Friday, August 17, 2007

The port forwarding checklist

O.K. So you have to forward a port to a computer in your LAN because you want to run an internet server. You configure the router but it does not work. This checklist goes through some of the major points that may be wrong:

Find out the correct port numbers and protocols: Check the documentation of the software or search the internet for the ports you have to forward. Port numbers range from 1 to 65535. The normal protocol choices are TCP or UDP.

Verify the server uses those ports: Make sure the server is running on the computer. Now open a command prompt window and enter netstat -an. Look at the TCP lines with "LISTENING" state and also at the UDP lines. In those lines look for the entries which have your port number in the local address column after the ":". If you look for port 12345 the local address could be 0.0.0.0:12345 or 127.0.0.1:12345. Be sure to find all lines for your port number and protocol.

If you find your port with local address 0.0.0.0 or the IP address of the computer in front (e.g. 192.168.1.50:12345) then a server is listening correctly. If you only find 127.0.0.1:12345 then the server is only listening on the local "loopback interface". This interface is only accessible on the computer. The forwarding will not work. In that case find out how to change the interface on which your software is listening.

If you don't find the port at all, the server is either not listening at all or it is listening on a different port. Find your running server by entering "tasklist" into the command prompt window. Find the server by checking the image name in the first column. Make a note of the PID in the second column of that line. Now enter "netstat -ano" and search for this PID in the last column of the netstat output. The lines with this PID in the last column show the ports on which your server is currently listening.
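The netstat checks above can be scripted, which also shows exactly which sockets become reachable once the forwarding is enabled. This is an added example, not part of the original post; the sample output is constructed, and the function names (listeners, check_port, ports_for_pid) are made up for illustration.

```python
import re

# Constructed sample of Windows "netstat -ano" output (not captured from a real host).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    127.0.0.1:12345        0.0.0.0:0              LISTENING       4321
  TCP    192.168.1.50:8080      0.0.0.0:0              LISTENING       2200
  TCP    192.168.1.50:49712     203.0.113.7:443        ESTABLISHED     3100
  TCP    [::]:135               [::]:0                 LISTENING       912
  UDP    0.0.0.0:27015          *:*                                    5000
  UDP    127.0.0.1:1900         *:*                                    1500
"""

# proto, local address, local port, foreign address, optional state (UDP has none), PID
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

def listeners(netstat_text):
    """Yield (proto, address, port, pid) for listening TCP and bound UDP sockets."""
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # header or unrelated line
        proto, addr, port, _foreign, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established/closing connections are not servers
        yield proto, addr.strip("[]"), int(port), int(pid)

def check_port(netstat_text, proto, port, lan_ip):
    """Classify how a port is bound, from the point of view of an IPv4 forward."""
    addrs = {a for p, a, n, _ in listeners(netstat_text) if p == proto and n == port}
    if not addrs:
        return "not listening"
    if addrs & {"0.0.0.0", lan_ip}:
        return "reachable"  # forwarding to lan_ip can work
    if all(a.startswith("127.") or a == "::1" for a in addrs):
        return "loopback only"  # forwarding will not work
    return "other interface"

def ports_for_pid(netstat_text, pid):
    """Return the (proto, port) pairs a given PID (from tasklist) is listening on."""
    return sorted({(p, n) for p, _, n, q in listeners(netstat_text) if q == pid})

if __name__ == "__main__":
    print(check_port(SAMPLE, "TCP", 12345, "192.168.1.50"))
```

To use it on a real machine, save the output of netstat -ano to a file and pass its contents instead of SAMPLE.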

Check the firewall: Make sure you have opened the ports in the firewall on the computer. You have to open them for all computers (i.e. the whole internet) and not only for the local subnet or similar.

Check the IP address of the server: The destination IP address of the port forwarding is the IP address of the server inside your LAN. Enter ipconfig /all to find out. It is highly recommended to use a static IP address on that computer because otherwise the IP address may change across reboots and each time you have to adjust the forwarding in the router. If the entry for your network connection in ipconfig /all shows DHCP enabled then you don't have a static IP address on the computer. Make a note of the IP address of the computer, e.g. 192.168.1.50.

Make sure the server is operational: Try to connect to the server from inside your LAN using the IP address you have found in the previous step. E.g. point your client software to 192.168.1.50 and port 12345. Make sure it works. Otherwise your server may not be operational.

Enter and enable the forwardings: Be sure to enter the correct information into the port forwarding form on the router. Choose the correct protocol, i.e. TCP or UDP. If you have the option to forward both at the same time, you may choose that option. Forward all the ports that you need. As target IP address for the forwarding, enter the IP address of the server that you found before, e.g. 192.168.1.50. Don't forget to enable the forwarding if the router has the option to enable/disable specific entries, and don't forget to save the settings on that page.

Do not enable port triggering or similar: You want to forward some specific ports. Port triggering dynamically forwards some ports based on traffic on some other ports. Thus configuring port forwarding and port triggering for the same ports may or may not work. The port triggering function may influence the effect of the port forwarding.

Access the server from inside your LAN: Find the IP address of the router on the internet port. Usually you find it somewhere on the status page of the router configuration. (It is not the LAN IP address of the router, which usually is a private IP address and ends in .1, e.g. 192.168.1.1). Point your client software to the IP address on the status page and make sure it works.

Make sure the router has a direct connection to the internet: Open the website http://whatismyipaddress.com/ . It shows you the public IP address from which the request came. This IP address must be the IP address you have found before in the status page of your router on the internet port. If it is different, your router is not directly connected to the internet but there is another router in front of the router which also does network address translation (NAT). You have to configure port forwarding on this other router as well. Most of the time, this other router is embedded into your modem. If you connect through an apartment building connection there is another router inside your building. Some ISPs also use NAT. In the two latter cases there is probably little or nothing you can do to get the server into the internet.

Access the server from the internet: You have to access the public IP address of your router which you saw in the status page of the router and which you could also find with whatismyipaddress.com in the previous step. You cannot access the server on its private IP address 192.168.1.50 or similar. If your ISP frequently changes the public IP address on your internet connection, you may consider configuring the "DDNS" function in your router if it has one. With DDNS the router registers its IP address with a service like dyndns.org. You can then access your server using a simple hostname instead of the IP address.

Still not working? If everything so far is correct and the way it should be but you cannot access the server it may be that your ISP blocks it. Some ISPs don't allow clients to run internet servers on the connections. Some other ISPs block specific ports which are known to cause problems or are well-known to spread malware. You may ask your ISP about whether they block the port you are trying to use.

5 comments:

Mimlac said...

Wow! After spending all day trying to get my web server up and running, I finally found your checklist and found out what my problem was in only a few minutes. Very well written! Thank you.

Trevor said...

Hi GV,

Does the MTU affect the port forwarding? I got a port forwarding problem in Linksys, but Dlink is ok, so confirm that ISP does not block the ports. Even when I try putting the server in the DMZ zone, still no help.

gv said...

An incorrect MTU value affects all communication through the router including forwarded ports.

Trevor said...

hummh... so any suggestion on the MTU value, my current is set to Auto, with 1500 grey off, so I assume it is running at 1500.... thanks

Sorry that I turn your blog into an answer and question session.

gv said...

See here to determine the correct MTU value.