July 6th, 2004 05:14 AM
Home NAT Routers: Port Triggering/Special Applications
You probably read that if an application that uses the internet doesn't work with your NAT router, it's because of the way NAT works. However, Port Triggering might solve the problem. It is a way to open up certain ports to the internet when needed. Most home/SOHO (Small Office Home Office) routers that use NAT also have support for Port Triggering.
The trigger port is the outgoing (destination) port that the application uses. The incoming ports are the ports that are needed by the application for it to work, and are opened after the trigger port is, well, triggered.
Consider this example. You are using an Instant Messaging service. When you sign on, you connect to the server at port 5000. You want your friend to use a "direct connect" feature to connect to your computer at port 4096 to share files or whatever. This doesn't work with a pure NAT router, because it denies the connection. Actually, it really denies it because it is NAT, and because it is NAT, it doesn't know what computer that data is for, so it denies it to be safe (unless you set Port Triggering).
If you go to the Port Triggering/Special Applications page on your NAT router, you can set the trigger port to 5000, and the incoming ports to 4096. Why? Because when you connect, or "sign on", your router sees that you are connecting to port 5000, the trigger port. So it then opens port 4096 for you, and forwards all requests for port 4096 to your computer. Now your friend can connect to your computer.
Ok, now let's talk security. If we use the same example, every time you sign on the router is going to open port 4096 and forward any requests to your computer. Now, when you sign off, the router doesn't "know" that you signed off, so it will still forward all requests to port 4096 to your computer. It will do this until it times out (when it sees that there has been no data going through that port and it thinks you're done). My router's timeout is 5 minutes, but yours might be slightly different.
Even if it doesn't time out for another five minutes, you are safe anyway because your computer closed that port since you signed off, and will deny any connections. You will also be safe because you (should be) using a firewall that only allows your IM program to accept connections to port 4096.
Realize the difference between what I explained, Port Triggering, and Virtual Servers. There is a big difference. The difference with Virtual Servers is that it is permanent; the router will forward all requests for port X to your computer, and there is no timeout. This is only needed if you are running a server of some type.
Two more things: You cannot specify TCP or UDP when setting up Special Applications. To your router it doesn't matter whether a TCP or UDP port was requested, it is going to open up the port(s) anyway. Also, note that at any given time, only one computer can use each defined "Port Trigger".
Here is a link that has a list of applications that work with Port Triggering, along with the right port numbers, and a better explanation if you need one.
Happy July 4th weekend
Either get busy living or get busy dying.
-The Shawshank Redemption
July 6th, 2004 04:01 PM
Your article was very useful. The online help for my d-link router assumes you know what you're doing but that isn't always the case. I learned the hard way to get it.