By Aaron Weiss
July 13, 2009
If your router is running Tomato firmware, you can configure how it manages particular kinds of data. Learn how here.
When two computers connected via the Internet want to talk to one another, they do so through a channel called a “port.” If each computer were an apartment building, a port would be a particular apartment. For example, if your computer contacts the Web server of a remote computer, it usually knocks at the door of port 80, because this is where most Web servers “live.”
Many network applications are assigned to specific ports—besides port 80, port 443 is used for HTTPS, or secure Web communications. Meanwhile, port 21 is used for FTP and port 110 for POP3 e-mail. In custom configurations you can sometimes use non-standard ports, but most applications stick to the standard port assignments.
One job of a router is to navigate data from external to internal ports and vice versa. This ensures that data coming into your network from an outside machine reaches the correct destination, and that outgoing data enjoys the same. If your router is running Tomato firmware, you can configure how it manages particular kinds of data so that it travels the correct route. This is called port forwarding, and Tomato offers four basic kinds of port forwarding configuration: basic, DMZ (de-militarized zone), triggered, and UPnP/NAT-PMP. If few of those words make sense now, hopefully they will soon.
Basic port forwarding
Most of the cases where you need to use port forwarding involve directing incoming requests from the Internet to a particular machine inside your LAN. And in most of these cases, that means you’re running a server inside your LAN, such as a Web server.
In the case of running a Web server, incoming requests will hit the router asking for port 80. You need the router to forward these requests to the internal IP address of your server.
To configure basic forwarding in Tomato, log in to the router’s administrative interface (default http://192.168.1.1) and click on Port Forwarding/Basic.
In the picture above, the configuration labeled “primary Web server” demonstrates forwarding port 80 to an internal computer, with the address 192.168.1.10.
When configuring a port forward, there are several criteria you may specify:
On: Checkbox that enables or disables the port forwarding rule.
Proto: Whether to forward for TCP, UDP, or both protocols. TCP is used for most Internet traffic, but UDP is often used for streaming media. When in doubt, choose “Both”.
Src Address: Not frequently used, this will restrict the rule to incoming requests from the specified addresses. You can specify addresses three ways: as an individual IP address (192.168.1.100), a sequential range of IP addresses (192.168.1.100-192.168.1.150), or using a netmask—a somewhat more complex way of calculating a set of addresses. Most of the time you want your rule to apply to all incoming data, so you typically leave this field blank.
Ext Ports: List the ports to be forwarded under this rule, either a single port (80), a list of individual ports separated by commas (80,82), or a sequential range of ports (80-85).
Int Port: You can redirect the incoming request to a different port on your internal server. In the picture above, the rule labeled “secondary Web server” redirects outside requests for port 8080 to the standard port 80 on the internal machine at 192.168.1.11. This means that a Web server running on the default port 80 will receive requests that outside users send to http://yourrouter:8080.
Int Address: Finally, the IP address of the internal machine that will receive requests to the specified port(s). You can enter only one address here, since that is the point of these port forwarding rules. Keep in mind that if your machine is configured to receive its IP address by DHCP from the router, it may not always be the same on each boot. This could cause a port forward rule to this machine to fail. Instead, you should configure the internal machine with a static IP address compatible with your router’s network addressing scheme.
Of course, after completing the fields be sure to click “Add” for the port forwarding rule to take effect.
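As an added example (not code from the article or from the Tomato project), here is a small Python model of the Basic rule fields described above, combined with the DMZ fallback covered in the next section: it parses the Src Address and Ext Ports formats, checks that the Int Address sits on the LAN (192.168.1.0/24 is assumed, matching the default router address), and decides where an inbound packet lands. The precedence follows the article (a matching forwarding rule wins, then the DMZ host, otherwise the packet is dropped); the DMZ's own source-address restriction is left out.

```python
import ipaddress

def parse_ports(spec):
    """Expand an 'Ext Ports' value: "80", "80,82" or "80-85" -> sorted list of ports."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"bad port spec: {part!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)

def parse_src(spec):
    """'Src Address': blank (any), one IP, 'a-b' range or 'net/prefix' -> (low, high) or None."""
    spec = spec.strip()
    if not spec:
        return None
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(x.strip()) for x in spec.split("-", 1))
    elif "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        lo, hi = net[0], net[-1]
    else:
        lo = hi = ipaddress.ip_address(spec)
    return lo, hi

def make_rule(desc, proto, src, ext_ports, int_port, int_addr, lan="192.168.1.0/24"):
    """Validate one Basic rule. The LAN prefix is an assumption (Tomato's default subnet)."""
    proto = proto.lower()
    if proto not in ("tcp", "udp", "both"):
        raise ValueError("Proto must be TCP, UDP or Both")
    addr = ipaddress.ip_address(int_addr)
    if addr not in ipaddress.ip_network(lan):
        raise ValueError(f"Int Address {int_addr} is not on the LAN {lan}")
    return {"desc": desc, "proto": proto, "src": parse_src(src), "ext": parse_ports(ext_ports),
            "int_port": int(int_port) if int_port else None, "int_addr": str(addr)}

def route(rules, proto, src_ip, dst_port, dmz=None):
    """Where an inbound packet lands: first matching rule, else the DMZ host, else None (dropped)."""
    src_ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if r["proto"] not in (proto, "both"):
            continue
        if r["src"] and not (r["src"][0] <= src_ip <= r["src"][1]):
            continue
        if dst_port in r["ext"]:
            return r["int_addr"], r["int_port"] or dst_port  # blank Int Port keeps the same port
    return (dmz, dst_port) if dmz else None
```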
Even if you’re not running a Web server, there are many cases where you might need to configure port forwarding. For example, suppose you want to use Microsoft Remote Desktop to connect to one of your PCs from outside the network—say, at the office or a friend’s house. Without port forwarding, the Remote Desktop client outside your network won’t be able to reach your PC because its requests will die at the router. Remote Desktop uses port 3389, so this is the port you would need to forward to the specific machine you want to connect to.
There are hundreds of network applications which require port forwarding rules to reach a PC behind your router from outside.
DMZ—the demilitarized zone
TMZ is a Web site for celebrity gossip, but DMZ is a computer inside your network which gets a free pass from the firewall. In other words, when you enable a DMZ, you specify one machine that will receive any requests from the Internet not otherwise destined for a different machine via port forwarding rules.
Creating a DMZ essentially places the target machine “in the clear,” which also means it is not protected by the router’s firewall.
To configure a DMZ in Tomato, log in to the router’s administrative interface and click on Port Forwarding/DMZ.
Click Enable DMZ to turn this feature on, and specify the static IP of your internal machine under Destination Address.
As with the Src Address field under basic port forwarding, you can enter an IP address, range, or netmask to restrict which external machines will be routed to your DMZ machine.
It is easy to create a DMZ as a way of being “lazy” and avoiding creating port forwarding rules, but remember that this can be very dangerous since that machine is no longer protected from potentially malicious connections.
Basic port forwarding as seen earlier does have some limitations. One is that you must forward to a specific machine, which makes it cumbersome to run a service using the same ports from more than one machine inside your LAN. Another is that the rule is always in effect (unless you manually disable it), meaning that port is left open even when the network application is not being used, which could be a security risk in some circumstances.
A port trigger is a variant on basic port forwarding that can be useful in certain cases. A port trigger is basically a dynamic port forwarding rule, which enables port forwarding to a “trigger” machine only when that machine connects to certain external ports.
Let’s put it another way, looking at the example of bittorrent. When you run a bittorrent client and initiate a torrent download, the client connects to a tracker server at port 6969. Peer machines will try to create incoming connections to your machine on ports 6881 to 6889. Without these ports open through your router, your download speeds may suffer.
You could create a basic port forwarding rule to forward ports 6969 and 6881-6889 to a specific internal IP address. But doing this means you can only run your Bittorrent client from that one machine (and, again, those ports will always be open, even if you aren’t torrenting anything).
In this case, configuring a port trigger rule makes more sense.
To configure a port trigger in Tomato, log in to the router’s administrative interface and click on Port Forwarding/Triggered.
In the picture above we’ve created a rule labeled “bittorrent.” The Triggered Port is 6969, because this is the port your machine will connect to via outgoing request. When the router sees this outgoing connection, it will create a temporary incoming rule for Forwarded Ports 6881-6889. You do not need to specify the IP address of your internal machine because it initiated the trigger in the first place, so the router knows “who” it is.
This temporary rule will remain in effect until a few minutes have passed without activity on the incoming ports. This adds some security, since the “hole” in the firewall will close itself once no longer needed.
The major limitation of port triggers versus basic port forwarding is that triggers can only take effect when your internal machine initiates the connection. If your machine were a Web server, for example, this makes no sense—it is the outside machine that would initiate a request to your server. So port triggering would not work for a Web server or, indeed, most traditional servers. As a result, port triggers are not that common, but you may find them useful for hybrid client/server applications like Bittorrent, IM with file transfer, IRC, and some gaming servers.
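To make the trigger behaviour concrete, here is an added Python simulation (not code from the article or from Tomato) of the “bittorrent” rule above: nothing is forwarded until a LAN host connects out to the Triggered Port, the Forwarded Ports then open back to that host only, and the hole closes after a period without inbound activity. The 300-second idle timeout, and the assumption that the latest triggering host owns the forwarded range, are mine; the article only says “a few minutes.”

```python
IDLE_TIMEOUT = 300  # seconds; the article says "a few minutes", the exact value is an assumption

class PortTrigger:
    """One Triggered rule: an outbound hit on trigger_port opens fwd_ports back to that LAN host."""
    def __init__(self, desc, proto, trigger_port, fwd_ports):
        self.desc, self.proto = desc, proto.lower()      # "tcp", "udp" or "both"
        self.trigger_port = trigger_port
        self.fwd_lo, self.fwd_hi = fwd_ports             # inclusive range, e.g. (6881, 6889)

class TriggerTable:
    """Router-side state: which forwarded ranges are open, for which host, and since when."""
    def __init__(self, rules):
        self.rules = rules
        self.active = {}   # (proto, fwd_lo, fwd_hi) -> (lan_host, last_inbound_activity)

    def expire(self, now):
        """Close any hole that has seen no inbound activity for IDLE_TIMEOUT seconds."""
        self.active = {k: v for k, v in self.active.items() if now - v[1] <= IDLE_TIMEOUT}

    def outbound(self, lan_host, proto, dst_port, now):
        """A LAN host connects out; if it hits a trigger port, arm that rule for this host."""
        for r in self.rules:
            if r.proto in (proto, "both") and dst_port == r.trigger_port:
                # Assumption: one host per rule at a time, the latest trigger wins
                self.active[(r.proto, r.fwd_lo, r.fwd_hi)] = (lan_host, now)

    def inbound(self, proto, dst_port, now):
        """Return the LAN host an inbound packet is forwarded to, or None if it is dropped."""
        self.expire(now)
        for (rp, lo, hi), (host, _) in list(self.active.items()):
            if rp in (proto, "both") and lo <= dst_port <= hi:
                self.active[(rp, lo, hi)] = (host, now)   # inbound traffic keeps the hole open
                return host
        return None
```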
Automated port forwarding
Port triggers are one way to create dynamic port forwarding rules, but they aren’t the only way. Where basic port forwarding is a top-down system—the rules are created by the administrator—two protocols, called UPnP (Universal Plug and Play) and NAT-PMP, allow applications to automate port forwarding rules themselves.
For example, a media server device with support for UPnP may tell the router “I need port 4100,” and so the router will dynamically create a temporary port forwarding rule to that device. This is similar to port triggers, but the difference is that the rule request is being initiated by the software itself rather than an administrator configuring the router.
To configure UPnP/NAT-PMP triggering in Tomato, log in to the router’s administrative interface and click on Port Forwarding/UPnP / NAT-PMP.
The only two options here are to enable or disable each of the two protocols, UPnP and NAT-PMP. UPnP is the most common automated port forwarding protocol, supported by many media devices. NAT-PMP is the protocol that Apple uses under the name Bonjour, often used by printers and some media servers under both Mac and Windows.
If any UPnP or NAT-PMP devices have initiated port forwarding requests, these temporary rules will appear in the Tomato interface. When the devices disconnect from the network, they will shut down their port forwarding and the temporary rules will disappear.
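As an added example (not code from the article or from Tomato), the exchange described in this section for NAT-PMP, with both sides in Python: the client builds the mapping request a device sends to the router, and a minimal router grants a temporary rule that expires after the requested lifetime (a lifetime of 0 removes the mapping). The packet layouts follow RFC 6886; the policy of trying the internal port first when no external port is suggested is an assumption of mine.

```python
import struct

OP_MAP_UDP, OP_MAP_TCP = 1, 2   # NAT-PMP opcodes (RFC 6886); a reply carries opcode | 0x80
REQ = "!BBHHHI"                  # version, opcode, reserved, internal port, suggested external port, lifetime
RESP = "!BBHIHHI"                # version, opcode, result, seconds since epoch, internal, external, lifetime

def build_map_request(proto, internal_port, suggested_external=0, lifetime=3600):
    """Client side: what a device sends to the router on UDP 5351 to ask for a port."""
    op = OP_MAP_TCP if proto == "tcp" else OP_MAP_UDP
    return struct.pack(REQ, 0, op, 0, internal_port, suggested_external, lifetime)

def parse_map_response(data):
    """Decode a successful 16-byte mapping reply (error replies are 8 bytes and not handled here)."""
    ver, op, result, epoch, iport, eport, life = struct.unpack(RESP, data)
    return {"op": op & 0x7F, "result": result, "internal": iport, "external": eport, "lifetime": life}

class NatPmpRouter:
    """Minimal router side: grants mappings to LAN clients and expires them by lifetime."""
    def __init__(self, start):
        self.start, self.table = start, {}   # (opcode, ext_port) -> (client_ip, int_port, expires_at)

    def handle(self, data, client_ip, now):
        self.table = {k: v for k, v in self.table.items() if v[2] > now}   # drop expired rules
        ver, op, _, iport, eport, life = struct.unpack(REQ, data)
        if ver != 0:
            return struct.pack("!BBHI", 0, op | 0x80, 1, now - self.start)  # result 1: unsupported version
        if op not in (OP_MAP_UDP, OP_MAP_TCP):
            return struct.pack("!BBHI", 0, op | 0x80, 5, now - self.start)  # result 5: unsupported opcode
        if life == 0:   # lifetime 0 asks the router to delete this client's mapping for that port
            self.table = {k: v for k, v in self.table.items()
                          if not (k[0] == op and v[0] == client_ip and v[1] == iport)}
            return struct.pack(RESP, 0, op | 0x80, 0, now - self.start, iport, 0, 0)
        ext = eport or iport   # assumption: with no suggestion, try the internal port number first
        while (op, ext) in self.table and self.table[(op, ext)][0] != client_ip:
            ext = ext % 65535 + 1   # suggested port is held by another client: pick the next free one
        self.table[(op, ext)] = (client_ip, iport, now + life)
        return struct.pack(RESP, 0, op | 0x80, 0, now - self.start, iport, ext, life)
```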