- Posts: 8
- Thank you received: 0
NAT and Port Forwarding
20 years 4 months ago #4221
by mikeb
NAT and Port Forwarding was created by mikeb
Why do we need to setup port forwarding for some applications when NAT is supposed to take care of that automatically?
20 years 4 months ago #4226
by Chris
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
Replied by Chris on topic Re: NAT and Port Forwarding
Hi Mike,
It's quite difficult to answer such a question because your not giving any information about the NAT Device or Application(s).
If your referring to a specific problem, please provide more details, otherwise, if your question is that of general interest, then yes, you are (in most) cases required to setup port forwarding depending where the server and client is.
To give you an idea on the importance of each one's location, If for example the client is behind the NAT device and the server is on a public or different network, you might not need to configure NAT, but in the event its the otherway around, with the server behind the NAT Device, then you'll probably need to apply some configuration to the NAT Device in order to have it forward packets internaly to the server.
Cheers,
It's quite difficult to answer such a question because your not giving any information about the NAT Device or Application(s).
If your referring to a specific problem, please provide more details, otherwise, if your question is that of general interest, then yes, you are (in most) cases required to setup port forwarding depending where the server and client is.
To give you an idea on the importance of each one's location, If for example the client is behind the NAT device and the server is on a public or different network, you might not need to configure NAT, but in the event its the otherway around, with the server behind the NAT Device, then you'll probably need to apply some configuration to the NAT Device in order to have it forward packets internaly to the server.
Cheers,
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
20 years 4 months ago #4231
by mikeb
Replied by mikeb on topic Re: NAT and Port Forwarding
Hi, Chris. Great job on the tutorials!
I understand what you're saying about the server being behind NAT, but what if we have 2 similar servers behind a NAT device? For example, one of the popular P2P clients needs port 6346. Let's say I have 2 pcs connected to a router which runs NAT and connects to WAN. I would need to configure the router to forward data coming in for port 6346 to one of the two local IPs, correct? Here's the question, how would I then run the same P2P client on the second pc if all the packets coming in would be routed to the first pc?
And another question:
let's say in the same configuration as above, both pcs almost simultaneously send a request to the SAME ip on port 80. If, as you say, in your tutorial NAT device stores in its table source and destination ips, there would be for example 2 entries:
192.168.0.100 -- 120.233.42.66
192.168.0.101 -- 120.233.42.66
it then strips off the local ip and replaces it with its WAN ip, and after the response is received the process is reversed. So, how would it know in this case to which of the 2 local IPs to forward the data?
thanks.
I understand what you're saying about the server being behind NAT, but what if we have 2 similar servers behind a NAT device? For example, one of the popular P2P clients needs port 6346. Let's say I have 2 pcs connected to a router which runs NAT and connects to WAN. I would need to configure the router to forward data coming in for port 6346 to one of the two local IPs, correct? Here's the question, how would I then run the same P2P client on the second pc if all the packets coming in would be routed to the first pc?
And another question:
let's say in the same configuration as above, both pcs almost simultaneously send a request to the SAME ip on port 80. If, as you say, in your tutorial NAT device stores in its table source and destination ips, there would be for example 2 entries:
192.168.0.100 -- 120.233.42.66
192.168.0.101 -- 120.233.42.66
it then strips off the local ip and replaces it with its WAN ip, and after the response is received the process is reversed. So, how would it know in this case to which of the 2 local IPs to forward the data?
thanks.
20 years 4 months ago #4234
by sahirh
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Replied by sahirh on topic Re: NAT and Port Forwarding
For your first question.. port forwarding is not really required here.. you dont need to tell the NAT device to forward to your port XX, you initiated a connection outwards, and when data comes back it will come to the right port.. or at least it should ideally do so. With NAT (in overload mode), the issue comes when you have someone from outside trying to initiate a connection inwards.
For your second question, you've forgotten one vital bit of information.. the source port numbers... the requests would be like
192.168.1.100:4382 ---> www.firewall.cx:80
192.168.1.101:5839 ---> www.firewall.cx:80
So even after it rewrites the source IP , it still knows the source port.
