Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

User profile for user: MRYFLYGUY
MRYFLYGUY Author
User level: Level 2
223 points

How to block Public TCP port and ALLOW Private port forwarding on AirPort Extreme

I am using port forwarding on my Airport Extreme for a few devices and it works as expected. I would like restrict VNC use to my local Private network and block Public access on port 5500. Seems simple enough but when define a new mapping, the Public TCP and UDP field are required. You can not leave them blank and only define the Private ports (see below).


Before everyone suggests blocking that port on the modem/router, let me say I'm using the DSL modem in a pass-through mode so all configuration is on the AirPort Extreme, which I love. I can't even access the DSL modem without reconfiguring it. If I noodled around on this I could probably figure something our but, what is the best way to accomplish this on the AirPort Extreme - block access to a specific port for Public WAN access but allow Private port access?


Thanks in advance for your response!


User uploaded file


User uploaded file

Posted on Nov 14, 2017 10:45 AM

Reply
Question marked as Best reply
User profile for user: LaPastenague
LaPastenague
User level: Level 9
67,208 points

Posted on Nov 14, 2017 3:41 PM

Something is a bit strange here.


Port Mapping is only through NAT.. in other words all ports are open on the LAN side.. there is no need and no use port translating on airport as it will do nothing on the LAN.


My issue is that I am using VNC in a non-standard port (5NNN instead of 5900, the default VNC port). If I delete the port mapping I have in place, I can’t connect vnc on my Private Network/LAN -because there’s no map to 5NNN.

This would only be true if airport has NAT Loopback.. but it is really unnecessary.


I would simply use standard 5900.. on your internal LAN.. and no port forwarding at all from NAT.


In fact the best protection is to set DMZ to non-existent address..

Apple calls it Default Host.. if there is a default host set.. anybody attempting to break in is automatically taken to an IP that either doesn't exist or is unable to respond.

User uploaded file

View in context
5 replies

There are no replies.

How to block Public TCP port and ALLOW Private port forwarding on AirPort Extreme

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple ID.
Learn more Sign up