Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

Question:

Question: How to block Public TCP port and ALLOW Private port forwarding on AirPort Extreme

I am using port forwarding on my Airport Extreme for a few devices and it works as expected. I would like restrict VNC use to my local Private network and block Public access on port 5500. Seems simple enough but when define a new mapping, the Public TCP and UDP field are required. You can not leave them blank and only define the Private ports (see below).


Before everyone suggests blocking that port on the modem/router, let me say I'm using the DSL modem in a pass-through mode so all configuration is on the AirPort Extreme, which I love. I can't even access the DSL modem without reconfiguring it. If I noodled around on this I could probably figure something our but, what is the best way to accomplish this on the AirPort Extreme - block access to a specific port for Public WAN access but allow Private port access?


Thanks in advance for your response!


User uploaded file


User uploaded file

Posted on

Reply
Question marked as Solved
Answer:
Answer:

Something is a bit strange here.


Port Mapping is only through NAT.. in other words all ports are open on the LAN side.. there is no need and no use port translating on airport as it will do nothing on the LAN.


My issue is that I am using VNC in a non-standard port (5NNN instead of 5900, the default VNC port). If I delete the port mapping I have in place, I can’t connect vnc on my Private Network/LAN -because there’s no map to 5NNN.

This would only be true if airport has NAT Loopback.. but it is really unnecessary.


I would simply use standard 5900.. on your internal LAN.. and no port forwarding at all from NAT.


In fact the best protection is to set DMZ to non-existent address..

Apple calls it Default Host.. if there is a default host set.. anybody attempting to break in is automatically taken to an IP that either doesn't exist or is unable to respond.

User uploaded file

Posted on

Question marked as Helpful

Nov 14, 2017 2:34 PM in response to MRYFLYGUY In response to MRYFLYGUY

Apple has designed all of the AirPort base stations for very "simple" network configurations. All ports on the Apple base station are "closed," by default, to inbound traffic and "open" to outbound traffic from the local network. The port mapping settings would be used to allow certain inbound traffic to pass through to a private (local) port that the user designates. Any other methods to configuring ports is not available with this simple interface ... again, by design.

There’s more to the conversation

Read all replies

Page content loaded

Question marked as Helpful

Nov 14, 2017 2:34 PM in response to MRYFLYGUY In response to MRYFLYGUY

Apple has designed all of the AirPort base stations for very "simple" network configurations. All ports on the Apple base station are "closed," by default, to inbound traffic and "open" to outbound traffic from the local network. The port mapping settings would be used to allow certain inbound traffic to pass through to a private (local) port that the user designates. Any other methods to configuring ports is not available with this simple interface ... again, by design.

Nov 14, 2017 2:34 PM

Reply Helpful (1)

Nov 14, 2017 2:44 PM in response to Tesserax In response to Tesserax

My issue is that I am using VNC in a non-standard port (5NNN instead of 5900, the default VNC port). If I delete the port mapping I have in place, I can’t connect vnc on my Private Network/LAN -because there’s no map to 5NNN.


I suppose I could update the VNC server to listen on the standard port 5900 and see if I can connect without any mapping defined, but wouldn’t this open 5900 to Public/WAN Traffic? I’m thinking it would.

Nov 14, 2017 2:44 PM

Reply Helpful
Question marked as Solved

Nov 14, 2017 3:41 PM in response to MRYFLYGUY In response to MRYFLYGUY

Something is a bit strange here.


Port Mapping is only through NAT.. in other words all ports are open on the LAN side.. there is no need and no use port translating on airport as it will do nothing on the LAN.


My issue is that I am using VNC in a non-standard port (5NNN instead of 5900, the default VNC port). If I delete the port mapping I have in place, I can’t connect vnc on my Private Network/LAN -because there’s no map to 5NNN.

This would only be true if airport has NAT Loopback.. but it is really unnecessary.


I would simply use standard 5900.. on your internal LAN.. and no port forwarding at all from NAT.


In fact the best protection is to set DMZ to non-existent address..

Apple calls it Default Host.. if there is a default host set.. anybody attempting to break in is automatically taken to an IP that either doesn't exist or is unable to respond.

User uploaded file

Nov 14, 2017 3:41 PM

Reply Helpful

Nov 14, 2017 4:13 PM in response to MRYFLYGUY In response to MRYFLYGUY

I have no default host defined So I’m good there. I am hosting a web page with OSX Server and have the http ports mapped to my Mac. This works fine too.


I‘ll try setting the VNC Client/Server back to the default 5900 & removing the VNC port forwarding, see if I can connect locally.


Thx.

Nov 14, 2017 4:13 PM

Reply Helpful

Nov 14, 2017 5:11 PM in response to MRYFLYGUY In response to MRYFLYGUY

Okay, removed the port forwarding & reset VNC client & server to 5900. Works fine connecting over LAN apnd, if I try to connect VNC to my Mac external IP over cellular network, a message is displayed that the computer is not listening; or something similar. Whereas I used to be able to connect with port forwarding.


Thanks for for your help.

Nov 14, 2017 5:11 PM

Reply Helpful
User profile for user: MRYFLYGUY

Question: How to block Public TCP port and ALLOW Private port forwarding on AirPort Extreme