For your second question, you've forgotten one vital bit of information.. the source port numbers... the requests would be like
192.168.1.100:4382 ---> www.firewall.cx:80
192.168.1.101:5839 ---> www.firewall.cx:80
So even after it rewrites the source IP , it still knows the source port.
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
20 years 4 months ago #4250
by Chris
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
Replied by Chris on topic Re: NAT and Port Forwarding
Hi Mike,
Taking your questions in reverse order, as Sahir so correctly pointed out, the source port of the Internal PC is what the NAT device (e.g Router) will use to map all outgoing connections into its memory. When the response comes back, it compares the IP and TCP Headers with that in its memory and knows where to send the data internally.
I'm not sure if you missed it, but the following page contains exactly what your after, with examples to ensure all questions are answered:
www.firewall.cx/nat-overload-part1.php
As for your first question, port forwarding is only required when external clients are trying to connect to a service on your internal network, e.g the server you mentioned with the P2P service.
In this case, you forward all requests to a given port e.g 6346 from the front end device - router or firewall, to the server inside, so nothing special is required here.
On the other hand, if you have two servers internally, running the same service as above (port 6346) then things start to become slightly tricky since you have two internal servers, each running the same service (6346) to which external clients need to connect.
The classical way to resolve this problem is to give your router two IP Addresses and create two different mappings on the external interface , mapping each one to a different external IP:)
For example:
[code:1]
Internal Servers
192.168.0.10
[Private interface]-Router-[Public Interface]
192.168.0.20
|
Router's Private Interface: 192.168.0.1
Router's Public Interface: 200.0.0.1 & 200.0.0.2
[/code:1]
Mappings required to make this work:
1) If any client hits 200.0.0.1, port 6346, forward to 192.168.0.10
2) If any client hits 200.0.0.2, port 6346, forward to 192.168.0.20
This way you are able to achieve the required result!
Hope that helps clear all your doubts.
Cheers,
Taking your questions in reverse order, as Sahir so correctly pointed out, the source port of the Internal PC is what the NAT device (e.g Router) will use to map all outgoing connections into its memory. When the response comes back, it compares the IP and TCP Headers with that in its memory and knows where to send the data internally.
I'm not sure if you missed it, but the following page contains exactly what your after, with examples to ensure all questions are answered:
www.firewall.cx/nat-overload-part1.php
As for your first question, port forwarding is only required when external clients are trying to connect to a service on your internal network, e.g the server you mentioned with the P2P service.
In this case, you forward all requests to a given port e.g 6346 from the front end device - router or firewall, to the server inside, so nothing special is required here.
On the other hand, if you have two servers internally, running the same service as above (port 6346) then things start to become slightly tricky since you have two internal servers, each running the same service (6346) to which external clients need to connect.
The classical way to resolve this problem is to give your router two IP Addresses and create two different mappings on the external interface , mapping each one to a different external IP:)
For example:
[code:1]
Internal Servers
192.168.0.10
[Private interface]-Router-[Public Interface]
192.168.0.20
|
Router's Private Interface: 192.168.0.1
Router's Public Interface: 200.0.0.1 & 200.0.0.2
[/code:1]
Mappings required to make this work:
1) If any client hits 200.0.0.1, port 6346, forward to 192.168.0.10
2) If any client hits 200.0.0.2, port 6346, forward to 192.168.0.20
This way you are able to achieve the required result!
Hope that helps clear all your doubts.
Cheers,
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
20 years 4 months ago #4284
by mikeb
Replied by mikeb on topic Re: NAT and Port Forwarding
Thank you for clarification, but one point still confuses me. I will try to summarize what I undertood so far, please correct me if I'm wrong in any of my interpretations. I'm sorry for taking so much of your time with this question, but I believe this is a crucial point in undertanding networking and administration.
As far as I understand port forwarding is required when no outside connection has yet been made (since no entry yet exists in NAT table), in other words, whenever there's an application that acts as a server. A P2P application acts as both a client and a server that uses port 6346 for its communication. So, if our application sent a request to another user on port 6346 NAT device would record the following information in its table.
Source IP: 192.168.0.100
Source port: 6346
Dest. IP : xxx.xxx.xxx.xxx
Dest. port: 6346
Then, the router would replace the source IP with its own public IP and send the packet. when reply comes back it would look at destination port 6346, look in its table and see that port 6346 associated with 192.168.0.100 so that's where it forward the packet.
