Remote Access/Port Forwarding Theory
Port Forwarding Theory
The Basics To really explain port forwarding, you first need to understand a little more about what your router does. Your internet service provider assigns one IP address to your internet connection. All computers on the internet need a unique IP address, but you have multiple computers in your house and only one address. So how does this work?
NAT - What is it? Why do we use it? Your home router has a function called Network Address Translation, or NAT, built in. Inside your network, computers have addresses like 192.168.1.100. All addresses in the 192.168.* range (or in the 10.*) range are "private" or "reserved" addresses. These addresses are officially assigned by IANA to be used inside of private networks. Your router automatically assigns such an address to each computer connected via DHCP. These addresses are how computers in your network communicate with the router and with each other.
Your router has a separate network interface that connects it to the internet. This interface has a very different address which is assigned by your ISP. This is the one address that I mentioned before, and your router uses it to communicate with other computers on the internet. Computers inside of your network have non-routable private IP addresses, meaning that if they send packets directly to the internet the packets will automatically be dropped (packets with private addresses are not allowed to traverse the internet for stability reasons). But your router has a routable address. Network Address Translation, as its name suggests, translates between these two kinds of addresses, allowing the multiple computers inside of your network to appear to the internet as one computer with one address.
The Details Although this might sound complicated, it's actually pretty simple how your router does it. Every time a computer inside your network wants to connect to a computer on the internet, it sends the connection request to the router (it knows to send it to the router because its Default Gateway parameter is set to the router's address). The router then takes that connection request (a "SYN request" in TCP/IP) and changes the source address (the "reply-to" or return address) and changes it from the private IP of the computer to the public IP of the router, so that the response will be sent to the router. It then takes note in a database (called the NAT table) that the connection was initiated, so that it remembers it later.
Or think of it this way This might be a little easier to visualize with a metaphor - let's say you're a freight forwarder in the US working with Chinese clients. They need to send packages to many customers in the US, but it's easier for customs/paperwork reasons to only send packages to one place. So, a package comes to you from one of your clients in China (the private network, in this example) with an actual destination somewhere in the US (the internet). You change the address label on the box to the US (public) address, and you change the return address to your own public address (since it can't be returned straight to China without inconveniencing the customer) and hand it to the postal service. If the customer returns the product, it comes to you. You look it up in your records and see what company in China it came from, and change the destination to that company (its private address) and the return address to your private address, so that they can send back a replacement through you.
This works great, but there's a bit of a problem. What if a customer needs to send something to the company, let's say a money order in payment for something? Or, let's say that a computer on the internet initiates a connection with the router (a SYN request), say to a web server that is in the network. The letter/packet only has the router's public address on it, so the router actually doesn't know where to send it! it could be destined for any of the computers on the private network, or for none of them. You might have experienced this problem when you call someone's home phone - when they call you it's no problem, but when you call them there's no way for them to know who's the call for, so the wrong person might answer.
While it's easy enough for humans to sort this out, it's a lot trickier for computers, because not every computer on your network knows all the other computers. When the response comes back from the remote computer (a "SYN-ACK"), the router looks in its NAT table and sees that a connection to that host on that port was previously initiated by a private computer on your network, changes the destination address to the private address of the computer, and forwards it inside your network. In this way, packets can continue to transit back and forth between networks, with the router transparently changing the addresses so that it works. When the connection is terminated, the router just removes it from the NAT table.
The Basics
To really explain port forwarding, you first need to understand a little more about what your router does. Your internet service provider assigns one IP address to your internet connection. All computers on the internet need a unique IP address, but you have multiple computers in your house and only one address. So how does this work?
If you know what it is and just want to know how to do it: http://portforward.com/ has a how-to with screenshots for literally hundreds of different routers. The documentation is there hidden behind an ad-page for their automatic portconfig tool. (Just click around a bit an you'll find it.)
NAT - What is it? Why do we use it?
Your home router has a function called Network Address Translation, or NAT, built in. Inside your network, computers have addresses like 192.168.1.100. All addresses in the 192.168.* range (or in the 10.*) range are "private" or "reserved" addresses. These addresses are officially assigned by IANA to be used inside of private networks. Your router automatically assigns such an address to each computer connected via DHCP. These addresses are how computers in your network communicate with the router and with each other.
