I have finally figured out port-forwarding!!! more advanced questions now

for a very long time now I have wanted to figure out how to accomplish port-forwarding with a router that my home LAN is plugged into. I have heard this was necessary in order to access the files on my own home computers from another location (such as someone else's home)

for instance, to be able to use the afp protocol the same way I can over my LAN without any issues

I HAVE FIGURED IT OUT!! It really isn't complicated at all. It was all about figuring out exactly which ports to open.

So if I want to access my power mac G5 from someone else's house, I go into the port-forwarding section of my router's administration page, and simply set port 548 to forward to the ip address of my G5 that has been assigned to it by my router....for example, 192.169.1.110

since I do NOT have a static IP on my home cable internet, I go to www.whatismyipaddress.com so it gives me my CURRENT IP address (note that this can change since most people have dynamic and not static IP addresses for their basic home dsl or cable internet....but it is true that sometimes this number does not change for very long periods of time!)

so that url gives me an IP address in this format 55.555.555.555 (obviously different numbers than 5, but that's the format so you get the point)

so now, if I go to a neighbors house and enter afp://55.555.555.555 into the "connect to server" window of my laptop (now using THEIR internet and not mine), which is accessible from the Go menu in the finder, my home router will immediately route that specific traffic to my G5's IP address, and I can successfully enter my username and password and access all of my home files!!!

this is amazing and works well for other services too....for ftp, open port 21 to your IP address, for screen sharing using VNC open port 5900....and you can look up the ports for other services as well

now.....HERE is my problem

I have a few computers on my home network....let's say their IP addresses assigned by my router are 192.169.1.110, 192.169.1.111, and 192.169.1.112 and let's say I want the choice of being able to access ANY of these at a time remotely from someone else's house using my laptop...

the router will ONLY let me forward a port, like 548, to ONE IP address at a time...so that I basically enter the IP address of my home internet, and the router directs the traffic from there....but how do I specify which computer I want to access?

i tried entering afp://55.555.555.555/192.169.1.112 into the connect to server, so I could specifically get to that computer....but it didn't work and I'm not sure if that is even the correct way to go about doing this

I am very happy that I figured this out, but would now like to configure port-forwarding for multiple computers at a time and now need more advanced help

can anyone shed some light on this for me? thank you very much

Posted on Feb 20, 2008 12:25 AM


Feb 20, 2008 9:13 AM in response to David Lawrence4

the router will ONLY let me forward a port, like 548, to ONE IP address at a time...so that I basically enter the IP address of my home internet, and the router directs the traffic from there....but how do I specify which computer I want to access?


That's the way port forwarding works - map one port on the outside world to one port on the inside world.

If you want to access the same service (e.g. AFP/port 548) on multiple machines you have two options.

The first requires that your router can change the target port number (e.g. can map one port number on the outside world to a different port number on the inside world). Some routers can do this, but others require that the port number matches.
If yours lets you change this then use a range of ports on the outside, each mapping to port 548 on different internal machines. e.g.:

5110 -> 192.168.1.110:548
5111 -> 192.168.1.111:548
5112 -> 192.168.1.112:548

Then all you need to do is remember which external port number (5110, 5111, 5112) maps to which internal machine and use that in the URL. e.g., using a dummy IP address as an example, to get to the machine at 192.168.1.111 you would:

afp://xx.xxx.xxx.xxx:5111/

This tells the client (at your remote location) to connect to port 5111 on the router's public address using the AFP protocol. The router then forwards that connection to port 548 on the target machine.

If your router supports this model, it's the easiest path.

If it doesn't, your next best option is to use SSH tunneling to leverage SSH's ability to embed any traffic within the SSH connection.

This approach has two advantages - it allows you to access any protocol without having it set up in advance, and it encrypts the connection which adds a degree of security. However, it involves using one of the machines as a gateway to the others, and if that machine is turned off, you're out of luck.

First, set up port forwarding on your router in the normal way to forward port 22 to any machine in your network.

Then, from the remote location you SSH to the port-forwarded address using the -L switch.

-L takes three pieces of data as its parameter:
  • local port number
  • remote address
  • remote port


The way this works is that you tell SSH to listen on the local port number on the machine you're on. For any connection that comes in it tunnels that traffic over the SSH connection and forwards it to remote address:remote port as seen from the server.

For example, given the same three client IP addresses you could:

ssh -L 5480:192.168.1.112:548 xx.xx.xxx.xxx

This tells your machine to ssh to xx.xx.xxx.xxx and listen on the local port number 5480 (you can't bind to ports less than 1024 unless you're root, so use some high-numbered port).
Once connected you can then open the URL afp://localhost:5480/

Since you're connecting to port 5480 on your local machine, ssh picks up that connection, encrypts it and sends it over the SSH tunnel and forwards it to port 548 on 192.168.1.112.

You can use multiple -L options in the same command, so if you wanted to get to all three AFP servers at once, plus the web server running on the .113 machine, you could:

ssh -L 5480:192.168.1.110:548 -L 5481:192.168.1.111:548 -L 5482:192.168.1.112:548 -L 8000:192.168.1.113:80 xx.xx.xxx.xxx

Now afp://localhost:5480 will connect to the .110 server, afp://localhost:5481 will connect to the .111 server, afp://localhost:5482 will connect to .112's AFP server and http://localhost:8000/ will connect to the web server on 192.168.1.113, all securely, and all without needing to preset the port forwarding that you want to use.
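As an added illustration of the two options described in the reply above (my own example code, not the poster's and not any router's firmware), the script below models a router's forwarding table, rejects the double mapping of port 548 that the original question ran into, lists which ports each option leaves reachable from the internet, and emits the equivalent ssh -L arguments. The LAN addresses and port numbers are constructed sample values taken from the thread's examples.

```python
import ipaddress

UNPRIVILEGED_MIN = 1024  # ports below this need root to bind on the client

# Constructed sample data modelled on the reply: three AFP servers and the
# .113 web server on a private LAN (example addresses, not real hosts).
ROUTER_RULES = [(5110, "192.168.1.110", 548),
                (5111, "192.168.1.111", 548),
                (5112, "192.168.1.112", 548)]
SSH_TUNNELS = [(5480, "192.168.1.110", 548),
               (5481, "192.168.1.111", 548),
               (5482, "192.168.1.112", 548),
               (8000, "192.168.1.113", 80)]

def plan_router_rules(assignments):
    """Option 1: one distinct external port per internal host:port.
    assignments = [(external_port, internal_ip, internal_port)].  Rejects an
    external port requested twice, which is exactly why forwarding 548 to
    all three AFP servers at once cannot work."""
    rules = {}
    for ext, ip, port in assignments:
        if ext in rules:
            raise ValueError(f"external port {ext} already forwards to {rules[ext]}")
        rules[ext] = (str(ipaddress.ip_address(ip)), port)  # validates the IP
    return rules

def resolve(rules, ext_port):
    """What the router does with an inbound connection: exactly one internal
    host per external port; anything not forwarded is dropped (None)."""
    return rules.get(ext_port)

def router_exposure(rules):
    """Ports reachable from the internet under option 1: every forwarded
    service, each with its own login prompt exposed to the outside world."""
    return sorted(rules)

def ssh_tunnel_args(tunnels):
    """Option 2: the same mapping expressed as ssh -L arguments.  Only port 22
    needs forwarding at the router; each AFP login then rides inside SSH."""
    args, seen = [], set()
    for local, ip, port in tunnels:
        if local < UNPRIVILEGED_MIN:
            raise ValueError(f"local port {local} needs root to bind")
        if local in seen:
            raise ValueError(f"local port {local} used twice")
        seen.add(local)
        args += ["-L", f"{local}:{ipaddress.ip_address(ip)}:{port}"]
    return args
```

Running `" ".join(ssh_tunnel_args(SSH_TUNNELS))` reproduces the -L portion of the multi-tunnel command shown in the reply.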

Feb 20, 2008 7:47 PM in response to David Lawrence4

You need to port forward port 22 in the router to the computer to which you will be connecting via ssh. That is the only port that you need open in your router.

Of course, in Sys Prefs you need personal file sharing turned on on 110, 111, and 112, and you need remote login turned on on the computer into which you will be ssh'ing.

The ssh command from afar will be:
ssh -L 5110:192.168.1.110:548 -L 5111:192.168.1.111:548 -L 5112:192.168.1.112:548 xx.xx.xxx.xxx

The command as listed above assumes that you have the same username on the computer at which you are typing as the computer into which you are ssh'ing at home. If not, modify like this:
ssh -l username -L 5110:192.168.1.110:548 -L 5111:192.168.1.111:548 -L 5112:192.168.1.112:548 xx.xx.xxx.xxx
(that's a lowercase ell, for login)

or like this:
ssh -L 5110:192.168.1.110:548 -L 5111:192.168.1.111:548 -L 5112:192.168.1.112:548 username@xx.xx.xxx.xxx

Go to versiontracker.com or macupdate.com and type in "dynamic DNS" as the search term. You install a piece of software on your home computer and sign up for a free domain name through the provider of that piece of software and then you don't have to worry about your ISP rolling your IP address on you. When they do, this software detects it and sends an update to the DNS server of the people that you got the software from. Then, no more "ssh ... xx.xx.xxx.xxx" with randomly varying IPAs anymore. It's "ssh ... lawrence4.no-ip.com" (as an example) every time, all the time.

Feb 24, 2008 2:32 PM in response to David Lawrence4

just when I mark my question as answered, I now have more questions!

So I have an old Linksys BEFSR41 v.2 that DOES have UPnP forwarding. This is a wired-only router. It also has regular port-forwarding.

But I also have a Linksys WRT54G that is both a wired and a wireless router. This has port-forwarding (which is called Application & Gaming) but seems to NOT have UPnP forwarding even though it DOES have an option to either turn UPnP on or off (enable or disable) and is a much newer router model.

Why can I "enable" UPnP on the WRT54G but not actually find a UPnP forwarding option anywhere?

Might I have to buy a new wireless router that does allow UPnP forwarding?

Also, let's say your home's power goes out, or the internet has to be turned off and back on - - basically, let's say the router loses power for any reason......When it turns back on, it can then reassign possibly DIFFERENT IP addresses to each machine in the house (ex: 192.168.1.100, 192.168.1.101, etc)

If that happens, then the UPnP forwarding that has been setup can now be incorrectly routed to the wrong machines on the LAN.

So.....is there any way to ensure that a router will ALWAYS assign via automatic DHCP the SAME internal IP address to any given specific computer EVERY TIME those two devices connect, even if there is a loss of power and the system has to reboot?

thank you for any more light that can be shed on this subject. this whole thing has been a great learning experience for me on how to really setup some kick-bootie LANs for people.

Feb 24, 2008 2:55 PM in response to David Lawrence4

You can also get different addresses assigned depending on the order that your computers are powered up. This is a good reason to assign static addresses (in the address range of your router) - your various server machines will always be at the same address. Go to System Preferences > Network > Built-in Ethernet and configure the address either "Manually" or "Using DHCP with manual address". Usually the DHCP server starts address assignments at 1, so I use addresses above 100 to allow dynamically assigned addresses to be used as well.

Feb 24, 2008 3:30 PM in response to red_menace

so you're saying that if I manually assign my machines their IP addresses within System Prefs that that is exactly the IP address that they will use every time to connect to the router??

Isn't there something I should have to do in the router to make this possible as well?

I tried typing in 192.168.1.15 using DHCP with manual address, and it disconnected me from the internet.

So I'm assuming I have to do something within the router for this......how?

Feb 24, 2008 4:16 PM in response to David Lawrence4

Manually assigning an address will always set the computer to that address. There is a DHCP server in the router that will dynamically assign an address if one of your computers asks for one (which is what happens when your configuration is set to "Using DHCP"), but you shouldn't have to do anything with the router. Normally, a router will start at some beginning address (for example 192.168.0.2) and go up from there as needed, so all you really have to do is stay out of the range of addresses that would get assigned by the router.

There is some info about setting a static address and an address finder at PortForward.com.

Feb 24, 2008 4:26 PM in response to David Lawrence4

so you're saying that if I manually assign my machines their IP addresses within System Prefs that that is exactly the IP address that they will use every time to connect to the router??


Absolutely. A manual address is persistent, and is the address the machine will use each time it boots.

Isn't there something I should have to do in the router to make this possible as well?


Nope.

I tried typing in 192.168.1.15 using DHCP with manual address, and it disconnected me from the internet.


Do not use 'DHCP with manual address'. Use either 'DHCP' or 'Manual'. 'DHCP with manual address' opens up a whole other can of worms and is erratically supported.

The upshot is that the router will have an 'internal' network. In this case it sounds like you're using 192.168.1.x with a subnet mask of 255.255.255.0.
That subnet mask means you can use any IP address with the same first three octets - that is 192.168.1.1 through 192.168.1.254.

The router will have one IP address in the range - typically the lowest number, so 192.168.1.1 and the rest can be assigned however you like.

Depending on the router you might find that the router uses a small range like 192.168.1.100 through 192.168.1.200 for DHCP clients.

If that's the case you can manually assign any IP addresses within the subnet (192.168.1.x) that is not within the DHCP range. For example you could assign a machine 192.168.1.30 - it is in the subnet, but outside of the DHCP range.
Set the machine's default router address as the address of the router and you're set. That machine will always use 192.168.1.30 and since it's outside of the DHCP range there won't be any conflicts with DHCP clients on the network.

Some routers may come pre-configured to use the entire subnet for DHCP clients, in which case you'll need to change the router's configuration to leave yourself some space for the statically addressed hosts in your network.

You may also have an option in the router to assign the same IP address to a specific machine based on its MAC address, but that's a PITA to manage.

You could also opt to turn off DHCP altogether and manually assign an address to every machine in your network, but that's often a lot of work.

So I'm assuming I have to do something within the router for this......how?


Nothing should need to be done on the router, other than maybe exclude/reduce the range of DHCP addresses as discussed above.
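To make the address-planning rules in the reply above concrete, here is an added Python check (my own code, not the poster's) that uses the standard ipaddress module to test whether a manual address sits inside the subnet, outside the DHCP pool, and is not the router's own, network or broadcast address, and that also catches the same address being handed to two machines. The 192.168.1.0/24 subnet, the router at .1 and the .100 to .200 pool are constructed sample values matching the reply's example, not the original poster's real settings.

```python
import ipaddress

# Constructed example matching the reply: a 192.168.1.0/24 LAN, router at .1,
# and a DHCP pool of .100 through .200 (a typical default, used here as a
# sample; the real pool must be read from the router's own configuration).
LAN = ipaddress.ip_network("192.168.1.0/24")
ROUTER = ipaddress.ip_address("192.168.1.1")
DHCP_POOL = (ipaddress.ip_address("192.168.1.100"),
             ipaddress.ip_address("192.168.1.200"))

def in_pool(addr, pool=DHCP_POOL):
    """Inclusive range test; ipaddress objects compare numerically."""
    return pool[0] <= addr <= pool[1]

def check_static(candidate, lan=LAN, router=ROUTER, pool=DHCP_POOL):
    """Return the reasons a candidate is unsafe as a manual address, or an
    empty list if it can be assigned without colliding with DHCP clients."""
    addr = ipaddress.ip_address(candidate)
    problems = []
    if addr not in lan:
        return [f"{addr} is not inside {lan}"]  # nothing else is meaningful
    if addr in (lan.network_address, lan.broadcast_address):
        problems.append(f"{addr} is the network or broadcast address")
    if addr == router:
        problems.append(f"{addr} is the router's own address")
    if in_pool(addr, pool):
        problems.append(f"{addr} is inside the DHCP pool {pool[0]}-{pool[1]}; "
                        "a DHCP client may be handed the same address")
    return problems

def manual_config(candidate, lan=LAN, router=ROUTER):
    """The three values the 'Manually' setting needs: address, subnet mask
    derived from the network, and the router as default gateway."""
    return {"ip": str(ipaddress.ip_address(candidate)),
            "subnet_mask": str(lan.netmask), "router": str(router)}

def plan_static_hosts(candidates, **kw):
    """Validate a whole set of manual addresses and also reject duplicates,
    which would leave two hosts fighting over the same address."""
    report, seen = {}, set()
    for c in candidates:
        probs = check_static(c, **kw)
        if c in seen:
            probs.append(f"{c} is assigned to more than one host")
        seen.add(c)
        report[c] = probs
    return report
```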
