forward-basic · revision 2023/10/26 17:27 (current) by hogwild, edit summary "[Advanced Scenarios] -condense"; previous revision 2023/06/21 03:50 by hogwild, edit summary "-explain Protocol bullet text"
====== Port Forwarding - Basic ======
  
When traffic is initiated from the Internet towards FreshTomato's WAN IP on a specific port, it is either answered by FreshTomato (if a service is enabled for the port) or dropped. However, in some situations you'll want traffic arriving on a WAN port always redirected to a specific LAN IP address and port. This is useful for applications such as an internal web or mail server, gaming, VoIP or certain VPN tunnelling protocols. The Basic Port Forwarding menu allows you to do this. Keep in mind that every rule you add deliberately exposes one LAN service to the Internet, so forward only what needs to be reachable from outside.
  
 \\

==== NAT ====

NAT (Network Address Translation) allows multiple LAN clients with private (non-routable) IP addresses to connect to the Internet via a single public IP address. NAT rewrites the source address of outgoing packets from private LAN clients to FreshTomato's public (WAN) address. Conversely, it rewrites the destination address of the incoming reply packets to the private IP address of the correct LAN client. All of this is transparent: neither the LAN hosts nor the Internet hosts know it's happening. In other words, NAT takes traffic from network 1 and makes it appear on network 2 as if it came from the router's IP address on network 2. The cache of address mappings and open/closed connections is called the NAT table.

Connections initiated from the Internet will not reach a LAN IP address, because the PAT (Port Address Translation) table contains no mapping for them, and the router drops them. By coincidence, this acts as a minimal security feature. It is a side effect of translation rather than a firewall, and every port forwarding rule you add opens a deliberate path through it.
  
 \\
  
==== PAT ====

There are several types of NAT. The most common, and the one relevant for FreshTomato, is PAT (Port Address Translation), which FreshTomato performs by default. With PAT, translation happens not only between private and public IP addresses but also between ports. For example, a connection from 192.168.0.100 to google.com creates a NAT mapping that lets the return packets be sent to the correct LAN device on the correct port. In some cases, however, you may want one port on the WAN always mapped/redirected to a single LAN client.

NOTE: Some older firmware versions have an obsolete setting in the Miscellaneous section of the //Advanced///[[advanced-routing|Routing]] menu that suggests FreshTomato can operate in Gateway mode or Router mode. Ignore this, and leave it set to "Gateway", regardless of your configuration.
  
 \\
  
[[https://wiki.freshtomato.org/lib/exe/detail.php?id=basic&media=a16bb07aecd3c3d8967615c6fef64760.png|{{:a16bb07aecd3c3d8967615c6fef64760.png}}]]

 \\
  
**On:** Checking this enables the settings in that row of the table. (Default: Off).
  
**Protocol:** This selects which transport layer protocols are forwarded. (Default: UDP)
  * TCP - only TCP connections are forwarded
  * Both - both UDP and TCP connections are forwarded

 \\

[[https://wiki.freshtomato.org/lib/exe/detail.php?id=basic&media=b8fb9f003cf7ce3ff22f2bd6f1cfccbc.png|{{:b8fb9f003cf7ce3ff22f2bd6f1cfccbc.png?758}}]]
  
 \\
  
**Src Address**: (Optional). This restricts the rule so it applies only to traffic from specific source addresses. DNS hostnames, FQDNs and IP addresses are all valid here. Leaving this empty applies the port forwarding to traffic "from any address". A hostname is resolved to its addresses when the firewall rules are loaded, not per packet, so if its address later changes the rule keeps matching the old address until the firewall rules are reloaded. Restricting the source narrows who can reach the forwarded service, but it is not authentication: UDP source addresses in particular are easily spoofed.
  
**Ext Port:** This defines a mapping to the (external) port the Internet connection expects to use. It can be a single port or a range, with syntax: "FromPort-ToPort".
  
**Int Port:** (Optional). Here, you can specify a different (internal) port on the target LAN IP address. Leaving this empty uses the same port as the Ext Port setting. \\ (Default: empty).
  
**Int Address:** This specifies the internal (LAN) IP address to which the traffic should be redirected.
  
**Description:** Here, enter any text to help you remember the reason for the mapping. Most users enter the application name, or protocol used, such as "RDP" or "Mail Server".

 \\
  
 \\

==== Advanced Scenarios ====

Only one rule can claim a given external socket (port and protocol combination) at a time. For example, once port 80 is redirected to 192.168.1.10, that port is "taken" from the router's pool and every inbound connection to it lands on that LAN address. There are, however, two ways to multiplex several internal hosts behind the same external port.

=== Reverse Proxy ===

A proxy must speak the application protocol it forwards; an HTTP proxy cannot serve SMTP, for example. If you need to forward HTTP for several internal hosts through the same external port, a reverse proxy is the usual solution. HTTP/1.1 requires the client to name the target host in the Host header of every request, so the proxy can read it and relay the request to the matching internal host. Nginx can act as such a reverse proxy for HTTP and HTTPS. For HTTPS the Host header is inside the encrypted stream, so the proxy either terminates TLS itself (and must hold a certificate for each hostname it serves) or routes on the Server Name Indication (SNI) field of the TLS ClientHello, which is sent in the clear.
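The following is an added example, not nginx's code or anything from the FreshTomato project. It shows the Host-based decision at the heart of an HTTP reverse proxy: parse the head of an HTTP/1.1 request, pick the internal host from the Host header (or from the hostname of an absolute-form request target, which takes precedence under RFC 7230 section 5.4), and refuse requests that cannot be routed unambiguously, such as one carrying two Host headers. The routing table and its LAN addresses are constructed placeholders.

```python
"""Host-based back-end selection, the core of an HTTP reverse proxy.

Added illustration, not nginx's code. It parses the head of an HTTP/1.1
request, chooses an internal host by the Host header (or by the hostname of
an absolute-form request target, which takes precedence under RFC 7230
section 5.4), and rejects requests it cannot route unambiguously. The
back-end addresses are constructed placeholders.
"""
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Constructed routing table: external hostname -> (LAN address, port).
ROUTES: Dict[str, Tuple[str, int]] = {
    "www.example.com": ("192.168.1.10", 80),
    "mail.example.com": ("192.168.1.11", 80),
}


def parse_request_head(raw: bytes):
    """Split a request head into (method, target, version, headers).

    Header names are lower-cased. A repeated Host header is rejected: two
    different Host values would let a client steer the request past the
    intended back-end, a classic routing/smuggling ambiguity.
    """
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.split(b"\r\n")
    # Exactly three space-separated tokens; anything else raises ValueError.
    method, target, version = lines[0].decode("ascii").split(" ")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError("malformed header line")
        key = name.decode("ascii").strip().lower()
        if key == "host" and key in headers:
            raise ValueError("duplicate Host header")
        headers[key] = value.decode("latin-1").strip()
    return method, target, version, headers


def select_backend(raw: bytes, routes: Dict[str, Tuple[str, int]] = ROUTES) -> Tuple[str, int]:
    """Return the (address, port) of the internal host for this request."""
    _method, target, _version, headers = parse_request_head(raw)
    if target.startswith(("http://", "https://")):
        host = urlsplit(target).hostname  # absolute-form target wins over Host
    else:
        if "host" not in headers:
            raise ValueError("no Host header: cannot choose a back-end")
        # Prefixing "//" lets urlsplit strip an optional :port and IPv6 brackets.
        host = urlsplit("//" + headers["host"]).hostname
    if not host or host.lower() not in routes:
        raise LookupError(f"no back-end for host {host!r}")
    return routes[host.lower()]


if __name__ == "__main__":
    req = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: demo\r\n\r\n"
    print(select_backend(req))
```

A real proxy would then open a connection to the chosen back-end, relay the request with the original Host header, and stream the response back; this block stops at the routing decision because that is the part which makes one external port serve several internal hosts.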

=== Source Bound Redirection ===

If the source IP address or FQDN of the remote peer is known in advance, you can create several mappings for the same port:protocol combination, as long as each rule has a different Src Address. Keep the source-restricted rules above the catch-all rule with an empty Src Address, since firewall rules are evaluated in order and the first match wins. The following settings would work:
  
 \\

 {{:pasted:20231026-084901.png?750}}

 \\

The settings above would cause traffic from the IP address(es) of "source.example.com" towards ports 80 and 443 on the router to be redirected to the LAN address given in that rule. Traffic on those ports that is //not// from source.example.com would instead be redirected to the different LAN IP address in the catch-all rule.
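The following is an added example, not FreshTomato's own code. It models how a Basic Port Forwarding table like the one above is applied to inbound WAN traffic, using the field semantics described on this page (On, Protocol, Src Address, Ext Port, Int Port, Int Address), and also illustrates the NAT section's point that inbound traffic with no matching mapping goes nowhere. Assumptions are spelled out in the code: rules are evaluated in table order with first match winning (as an iptables PREROUTING chain does), hostnames in Src Address are taken as already resolved, and a non-empty Int Port is treated as a single internal port. The table, including 203.0.113.10 standing in for the resolved address of source.example.com, is constructed.

```python
"""Model of how a Basic Port Forwarding table is applied to inbound WAN traffic.

Added illustration, not FreshTomato's own code. It mimics the behaviour this
page describes for the On, Protocol, Src Address, Ext Port, Int Port and
Int Address fields, and assumes (as an iptables PREROUTING chain does) that
rules are evaluated in table order and the first match wins.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class ForwardRule:
    on: bool
    proto: str         # "UDP", "TCP" or "Both"
    src: str           # "" = any source; otherwise an IP or CIDR (hostnames assumed already resolved)
    ext_port: str      # "80" or a range "6000-6010"
    int_port: str      # "" = keep the external port; otherwise one internal port (model assumption)
    int_addr: str      # LAN address the traffic is redirected to
    description: str = ""


def _port_range(spec: str) -> Tuple[int, int]:
    """Parse "80" -> (80, 80) and "6000-6010" -> (6000, 6010)."""
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def rule_matches(rule: ForwardRule, proto: str, src_ip: str, dst_port: int) -> bool:
    """True when an enabled rule covers this protocol, source and external port."""
    if not rule.on:
        return False
    if rule.proto != "Both" and rule.proto != proto:
        return False
    if rule.src and ip_address(src_ip) not in ip_network(rule.src, strict=False):
        return False
    lo, hi = _port_range(rule.ext_port)
    return lo <= dst_port <= hi


def forward(table: List[ForwardRule], proto: str, src_ip: str,
            dst_port: int) -> Optional[Tuple[str, int]]:
    """Return (int_addr, int_port) from the first matching rule, or None when no
    rule matches: without a mapping the router answers the packet itself or drops it."""
    for rule in table:
        if rule_matches(rule, proto, src_ip, dst_port):
            return rule.int_addr, (int(rule.int_port) if rule.int_port else dst_port)
    return None


# Constructed example table mirroring the Source Bound Redirection scenario.
# 203.0.113.10 stands in for the resolved address of source.example.com; all
# addresses are documentation-range placeholders.
SOURCE_EXAMPLE_COM = "203.0.113.10"
TABLE = [
    ForwardRule(True, "TCP", SOURCE_EXAMPLE_COM, "80", "", "192.168.1.20", "web, partner only"),
    ForwardRule(True, "TCP", SOURCE_EXAMPLE_COM, "443", "", "192.168.1.20", "https, partner only"),
    ForwardRule(True, "TCP", "", "80", "8080", "192.168.1.10", "public web, internal port 8080"),
    ForwardRule(True, "TCP", "", "443", "", "192.168.1.10", "public https"),
    ForwardRule(True, "Both", "", "6000-6010", "", "192.168.1.30", "game server"),
    ForwardRule(False, "TCP", "", "3389", "", "192.168.1.40", "RDP, switched off"),
]


def misordered(table: List[ForwardRule]) -> List[ForwardRule]:
    """Same rules with every catch-all (empty Src Address) moved ahead of the
    source-restricted ones, to show why ordering matters."""
    return [r for r in table if not r.src] + [r for r in table if r.src]


if __name__ == "__main__":
    probes = [("TCP", SOURCE_EXAMPLE_COM, 80), ("TCP", "198.51.100.7", 80),
              ("UDP", "198.51.100.7", 80), ("UDP", "198.51.100.7", 6005),
              ("TCP", "198.51.100.7", 3389)]
    for proto, src, port in probes:
        print(proto, src, port, "->", forward(TABLE, proto, src, port))
    print("catch-all first:", forward(misordered(TABLE), "TCP", SOURCE_EXAMPLE_COM, 80))
```

Running the block shows the partner address reaching 192.168.1.20 while everyone else on the same port reaches 192.168.1.10, a UDP probe to a TCP-only rule and a probe to the switched-off RDP rule getting no mapping at all, and the same partner traffic being swallowed by the catch-all once the rules are reordered.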
  
 \\
  
  
forward-basic.1687315821.txt.gz · Last modified: 2023/06/21 03:50 by hogwild