Port forwarding - how?

rado84

Well-Known Member
Joined
Feb 25, 2019
Messages
757
Reaction score
623
Credits
4,705
I've never done this before (port forwarding), so I need some help. When I run a python http server, it opens only locally with address 0.0.0.0 and the port I've chosen. But nobody outside my local network can access it, so I was told I should forward the chosen port through the router settings:

4Orpl3m.png


The LAN port I'll set to the one I've chosen and the protocol must TCP (I guess) but the rest of the boxes are very unclear to me what they do. As well as what's the difference bw "LAN port" and "WAN port", therefore - what should I write in each box. I'm guessing that I should choose "Manual" for the port I decided to assign but that still leaves what should be written in "WAN port". I know how to get my public IP address, that's not a problem. But that box above reads "internal IP address", not "Public IP address", which confuses me.

As I said - I've never done this before, so please, explain it to me the way you're explaining it to someone with a room temperature IQ.
 


What I've mentioned so far. In order...

The IP address should be the private IP address of the device (ip addr).
The second should be manual to select the port chosen in the Python command.
Buggered if I know.
It should be TCP.
I assume the last button saves it as a new port forwarding rule.
 
Yup. I'm sharing the above to save some else some time. Ideally making it easier so that you get a resolution soon.
 
Look up your router on the following website and it will explain how to forward your port.
 
Last edited:
I've never done this before (port forwarding), so I need some help. When I run a python http server, it opens only locally with address 0.0.0.0 and the port I've chosen. But nobody outside my local network can access it, so I was told I should forward the chosen port through the router settings:

4Orpl3m.png


The LAN port I'll set to the one I've chosen and the protocol must TCP (I guess) but the rest of the boxes are very unclear to me what they do. As well as what's the difference bw "LAN port" and "WAN port", therefore - what should I write in each box. I'm guessing that I should choose "Manual" for the port I decided to assign but that still leaves what should be written in "WAN port". I know how to get my public IP address, that's not a problem. But that box above reads "internal IP address", not "Public IP address", which confuses me.

As I said - I've never done this before, so please, explain it to me the way you're explaining it to someone with a room temperature IQ.
Stay calm. This is not very difficult, but please read my security warning at the end.

Your router has two sides.

The public internet side is the Wide Area Network (WAN). This is the internet side of your router. It connects to the public internet that the world uses. Everything on the public internet has its own unique IP address, including your router. Your router gets one public IP address that all of the devices in your house share. The public IP address for your router is assigned by your ISP. For some customers (possibly including you), the public IP address may change without notice.

The private internal network side is the Local Area Network (LAN). This network is where all of your WiFi, devices, and computers connect. The network is private, with internal IP addresses like "192.168.x.x" or maybe "10.x.x.x". Everything on this network must share the one public IP address on the other side of the router.

(Note: I am writing "internal IP address" because that is the label on your router's configuration page in your image. I usually think of it as a "private IP address" or a "LAN IP address.")

Web browsers use the TCP protocol to connect to web servers on the internet. They connect to the public IP address of the server. If you are offering a web server from your home, then other people on the internet will connect to the public IP address of your router.

TCP is divided into ports, which are numbered from 1 through 65535. Web browsers connect to web servers on TCP Port 80 (old) or TCP Port 443 (TLS, aka "SSL"). Port 80 is used for old-style HTTP browser connections, which are not encrypted. Port 443 is used for modern encrypted HTTPS connections, which rely on TLS (aka "SSL") to encrypt the connection and also need "certificates". HTTPS on Port 443 is the correct way to configure your web server, but more complex. (Other TCP ports are used for email, remote control and management, SSH, and many other "services".)

When somebody's web browser connects to your new web server, it must connect to your router's public IP address on a TCP port on the WAN (internet) side of your router. Unless you are doing something special, that "WAN port" should be either Port 80 (HTTP) or Port 443 (HTTPS, which uses TLS (aka "SSL")).

Inside your home network, you have a computer that is the actual web server. It is on your LAN (your private internal home network). Your web server has a private internal IP address on the LAN. That private internal IP address probably starts with "192.168.x.x" or maybe "10.x.x.x". It might start with "172.16...", which is fine but less common.

When somebody's web browser connects to TCP port 80 or 443 on the WAN side of your router, then your router must know which device in your private internal network (LAN) it should send the TCP connection to. In other words, the router must know your web server's private internal IP address. That is what the Virtual Server (port forwarding) setting does in your router's configuration. The Virtual Server / port forwarding setting tells the router, "If you get a TCP connection on Port 443 on your public internet WAN IP address, forward it to private internal LAN IP address "x.x.x.x" on private internal LAN TCP port "y". (The "y" is probably 443 or 80, but could be anything else.)

Your internal web server probably uses TCP port 80 or port 443, but it may be using an unusual port (e.g., Port 4321) instead. Your router can forward the TCP connection it receives to whichever private internal address you want on whatever port you want. The "WAN Port" does not have to match the "LAN Port" that you use on your web server device.

So ....

Internal IP Address:
The private internal IP address (192.168.x.x. or 10.x.x.x) of your web server computer.
LAN Port:
This is the TCP port for connecting to your web server on your private internal network (LAN). You are probably using Port 80 or Port 443 on that web server. It is likely to match the WAN Port setting (below), but it does not have to match it.
WAN Port:
This is the public internet side TCP port where others will connect to the public IP address of your router. Browsers on the internet expect to connect to Port 80 (HTTP) or Port 443 (HTTPS), so choose whichever is appropriate. If your server offers both, then you will need two separate port forwarding entries in your router configuration, one for each port.
Protocol:
HTTP and HTTPS both use TCP. Some services use "UDP". Some use both. Choose "TCP" here.
NOTE: Your web server may offer both HTTP and HTTPS. In that case, you will need two separate port forwarding entries in your router configuration: One for Port 80 and the other for Port 443.

