From the course: CompTIA Network+ (N10-009) Cert Prep
Forwarding ports
- It's a common feature for any SOHO-based firewall to block any incoming information that wasn't initiated by somebody on the inside. Now, if you're inside the router, inside the firewall, and you go to www.google.com, you've opened up a conversation. And once it goes out and then Google comes back, your router sees, oh, this guy inside started that, we want to let Google through, so that your web browser will work. But there are situations where we want unsolicited conversations from the internet to come through our router, so that we can do things. And this is known generically as forwarding ports. Now there are a few different ways to do this. In particular we're going to talk about port forwarding, port range triggering, and then something called DMZ, which I'd prefer to call a SOHO DMZ. All three of these features will take unsolicited information coming in from the internet, let it pass through your router, and then go to a particular system inside your network. This allows us to have servers inside a private network and we can do some cool things with it. For example, at my house I have security cameras and if I want to, I can go through my router and access any of my security cameras. Now if you think about that, we'd want to be careful with the process, and we are going to be careful. So let's go ahead and talk about all these. What I'd like to do is start off by talking about something called port forwarding. So here's a little setup I've got right now. And so this is a NAT-capable SOHO router. Let me put NAT in there to remind you. And from time to time I want to be able to remote access this computer. Now by default, I'm not going to be able to do that, and that's the power of a good firewall and NAT: the only thing I could ping would be the public IP address coming from my internet service provider.
So what I'm going to do is I'm going to make up a number here and we'll say that my internet service provider gives the WAN side of my NAT an IP address of 1.1.1.1. Trust me, that won't work and that's not what my real WAN IP address is on my home router, but it'll work for this demonstration, okay? Then what I'm going to do is I'm going to have 192.168.5, and this is going to be 11 here. And this computer over here will be 192.168.5.12. You know what? Let's have a little fun. I'm going to add one more device. Let me use a red cable here. And I'm going to plug this in to my network and it's going to be a security camera. This security camera is a PTZ, pan-tilt-zoom, and it uses a web interface. And I'm going to say this guy is 192.168.5.13 'cause I punched it in and gave him that IP address. That's where that IP address came from. Now I can open up a web browser on either one of these computers and type in 192.168.5.13. And because it's really a web server, that camera serves up a web interface, I could just see what's on that camera. So that's great when I'm at home, but what if I'm far away and I want to see what's happening on these cameras? I have to set up what's called port forwarding to make this work. So basically what we're going to do is this. The router has to have this capability. So what we're going to do is we're going to say anybody who's coming in on 1.1.1.1, four ones, on port, watch this, 8181. Where did that number come from, Mike? I just made it up and I'll show you how we can use that. So anything that comes in on 1.1.1.1, port 8181, this router will automatically send over to 192.168.5.13. And what does a web browser use? Port 80. Port 80. So this is a way we can get past the firewall of a standard router, and this is a way that we can actually allow something with a private IP address to kind of act like a public server. Now, I wouldn't do this with much more than a camera.
Not that you couldn't put a web server back here, but you would just literally murder your poor router with the amount of work it'd have to do. So here I am, I'm in Denver, and I can just open up a web browser and type in 1.1.1.1:8181. I can type that right into my browser window, hit enter, and I'll be able to see my camera. That's what port forwarding is all about. But this guy has to have the brain power to do it for you. And I just happen to have a perfectly good little router right over here that will do exactly that for me. So let me show you what I've got over here. So, it's a pretty simple setup. This is a very typical home router. It's even a wireless access point. This is a Linksys, which is a good little product. And what I've done, it's not on anything at this point. What I've done though is I've got it plugged into my little Surface here and I'm going to go ahead and configure it. This has a web-based interface and I'm going to go ahead and set up what we just talked about over there. So this is the web interface for this little Cisco Linksys box that I have. This is actually a customized firmware called DD-WRT. I like to use this. I'll actually replace the firmware on these with DD-WRT. It gives me a few extra features. Now the problem we run into with these little home routers is that they're all different. Every one has a web interface and every web interface is different. Sometimes you just got to poke around. So I'm going to poke around on here a little bit. So I've got literally two rows of tabs here. Let's see what we've got. And you'd think I would know where I was going. So I click on this NAT / QoS, and here's port forwarding, right, because that makes sense. Anyway, so what we're going to do is set up this router so I can watch my camera from anywhere on the internet. So you see where it says port forwarding. So, I'm going to add one. Now, application, I can type in anything I want in here.
I'm just going to type in camera. Protocol is TCP or UDP. This camera probably just uses TCP. But I'm going to go ahead and say both 'cause I'm never sure. The source is what IP address will you allow in. If I leave this blank, it'll allow in anything. So then I'm going to do port 8181. I'll show you why we use 8181 in just a minute. And then we type in the internal address of the camera, which is, there it is, 192.168.5.13, and we're going to port it to port 80 because that's what the camera's listening on, and I'm going to enable it and I'm going to save it. What I've just done is allowed port forwarding so that I can see that camera. Keep in mind the camera is a web server, so it's listening on port 80. A lot of people go, Mike, why did you type in port 8181? Why don't you just type in port 80 so I can open up my web browser, type in 1.1.1.1, and it should shoot it straight to that guy, right? Well, it will. The problem is bad guys know to look for stuff like that. By using offbeat weirdo port numbers like 8181, in order for me to get to my camera, I'm going to have to open up a web browser and type in 1.1.1.1:8181. I'm just doing it as a security thing just to make it a little bit harder for people to be able to get into my camera. Now also, keep in mind, my camera also has a login and a password just on the camera itself. So I've got that level of security as well. Now there are situations where you might find yourself having to open up a whole bunch of ports. For example, a lot of people like to play a lot of these online games and they'll set up their own private online server, and that's a great idea. That could be a lot of fun. But a lot of these servers require seven, eight, 10, even a hundred different ports. And imagine having to go through each line in here to set all these up. So what we do instead is we have something called port range forwarding, which is just port forwarding, but it gets a whole bunch of them at once.
So here I'm going to type in counterstrike. And it says start and end. Now I'm making up numbers here, so don't get excited, okay? But I'm going to say start at 12001 and go to 12027. So in this case, I've opened up 28, well, 27 different port numbers. And then I'll say where it goes. In this case, I'll say one of my machines is actually serving Counterstrike, 192.168.5.11. So that's one of my boxes and I'll go ahead and turn that on. And I'll save it. People get all excited about stuff like this and everybody wants to have cameras, and I'm a big security nut and I have multiple cameras at multiple locations for anything that's important to me. But a lot of people will then say, well, wait a minute, Mike, I just ran over to my local computer store and I got a camera for like 45 bucks and I didn't have to go through any of this with my router. I just plugged it in and it kind of magically worked. I even got an app on my phone. Those cameras completely get around this by phoning to a cloud location, and then your app or whatever you're using is using that cloud to access your video. Those things terrify me for one simple reason: I don't have control over my video, it's sitting up in the cloud somewhere and that scares me. So I'm really picky about how I use cameras because I don't want people having any ability to get to my cameras. So when you hear about these cloud cameras, think about that while you're making your decision. Now the next thing I want to talk about is what we call port triggering. Port triggering is a type of forwarding of ports, but it's done for a very, very different reason. And here's an example right here. Let's just say I've got this computer right here and he wants to get onto this FTP server somewhere up in the cloud. FTP is File Transfer Protocol, and this guy has tons and tons of files that I want to download. Very common, very old, and still very respected protocol. FTP uses ports 20 and 21.
And the problem we run into with FTP is that, depending on how you have FTP set up, this guy will set up an FTP client, and in fact most web browsers are even good FTP clients, and he'll go out on port 21 to talk to this guy. That's great. The problem is that FTP, and this is just how the protocol's designed, folks, I didn't invent this, FTP will respond back not on port 21, but on port 20. This is a big problem for these guys. This NATed router will see him going out on port 21 and it's expecting this FTP server to respond back on port 21. And by default, these guys will stop them cold. Now to get around that, what we're going to do is we're going to go up to this router right here and go, listen, anytime anybody sends anything out on port 21, go ahead and allow both port 20 and 21 to come back in. Now I do want to stress to you that FTP servers can go into what's known as a passive mode, where basically the FTP server turns off port 20 and responds back on port 21. They did that because so many of these routers were making it impossible for people to get FTP to work. The important thing is that FTP works better in active mode, where it can respond back on port 20. So what I'm going to do, we're going to go right back into this guy and we're going to set this up so that we can do port triggering so that FTP will work. Okay, coming right back to this guy, you'll see here's port triggering right here. Now port triggering is a pretty automated process because people are familiar with a lot of these things. So we're going to click on add. And this one's actually interesting because a lot of these home routers, they'll say applications, it'll say stuff like FTP and certain games that do this and stuff like that. Here we're going to go old school and just do it the old-fashioned way. So we're going to call the application FTP and the trigger is somebody sending something out on port 21. So our triggered range, I'm feeling triggered right now.
Our triggered port number is 21. And then what we're going to say over here is if somebody goes out on 21, allow anything coming back from that source to come in on 20 and 21. And we've gone ahead and saved it. The fun part about port range triggering is that, with the exception of FTP, you'll be hard pressed to find applications that need this little feature. There are some voice over IP applications where you might run into it, and surprisingly enough, a number of games, especially if you want to be a server of games, where you're simply going to have to turn on port range triggering. Now I love port range triggering, but there's one more guy I want to talk about and that's called DMZ. Now, DMZ stands for Demilitarized Zone, and we have entire episodes that cover an official DMZ, which is something that you'll run into in an enterprise environment, but that's not what I'm talking about here. What I'm about to show you is something you shouldn't do. I'm going to call this SOHO DMZ. SOHO DMZ is a forwarding of ports, but it does it in a very, very scary way. I will go up to my router and I'll go, listen, anything, I mean anything that comes in unsolicited from the internet, send it to a particular computer. Anything. Now, any router that you plug into the internet itself is going to be probed and picked on and prodded by something scary about once every couple of minutes. So if you turn on this style of DMZ, you're exposing your internal network to some very scary stuff. So the one place I've seen people do it, where I've done it myself, is I get nosy about what bad guys are doing, trying to do to me, and I'll set up like a temporary network and just put, you know, a couple of computers back here and I'll set up a DMZ just 'cause I want to see what kind of evil people are trying to do. The longest I've been able to keep a computer up and running with a DMZ on was about four days before somebody just hacked it apart.
So with that attitude in mind, what I want to do is, let's go back one more time and set up a SOHO DMZ on this little router here. All right, now luckily for me, DMZ is also on this same tab. You see it right there. So let's click on DMZ and basically there's not much to set here. Do you want to turn it on? Yes, I do. And who do you want me to expose to the entire internet? Oh, let's go ahead and do 12 there. And ta-da, I have just set up a DMZ. Now be very careful. This type of SOHO DMZ, where you're just exposing one computer to the entire internet, is not a good idea. There is a whole other thing that we do in enterprise environments called DMZ, which uses multiple routers, and it's a very powerful and important tool that we use all the time. Be ready on the exam. You will run into a number of scenario questions where Bob's trying to set up a camera, or Janet wants to do remote desktop, and things like that. And really the answer is more about what type of port numbers they are going to be using and where this is configured, which is going to be right in the router.
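The three features demonstrated in the lesson (port forwarding and port range forwarding, port triggering, and the SOHO DMZ) all come down to one question the router answers for every unsolicited inbound packet: which inside host, if any, gets it? The model below is an added illustration written for this page; it is not code from the course, from Linksys or from DD-WRT. It replays the lesson's configuration (camera on 8181 to 192.168.5.13:80, the 12001-12027 range to 192.168.5.11, an FTP trigger on 21 opening 20-21, and a DMZ host of 192.168.5.12) against a few constructed packets, including the scanner case the lesson hints at. Assumptions: the rule evaluation order (reply to an inside-initiated session, then explicit forwards, then armed triggers, then DMZ, then drop), port-preserving NAT so that a LAN host's source port survives translation, and remote addresses taken from documentation ranges.

```python
"""Toy model of SOHO port forwarding, port triggering and DMZ (added illustration, not DD-WRT code)."""
from dataclasses import dataclass, field
from typing import Optional

WAN_IP = "1.1.1.1"  # the lesson's made-up WAN address


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class PortForward:
    """One row of the port forwarding / port range forwarding table."""
    name: str
    proto: str                           # "tcp", "udp" or "both"
    first: int                           # external port range; a single port when first == last
    last: int
    internal_ip: str
    internal_port: Optional[int] = None  # None = keep the external port (range forwarding)
    allowed_src: Optional[str] = None    # None = anyone on the internet (the lesson's blank "Source")


@dataclass
class PortTrigger:
    name: str
    trigger_port: int  # outbound destination port that arms the rule (21 for FTP)
    open_first: int    # inbound ports then opened for the triggering host (20-21 for FTP)
    open_last: int


@dataclass
class SohoRouter:
    forwards: list = field(default_factory=list)
    triggers: list = field(default_factory=list)
    dmz_host: Optional[str] = None
    sessions: set = field(default_factory=set)  # (lan_ip, remote_ip, proto, lan_port) started inside
    armed: dict = field(default_factory=dict)   # (remote_ip, open_first, open_last) -> lan_ip

    def outbound(self, pkt: Packet) -> None:
        """LAN -> WAN: record the session and arm any trigger whose port matches."""
        self.sessions.add((pkt.src_ip, pkt.dst_ip, pkt.proto, pkt.src_port))  # port-preserving NAT assumed
        for t in self.triggers:
            if pkt.dst_port == t.trigger_port:
                self.armed[(pkt.dst_ip, t.open_first, t.open_last)] = pkt.src_ip

    def inbound(self, pkt: Packet) -> tuple:
        """WAN -> LAN: return (rule, lan_ip, lan_port), or ("drop", None, None) if blocked."""
        if pkt.dst_ip != WAN_IP:
            return ("drop", None, None)
        for lan_ip, remote_ip, proto, lan_port in self.sessions:  # solicited: someone inside started it
            if (remote_ip, proto, lan_port) == (pkt.src_ip, pkt.proto, pkt.dst_port):
                return ("reply", lan_ip, lan_port)
        for f in self.forwards:  # explicit port forwards, with the optional source filter
            if f.proto in ("both", pkt.proto) and f.first <= pkt.dst_port <= f.last:
                if f.allowed_src is None or f.allowed_src == pkt.src_ip:
                    port = pkt.dst_port if f.internal_port is None else f.internal_port
                    return ("forward", f.internal_ip, port)
        for (remote_ip, first, last), lan_ip in self.armed.items():  # only the host that triggered
            if remote_ip == pkt.src_ip and first <= pkt.dst_port <= last:
                return ("trigger", lan_ip, pkt.dst_port)
        if self.dmz_host:  # SOHO DMZ: everything unsolicited lands on one host
            return ("dmz", self.dmz_host, pkt.dst_port)
        return ("drop", None, None)


def lesson_router(dmz: bool = False, camera_src: Optional[str] = None) -> SohoRouter:
    """The configuration entered in the lesson, optionally with a DMZ host or a source filter."""
    r = SohoRouter()
    r.forwards.append(PortForward("camera", "both", 8181, 8181, "192.168.5.13", 80, camera_src))
    r.forwards.append(PortForward("counterstrike", "both", 12001, 12027, "192.168.5.11"))
    r.triggers.append(PortTrigger("ftp", 21, 20, 21))
    if dmz:
        r.dmz_host = "192.168.5.12"
    return r


def walkthrough() -> dict:
    """Replay the lesson's scenarios; the remote addresses are constructed for the example."""
    away, scanner, ftp_srv = "203.0.113.5", "192.0.2.66", "198.51.100.20"
    r, out = lesson_router(), {}
    out["camera_from_denver"] = r.inbound(Packet(away, 50000, WAN_IP, 8181))
    out["scanner_finds_8181"] = r.inbound(Packet(scanner, 41000, WAN_IP, 8181))  # 8181 hides nothing
    out["port_80_closed"] = r.inbound(Packet(scanner, 41001, WAN_IP, 80))
    out["cs_in_range"] = r.inbound(Packet(away, 27005, WAN_IP, 12010, "udp"))
    out["cs_out_of_range"] = r.inbound(Packet(away, 27005, WAN_IP, 12028, "udp"))
    out["ftp_before_trigger"] = r.inbound(Packet(ftp_srv, 20, WAN_IP, 20))
    r.outbound(Packet("192.168.5.12", 51515, ftp_srv, 21))  # client opens the control channel
    out["ftp_after_trigger"] = r.inbound(Packet(ftp_srv, 20, WAN_IP, 20))
    out["ftp_other_host"] = r.inbound(Packet("198.51.100.21", 20, WAN_IP, 20))
    out["ftp_control_reply"] = r.inbound(Packet(ftp_srv, 21, WAN_IP, 51515))
    out["scanner_vs_source_filter"] = lesson_router(camera_src=away).inbound(Packet(scanner, 41000, WAN_IP, 8181))
    out["dmz_rdp"] = lesson_router(dmz=True).inbound(Packet(scanner, 41002, WAN_IP, 3389))
    return out


if __name__ == "__main__":
    for name, result in walkthrough().items():
        print(f"{name:26} -> {result}")
```

Two things worth noticing in the output. First, the scanner reaches the camera through 8181 just as the owner does; moving the service off port 80 only hides it from someone who checks port 80 alone, so the camera's own login (and, better, a filled-in Source field, which the `allowed_src` branch models) is what actually limits who can talk to it. Second, once the DMZ host is set, the RDP probe that was dropped by every other configuration is delivered, which is exactly the lesson's warning. On a DD-WRT or any other iptables-based router the camera row becomes a generic DNAT rule of the form `iptables -t nat -A PREROUTING -i <wan-if> -p tcp --dport 8181 -j DNAT --to-destination 192.168.5.13:80` together with a matching `FORWARD` accept, and the source filter is an added `-s <allowed-ip>` on that rule (generic iptables syntax, not a claim about the exact rules DD-WRT's firmware writes).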
Contents
Introduction to routers - 15m 4s
Network address translation (NAT) - 6m 10s
Implementing NAT - 2m 23s
Forwarding ports - 17m 26s
Tour of a SOHO router - 11m 48s
SOHO vs. enterprise - 8m 28s
Static routes - 12m 25s
Dynamic routing - 10m 22s
Open shortest path first (OSPF) - 3m 19s
Border gateway protocol (BGP) - 5m 25s
Enhanced interior gateway routing protocol (EIGRP) - 8m 10s
First hop redundancy protocol (FHRP) - 7m 56s