How to: Set Up Port Forwarding with Tomato
July 13, 2009
If your router is running Tomato firmware, you can configure how it manages particular kinds of data. Learn how here.
When two computers connected via the Internet want to talk to one another, they do so through a channel called a port. If each computer were an apartment building, a port would be a particular apartment. For example, if your computer contacts the Web server of a remote computer, it usually knocks at the door of port 80, because this is where most Web servers live.
Many network applications are assigned to specific ports besides port 80: port 443 is used for HTTPS, or secure Web communications, port 21 for FTP, and port 110 for POP3 e-mail. In custom configurations you can sometimes use non-standard ports, but most applications stick to the standard port assignments.
One job of a router is to direct data between external and internal ports. This ensures that data coming into your network from an outside machine reaches the correct destination, and that outgoing data does the same. If your router is running Tomato firmware, you can configure how it manages particular kinds of data so that they travel the correct route. This is called port forwarding, and Tomato offers four basic kinds of port forwarding configuration: basic, DMZ (demilitarized zone), triggered, and UPnP/NAT-PMP. If few of those words make sense now, hopefully they will soon.
Basic port forwarding
In the case of running a Web server, incoming requests will hit the router asking for port 80. You need the router to forward these requests to the internal IP address of your server.
To configure basic forwarding in Tomato, log in to the router's administrative interface (default http://192.168.1.1) and click on Port Forwarding/Basic.
In the picture above, the configuration labeled "primary Web server" demonstrates forwarding port 80 to an internal computer with the address 192.168.1.10.
When configuring a port forward, there are several criteria you may specify:
On: Checkbox that enables or disables the port forwarding rule.
Proto: Whether to forward for TCP, UDP, or both protocols. TCP is used for most Internet traffic, but UDP is often used for streaming media. When in doubt, choose Both.
Src Address: Not frequently used, this restricts the rule to incoming requests from the specified addresses. You can specify addresses three ways: as an individual IP address (192.168.1.100), as a sequential range of IP addresses (192.168.1.100-192.168.1.150), or using a netmask, a somewhat more complex way of describing a set of addresses. Most of the time you want your rule to apply to all incoming data, so you typically leave this field blank.
Ext Ports: List the ports to be forwarded under this rule, either a single port (80), a list of individual ports separated by commas (80,82), or a sequential range of ports (80-85).
Int Port: You can redirect the incoming request to a different port on your internal server. In the picture above, the rule labeled "secondary Web server" redirects outside requests for port 8080 to the standard port 80 on the internal machine at 192.168.1.11. This means that a Web server running on the default port 80 will receive requests that outside users send to http://yourrouter:8080.
Int Address: Finally, the IP address of the internal machine that will receive requests to the specified port(s). You can enter only one address here, since that is the point of these port forwarding rules. Keep in mind that if your machine is configured to receive its IP address by DHCP from the router, it may not always be the same on each boot. This could cause a port forward rule to this machine to fail. Instead, you should configure the internal machine with a static IP address compatible with your router's network addressing scheme.
Of course, after completing the fields be sure to click Add for the port forwarding rule to take effect.
Even if you're not running a Web server, there are many cases where you might need to configure port forwarding. For example, suppose you want to use Microsoft Remote Desktop to connect to one of your PCs from outside the network, say from the office or a friend's house. Without port forwarding, the Remote Desktop client outside your network won't be able to reach your PC because its requests will die at the router. Remote Desktop uses port 3389, so this is the port you would need to forward to the specific machine you want to connect to.
There are hundreds of network applications which require port forwarding rules to reach a PC behind your router from outside.
DMZ: the demilitarized zone
TMZ is a Web site for celebrity gossip, but DMZ is a computer inside your network which gets a free pass from the firewall. In other words, when you enable a DMZ, you specify one machine that will receive any requests from the Internet not otherwise destined for a different machine via port forwarding rules.
Creating a DMZ essentially places the target machine in the clear, which also means it is not protected by the router's firewall.
To configure a DMZ in Tomato, log in to the router's administrative interface and click on Port Forwarding/DMZ.
Click Enable DMZ to turn this feature on, and specify the static IP of your internal machine under Destination Address.
As with the Src Address field under basic port forwarding, you can enter an IP address, range, or netmask to restrict which external machines will be routed to your DMZ machine.
It is easy to create a DMZ as a way of being lazy and avoiding port forwarding rules, but remember that this can be very dangerous, since that machine is no longer protected from potentially malicious connections.
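To make the rule semantics concrete, here is an added Python model (not Tomato's own code) of how an inbound packet is matched against the Basic table described above and falls through to the DMZ host when no rule claims it. The ForwardRule field names mirror the UI columns; the source-restricted RDP rule, the 203.0.113.0/24 netmask and the sample source addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
# Hypothetical model of Tomato's Port Forwarding/Basic table and the DMZ catch-all.
@dataclass
class ForwardRule:
    on: bool
    proto: str        # "TCP", "UDP" or "Both"
    src_address: str  # "" (any), "a.b.c.d", "a.b.c.d-a.b.c.e" or "a.b.c.d/nn"
    ext_ports: str    # "80", "80,82" or "80-85"
    int_port: int     # 0 keeps the external port number
    int_address: str

def parse_ports(spec: str) -> set:
    """Expand '80', '80,82' and '80-85' into a set of port numbers."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port spec {part!r}")
        ports.update(range(lo, hi + 1))
    return ports

def src_matches(spec: str, src_ip: str) -> bool:
    """Empty Src Address means any source; otherwise single IP, range or netmask."""
    if not spec:
        return True
    ip = ipaddress.ip_address(src_ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-"))
        return lo <= ip <= hi
    if "/" in spec:
        return ip in ipaddress.ip_network(spec, strict=False)
    return ip == ipaddress.ip_address(spec)

def route_inbound(rules, dmz, proto, src_ip, dst_port):
    """First enabled matching rule wins, else the DMZ host; None means the router drops it."""
    for r in rules:
        if not r.on or r.proto not in ("Both", proto):
            continue
        if dst_port in parse_ports(r.ext_ports) and src_matches(r.src_address, src_ip):
            return (r.int_address, r.int_port or dst_port)
    return (dmz, dst_port) if dmz else None

# Constructed table: the article's two Web-server rules plus a source-restricted RDP rule.
RULES = [
    ForwardRule(True, "TCP", "", "80", 0, "192.168.1.10"),                  # primary Web server
    ForwardRule(True, "TCP", "", "8080", 80, "192.168.1.11"),               # secondary Web server
    ForwardRule(True, "TCP", "203.0.113.0/24", "3389", 0, "192.168.1.20"),  # RDP from office only
]
```

Running route_inbound(RULES, "192.168.1.50", "TCP", "198.51.100.7", 3389) shows the DMZ hazard the text warns about: a connection the RDP rule rejects by source still lands on the DMZ host.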
Basic port forwarding as seen earlier does have some limitations. One is that you must forward to a specific machine, which makes it cumbersome to run a service using the same ports from more than one machine inside your LAN. Another is that the rule is always in effect (unless you manually disable it), meaning that port is left open even when the network application is not being used, which could be a security risk in some circumstances.
A port trigger is a variant on basic port forwarding that can be useful in certain cases. It is essentially a dynamic port forwarding rule: the router forwards ports to a machine only after that machine has made an outgoing connection to certain external ports.
Let's put it another way, looking at the example of BitTorrent. When you run a BitTorrent client and initiate a torrent download, the client connects to a tracker server at port 6969. Peer machines will then try to open incoming connections to your machine on ports 6881 to 6889. Without these ports open through your router, your download speeds may suffer.
You could create a basic port forwarding rule to forward ports 6969 and 6881-6889 to a specific internal IP address. But doing this means you can only run your BitTorrent client from that one machine (and, again, those ports will always be open, even if you aren't torrenting anything).
In this case, configuring a port trigger rule makes more sense.
To configure a port trigger in Tomato, log in to the router's administrative interface and click on Port Forwarding/Triggered.
In the picture above we've created a rule labeled "bittorrent". The Triggered Port is 6969, because this is the port your machine will connect to with its outgoing request. When the router sees this outgoing connection, it creates a temporary incoming rule for Forwarded Ports 6881-6889. You do not need to specify the IP address of your internal machine, because it initiated the trigger in the first place, so the router knows who it is.
This temporary rule will remain in effect until a few minutes have passed without activity on the incoming ports. This adds some security, since the hole in the firewall will close itself once no longer needed.
The major limitation of port triggers versus basic port forwarding is that triggers can only take effect when your internal machine initiates the connection. If your machine were a Web server, for example, this makes no sense: it is the outside machine that initiates the request to your server. So port triggering would not work for a Web server or, indeed, most traditional servers. As a result, port triggers are not that common, but you may find them useful for hybrid client/server applications like BitTorrent, IM with file transfer, IRC, and some gaming servers.
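As an added illustration (not part of the original article and not Tomato's code), the following Python models the trigger behaviour just described: an outbound connection to the trigger port opens the forwarded ports to the triggering host, inbound activity keeps the hole open, and the hole closes after an idle period. The class and field names, the 300-second timeout and the LAN address 192.168.1.30 are assumptions; the page only says the rule expires after "a few minutes".

```python
from dataclasses import dataclass, field

# Hypothetical model of a Tomato Port Forwarding/Triggered rule as the article describes it:
# an outbound connection from a LAN host to the trigger port opens the forwarded ports to
# that host, and the hole closes after a period with no inbound activity.
@dataclass
class TriggerRule:
    trigger_port: int  # outbound destination port that arms the rule (6969 for BitTorrent)
    forwarded: range   # inbound ports opened to the triggering host (6881-6889)

@dataclass
class TriggerTable:
    rules: list
    idle_timeout: int = 300                    # seconds; assumed, the article says "a few minutes"
    holes: dict = field(default_factory=dict)  # lan_ip -> (forwarded ports, last activity time)

    def outbound(self, lan_ip: str, dst_port: int, now: float) -> bool:
        """A LAN host connects outward; arm every rule whose trigger port it hit."""
        armed = False
        for r in self.rules:
            if dst_port == r.trigger_port:
                self.holes[lan_ip] = (r.forwarded, now)
                armed = True
        return armed

    def inbound(self, dst_port: int, now: float):
        """Return the LAN host an inbound packet is forwarded to, or None if dropped."""
        self.expire(now)
        for lan_ip, (ports, _) in self.holes.items():
            if dst_port in ports:
                self.holes[lan_ip] = (ports, now)  # inbound activity keeps the hole open
                return lan_ip
        return None

    def expire(self, now: float) -> int:
        """Close holes idle for idle_timeout seconds or more; return how many closed."""
        stale = [ip for ip, (_, last) in self.holes.items() if now - last >= self.idle_timeout]
        for ip in stale:
            del self.holes[ip]
        return len(stale)

# Constructed scenario: the article's BitTorrent rule, one LAN client, time in seconds.
def bittorrent_scenario():
    """Walk through an unarmed peer, the trigger, a forwarded peer, and a peer after expiry."""
    table = TriggerTable([TriggerRule(6969, range(6881, 6890))])
    dropped_before = table.inbound(6881, now=0)    # nothing armed yet -> None
    table.outbound("192.168.1.30", 6969, now=10)   # client contacts the tracker
    peer = table.inbound(6885, now=20)             # peer reaches the client
    late = table.inbound(6885, now=20 + 300 + 1)   # idle longer than the timeout -> dropped
    return dropped_before, peer, late
```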
Automated port forwarding
Port triggers are one way to create dynamic port forwarding rules, but they aren't the only way. Where basic port forwarding is a top-down system (the rules are created by the administrator), two protocols, UPnP (Universal Plug and Play) and NAT-PMP, allow applications to create port forwarding rules themselves.
For example, a media server device with support for UPnP may tell the router "I need port 4100", and the router will dynamically create a temporary port forwarding rule to that device. This is similar to port triggers, but the difference is that the rule request is initiated by the software itself rather than by an administrator configuring the router.
To configure UPnP/NAT-PMP triggering in Tomato, log in to the router's administrative interface and click on Port Forwarding/UPnP / NAT-PMP.
The only two options here are to enable or disable each of the two protocols, UPnP and NAT-PMP. UPnP is the most common automated port forwarding protocol, supported by many media devices. NAT-PMP is the protocol that Apple uses under the name Bonjour, often used by printers and some media servers under both Mac and Windows.
If any UPnP or NAT-PMP devices have initiated port forwarding requests, these temporary rules will appear in the Tomato interface. When the devices disconnect from the network, they will shut down their port forwarding and the temporary rules will disappear.
Aaron Weiss is a freelance writer, book author, and Wi-Fi enthusiast based in upstate New York. For more Tomato help, read "How to: Monitor Bandwidth with Tomato Firmware." For definitions of unfamiliar terms, visit our searchable glossary.