How to set up your router securely, by understanding what ports are, and how to use them!
Ports - DMZ - Forwarding
The way the Internet works is that it uses IP addresses and protocols to communicate.
The Internet uses many protocols, but the ones you most often use are TCP and UDP.
-- We're not going to go into the difference between TCP and UDP except to say:
** TCP = "Transmission Control Protocol": Creates a connection between two devices on a network and stays connected for the duration of the session. This enables both devices to verify that all information sent has been properly received. When the communication between the two devices is done, the connection is released.
** UDP = "User Datagram Protocol": The device sending the information packages it into a nice, neat package and sends it into the network with the proper destination header. It does not make a connection to the receiving device, nor does it verify that the package arrived safely.
** TCP is more reliable because the connection between the two devices means you can ensure that ALL data is received properly, but UDP has much lower overhead.
But that's not important... what IS important is that EVERY IP ADDRESS can use either TCP or UDP
** AND each of those protocols has 65,535 available ports on which to receive data (We don't use 0)
** A port is just a "Communications Endpoint"
** In other words... EVERY address on any device has more than 130k possible ports to use...
-- And that's just counting TCP and UDP (There are other protocols)
** Each of those ports can be forwarded to a particular device on your network... which means you could theoretically access EVERY device you have on your home network without having to purchase a service or pay a subscription.
SO LET'S UNLOCK YOUR PORT POWER!!!!
There are 65,535 available ports (Unsigned 16-bit Integer: 2^16 = 65,536 - 1 [Because we don't use 0])
* The first 1024 ports are reserved for common applications
-- ftp uses 20, 21
-- ssh uses 22
-- HTTPS (SSL/TLS) uses 443
-- HTTP uses 80
When we type an address into a browser, it ASSUMES that we want port 80 because that's where HTTP services can normally be found.
* So http://192.168.1.1 is actually http://192.168.1.1:80
* That means we can tell our browser (or any application) to use a DIFFERENT port on the same IP address
-- For example... we can tell it to go to http://192.168.1.1:8080 -- and it will try to get an HTTP response from port 8080 on 192.168.1.1
Examples of applications needing port forwarding
-- FreeNAS Plex Server
-- IP Cameras
-- Minecraft Server
XBOX Live Requires the Following Ports:
3074 (UDP and TCP)
53 (UDP and TCP)
Setting User-definable Ports
* WAN response port on the 2600
* Network Cameras
Forward what you need
* We need to open the ports that are necessary for our network, then make sure that nothing else is open
Let's use the Synology RT2600AC to demo port forwarding!
1. Navigate to the Router UI
2. Open "Network Center"
3. Click on "Port Forwarding"
4. Click "Create"
5. In "Private IP Address", enter the IP address of the LAN device that you want to access from the Internet
6. In "Public Port" enter the WAN port (Internet-facing) that you want to assign to the device
7. In "Private Port" enter the LAN port (Network-facing) to which you want the device to respond
* We've got a camera that we've given a static address to at 192.168.1.5
* The camera listens on port 80 (HTTP)
* We want to be able to access that camera from the Internet on the WAN IP address, port 12345
- Private IP address: 192.168.1.5
- Public Port: 12345
- Private Port: 80
** Any device hitting our WAN address at port 12345 will be forwarded to port 80 on the device with the IP address of 192.168.1.5
Shut it Down
Now Let's Shut it down!
* We need to make sure that ONLY the ports we're using are open.
* We're going to use Nmap
I prefer the command line
* To run a scan against an IP address: "nmap <IP Address>"
- nmap 192.168.1.1
* To run a scan against a RANGE of IP addresses: "nmap <IP Address Start>-<last octet of IP Address end>"
- nmap 192.168.1.1-10
* To run a scan against an entire subnet: "nmap <IP Address>.*"
- nmap 192.168.1.*
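Once the camera forward is in place, the "shut it down" step is to scan the WAN address and confirm that ONLY the forward you created is reachable. The script below is an added example for these notes (not from the show or from Synology): it parses Nmap's grepable output (the `-oG -` flag) and compares the open ports against the forwarding rules you meant to create. The scan text, the 203.0.113.10 WAN address and the extra open ports are constructed sample data.

```python
"""Audit an nmap scan of the router's WAN address against the port forwards
we intended to create, and flag anything else that is open."""
import re

# Constructed sample of `nmap -oG - 203.0.113.10` (grepable output), not a real capture.
# Besides our camera forward (12345/tcp) it shows two ports we did NOT mean to expose.
SAMPLE_SCAN = """\
# Nmap scan initiated as: nmap -oG - 203.0.113.10
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 12345/open/tcp//unknown///, 8080/open/tcp//http-proxy///, 53/open/udp//domain///\tIgnored State: filtered (997)
# Nmap done -- 1 IP address (1 host up) scanned
"""

# The forwards we deliberately created: (protocol, public port) -> (LAN host, LAN port).
EXPECTED_FORWARDS = {
    ("tcp", 12345): ("192.168.1.5", 80),   # the IP camera from the demo
}

# Grepable port entries look like: <port>/<state>/<protocol>//<service>///
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(\w+)//")

def parse_open_ports(grepable_output):
    """Return the set of (protocol, port) pairs nmap reported as open.
    UDP probes often come back 'open|filtered'; treat those as open too,
    since an unanswered UDP port may still be forwarded."""
    open_ports = set()
    for line in grepable_output.splitlines():
        if "Ports:" not in line:
            continue
        # Keep only the Ports field; drop the tab-separated 'Ignored State' that follows.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto in PORT_RE.findall(ports_field):
            if state in ("open", "open|filtered"):
                open_ports.add((proto, int(port)))
    return open_ports

def audit(open_ports, expected):
    """Return (unexpected, missing): open ports we never forwarded, and
    forwards we created that the scan did not see as open."""
    unexpected = sorted(p for p in open_ports if p not in expected)
    missing = sorted(p for p in expected if p not in open_ports)
    return unexpected, missing

if __name__ == "__main__":
    found = parse_open_ports(SAMPLE_SCAN)
    extra, missing = audit(found, EXPECTED_FORWARDS)
    for proto, port in extra:
        print(f"UNEXPECTED: {port}/{proto} is open on the WAN side - close it or add a rule")
    for proto, port in missing:
        print(f"MISSING: forward for {port}/{proto} is not reachable from outside")
```

Run it against a real scan with `nmap -oG - <your WAN IP>` piped in place of SAMPLE_SCAN; anything in the UNEXPECTED list is a forward or router service you did not ask for.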
Connect with us!
- Don't forget to check out our large library of projects at https://twit.tv/shows/know-how.
- Join our Google+ Community.
- Tweet at us at @PadreSJ, @Cranky_Hippo, and @Anelf3.
Thanks to CacheFly for the bandwidth for this show.