Your method may vary…
There are many ways to share a connection and consequently just about as many ways to open holes in a NAT-based firewall. Because of this, this section is not an exact how-to guide, but instead is a reference that is intended to save time when you are trying to get your special application to work.
Let’s start with a look at the features and limitations of some popular sharing products.
Sygate will handle many applications that are “special” to other sharing methods, right “out-of-the-box”. It also handles triggered maps, port ranges, and allows you to specify TCP or UDP protocols. Although a 3-user license costs $40, it’s cheap compared to the time you can spend tearing your hair out getting some other programs to work. You can download a free demo by clicking here.
If ICS is your chosen instrument of torture, you can make mapping ports easier by using Harley Acheson’s ICS Configuration, which you can get here. Also check out the ICS Configuration port map page for ready-to-use map files. ICS can handle port ranges and multiple protocols, but does not support triggered maps.
If you’re using Linux “Masq” or “Masquerade” to share your connection, this site has lots of helpful info.
Note that some of the very inexpensive routers do not support port range mapping or triggered maps. They also tend to have a limited number (10-12) of single port mappings and you can’t specify TCP or UDP. So if your favorite application needs mapped port ranges, you’ll have to choose another router or use the router’s “DMZ” or “Exposed Computer” option for one computer. Go back to this section for a list of routers that support triggered maps.
If all this just sounds like too much of a hassle, you might want to skip trying to find out what holes to open and just place one computer outside the firewall. Most NAT routers will allow you to do this through a feature usually called “Exposed Computer” or “DMZ Computer”. Of course, that computer is completely exposed to the Internet, so you’d better lock it down real tight!
How to Do it
Before we get going, here’s the warning, one more time.
Opening holes in your firewall can compromise your LAN’s security if done incorrectly. Please read this information on Security before proceeding.
The Special Application Ports section below contains a list of applications with information on the ports that they use. This list is mostly an edited version of Sygate’s Apprule.cfg file, with the Sygate specific terminology removed.
In the list, you’ll see OUT, IN, TCP, UDP and numbers. Here’s what they mean:
OUT
This is useful for programs and routers that support triggered maps, such as Sygate.
– Triggered maps are not active until a Client computer sends a packet that matches the protocol and port that are specified in the trigger.
– Triggered maps allow you to have more than one machine use a port mapping, although only one machine at a time can use the mapping. Triggered maps do not include an IP address of the “Target” client (the machine that uses the mapping).
IN
This is the “hole” that the application needs in the firewall. You always need to enter this information.
TCP
Means Transmission Control Protocol, and is one way that applications communicate on the Internet.
UDP
Means User Datagram Protocol, and is another way that applications communicate on the Internet.
Number
Is the number of the special port(s) used by the application. There’s a reference list of port definitions here if you’re curious (WARNING: it’s ONE looonng page).
Tips to create your mapped ports
- Use a fixed IP address for the computers that are the targets of your port mappings.
If you use a DHCP server to assign your Client computer IP addresses, your port maps will stop working when your Clients obtain different IP addresses from the DHCP server.
(Of course, if you assign a fixed IP address, make sure you enter the proper Gateway and DNS information into the Client’s TCP/IP properties.)
(NOTE: If you are using a NAT router that supports triggered maps, you can ignore this step.)
- Set up the mapping using the IN port and protocol information.
If you see a single number, like this:
IN TCP 113
that’s a single port.
If you see two numbers like this:
IN TCP 113 120
it means you need to map a port range from port 113 to 120.
- Make sure you enter both the TCP and UDP information in separate mapping entries if your router allows you to specify the protocol used.
If it doesn’t allow you to specify TCP or UDP, then enter separate mappings for both the TCP and UDP table entries, but only if they are different port numbers.
Example 1
The application port information looks like this:
IN UDP 1140 1234
IN TCP 1140 1234
Your router doesn’t let you specify TCP or UDP, so you make one mapping for port range 1140 to 1234.
Example 2
The application port information looks like this:
IN UDP 51200 51201
IN TCP 51210
Your router doesn’t let you specify TCP or UDP, but the port ranges are different, so you make two mappings: one for port range 51200 to 51201; the other for port 51210.
- If your router doesn’t support triggered maps (most don’t), first don’t enter the OUT information. However, if the application doesn’t work, try adding the OUT information to your mapping.
- If you don’t find your application’s information in the list below, consult the application’s Help files or Web site FAQ. The information is usually in a section about Firewalls or Proxies.
- To access your mapped application, remember to use the IP address assigned by your ISP.
Don’t use the private, non-routable address that your router assigns (example: 192.168.0.X). The ISP-assigned address might be assigned dynamically and could change from time to time, which can make it difficult to connect to your special application. You can use a Dynamic DNS service to prevent this.