Index.html>

4. The WRT54G sees the information is addressed to 15846, so it sends:
    To= From= <Contents of Index.html>

In this way neither www.dd-wrt.com nor Computer A knew that they weren't talking directly to each other.
  (all ports except 80 were completely made up and were simply for illustration;
   is an invalid IP address on purpose)

Primer on Port Forwarding

In the example above, during step 2 the WRT54G makes a note that all information received on a particular port should be relayed to a certain IP address on a certain port. This is essentially port forwarding, but it happens automatically.

The term port forwarding generally refers to manually defining a rule in the router to send all data received on some range of ports on the internet side (WAN jack) to a port and IP address on the LAN side (LAN jacks or wireless antennas).

You will need to do this whenever your computer opens a port to receive connections without first connecting to a machine on the internet. This happens if you're running a web server (80), FTP server (21), SSH server (22), etc. on one of your local computers that you would like to be visible on the internet. Many games and instant messaging clients also open ports without trying to connect out first, and these ports may need to be specifically defined as well.

Port Mapping

Many routers support a concept known as port mapping. This allows one to forward 1 port from the WAN address to a different port on some LAN address. This is useful if your ISP blocks port 80, but you would like to run a webserver. Just send people to http://<youripaddress>:<external_port> rather than http://<youripaddress>. Your webserver on your home computer will be working on port 80, but the router maps a different external port to it. Linksys routers do not allow this via the web interface, but perhaps a custom firmware will eventually add it. In order to set up port mapping, we must do so from the console.
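The NAT walk-through, the port forwarding primer and the port mapping description above, as a small Python simulation. This is an added example, not DD-WRT code: the class Nat, its methods and every IP address are assumptions made for illustration, while the ports 15846, 16848 and 80 follow the walk-through.

```python
from itertools import count

WAN_IP = "203.0.113.10"  # assumed WAN address (documentation range)

class Nat:
    """Toy NAT device. Real NAT also tracks the remote address per mapping."""

    def __init__(self, first_port=15846):
        self.dynamic = {}  # (proto, wan_port) -> (lan_ip, lan_port), learned
        self.static = {}   # (proto, wan_port) -> (lan_ip, lan_port), manual
        self._next = count(first_port)

    def forward(self, proto, wan_start, wan_end, lan_ip, lan_start=None):
        """Manual rule. A lan_start different from wan_start is port mapping."""
        lan_start = wan_start if lan_start is None else lan_start
        for i in range(wan_end - wan_start + 1):
            self.static[(proto, wan_start + i)] = (lan_ip, lan_start + i)

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Step 2: rewrite the source and note how to reverse it."""
        for (p, wan_port), owner in self.dynamic.items():
            if p == proto and owner == (src_ip, src_port):
                break  # this LAN socket already has a note; reuse it
        else:
            wan_port = next(self._next)
            while (proto, wan_port) in self.static:  # never shadow a rule
                wan_port = next(self._next)
            self.dynamic[(proto, wan_port)] = (src_ip, src_port)
        return (WAN_IP, wan_port, dst_ip, dst_port)

    def inbound(self, proto, dst_port):
        """Steps 3-4: LAN target for a WAN packet, or None if it is dropped."""
        key = (proto, dst_port)
        return self.dynamic.get(key) or self.static.get(key)

    def exposed(self):
        """WAN ports any internet host can reach at any time (audit view)."""
        return sorted(port for _, port in self.static)


def demo():
    nat = Nat()
    # Computer A (assumed 192.168.1.100) requests a page from port 16848.
    sent = nat.outbound("tcp", "192.168.1.100", 16848, "198.51.100.7", 80)
    reply = nat.inbound("tcp", sent[1])        # answer to the noted port
    before = nat.inbound("tcp", 80)            # unsolicited, no rule: dropped
    nat.forward("tcp", 80, 80, "192.168.1.100")                # web server
    nat.forward("tcp", 8080, 8080, "192.168.1.101", lan_start=80)  # mapping
    return sent, reply, before, nat.inbound("tcp", 80), nat.inbound("tcp", 8080)
```

exposed() returns the WAN ports that manual rules leave reachable from the internet at all times, which is the list worth reviewing whenever a forwarded service is retired.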

Configuring Port Forwarding

It's a good idea to set static IP addresses for any computers you would like to forward ports to. This can be done using Static DHCP or by manually configuring IPs in your OS. Be sure to set your static IPs outside of your automatic (DHCP) address range. This range is by default.

Port Forwarding using the Webinterface

Port Range Forward

This is the most common port forwarding and always forwards ports to the same machine (LAN IP) on the network.
-Browse to the web interface (http://<RouterLanIP>)
-Click on the "Applications and Gaming" tab
-Click on the "Port Range Forward" subtab.
-Enter any Application name you'd like. This is for you and makes no difference
-Enter the Start port in the range you'd like to forward
-Enter the End port in the range you'd like to forward. If you're just forwarding 1 port, set them both equal.
-Enter the Local IP Address of the machine you'd like to forward the port to
If the computer you're forwarding to is configured for an automatic IP address by DHCP, you will periodically have to update the last field to reflect the machine's current Local IP Address.

Image showing port forwarding for a web server and a bittorrent client with a local IP address of
Here you can see that connecting to <WAN_IP_Address>:80 will bring you to the webserver on and connecting to any port between 6881 and 6889 on <WAN_IP_Address> will bring you to the bittorrent client on

Triggered Port Forwarding

Triggered Port Forwarding is not the same as Port Range Forwarding, and works by forwarding requests to a range of ports to the machine that first connected to a remote host on the trigger port. For example, this could be used to forward the File Transfer ports that AIM uses to any computer that connects to the AIM servers without requiring a hard coded rule.

Port Forwarding using UPnP

Windows users (and others?) can use UPnP to configure port forwarding. This can be a little more convenient. UPnP also allows supporting programs to automatically configure port forwarding for you when they need it.

Port Forwarding using the Console

Here I will specifically show port mapping, but the same thing can be done for port forwarding if you set the internal and external ports equal.

External Resources

