
Port forwarding external ports to different internal ports

Discussion in 'DD-WRT Firmware' started by Lazybones, Oct 8, 2005.

  1. Lazybones

    Lazybones Network Guru Member

    This is sort of a feature request. Currently the web interface lets you forward a range of ports to an IP but the external port and the internal port become the same.

    What I would like is to be able to forward an external port to a different internal port. This can be very useful when running the same service on multiple machines behind it, because you could access each from a different port while still maintaining the default port on the internal system.
     
  2. Cyberian75

    Cyberian75 Network Guru Member

    That's what Port Triggering is for. Google it.
     
  3. Lazybones

    Lazybones Network Guru Member

    As I understand it Port triggering is for outbound connections, also because it is dynamic it times out.

    In other words it is useless for server applications.

    I will give you a few examples.

    1. Remote desktop. I may want to remote connect to more than one computer on my LAN behind the WRT, but I do not want to change the default port on each machine, so I set up different external ports to map to each machine on the inside.

    2. I have several servers on the inside that I want to connect to via SSH; again, without changing the port on the machine itself I can just set up a special forward.

    This can be done with iptables; it's just not possible from the web interface. I could edit the startup scripts, but that is hard for others to manage if they have no Linux or command line skills.
     
  4. rtau

    rtau Network Guru Member

    I found that you can do that with UPnP.
     
  5. aaaaaa

    aaaaaa Network Guru Member

    No, it's not. As someone else pointed out, you can do it with UPnP. However, that is an inelegant solution even when UPnP is working correctly, which AFAIK it still isn't. Thus, to do what the OP wants, one must either create the iptables rules by hand or use FWBuilder to manage the firewall, which is what I do.

    This feature should be added to the web GUI at some point.
     
  6. duomenox

    duomenox Network Guru Member

    Not correct!

    Just FYI about Port Triggering...

    Port Triggering is used to open ports that are normally closed in specific situations. For example:

    If you have a server that accepts incoming TCP communications on port 1030, but requires all other forms of data transfer to occur on ports 1031 - 1035, you could do 1 of 2 things...

    #1, statically forward ports 1030 - 1035 to your workstation (which keeps them open and could invite a doorway into your network)...

    OR

    #2, use port triggering so that when you send a packet out port 1030, it triggers the router to automatically forward ports 1031 - 1035 from that destination machine to your workstation, then after a predetermined time period, close those ports again... keeping your internal network more secure.

    What this person is asking for is known as Port Redirection. Which can be a useful feature if the Applications that are communicating do not code the port number into the data.
     
  7. Guyfromhe

    Guyfromhe Network Guru Member

    Port triggering is only useful when the port forwarding is pre-empted by something coming from the LAN. For his situation (SSH or Remote Desktop) nothing would come from the LAN when he wanted to connect in, so port triggering would be useless in this case. I don't know anything about the GUI on this firmware, but you can do it with iptables for sure; I've done it myself.
     
  8. Cyberian75

    Cyberian75 Network Guru Member

    Ok, ok, I sit corrected.
     
  9. Lazybones

    Lazybones Network Guru Member

    Well that was a fun round trip.. Almost like an echo in here. :grin:

    So to summarize

    1. Needed for server applications where connections initiate from the outside and are persistent. So port triggering is not a solution.

    2. Can already be done with iptables scripting but not present in the UI. So yes it can be done, as other routers and Linux router distros offer it in their web UI, just none of the WRT ones that I know of.

    3. Not something I want to be dynamic and hack in with UPNP, especially since it appears to be unreliable in v23.

    4. Just a feature request, one that shouldn't be that hard to implement, given that the port forwarding page is already undergoing some big changes.
     
  10. maxrebo

    maxrebo Network Guru Member

    I agree that this should be a feature. When I used a Linux box as my router, I used to do this.

    For example, my ISP blocks port 25 incoming (SMTP) so I'd have port 2525 on the WAN side forward to 25 on my mail server internally (LAN). Right now what I have been doing since I went to a Linksys router (w/ stock or DD-WRT firmware) is setup my mail server to listen on both ports.

    Having this config in the GUI makes it a lot easier to set up anything like that, since you wouldn't have to go and set up the server to listen on a non-standard port.

    This shouldn't be hard to implement since the current way of forwarding is the same way with iptables, just a different destination port. (I didn't research to see the exact command line used for the current setup; I'm just going off previous iptables experience 1+ year ago!)
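The port redirection described in posts 3 and 10 (external 3390/3391 to two RDP hosts on 3389, external 2222/2223 to two SSH hosts on 22, external 2525 to SMTP on 25) is two iptables rules per mapping: a DNAT in the nat table that rewrites the destination, and a FORWARD accept so the rewritten packet is allowed through to the LAN host. The script below is an added example, not code from the thread or from DD-WRT; the WAN interface name `vlan1`, the LAN addresses and the ports are illustrative assumptions. It validates each entry and prints the rules rather than applying them, so it can be reviewed before being fed to the router.

```shell
#!/bin/sh
# Added example (not from the thread): build the iptables rules a Linux
# router needs to redirect an external port to a different internal port.
# Interface name, LAN addresses and ports are illustrative assumptions.

WAN_IF=vlan1   # assumed WAN interface name on the router

# valid_port N: succeed only if N is an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# redirect_rules PROTO EXT_PORT INT_IP INT_PORT
# Prints two rules: the nat/PREROUTING DNAT that rewrites the destination of
# packets arriving on the WAN, and the filter/FORWARD ACCEPT that lets the
# rewritten packet reach the LAN host (without it the DNAT alone does nothing
# when the FORWARD policy is DROP).
redirect_rules() {
    proto=$1; ext=$2; ip=$3; int=$4
    case "$proto" in
        tcp|udp) ;;
        *) echo "protocol must be tcp or udp: $proto" >&2; return 1 ;;
    esac
    valid_port "$ext" || { echo "bad external port: $ext" >&2; return 1; }
    valid_port "$int" || { echo "bad internal port: $int" >&2; return 1; }
    printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$WAN_IF" "$proto" "$ext" "$ip" "$int"
    printf 'iptables -A FORWARD -i %s -p %s -d %s --dport %s -m state --state NEW -j ACCEPT\n' \
        "$WAN_IF" "$proto" "$ip" "$int"
}

# Constructed table of redirects (proto ext_port int_ip int_port) matching the
# thread's examples: two RDP hosts, two SSH hosts, and SMTP on 2525 -> 25.
REDIRECTS='
tcp 3390 192.168.1.100 3389
tcp 3391 192.168.1.101 3389
tcp 2222 192.168.1.10 22
tcp 2223 192.168.1.11 22
tcp 2525 192.168.1.25 25
'

# emit_all: print the rules for every table entry; non-zero if any entry is bad
emit_all() {
    printf '%s\n' "$REDIRECTS" | while read -r proto ext ip int; do
        [ -n "$proto" ] || continue
        redirect_rules "$proto" "$ext" "$ip" "$int" || exit 1
    done
}

# Review the output here; on the router itself you would run: emit_all | sh
emit_all
```

Each external port must be unique on the WAN side, but several external ports may point at the same internal port on different hosts, which is exactly the multi-RDP and multi-SSH case. Restricting the DNAT to `-i $WAN_IF` keeps LAN-originated traffic to the router's own ports from being rewritten.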
     
  11. 4Access

    4Access Network Guru Member

    I would really like to see this feature added to the GUI as well. I would use it quite often. It's also practically the only feature left that people can legitimately complain they can do easier in other SOHO routers running stock firmware.
     
  12. BrainSlayer

    BrainSlayer Network Guru Member

    Now a statement from me: this feature will be added, be sure.
    I'm under hard pressure to fix many known bugs on all sides, so sometimes I also forget some new important requests.
     
  13. 4Access

    4Access Network Guru Member

    BrainSlayer, you're doing a great job, don't let our requests stress you out, we're just excited! Thanks for the info though, port redirecting will be a great addition! :thumbup:
     
  14. Lazybones

    Lazybones Network Guru Member

    Glad to hear it's on the todo list, BrainSlayer. Keep up the good work.
     
  15. maxrebo

    maxrebo Network Guru Member

    Yay! Looks like it is added on Oct 11 release. I will have to go install it now I think!
     
  16. BrainSlayer

    BrainSlayer Network Guru Member

    That's true. I had a little bit of time between coffee and cigarettes.
     
  17. maxrebo

    maxrebo Network Guru Member

    Found a prob with it flipping ports around ... posted in the oct 11 thread.
     
  18. skipparoo

    skipparoo Network Guru Member

    If you're using SSH to make a remote connection to your WRT, then you can set up multiple tunnels from the SSH client on different source ports.

    Like in your example, for Remote Desktop, you can set up a tunnel on source port localhost:3390 pointing to 192.168.1.100:3389 on your LAN, and set up another on source port localhost:3391 pointing to 192.168.1.101:3389, and so on. This works very well for any TCP based program/service, and the only port you will need to open on the WRT is port 22 using a simple iptables rule, or whatever port you assign to sshd; no forwarding or redirection required. Then set up public key authentication, and you have the best end-to-end secure remote access solution on the market.

    After establishing an SSH connection (i like to use PuTTY), you can simply load RDC and make a connection to localhost:3390 (or 127.0.0.1:3390). There should be plenty of guides available on the net to do this but I can go into more detail if needed.

    Cheers,
    skip
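The tunnel layout in the post above, one local listen port per LAN host all carried over a single SSH session to the router, is most maintainable as an ssh_config stanza with one `LocalForward` line per host, so the client is started with `ssh -N wrt` instead of a long `-L` command line. The script below is an added example and not part of the post; the alias `wrt`, the hostname `router.example.org`, the key path and the LAN addresses are illustrative assumptions. It refuses a forward list that reuses a local port, since ssh would otherwise fail to bind the second listener and the tunnel would silently go to the wrong host.

```shell
#!/bin/sh
# Added example (not from the thread): build an ssh_config stanza that opens
# one local tunnel per LAN host, so that `ssh -N wrt` makes each host's RDP
# (or SSH) port reachable on a distinct 127.0.0.1 port via the router's sshd.
# Hostname, user, key path and addresses are illustrative assumptions.

# tunnel_config NAME ROUTER_HOST ROUTER_PORT "LPORT:LANIP:LANPORT ..."
# Prints the stanza; fails if the same local port is listed twice.
tunnel_config() {
    name=$1; host=$2; port=$3; forwards=$4
    seen=""
    out="Host $name
    HostName $host
    Port $port
    User root
    IdentityFile ~/.ssh/wrt_ed25519
    IdentitiesOnly yes
    PasswordAuthentication no"
    for f in $forwards; do
        lport=${f%%:*}          # local listen port on the client
        rest=${f#*:}            # LANIP:LANPORT behind the router
        case " $seen " in
            *" $lport "*) echo "duplicate local port $lport" >&2; return 1 ;;
        esac
        seen="$seen $lport"
        # bind to loopback only, so other machines cannot ride the tunnel
        out="$out
    LocalForward 127.0.0.1:$lport $rest"
    done
    printf '%s\n' "$out"
}

# forward_count NAME ROUTER_HOST ROUTER_PORT "...": number of LocalForward lines
forward_count() {
    tunnel_config "$@" | grep -c '^    LocalForward '
}

# Constructed example: two RDP hosts and two SSH hosts behind the router
FORWARDS="3390:192.168.1.100:3389 3391:192.168.1.101:3389 2222:192.168.1.10:22 2223:192.168.1.11:22"

# Append the output to ~/.ssh/config, then: ssh -N wrt
# and point the RDP client at 127.0.0.1:3390 or 127.0.0.1:3391.
tunnel_config wrt router.example.org 22 "$FORWARDS"
```

`IdentitiesOnly yes` with an explicit `IdentityFile` keeps the client from offering every key in the agent to the router, and `PasswordAuthentication no` on the client side makes a typo in the hostname fail loudly instead of prompting for a password at whatever answered.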
     
  19. BrainSlayer

    BrainSlayer Network Guru Member

    Someone didn't realize that I implemented the port redirecting feature today. Who cares :)
     
  20. Lazybones

    Lazybones Network Guru Member

    Not a big deal now since BrainSlayer has implemented the solution requested, but here is why I don't like the SSH suggestion.

    1. It's no easier to maintain than me adding the iptables rules to a script. If I am not the only one managing the router it could be difficult for another tech to set up or troubleshoot. The web interface is ideal for noobs.

    2. Requires access to an SSH client on the other end configured to act as a tunnel. I have done this; it's secure and it's great, but sometimes you are at a terminal where you only have a web browser and RDC available, with no rights to run or install an SSH client, let alone spend time configuring one. Sometimes even the SSH port is blocked on networks.
     
  21. 4Access

    4Access Network Guru Member

    While I'll admit that I do make direct RDC connections on occasion when necessary, I much prefer to tunnel them through something like ssh whenever possible. For me, it's simply a matter of knowing that RDP is susceptible to man-in-the-middle attacks that make the extra hassle of setting up an ssh tunnel worthwhile. Especially considering there are utilities out there that allow anyone with moderate networking knowledge to easily implement the attack and capture your Windows username & password, all without being detected. :ninja:
     
  22. Lazybones

    Lazybones Network Guru Member

    You see the hard part is getting in the middle to use those attacks.
     
  23. 4Access

    4Access Network Guru Member

    All an attacker has to do is be on the same LAN as you or your server. When you work from public or untrusted networks a lot, that's all too easy for my taste.
     
  24. Lazybones

    Lazybones Network Guru Member

    I work from mostly trusted sites, and it's not that simple on a switched network. You would have to know exactly what you were looking for and poison the switches' tables...

    At any rate it's not a problem for my uses.
     
  25. tempralflux

    tempralflux Network Guru Member

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP

    change the port number on each station
     
