Special? What’s special?

A “special application” is one that doesn’t work with the default settings of your Internet sharing method.  Depending on the sharing method you use and the applications you run, you can have a lot of “specials” or none at all.  To narrow things down a bit, here are some rules of thumb:

  • If you use the Multiple IP method of sharing, you won’t have any “Special Applications” because every computer is connected directly to the Internet and has its own IP address.  So, no sharing!
  • If you use a Proxy sharing method that uses a classic proxy server (and not one of the “redirection” protocols that many proxies use today in order to appear more “NAT” like), you’ll tend to have a lot of “Special Applications” (in addition to having to play with the settings of each application to configure them for proxy use).
  • If you use a NAT sharing method, a hardware router, or a Proxy-with-redirector, the number of special applications you have and which ones they are will vary.

Since the way of the world seems to be leaning toward NAT based sharing, we’ll be focusing on that method.

A note for Wingate and other proxy users

Proxy-based sharing requires setting up a UDP or TCP mapping service for each Special Application.  The basic information on how to do this with the original Wingate (2.X) or Wingate 3.X’s Standard or Pro’s Proxy Service can be found in Wingate Knowledge Base Article 1057.  A how-to for setting up a Dialpad mapping can be found in Article 1556.  The Wingate Knowledge Base also has a listing of articles that deal with port mapping.

Note that you can’t map ports with Wingate 3.X Home or when using Wingate 3.X’s WRP method.

For other proxy programs, the approach is the same as with Wingate, but the details of doing the mapping will be different.  Consult your program’s Help or FAQ pages.

Your Friend, the NAT firewall

NAT routers have a natural firewall that rejects any unsolicited data that tries to travel from the Internet to a computer on your LAN.  Basically, if you didn’t ask for the data, it isn’t gonna get past the firewall. A few examples may help:

  • Applications like Web browsing and email work fine through the NAT firewall because in each case, you ask for a web page or ask to send or receive email.

  • If you try to run a web server on one of the computers behind the NAT firewall, it won’t be accessible because the requests for data are not originating from a machine on your LAN, but from a machine out on the Internet.

  • Messaging applications like AIM, ICQ, Netmeeting, Dialpad and others might be able to originate calls or chat sessions, but may not be able to receive calls, because receiving calls means that the data request didn’t start out from a machine on your network.


Just another hole in the wall

So what do you want to do if you want to receive data originating from the Internet?  The answer goes by many names, e.g. port mapping, port forwarding, DMZ, application rules, etc.  But they all boil down to opening holes in the firewall so that unrequested data can come into selected computers on your LAN.

Notice that I said unrequested data.  In light of all the media articles about Internet security, that might make you want to stop right here and leave that firewall intact!  However, it is possible to be secure and have your favorite applications work, but it takes some work and you have to be careful to do things right.

Opening holes in your firewall can compromise your LAN’s security if done incorrectly. Please read this information on Security before proceeding.

Rule #3 “Open only the ports you need” is the most relevant to the subject of opening special application ports, so keep it in mind when you’re deciding whether you really need to open that firewall hole.

One port per customer!

Port mapping through a firewall isn’t a substitute for having a computer connected directly to the Internet.  Another rule of thumb may help:

Only one computer inside the firewall can use a specific inbound port at a time.

If all Internet applications used only one unique port, there wouldn’t be much confusion about how all this port mapping stuff works.  But not all applications work that way.  Many applications (messaging and gaming applications in particular) use multiple ports and groups of ports, and are generally the hardest to get working behind a firewall.  Other applications, like MS Netmeeting, are pretty much impossible to get working behind a firewall because they use multiple ports, port ranges, dynamically assigned ports, and special protocols.  For these applications, you’ll just have to place the computer that you want to run the application on outside the firewall, either physically, or via your router’s “DMZ” or “Exposed Computer” feature.

Pull the trigger

Some routers try to get around this “one port per customer” limitation by using “triggered” maps.  Triggered maps work by having the router watch outgoing data for a specific port number and protocol.  When the router sees a match, it remembers the IP address of the computer that sent the matching data.  When the requested data wants to come back in through the firewall, the router uses the port mapping rules that are linked to the trigger, and the IP address of the computer that “pulled” the trigger, to get the data back to the proper computer.

These triggered events can be timed so that they erase the port mapping as soon as they are done with the data transfer, so that the port map can be triggered by another Client computer.  This gives the illusion that multiple computers can use the same port mapping at the same time, but the computers are really just taking turns using the mapping.

Two important limitations of triggered maps!

  1. The trigger event comes from a computer inside the firewall.
    Trigger events can’t happen on data coming from outside the firewall because the NAT router’s sharing function doesn’t work in that direction.

  2. The more an application needs to have a continuous data stream, the less likely that triggered maps are going to help.
    This is because the continuous data stream ties up the port mapping so that it can’t be triggered by another computer.  
    Remember: Only one computer can use a port or port range at a time on a given real (ISP assigned) IP address!
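To make the behaviour described in the last three sections concrete (the NAT firewall dropping unsolicited data, the “one port per customer” rule for static maps, and a triggered map that clients take turns owning), here is a toy model of a router’s inbound decision. It is an illustration added to this article, not code from any router; port numbers are assumed to be preserved across the NAT, and the 60-second trigger lifetime is a made-up value.

```python
# Toy model of a NAT router's inbound decision: solicited replies, static port
# forwards, and triggered maps.  Constructed for this article, not real firmware.

class NatRouter:
    def __init__(self):
        self.sessions = set()   # (proto, lan_host, lan_port, remote_host, remote_port)
        self.forwards = {}      # (proto, inbound_port) -> lan_host
        self.triggers = {}      # (proto, trigger_port) -> (proto, inbound ports)
        self.active = {}        # (proto, inbound_port) -> (lan_host, expiry tick)

    def add_forward(self, proto, port, lan_host):
        """Static port map.  'One port per customer': a second host is refused."""
        if (proto, port) in self.forwards and self.forwards[(proto, port)] != lan_host:
            return False
        self.forwards[(proto, port)] = lan_host
        return True

    def add_trigger(self, out_proto, out_port, in_proto, in_ports):
        """Outgoing traffic to out_port opens in_ports for whichever host sent it."""
        self.triggers[(out_proto, out_port)] = (in_proto, tuple(in_ports))

    def outbound(self, proto, lan_host, lan_port, remote_host, remote_port, now, ttl=60):
        """A LAN host sends a packet: record the session, and pull any trigger."""
        self.sessions.add((proto, lan_host, lan_port, remote_host, remote_port))
        rule = self.triggers.get((proto, remote_port))
        if rule is None:
            return "sent"
        in_proto, in_ports = rule
        for p in in_ports:
            owner = self.active.get((in_proto, p))
            if owner and owner[0] != lan_host and owner[1] > now:
                return "trigger busy"   # another client still owns the map
        for p in in_ports:   # map expires after ttl so the next client can take a turn
            self.active[(in_proto, p)] = (lan_host, now + ttl)
        return "trigger pulled"

    def inbound(self, proto, remote_host, remote_port, dst_port, now):
        """Decide which LAN host an Internet-originated packet goes to, or drop it."""
        for s in self.sessions:   # a reply to something a LAN host asked for
            if s[0] == proto and s[2] == dst_port and s[3] == remote_host and s[4] == remote_port:
                return s[1]
        if (proto, dst_port) in self.forwards:   # static hole in the wall
            return self.forwards[(proto, dst_port)]
        owner = self.active.get((proto, dst_port))
        if owner and owner[1] > now:   # triggered map still owned by a host
            return owner[0]
        return None   # unsolicited: the "natural firewall" drops it
```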

Routers that have this “triggered map” capability include:

So you now should have your expectations properly adjusted about port mapping and know that it won’t be the solution for every need that you have, right?