Mar 20th 2017

Know How... 295

Networking 101: Ports

Ports, DMZ, Forwarding, and NMAP!

How to set up your router securely, by understanding what ports are, and how to use them!

Port Forwarding

Ports - DMZ - Forwarding
    Basic Information:
    The way the Internet works is that it uses IP addresses and protocols to communicate.
    
    The Internet uses many protocols, but the ones you most often use are TCP and UDP.
    -- We're not going to go into the difference between TCP and UDP except to say:
    ** TCP = "Transmission Control Protocol": Creates a connection between two devices on a network and stays connected for the duration of the session. This enables both devices to verify that all information sent has been properly received. When the communication between the two devices is done, the connection is released.
    
    ** UDP = "User Datagram Protocol": The device sending the information packages it into a nice, neat package and sends it into the network with the proper destination header. It does not make a connection to the receiving device, nor does it verify that the package arrived safely.
    
    ** TCP is more reliable because the connection between the two devices means you can ensure that ALL data is received properly, but UDP has much lower overhead.
    
    But that's not important... what IS important is that EVERY IP ADDRESS can use either TCP or UDP
    ** AND each of those protocols has 65,535 available ports on which to receive data (We don't use 0)
       ** A port is just a "Communications Endpoint"
    ** In other words... EVERY address that any device has offers more than 130k possible ports to use...
    -- And that's just counting TCP and UDP (There are other protocols)
    
    ** Each of those ports can be forwarded to a particular device on your network... which means you could theoretically access EVERY device you have on your home network without having to purchase a service or pay a subscription.
    
    SO LET'S UNLOCK YOUR PORT POWER!!!!
    
    There are 65,535 available ports (Unsigned 16-bit integer: 2^16 = 65,536, minus 1 because we don't use 0)
    * The first 1024 ports are reserved for common applications
    -- FTP uses 20, 21
    -- SSH uses 22
    -- SSL (HTTPS) uses 443
    -- HTTP uses 80
    
    When we type an address into a browser, it ASSUMES that we want port 80 because that's where HTTP services can normally be found.
    * So http://192.168.1.1 is actually http://192.168.1.1:80
    * That means we can tell our browser (or any application) to use a DIFFERENT port on the same IP address
    -- For example... we can tell it to go to http://192.168.1.1:8080 -- and it will try to get an HTTP response from port 8080 on 192.168.1.1
    
    Examples of applications needing port forwarding
    -- FreeNAS Plex Server
    -- IP Cameras
    -- Minecraft Server
    -- Pogoplug
    
    XBOX Live Requires the Following Ports:
    88 (UDP)
    3074 (UDP and TCP)
    53 (UDP and TCP)
    80 (TCP)
    500 (UDP)
    3544 (UDP)
    4500 (UDP)
    
    Minecraft
    25565 (TCP/UDP)

Port Setting

Setting User-definable Ports
    * WAN response port on the 2600
    * Network Cameras
    
Forward what you need

    * We need to open the ports that are necessary for our network, then make sure that nothing else is open
    
    Let's use the Synology RT2600AC to demo port forwarding!
    
    1. Navigate to the Router UI
    2. Open "Network Center"
    3. Click on "Port Forwarding"
    4. Click "Create"
    5. In "Private IP Address", enter the IP address of the LAN device that you want to access from the Internet
    6. In "Public Port" enter the WAN port (Internet-facing) that you want to assign to the device
    7. In "Private Port" enter the LAN port (Network-facing) to which you want the device to respond
    
    Example:
    * We've got a camera that we've given a static address to at 192.168.1.5
    * The camera listens on port 80 (HTTP)
    * We want to be able to access that camera from the Internet on the WAN IP address, port 12345
    * So:
       - Private IP address: 192.168.1.5
       - Public Port: 12345
       - Private Port: 80
    ** Any device hitting our WAN address at port 12345 will be forwarded to port 80 on the device with the IP address of 192.168.1.5

Shut it Down

Now Let's Shut it down!
    * We need to make sure that ONLY the ports we're using are open.
    * We're going to use NMAP
    
    https://nmap.org/
    
    I prefer the command line
    * To run a scan against an IP address: "nmap <IP Address>"
        - nmap 192.168.1.1
    
    * To run a scan against a RANGE of IP addresses: "nmap <IP Address Start>-<last octet of IP Address end>"
        - nmap 192.168.1.1-10
    
    * To run a scan against an entire subnet: "nmap <first three octets>.*"
        - nmap 192.168.1.*
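As an added example that is not from the show, here is a small Python audit that ties the forwarding rules above to the scan: it parses nmap's grepable output (`nmap -p- -oG`) of your WAN address, taken from outside your network, and reports any open port that no forwarding rule explains, plus any forward whose public port did not show up open. The scan text, the 203.0.113.10 WAN address and the Minecraft host's LAN address are constructed; a plain nmap scan covers TCP only, so UDP forwards such as the Xbox Live ports need a separate `-sU` scan.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Forward:
    """One port-forwarding rule as entered in the router UI."""
    public_port: int    # WAN (Internet-facing) port
    proto: str          # "tcp" or "udp"
    private_ip: str     # LAN device that receives the traffic
    private_port: int   # port the LAN device listens on

# Rules from the episode's examples; the Minecraft host's LAN address is made up.
RULES = [
    Forward(12345, "tcp", "192.168.1.5", 80),      # camera: WAN 12345 -> camera HTTP
    Forward(25565, "tcp", "192.168.1.20", 25565),  # Minecraft server (TCP side)
]

# Constructed stand-in for `nmap -p- -oG wan.gnmap 203.0.113.10` run from outside the LAN.
SAMPLE_GNMAP = """\
# Nmap scan initiated (constructed sample)
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 80/open/tcp//http///, 12345/open/tcp//unknown///, 25565/closed/tcp//minecraft///\tIgnored State: filtered (65532)
"""

# Grepable output lists each port as port/state/protocol/owner/service/rpc/version.
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(tcp|udp)/")

def open_ports(gnmap: str) -> set:
    """Return the set of (port, proto) pairs nmap reported as open."""
    found = set()
    for line in gnmap.splitlines():
        if "Ports:" not in line:
            continue
        for port, state, proto in PORT_RE.findall(line.split("Ports:", 1)[1]):
            if state == "open":
                found.add((int(port), proto))
    return found

def audit(rules, scanned):
    """Return (unexpected, missing): open ports no rule explains, and rules
    whose public port was not seen open (service down or rule mistyped)."""
    expected = {(r.public_port, r.proto) for r in rules}
    return sorted(scanned - expected), sorted(expected - scanned)

if __name__ == "__main__":
    unexpected, missing = audit(RULES, open_ports(SAMPLE_GNMAP))
    # In the sample, WAN port 80 is open but no rule forwards it (e.g. remote admin left on).
    print("Unexpected open ports (close these):", unexpected)
    print("Forwards not reachable (check the rule or service):", missing)
```

Anything in the "unexpected" list is exactly what the "nothing else is open" rule above is about: find the router setting or stale rule behind it and turn it off, then re-scan.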
    
    
Shields Up
https://www.grc.com/shieldsup

Thanks to CacheFly for the bandwidth for this show.