
How to block Public TCP port and ALLOW Private port forwarding on AirPort Extreme

I am using port forwarding on my AirPort Extreme for a few devices and it works as expected. I would like to restrict VNC use to my local Private network and block Public access on port 5500. Seems simple enough, but when I define a new mapping, the Public TCP and UDP fields are required. You cannot leave them blank and only define the Private ports (see below).


Before everyone suggests blocking that port on the modem/router, let me say I'm using the DSL modem in a pass-through mode, so all configuration is on the AirPort Extreme, which I love. I can't even access the DSL modem without reconfiguring it. If I noodled around on this I could probably figure something out, but what is the best way to accomplish this on the AirPort Extreme: block access to a specific port for Public WAN access but allow Private port access?


Thanks in advance for your response!



Posted on Nov 14, 2017 10:45 AM

Question marked as Best reply

Posted on Nov 14, 2017 3:41 PM

Something is a bit strange here.


Port mapping is only through NAT; in other words, all ports are open on the LAN side. There is no need for, and no use in, port translating on the AirPort, as it will do nothing on the LAN.


My issue is that I am using VNC on a non-standard port (5NNN instead of 5900, the default VNC port). If I delete the port mapping I have in place, I can't connect VNC on my Private Network/LAN, because there's no map to 5NNN.

This would only be true if the AirPort had NAT loopback, but it is really unnecessary.


I would simply use the standard 5900 on your internal LAN, and no port forwarding at all from NAT.


In fact, the best protection is to set the DMZ to a non-existent address.

Apple calls it Default Host. If there is a default host set, anybody attempting to break in is automatically taken to an IP that either doesn't exist or is unable to respond.


5 replies

Nov 14, 2017 2:34 PM in response to MRYFLYGUY

Apple has designed all of the AirPort base stations for very "simple" network configurations. All ports on the Apple base station are "closed," by default, to inbound traffic and "open" to outbound traffic from the local network. The port mapping settings would be used to allow certain inbound traffic to pass through to a private (local) port that the user designates. Any other method of configuring ports is not available with this simple interface ... again, by design.

Nov 14, 2017 2:44 PM in response to Tesserax

My issue is that I am using VNC on a non-standard port (5NNN instead of 5900, the default VNC port). If I delete the port mapping I have in place, I can't connect VNC on my Private Network/LAN, because there's no map to 5NNN.


I suppose I could update the VNC server to listen on the standard port 5900 and see if I can connect without any mapping defined, but wouldn’t this open 5900 to Public/WAN Traffic? I’m thinking it would.

Nov 14, 2017 5:11 PM in response to MRYFLYGUY

Okay, removed the port forwarding and reset the VNC client and server to 5900. Works fine connecting over LAN and, if I try to connect VNC to my Mac's external IP over the cellular network, a message is displayed that the computer is not listening, or something similar. Whereas I used to be able to connect with port forwarding.


Thanks for your help.
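The mechanism the accepted reply and Tesserax's post describe, and the result the OP confirmed in the last reply, as an added example (not code from the thread, from Apple, or from any poster): a small Python model of the AirPort's NAT decision. A packet arriving on the WAN side is checked against the port-mapping table; an unmapped one goes to the Default Host if one is set and is otherwise dropped. A packet on the LAN side is switched straight to the destination host and never touches the mapping table. The LAN address of the Mac, the WAN address, the sink address, and the ports 5555 (standing in for the OP's 5NNN) and 5900 are all constructed for the example. The model has no NAT loopback, so a LAN client addressing the router's public IP finds no host; that is the case the accepted reply calls NAT loopback.

```python
"""Toy model of the AirPort Extreme NAT rules described in this thread.

Added illustration for this page; not Apple firmware and not code from any
poster. All hosts, addresses and ports are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Mapping:
    """One row of the AirPort 'Port Settings' table."""
    public_port: int
    private_host: str
    private_port: int
    proto: str = "tcp"


@dataclass
class AirPortNat:
    # LAN ip -> set of (proto, port) the host actually listens on
    lan_hosts: Dict[str, Set[Tuple[str, int]]]
    mappings: Dict[Tuple[str, int], Mapping] = field(default_factory=dict)
    default_host: Optional[str] = None  # Apple's name for the DMZ host

    def add_mapping(self, m: Mapping) -> None:
        self.mappings[(m.proto, m.public_port)] = m

    def deliver(self, iface: str, dst_ip: str, dst_port: int, proto: str = "tcp") -> str:
        """Describe the fate of a packet arriving on iface ('wan' or 'lan')."""
        if iface == "lan":
            # LAN-side traffic is switched, not NATed: the mapping table is
            # never consulted. No NAT loopback is modelled, so a LAN client
            # addressing the router's public IP finds no such host.
            return self._to_host(dst_ip, dst_port, proto)
        if iface != "wan":
            raise ValueError(f"unknown interface {iface!r}")
        m = self.mappings.get((proto, dst_port))
        if m is not None:
            # Mapped public port: translate to the private host and port.
            return self._to_host(m.private_host, m.private_port, proto)
        if self.default_host is not None:
            # Unmapped inbound traffic goes to the Default Host on the same port.
            return self._to_host(self.default_host, dst_port, proto)
        return "dropped: no mapping and no default host"

    def _to_host(self, ip: str, port: int, proto: str) -> str:
        if ip not in self.lan_hosts:
            return f"dropped: {ip} does not exist on the LAN"
        if (proto, port) in self.lan_hosts[ip]:
            return f"accepted by {ip}:{port}/{proto}"
        return f"refused: {ip} is not listening on {port}/{proto}"


MAC = "10.0.1.20"          # constructed LAN address of the VNC Mac
PUBLIC_IP = "203.0.113.7"  # constructed WAN address (TEST-NET-3 range)
SINK = "10.0.1.250"        # constructed address with no host behind it


def before() -> Dict[str, str]:
    """OP's starting point: VNC on a non-standard port (5555 here) plus a mapping."""
    nat = AirPortNat(lan_hosts={MAC: {("tcp", 5555)}})
    nat.add_mapping(Mapping(public_port=5555, private_host=MAC, private_port=5555))
    return {
        "lan_direct": nat.deliver("lan", MAC, 5555),               # works; mapping irrelevant
        "lan_via_public_ip": nat.deliver("lan", PUBLIC_IP, 5555),  # would need NAT loopback
        "wan": nat.deliver("wan", PUBLIC_IP, 5555),                # VNC exposed to the Internet
    }


def after() -> Dict[str, str]:
    """Accepted answer: VNC on 5900, no mapping, Default Host set to a non-existent address."""
    nat = AirPortNat(lan_hosts={MAC: {("tcp", 5900)}}, default_host=SINK)
    return {
        "lan_direct": nat.deliver("lan", MAC, 5900),          # still works on the LAN
        "wan": nat.deliver("wan", PUBLIC_IP, 5900),           # sent to the sink, dies there
        "wan_other_port": nat.deliver("wan", PUBLIC_IP, 22),  # every unmapped port, same fate
    }


if __name__ == "__main__":
    for name, result in (("before", before()), ("after", after())):
        for case, fate in result.items():
            print(f"{name:6} {case:18} {fate}")
```

Running the two scenarios shows why removing the mapping did not cost LAN access: `lan_direct` is accepted in both, because the mapping table is only consulted for WAN arrivals. The `wan` case in `before()` is the exposure the OP wanted to remove; in `after()` it ends at the sink address, and the model also shows that with no Default Host at all the same packet is simply dropped, so the non-existent Default Host changes how the unmapped traffic dies, not whether it does. The OP's final check, connecting to the external IP from a cellular device and getting "not listening", is the real-world version of the `wan` case.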