Your router has a separate network interface that connects it to the internet. This interface has a very different address which is assigned by your ISP. This is the one address that I mentioned before, and your router uses it to communicate with other computers on the internet. Computers inside of your network have non-routable private IP addresses, meaning that if they send packets directly to the internet the packets will automatically be dropped (packets with private addresses are not allowed to traverse the internet for stability reasons). But your router has a routable address. Network Address Translation, as its name suggests, translates between these two kinds of addresses, allowing the multiple computers inside of your network to appear to the internet as one computer with one address.
The Details
Although this might sound complicated, it's actually pretty simple how your router does it. Every time a computer inside your network wants to connect to a computer on the internet, it sends the connection request to the router (it knows to send it to the router because its Default Gateway parameter is set to the router's address). The router then takes that connection request (a "SYN request" in TCP/IP) and changes the source address (the "reply-to" or return address) and changes it from the private IP of the computer to the public IP of the router, so that the response will be sent to the router. It then takes note in a database (called the NAT table) that the connection was initiated, so that it remembers it later.
When the response comes back from the remote computer (a "SYN-ACK"), the router looks in its NAT table and sees that a connection to that host on that port was previously initiated by a private computer on your network, changes the destination address to the private address of the computer, and forwards it inside your network. In this way, packets can continue to transit back and forth between networks, with the router transparently changing the addresses so that it works. When the connection is terminated, the router just removes it from the NAT table.
Or think of it this way
This might be a little easier to visualize with a metaphor - let's say you're a freight forwarder in the US working with Chinese clients. They need to send packages to many customers in the US, but it's easier for customs/paperwork reasons to only send packages to one place. So, a package comes to you from one of your clients in China (the private network, in this example) with an actual destination somewhere in the US (the internet). You change the address label on the box to the US (public) address, and you change the return address to your own public address (since it can't be returned straight to China without inconveniencing the customer) and hand it to the postal service. If the customer returns the product, it comes to you. You look it up in your records and see what company in China it came from, and change the destination to that company (its private address) and the return address to your private address, so that they can send back a replacement through you.
This works great, but there's a bit of a problem. What if a customer needs to send something to the company, let's say a money order in payment for something? Or, let's say that a computer on the internet initiates a connection with the router (a SYN request), say to a web server that is in the network. The letter/packet only has the router's public address on it, so the router actually doesn't know where to send it! it could be destined for any of the computers on the private network, or for none of them. You might have experienced this problem when you call someone's home phone - when they call you it's no problem, but when you call them there's no way for them to know who's the call for, so the wrong person might answer.
While it's easy enough for humans to sort this out, it's a lot trickier for computers, because not every computer on your network knows all the other computers.
And finally we get to Port Forwarding
Port Forwarding is how we fix this problem: it's a way to tell your router what computer inside the network incoming connections should be directed to. We have three different ways we can do this:
Faux-DMZ: a lot of routers have a feature called DMZ. This stands for Demilitarized Zone, which is a kind of network security configuration. The DMZ on home routers is often referred to as faux-DMZ because it lacks the features of an actual DMZ. What it does do is the simplest kind of incoming connection handling: all incoming connection requests will be sent to one specified inside your network. It's dead simple - you type an IP address in to your router's configuration, and all incoming connections go there. This doesn't always work, though, because you might have multiple computers that need to accept incoming connections. For that, we have... Port forwarding: All network connection requests include a "port". The port is just a number, and it's part of how a computer knows what the packet is. IANA has specified that Port 80 is used for HTTP. This means that an incoming packet that says port number 80 must be a request intended for a web server. Port forwarding on your router allows you to enter a port number (or possibly a range or combination of numbers, depending on the router), and an IP address. All incoming connections with a matching port number will be forwarded to the internal computer with that address. UPnP port forwards: UPnP forwarding works the exact same way as port forwarding, but instead of you setting it up, software on a computer inside the network automatically sets the router to forward traffic on a given port to it.