www.vitenka.com | ToothyWiki | Vitenka | RecentChanges | Login | Webcomic

Here commenceth the lesson.

Every host on the internet (which means every webserver, mail server etc. - and most games too) is capable of running more than one network connection at once. (And almost always does so)
'ports' are one way of splitting these up. They're just a number which is sent along with your request for the service (so when you ask for a webpage, an email or whatever, your computer sends a port number along with the request.)

Popular services generally have well known ports. For example, almost all mail servers run on port 23 and 110. Almost all webservers run on port 80 etc. etc. (In fact, URLs allow you to specify a port as part of the URL: The full URL for rpg.net is: http://www.rpg.net:80/ If the :80 isn't given, then it will find the default for http - which is 80, and send that.)

Right. Now, on to your router.

Your router is actually a NAT box. Network Address Translation.
(I can tell this, because only NAT boxes need to, and are able to, offer port forwarding.)
NAT means that the rest of the internet sees one IP address for your compuer (host names like www.rpg.net get turned into IP addresses like because computers prefer numbers) whilst everything on the OTHER side of the NAT box has its own set of addresses (usually 192.168.*.* or 10.*.*.* - because those are reserved and won't clash with anything else visible on the public internet)
This means that you can have two computers on your side of the NAT (called, maybe, and but the rest of the world sees only a single address (say...
The NAT box translates outgoing requests that say "I've come from 192.blah" to instead say "I've come from 131.blah" and vice versa.

Port forwarding, then, is allowing it to do the reverse.
If someone sends YOUR computer a request, out of the blue, with no prior warning, then the NAT box panics and says "I don't know what to do with this! Which of the (potentially thousands) of the computers on the local side should I pass this on to?"

Forwarding is a way to tell the NAT, in advance: "Any requests to this particular port, should be passed on to this particular computer"
So you could tell it "Hey! My webserver is on So pass any requests from the outrside world to me on port 80, on to that local IP." and it will, and your webserver will be visible to the outside world. Yay you!

Triggering is similar, except there you tell the NAT "Watch what's going on on the inside world - and if you see me SEND anything from a particular computer, on a particular port, then you know that is where you should send things on that port, from now on"

You will certainly already have SOME triggering turned on, or the NAT would be useless. For example, you'll send out a request for this web-page (on some port, to port 80 on www.rpg.net) and www.rpg.net will need to reply - the NAT knows that you've recently sent some stuff ONE way (the request) and so allows the answer to come back via the same route. (Rather than sending it to your other computer(s) - which would go "Oh! A webpage. How nice... Wait! I didn't ask for that! Blarg! I die now!")

So this is what NAT is, and why you need port forwarding and triggering.

Note that NAT is not perfect - some services (notably filesharing via ftp) really don't play well with it. (Usually because they do something like: I send on port 1234, then reply on port (made up number that you told me to) and you reply by carrier pigeon...) and need special rules to cope with it.
Better (read: more expensive) NAT devices know about these special cases and are set up to cope with it. (Or, more often, to listen for and deliberately BLOCK it.)

Here endeth the lesson.

Short version:
If you have multiple computers and want to run services, including file sharing or some games then you want to turn it on.

Advanced answer:

Actually, there are some ways to 'punch holes' in a NAT box, tricking it into opening a route. Many clients now do this, so you may not need this service.
Futhermore, there is a service called uPnP? which is a way to let your computer talk to the box and do all this configuring FOR you. If you have it, you may want to take a risk and use it.
And finally, there is DMZ (de-militarised zone) which is ashortcut way to tell the NAT box: "Anything I haven't given you some other way of dealing with - send it to THIS computer." Make sure that the 'this' computer is able to deal with every worm and virus that comes its way! Turning this feature on means that you lose ALL the security of running a NAT - but can be useful if (for some reason) you only have a single computer behind it.

www.vitenka.com | ToothyWiki | Vitenka | RecentChanges | Login | Webcomic
This page is read-only | View other revisions | Recently used referrers
Last edited January 11, 2007 10:33 am (viewing revision 1, which is the newest) (diff)