
kair: How do I use Port Mapping (Part I)

Disclaimer: Apple does not necessarily endorse any suggestions, solutions, or third-party software products that may be mentioned in the topic below. Apple encourages you to first seek a solution at Apple Support. The following links are provided as is, with no guarantee of the effectiveness or reliability of the information. Apple does not guarantee that these links will be maintained or functional at any given time. Use the information below at your own discretion.


How do I use Port Mapping? (Part I)

(This document assumes that you are using an ABS/AEBS/AX as an internet router and have DHCP & NAT turned on.)

Sometimes you may want to offer users on the internet access to a computer on your AirPort network, whether for a web site, for file sharing, or just for remote access for yourself when traveling. If any of these sound like something you want to do, then you need to understand how Port Mapping works.

AirPort as Firewall

Most of the time your AirPort base station will not let any traffic into your network which did not originate from your network. It will let everything out and let replies to your traffic back in, but it will not let sessions initiated on the internet side of the base station into your network. This is what is referred to as the "NAT firewall" capability of the base station, and it provides effective protection for your network from the internet. What Port Mapping does is poke a hole in this wall to allow certain type(s) of traffic into the network and direct this traffic to a specific computer on the network. In the firewall world this is commonly referred to as an "inbound proxy" or "inbound translation" rule; in the router world it is called "PAT" (Port Address Translation).

The Need for Manual Addressing

Since a Port Mapping entry in the base station configuration requires an inside private IP address to be specified, the computer to which the mapping entry applies should always have the IP address specified in the mapping entry. Thus, DHCP should not be used for a computer offering services on the internet, as the Port Mapping entry will no longer work if the target computer's IP address changes. In general, an Apple base station's DHCP server will try to assign IP addresses in the 10.0.1.2 to 10.0.1.200 range. IP addresses above 10.0.1.200, up to 10.0.1.254, can be manually assigned to computers and other devices on the network. 10.0.1.255 is reserved (it is the broadcast address for the 10.0.1 subnet).

To manually set up the TCP/IP information for a Macintosh running Mac OS X, go to System Preferences -> Network, "Show" the appropriate interface (Ethernet or AirPort), and click on the TCP/IP tab. Select "Configure Manually" and enter the following information:

IP address : 10.0.1.201 (or whatever address you decide to use)
Subnet mask : 255.255.255.0
Router IP : 10.0.1.1 (the AirPort base station LAN IP)
DNS server : 10.0.1.1, or whatever DNS server IP your ISP uses

After making these changes, verify that your computer can still access the internet and local resources on the LAN before continuing.

Port Mapping a service

In our example we will be hosting a web site on a computer which we have given an IP address of 10.0.1.201. Basic web sites are accessed using the Hypertext Transfer Protocol (HTTP), and this protocol typically uses port 80 to communicate. In order for others to see the web site, we must configure a Port Mapping entry in the base station configuration, not only to allow the web browsers in, but also to tell the base station what IP address the web server is using. The Port Mapping entry has three parts: Public Port, Private IP, and Private Port. In this case you would use the following values:

Public Port : 80
Private IP : 10.0.1.201 (this is the computer hosting the web site)
Private Port : 80

In order to access the web site from the internet, users must reference the base station's WAN port public IP (determined by looking at the base station configuration summary page in the AirPort Admin Utility). Since this address may change over time, you might want to use a Dynamic DNS service to simplify connecting for your users.


How do I use Port Mapping (Part II)

Sometimes the port you wish to use may be blocked by the ISP. In this case use a different, non-standard, Public Port number for the service but keep the Private Port standard. In the above example, if the ISP was blocking port 80, you could potentially use 8080 instead, so:

Public Port : 8080
Private IP : 10.0.1.201
Private Port : 80

Your users would then have to enter "http://<publicIP>:8080/" (where <publicIP> is the public IP address of the AirPort base station) to access the web site.

Internal Access

It should be noted that when accessing these services from within the network you cannot reference the Public IP/Public Port, but rather you must use the Private IP/Private Port. Thus, "http://10.0.1.201:80/" in the above example.

Limits and Options

There is a maximum of 20 Port Mapping entries that can be made in an Apple base station configuration. If you use an AirPort Extreme or AirPort Express base station, there is an option which can be helpful when you need many ports opened to a single computer: the Default Host option, found in Base Station Options. When using this it is not necessary to use Port Mapping at all, as all ports will be opened to the specified Default Host. The default IP address for the Default Host is 10.0.1.253. You may change this IP address. The target computer must be manually configured as specified above with the same IP address. Since all ports are now open to this computer, you should enable and configure the Mac OS X firewall on the default host computer to protect it from intruders.
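A pre-flight check for a planned Port Mapping table, as an added example that is not part of the original tip: it applies the manual-addressing rules and the 20-entry limit described above. The function name, the tuple layout and the duplicate Public Port check are assumptions of this example; the address ranges are the tip's defaults.

```python
import ipaddress

# Defaults quoted in the tip; all names below are hypothetical.
LAN = ipaddress.ip_network("10.0.1.0/24")
ROUTER = ipaddress.ip_address("10.0.1.1")
DHCP_FIRST = ipaddress.ip_address("10.0.1.2")
DHCP_LAST = ipaddress.ip_address("10.0.1.200")
MAX_ENTRIES = 20


def audit_port_mappings(entries):
    """Check (public_port, private_ip, private_port) tuples; return problems."""
    problems = []
    if len(entries) > MAX_ENTRIES:
        problems.append(f"{len(entries)} entries exceed the limit of {MAX_ENTRIES}")
    seen_public = {}  # public port -> number of the entry that claimed it
    for n, (public_port, private_ip, private_port) in enumerate(entries, 1):
        for label, port in (("public", public_port), ("private", private_port)):
            if not 1 <= port <= 65535:
                problems.append(f"entry {n}: {label} port {port} out of range")
        try:
            ip = ipaddress.ip_address(private_ip)
        except ValueError:
            problems.append(f"entry {n}: {private_ip!r} is not an IP address")
            ip = None
        if ip is not None:
            if ip not in LAN:
                problems.append(f"entry {n}: {ip} is outside {LAN}")
            elif ip in (LAN.network_address, LAN.broadcast_address, ROUTER):
                problems.append(f"entry {n}: {ip} is reserved")
            elif DHCP_FIRST <= ip <= DHCP_LAST:
                problems.append(f"entry {n}: {ip} is in the DHCP range")
        if public_port in seen_public:  # assumption: one target per public port
            first = seen_public[public_port]
            problems.append(f"entry {n}: public port {public_port} already used by entry {first}")
        else:
            seen_public[public_port] = n
    return problems


# Constructed sample table; the first two rows are the tip's own examples.
SAMPLE = [
    (80, "10.0.1.201", 80),
    (8080, "10.0.1.201", 80),
    (8080, "10.0.1.50", 8080),   # DHCP-range target, duplicate public port
    (22, "10.0.1.255", 22),      # broadcast address
]

if __name__ == "__main__":
    print("\n".join(audit_port_mappings(SAMPLE)))
```

An empty result means the table is consistent with the rules in this tip; it says nothing about whether the exposed service itself is safe to publish.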

Useful Related Links

Designing AirPort Extreme Networks: Manuals

"Well Known" TCP and UDP Ports Used By Apple Software Products

IANA Port Number Assignments
