selfhosted-apps-docker/network-knowledge-base/port_forwarding.md
2024-06-01 12:55:08 +02:00

8.1 KiB

Port Forwarding Guide

What is a port

An IP address identifies specific machine on a network, a port identifies specific application running on that machine.

A port is a number between [1 - 65,535] that is assigned by the OS to any application that wants to communicate over the network. Can be choosen at random, can be hard set.

pic_port_header

How Router's NAT works

  • Allows outgoing traffic on any port.
  • Drops incoming traffic unless it is a response to communication initialized from the inside.

This is not really some security effort, the router just literally has no idea where to send it...

More unnecessary details

NAT is implemented in your router.
It makes your LAN side devices able to connect with the outside world - WAN side, through one public IP. "The internet" sees just one device it communicates with, at least at this network level.

pic_nat

LAN side initialized communication

  • You visit a website, let's say youtube.com
  • Your browser has some random port assigned by the OS, this will be the source port. The local IP address of the machine it runs on will be the source IP
  • Browser/OS ask DNS servers for IP address of youtube.com, the answer is 142.250.191.78 - destination IP
  • Youtube is a website, standard for https is using port 443 - destination port.
  • All requred information are there. Destination[ip & port] Source[ip & port].
  • Packets are send.
  • The browser now waits for a response at that random port.
  • Since the router is the default gateway, thats where the packets arrive.
  • The router saves all that info in its state table for a time, could be seconds, could be days depending on protocol and state.
  • Router doing the NAT now replaces the source IP address of that one machine, with its own wan IP address, it might also change source port but that is not as important, and sends it out in the direction of the destination IP.
  • Response comes back, router knows it is a response because it's coming from the IP that it contacted recently and the destination port it uses is the same number that was used as the source port.
  • It checks the state table for the original source IP and source port, put them in, now as destination and off the packets go.
  • The browser receives response on its assigned port, from the IP it contacted.

WAN side initialized communication

  • Want to connect to a jellyfin server to watch some movies from browser.
  • You know the IP address or the url. You also expect it to run on default port jellyfin uses 8096
  • The browser makes the request.
  • The router sees it coming at port 8096, but where does it send it? There is nothing in the state table, that would tell it.
  • So it drops it, unless there is a port forwarding rule that says that if something comes to port 8096 send it to this local ip address and at that port...

Youtube explanation videos if you want deeper dive:



Double NAT (CGNAT)

Bad News.
It is very likely that even when you do everything 100% correctly, you still wont get your ports open.
The reason being that your machine is behind double NAT. Your ISP - internet service provider, has you behind its own NAT device and that WAN side of your router is not really "the internet", but ISPs LAN side.

A way to try and check, is looking up your public IP online then log in to your router and finding somewhere the IP address of your WAN interface. If they are the same then your are not behind double NAT and port forwarding will work straight away.
If they differ and some local IP is there, then there is still a chance it will work, but you wont know till you try.

But if you are failing to make port forwarding work, it's time to call your ISP and ask about public IP, how much would it cost. It can be few extra € to your monthly bill.

Port forwarding

Finally. Right?!

You want to host something, lets say a minecraft server.
You set it all up, you give your public IP address to others and they try to connect, but your router blocks them. It's a connection initialized from the outside.

So you need to tell your router/firewall to let through the traffic that comes to minecraft default port - 25565 and where to send it on your LAN, to the local IP of your minecraft server.

diagram_port_forw_minecraft

Examples of port forward rule

How to actually create that port forward rule depends on router/firewall model.

Generally what to expect

  • It would be called port forwarding, or a virtual server, or be under NAT section.
  • The port on which to expect traffic is obviously a core information, sometimes it is called a service port or an external port.
  • IP address is required, so that the router knows where on the LAN side to send traffic that comes to that external port.
  • The setup might offer option for internal port, this can be often left empty, or the same port number is put there.
    It is there to give you option to run stuff on your LAN network on a different port than the one you open to the world. Like your webserver is 80, but you open to the world port 12250 or whatever.
  • The protocol - TCP or UDP, if dunno select both / all
    You don't need to fear you are opening too much, if there is no service running on that port for that protocol it is same as a closed port.

Testing if port forwarding works

port_check_web

First you need to understand that unless there is some application running that answers on that port, all tests will come back as - closed port.

For testing we can use websites that will test if a port is open at specified public IP.

Windows

  • Find the local ip address of the machine you are planning to use for the test.
  • Follow the instruction in Port forwarding section of this guide and forward port 666 to the IP of that machine.
  • Download Port Listener.
  • Run Port Listener, set port 666, press Start.
    • If a windows firewall notification pops up with a question, answer yes.
  • Go to portchecker.co, set the port to 666 and press Check.

port_listener

In windows it is also pretty useful knowing that you can go Task Manager > Performance > Open Resource Monitor > Network Tab

There unroll Listening Ports and you should find there - listener.exe with port 666 and firewall status should be allowed, not restricted

windows_port_check

Linux

  • find your ip address - ip r
  • Follow the instruction in Port forwarding section of this guide and forward port 666 to the IP of that machine.
  • try running netcat - nc
    • if it is not installed, get it for your distro, for arch it's openbsd-netcat, for debian it's netcat-openbsd, for fedora it's netcat
  • execute sudo nc -vv -l -p 666
  • Go to portchecker.co, set the port to 666 and press Check.

UDP port test

UDP is kinda special cuz it's session-less, so you need to actually communicate through it to test it.

  • on a linux machine on LAN - sudo nc -vv -u -l -p 666
  • on a linux machine somewhere out there - nc -u the_public_ip_goes_here 666
  • write something and it should appear on the other side