
Port Forward Blues


7 replies to this topic

#1 BRSHiFi

BRSHiFi

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:07:34 PM

Posted 10 February 2015 - 03:05 PM

Hi All,

 

I am a recently graduated electrical engineer who has a reasonable amount of knowledge in TCP/IP networking and the internet. My ultimate goal is to have an embedded computer system send information it collects from sensors over the internet to a C# application I will write.

 

To test the integrity of my network and configuration settings, I downloaded a simple chat client/server pair someone wrote. The program works fine within my own local home network. To test connectivity from LAN to LAN (over the internet), I connect to another WiFi network other than my own and the program does not work. This means the data is not passing through. The program uses UDP, which is OK for my application.

 

Numerous tutorials say I need to utilize port forwarding. I did this. I set the IP address of my local machine as the server and chose the port the application uses in my router. Still, it does not work.

 

I have Comcast and am using one of their provided routers. My neighbor does too. I even tried a port forward on his router in addition to mine. I checked the firewall settings (both router and Kaspersky) and they look OK. Other tutorials mention the public address of my router. They do not say however what I need to do with the public address, so I tried connecting with it and the application still did not work.

 

Can someone please assist me in trying to make my home network visible over the internet to these programs? Once I find out the proper configuration settings, I will implement my embedded system. I feel this is really more complicated than it has to be.

 

Thanks


Edited by BRSHiFi, 10 February 2015 - 03:07 PM.



#2 nickautomatic

nickautomatic

  • Members
  • 143 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:34 AM

Posted 10 February 2015 - 03:44 PM

I am not into networking. However, duty calls to do port forwarding. Please try visiting www.portforward.com. It is a site for networking-related processes or instructions. I hope that helps.



#3 Wand3r3r

Wand3r3r

  • Members
  • 2,027 posts
  • OFFLINE
  •  
  • Local time:06:34 PM

Posted 10 February 2015 - 05:03 PM

Once you have configured port forwarding you still have two steps to complete. 

 

1. run the program on the server so it's listening on the port forwarded

2. run a port checker like canuseeme, shields up or the one at portforward.com to see if the port is open.



#4 BRSHiFi

BRSHiFi
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:07:34 PM

Posted 10 February 2015 - 05:34 PM

I went to this site and scanned the port with my server running. My public IP address says the port is open. Here are the results from the scan.

 

https://pentest-tools.com/discovery-probing/udp-port-scanner-online-nmap

 

********************************************************************************************************************************************************************************

 

Starting job... [2015-02-10 22:29:31]             Stay on this page for results!

Starting Nmap 6.00 ( http://nmap.org ) at 2015-02-11 00:29 EET
Initiating UDP Scan at 00:29
Scanning c-67-165-158-4.hsd1.il.comcast.net (*** IP ADDRESS CENSORED ***) [1 port]
Completed UDP Scan at 00:29, 0.19s elapsed (1 total ports)

Nmap scan report for c-67-165-158-4.hsd1.il.comcast.net (*** IP ADDRESS CENSORED ***)
Host is up.

PORT STATE SERVICE
30000/udp open|filtered unknown


Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds
Raw packets sent: 1 (28B) | Rcvd: 1 (40B)

 

Job finished [2015-02-10 22:29:31]



#5 BRSHiFi

BRSHiFi
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:07:34 PM

Posted 10 February 2015 - 07:27 PM

Apparently the port opens just fine. Do I need to put a port forward in my neighbor's router as well?


Edited by BRSHiFi, 10 February 2015 - 07:28 PM.


#6 Orecomm

Orecomm

  • Members
  • 266 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Roseburg, Oregon
  • Local time:06:34 PM

Posted 10 February 2015 - 07:30 PM

You need to know who is initiating the connection and who is receiving. Port forwarding is directional. 

 

Let's say your embedded application is the receiver, its local address on your network is 192.168.1.100, and it's listening on port 8888.

Your router's outside address is 100.200.123.123 

Your neighbor is going to connect from a PC on his network to your server.

His PC on his network is 192.168.1.3

His router's outside address is 100.200.123.124

 

By default, nearly all home routers allow all outbound traffic, but block all inbound traffic unless the "conversation" was initiated from inside the local network. 

 

It will help to grab a pencil and paper and draw out the following as you read it:

 

When your neighbor's PC tries to hit your server there are two immediate problems. First of all, if he tries to send a packet to 192.168.1.100 his computer is going to try and find that device on his network, not yours. He will have to address any communication to your Public, outside address of 100.200.123.123. The second problem is that once that packet gets to your router the router sees it as uninvited traffic and simply ignores it. Even if it accepted it, it wouldn't know where to send it because every device behind your router shares that one address. This is where the port forward comes in. You need to define the port forward on your public address (100.200.123.123) router to map UDP port 8888 from any source (or at least your neighbor's public IP address) to UDP port 8888 on your server at 192.168.1.100. This does two things: it tells the router to be looking for uninvited traffic on its UDP port 8888 and then where to send that traffic, altering the IP addresses and port numbers as it goes. Note that TCP and UDP ports aren't the same, so make sure the forward matches the protocol you are using.

 

So the traffic leaves his PC going from source address 192.168.1.3 to destination address 100.200.123.123 port 8888. His router creates an entry for the conversation, effectively a temporary port forward that sends any reply to the request to 192.168.1.3, and also changes the source address to its own outside address, 100.200.123.124, and some random port, say 6789. So now the packet is from 100.200.123.124 port 6789 to 100.200.123.123 port 8888. Your router receives the packet and notes that it has a port map for the destination port. It alters the destination address to your mapped address, 192.168.1.100, and port, 8888, and sends the packet to the inside address. Your server receives the packet and sees it with a source address of 100.200.123.124 port 6789 and a destination of 192.168.1.100 port UDP 8888. When your server replies it should use the source address as its destination. If it doesn't it won't get far. If it does, the entire process gets "unwrapped": your router exchanges your private inside 192.168.1.100 address for its public outside address and sends it to your neighbor's router. His router (hopefully) recognizes your traffic as a response to the initial request. It removes its outside address and port and replaces them with your neighbor's inside address and original port. The packet arrives back at your neighbor's PC with a source of 100.200.123.123 and UDP port 8888, and a destination address of 192.168.1.3 and whatever port was used to initiate the dialog.

 

The port forward is only needed on the end receiving the connection, not the one originating it. 

Both ends "think" the other end is a public IP address, not the local 192.168.1.x address. This is important for firewall rules, particularly on the end PCs.

On the originating end the NAT router makes (almost) everything transparent.

If you reply to any port other than the one that originated the connection the source router can't match the request and reply, so your reply will not be recognized and will be ignored. Some protocols, like FTP, SIP, and others open additional connections. Most of these require "helper" code in the routers to be able to match up requests and replies. Since your little embedded app is unlikely to be popular enough to cause the router manufacturers to include a "helper" (aka Application Layer Gateway, ALG) it's best to just not do that. 
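The packet walk in the post above, as an added Python simulation of both NAT routers (constructed here, not code from the thread or from any router); it reuses the post's addresses and ports, assumes the neighbor's PC sends from a made-up port 40000, and also shows the two failure modes the post names: a forward for the wrong protocol, and a server reply sent from a port other than the forwarded one.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport")   # one UDP/TCP datagram header

class NatRouter:
    """Home router model: outbound traffic is rewritten to the public address and remembered;
    inbound is dropped unless it answers a remembered conversation or hits a port forward."""
    def __init__(self, public_ip, first_port=6789):
        self.public_ip = public_ip
        self.next_port = first_port       # next "random" public port to hand out
        self.conversations = {}           # (proto, public port) -> (inside ip, inside port, peer ip, peer port)
        self.forwards = {}                # (proto, public port) -> (inside ip, inside port)

    def add_forward(self, proto, public_port, inside_ip, inside_port):
        self.forwards[(proto, public_port)] = (inside_ip, inside_port)

    def outbound(self, p):
        # A forwarded server answering from its forwarded port keeps that public port;
        # anything else gets a fresh public port plus a conversation entry for the reply.
        for (proto, pub_port), target in self.forwards.items():
            if proto == p.proto and target == (p.src, p.sport):
                return p._replace(src=self.public_ip, sport=pub_port)
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.conversations[(p.proto, pub_port)] = (p.src, p.sport, p.dst, p.dport)
        return p._replace(src=self.public_ip, sport=pub_port)

    def inbound(self, p):
        key = (p.proto, p.dport)
        if key in self.conversations:
            in_ip, in_port, peer_ip, peer_port = self.conversations[key]
            if (p.src, p.sport) != (peer_ip, peer_port):
                return None               # reply came from another address/port: not matched, ignored
            return p._replace(dst=in_ip, dport=in_port)
        if key in self.forwards:
            in_ip, in_port = self.forwards[key]
            return p._replace(dst=in_ip, dport=in_port)
        return None                       # uninvited traffic with no forward: ignored

def exchange(forward_proto="udp", server_reply_port=8888):
    """Walk one request and its reply through both routers; returns the reply as it
    arrives at the neighbour's PC, or None if either router dropped a packet."""
    mine, his = NatRouter("100.200.123.123"), NatRouter("100.200.123.124")
    mine.add_forward(forward_proto, 8888, "192.168.1.100", 8888)
    req = his.outbound(Packet("udp", "192.168.1.3", 40000, "100.200.123.123", 8888))
    at_server = mine.inbound(req)         # port forward rewrites dst to 192.168.1.100:8888
    if at_server is None:
        return None
    reply = Packet("udp", "192.168.1.100", server_reply_port, at_server.src, at_server.sport)
    return his.inbound(mine.outbound(reply))
```

`exchange()` returns the reply exactly as the post describes it; `exchange(forward_proto="tcp")` and `exchange(server_reply_port=9999)` both return None, because the request never matches the forward and the reply never matches the neighbor's conversation entry respectively.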



#7 BRSHiFi

BRSHiFi
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:07:34 PM

Posted 10 February 2015 - 08:11 PM

When I attempt to port forward my router's public IP, it says:

 

Server IP addr is not in valid range:
10.0.0.[2~254]

 

I think it only accepts local IPs. Is this because the port forward maps the public IP to the machine I specify? In this case the IP address I send from my neighbor needs to be my router's public IP?

 

It is starting to fall into place.

 

Thanks



#8 Orecomm

Orecomm

  • Members
  • 266 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Roseburg, Oregon
  • Local time:06:34 PM

Posted 10 February 2015 - 09:34 PM

The address it is looking for is the private (inside) address of your server. The outside address is a given for the router.

 

And yes, the address you need to use from your neighbor's house would be the outside address of your router once the port forward is set up.