But if, for some reason, the router receives an incoming packet (before the above took place) with 6346 source port and ip address of our router/NAT device, it wouldn't know where to forward the packet, since there's no IP entry associated with port 6346 in its table. So, if this situation is of a concern to us, we can setup port forwarding to let the router know that whenever a packet comes in with desktination port 6346 forward it to such and such local ip.
Here's what I'm confused about. If the everything above is true, then if our P2P application works without port forwarding, that means NAT device recorded the source port 6346 of our outgoing requests and that's what it is using to reference our local ip address, since otherwise, when replies or requests would come in with destination port 6346, NAT device wouldn't know what to do with them. That means that our source port cannot be anything but 6346 if we want to act as a server for other requests coming in.
How come for example, in your NAT overload tutorial on first page the source port is 3000 while the destination is 23. I was under impression that if we're trying to request a service running on port 23 (which is telnet), then our source ip for this request would also have to be 23. So is the source port randomly assigned to each outgoing packet which TCP/IP then monitors for replies? If yes, then what's the point of doing this, if NAT device will anyway assign a different random port for its table if it detects a duplicate source port. And if the source ports are randomly assigned then how does this apply to our P2P application whose source port of the outgoing packet has to be 6346 (otherwise it wouldn't work without port forwarding). Or does this depend on each application? When you program your application can you control whether your source port is going to be fixed or random?
And another thing, if NAT device detects duplicate source ports and then replaces with a random source port for its internal routing purposes, then two P2P application running at the same time on different pcs behind the same router/NAT device should work without a problem, so we wouldn't need to map a second ip to a second local ip in order for this to work. Correct?
I would appreciate it if you could clear up these points for me. Thank you and sorry again for such long questions.
As far as I understand port forwarding is required when no outside connection has yet been made (since no entry yet exists in NAT table), in other words, whenever there's an application that acts as a server. A P2P application acts as both a client and a server that uses port 6346 for its communication. So, if our application sent a request to another user on port 6346 NAT device would record the following information in its table.
Source IP: 192.168.0.100
Source port: 6346
Dest. IP : xxx.xxx.xxx.xxx
Dest. port: 6346
Then, the router would replace the source IP with its own public IP and send the packet. when reply comes back it would look at destination port 6346, look in its table and see that port 6346 associated with 192.168.0.100 so that's where it forward the packet.
But if, for some reason, the router receives an incoming packet (before the above took place) with 6346 source port and ip address of our router/NAT device, it wouldn't know where to forward the packet, since there's no IP entry associated with port 6346 in its table. So, if this situation is of a concern to us, we can setup port forwarding to let the router know that whenever a packet comes in with desktination port 6346 forward it to such and such local ip.
Here's what I'm confused about. If the everything above is true, then if our P2P application works without port forwarding, that means NAT device recorded the source port 6346 of our outgoing requests and that's what it is using to reference our local ip address, since otherwise, when replies or requests would come in with destination port 6346, NAT device wouldn't know what to do with them. That means that our source port cannot be anything but 6346 if we want to act as a server for other requests coming in.
How come for example, in your NAT overload tutorial on first page the source port is 3000 while the destination is 23. I was under impression that if we're trying to request a service running on port 23 (which is telnet), then our source ip for this request would also have to be 23. So is the source port randomly assigned to each outgoing packet which TCP/IP then monitors for replies? If yes, then what's the point of doing this, if NAT device will anyway assign a different random port for its table if it detects a duplicate source port. And if the source ports are randomly assigned then how does this apply to our P2P application whose source port of the outgoing packet has to be 6346 (otherwise it wouldn't work without port forwarding). Or does this depend on each application? When you program your application can you control whether your source port is going to be fixed or random?
And another thing, if NAT device detects duplicate source ports and then replaces with a random source port for its internal routing purposes, then two P2P application running at the same time on different pcs behind the same router/NAT device should work without a problem, so we wouldn't need to map a second ip to a second local ip in order for this to work. Correct?
I would appreciate it if you could clear up these points for me. Thank you and sorry again for such long questions.
Time to create page: 0.135 seconds