Not mentioned, but important:
  • How will others find the public IP address of your web server?
    • Your WAN public IP address may be subject to change by your internet service provider (ISP).
    • If you use DNS (a name, like "www.linux.org"), then it adds more complexity:
      • You will want to register a domain name.
      • You must configure a DNS server to point to your public IP address.
        • If your public IP address is "dynamic" (subject to change without notice), then you will need to configure and use a special "dynamic DNS" service to automatically update the DNS when your router's public IP address (WAN address) changes.
        • You can use FreeDNS (mentioned above) for free dynamic DNS services. I use them.
          https://freedns.afraid.org
  • Are you using HTTP (not secure) or HTTPS?
    • If you are using HTTPS, then you will also need a certificate.
    • HTTPS is more complex to configure than HTTP.
    • You can get free certificates from Let's Encrypt. Since Let's Encrypt appeared a few years ago, other free certificate services have appeared. I still use and recommend Let's Encrypt.
SECURITY WARNING! DANGER!
You must keep your web server fully updated and secure. If an attacker succeeds, they will own ("pwn") your web server computer with full superuser (root!) access and can do anything they want, including defacing your website and substituting their own illegal content, mining cryptocurrency, etc. Once they are inside your home network, they can attack and take control of your router and your other computers and your phones and anything else on your private internal network (LAN). That's bad. Really bad. It is a serious risk for beginners.

Some routers offer a special feature called a "DMZ" which stands for "demilitarized zone". It is an old army term that means "a separate, isolated area". The DMZ for your router is a special, separate, isolated "LAN". It is independent from the regular LAN. If you put your web server computer in the special DMZ LAN and an attacker succeeds in compromising your web server, the router should prevent the attacker from gaining access to the LAN and attacking your other systems. That's better, but not perfect. Attackers are good at exploiting routers. Please keep your router updated and replace it when updates are no longer available.

If it were me, I would rent a cheap virtual private server (VPS) on the internet. You would have to learn how to setup SSH to connect to it and how to enable the firewall to keep it secure (and remember to keep it updated!!). If something really bad happens, the bad guys may "pwn" your VPS, but not your home LAN, your personal computer, your phones, etc. Cheap VPSs can be found for $10-20 per year. In that price range, some providers are good and some are not. Knowing which is which is an art form.

I hope this helps. If you need more info, just ask.

(Edits: Following the initial edits, I came back much later and fixed minor typos. Essential content remains unchanged.)
 
Last edited:
this is not rocket science. it is easy.
IP address = the ip address of the computer you want to send to. (the web server you made) Yes you need to set a static IP address on the computer.

Lan port = the port you assigned for the web server.

Wan Port = the port you want to use from outside (usually the same as the lan port)

protocol = tcp do not change it.

then hit the new button and you should be good. I would suggest a dynamic DNS service also so you don't have to watch for ip changes from the ISP. dynu.com has free stuff and it works in linux. I currently use it.
 
P.S. Forgotten Points

* Consider a Shared Hosting Service...
At the end of the long post above, I talked about the security risks of opening ports on your router to allow outsiders to see the web server on one of your personal computers. I suggested that you consider a virtual private server.
Sure, a VPS may protect your your home computer and network if your web server is successfully attacked, but it puts the burden on you to keep it secure.

A better approach would be to sign up for a shared hosting service. With a shared hosting server, you have a user account on someone else's server. It is up to you to keep a secure website on their server, but it is up to the hosting service to keep the server itself secure.

* The LAN Internal IP Address of Your Web Server MUST Be Fixed
If you decide to use port forwarding from the router, keep in mind that the web server computer's LAN internal IP address (e.g., 192.168.x.x.) must be fixed. It cannot change. Using DHCP leaves it subject to change, so that computer should be assigned a "manual" IP address that is outside the DHCP range and does not change. It will still start with "192.168" or "10.", but it is assigned by you and configured on that computer.

I hope that these extra hints do not add extra confusion. :-(
 
P.S. Reemphasizing my points above about security. I receive a

This blog was published two days ago. Among its key points is, "... This botnet has adapted techniques to conceal its infrastructure in residential IP space and infected web servers, as opposed to hiding in a network of hosted virtual private servers (VPSs)."

https://blog.lumen.com/qakbot-retool-reinfect-recycle/

That is what @rado84 is proposing to do, and emphasizes the security warning I left for them and others at the bottom of post #6 above. I had not seen the blog when I posted that warning. Be warned and very prepared.
 
Sorry for the long time of no response, I was quite busy and still am, tbh. I got one Sunday for myself (finally) but the "fun" resumes tomorrow...

Port forwarding won't work, not with this router anyway. It seems that this particular model of Tenda is allergic to port forwarding cuz whatever I try, according to everyone's instructions here, when I do it, I get cut off from the internet.
 
Without a model number, I looked at the instructions for port forwarding on Tenda's website. The settings all look straightforward to me. One of the Tenda interfaces I saw had you select the internal device from a list, rather than typing its LAN IP address. Whatever.

Which model Tenda router do you have? Is the firmware in the router fully updated, assuming that your ISP will let you update it? Which ports are you using for the public and private sides?

I have setup port forwarding on many many different routers. Some have very "quirky" user interfaces, weird, confusing terminology, stuff like that. At the same time, if you are persistent with the router, you should be able to find the settings you need and make them work. The router could have a port forwarding bug, but I wonder whether your problem is a configuration or firewall issue.

Which devices do you use to connect your network to the internet?
 
Are you sure you public IP address isn't behind your ISPs CGNAT?
 
Last edited:

Members online


Latest posts

Top