Showing posts with label Microsoft. Show all posts

Saturday, 16 August 2014

How To Setup Port Forwarding

If you are considering hosting services (a web server, an FTP server, a game server) on your home network computers and making them reachable from the Internet, then port forwarding is a prerequisite. Port forwarding, also called port mapping, is a networking process (NAT/PAT) that redirects a connection from a remote computer on the Internet to a port on which a service is listening inside a private network. The NAT (Network Address Translation) / PAT (Port Address Translation) mechanism is enabled at the router level. Let’s look at the diagram below as an example.



The “red” line represents the Internet traffic. A workstation connects to my WAN IP address, provided by my ISP, on port 3389 (RDP). At the router level, the port value is checked against the existing port forwarding rules.
Once a matching rule is found, the router “forwards” the request to the local IP address (192.168.110.2) associated with that port, illustrated by the “blue” line.
Prerequisites:
Have a Dynamic DNS setup.
Static IP on the servers or workstations hosting the services.
The workstations hosting the services either have their firewall disabled or have an exception rule added for the service.
Steps Overview
1- Identify the host LAN IP address, from the command line or via the network interface properties
2- Identify the port listener associated with the service
3- Set up the port forwarding rule in the router
4- Connect to the service from a remote client

1- Get the LAN IP addresses

From the Command line
“Start” > “Run” > “cmd”
Type ipconfig at the prompt and hit the ENTER key.
From the output, the value that we are looking for is the “IPv4 Address”. Write down the value.
Here I only care about the workstation IP address, so plain “ipconfig” is enough. The /all switch returns much more information, such as the default gateway, DNS servers, MAC address, DHCP server and lease times.




From the network adapter settings: Start > Control Panel > Network and Sharing Center > Change adapter settings (#1)


Right-click the active network interface (#1) and choose “Status” (#2)


Click “Details” (#1); (#2) is the value of the local IP address


Identify the port.

Every server application listens on a port, a number that is unique on that host.
When a service is set up to accept connections from clients over a network, the architecture is called the “client-server” model.
For a client to connect, and authenticate, to a service hosted on a networked device, two pieces of information are required: the host IP address and the listening port.
For instance, Terminal Services or Remote Desktop Protocol listens on port 3389, a web server (IIS or Apache) on port 80, and an FTP service on port 21.
The last piece of information worth knowing is the protocol: TCP, UDP or both. When in doubt, select “Both” or “TCP/UDP”.

Setting up the port forwarding rule.

The setup takes place in the router. From the main menu, look for “Applications” and then “Port Forwarding” or “Port Range Forward”.






Based on my router, here is a detailed explanation of each value, from top to bottom.
 
“Sequence Number”: This is just an incremental value.
“Rule Name”: Mostly for record purposes. Come up with something descriptive in case the rule needs to be updated later.
“Rule Enable”: In some cases there may be a need to temporarily disable the port forwarding rule.
“External Interface”: This field is specific to my router. It supports a mobile WAN as a failover: in the event my Internet service is unavailable, I can connect a USB mobile broadband modem and keep my network online.
“Protocol”: Choices are TCP, UDP or TCP/UDP. When in doubt, choose TCP/UDP.
“External Port Range”: Ordinarily, the external port range matches the internal port range. However, for security purposes we may want to change the external port value. I will discuss that point in the best practices section. What is important for now is to understand the port forwarding concept.
“Internal IP”: Self-explanatory: enter here the IP address of the host running the application or service.
“Internal Port Range”: Port value of the service running on the internal IP host. The services we are going to make available, and their associated port numbers, are FTP 21, IIS 80 and RDP 3389.
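To make the rule fields concrete, here is an added example (my own code, not the router's firmware and not from this post) that models a router's forwarding table: the lookup it performs on an incoming WAN packet, a sanity check of each rule, and a check for the best practice discussed later of not reusing the service's default port on the WAN side. Addresses and ports follow the post (192.168.110.2; FTP 21, IIS 80, RDP 3389; RDP exposed on 4000); the rule names and the disabled FTP rule are constructed sample values.

```python
"""Port forwarding rule table (added example; not the router's firmware or
code from the post). Models the lookup a router performs on an incoming WAN
packet and checks each rule, including the post's advice of not reusing the
service's default port on the WAN side. Addresses and ports follow the post;
rule names are constructed sample values."""
from dataclasses import dataclass
from ipaddress import ip_address

# Well-known defaults the post names. An exposed default port tells an outside
# observer which client to try; changing it only hides the service from casual
# discovery, so authentication and patching still do the real work.
DEFAULT_PORTS = {21: "FTP", 80: "HTTP", 3389: "RDP"}
PROTOCOLS = ("TCP", "UDP", "TCP/UDP")


def ports(first, last=None):
    """Inclusive port range: ports(4000) covers 4000 only, ports(21, 22) both."""
    return range(first, (last if last is not None else first) + 1)


@dataclass(frozen=True)
class Rule:
    name: str
    enabled: bool
    protocol: str     # "TCP", "UDP" or "TCP/UDP"
    external: range   # port range seen on the WAN side
    internal_ip: str  # host running the service
    internal: range   # port range the service listens on


def validate(rule):
    """Return a list of problems with one rule (an empty list means it is fine)."""
    problems = []
    if rule.protocol not in PROTOCOLS:
        problems.append(f"{rule.name}: unknown protocol {rule.protocol!r}")
    if not rule.external or len(rule.external) != len(rule.internal):
        problems.append(f"{rule.name}: external and internal ranges differ in size")
    if not ip_address(rule.internal_ip).is_private:
        problems.append(f"{rule.name}: {rule.internal_ip} is not a LAN address")
    for p in rule.external:
        if p in DEFAULT_PORTS:
            problems.append(f"{rule.name}: WAN port {p} is the well-known "
                            f"{DEFAULT_PORTS[p]} port; pick a non-default port")
    return problems


def conflicts(rules):
    """Enabled rules whose WAN protocol/port combinations overlap."""
    seen, clashes = {}, []
    for r in rules:
        if not r.enabled:
            continue
        protos = ("TCP", "UDP") if r.protocol == "TCP/UDP" else (r.protocol,)
        for proto in protos:
            for p in r.external:
                if (proto, p) in seen:
                    clashes.append((seen[(proto, p)], r.name, proto, p))
                seen[(proto, p)] = r.name
    return clashes


def match(rules, protocol, ext_port):
    """What the router does per incoming packet: (internal_ip, internal_port) or None."""
    for r in rules:
        if not r.enabled or r.protocol not in (protocol, "TCP/UDP"):
            continue
        if ext_port in r.external:
            return r.internal_ip, r.internal.start + (ext_port - r.external.start)
    return None


# Constructed rule table based on the post's three services.
RULES = [
    Rule("rdp-workstation", True, "TCP", ports(4000), "192.168.110.2", ports(3389)),
    Rule("web-iis", True, "TCP/UDP", ports(80), "192.168.110.2", ports(80)),
    Rule("ftp", False, "TCP", ports(21), "192.168.110.2", ports(21)),
]

if __name__ == "__main__":
    for r in RULES:
        for problem in validate(r):
            print("warning:", problem)
    print("TCP/4000 from WAN ->", match(RULES, "TCP", 4000))
    print("TCP/3389 from WAN ->", match(RULES, "TCP", 3389))
```

Running it shows the RDP rule translating WAN port 4000 to 192.168.110.2:3389 while a direct attempt on 3389 matches nothing, and the web rule is flagged because its WAN port is the well-known HTTP port.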

RDP port forwarding rule

Web server forwarding rule

FTP port forwarding rule

Connection from a remote client to the local service.

Remote Desktop Protocol:
From the remote computer, start the RDP client.
In Windows 7:
“Start” > “Run” > “mstsc”
[Alternative] “Start” > “All Programs” > “Accessories” > “Remote Desktop Connection”
Enter the computer hostname or public IP address (#1), click “Connect” (#2). On the next dialog box, (#3) is optional, check it if unsure then click “Connect” (#4)

Screenshot: rdp-connection

If you get the authentication box, the connection has been established and the port forwarding is functional. Enter your credentials (#1). It is NOT recommended to check “Remember my credentials”, and this holds for any form of authentication: if you leave your computer unattended, a third party could gain access without having to enter the username/password combination.
Click “OK” (#3) to authenticate and access the resource.

Screenshot: rdp-credentials

Success! I was able to establish a remote desktop control into my workstation from the internet.

Screenshot: rdp-connection-established

Best practices:

Setting up port forwarding (port mapping) opens your network to the Internet. Access to your computer resources from the Internet requires two pieces of information: the WAN IP address (or its DNS name) and the port number.
You do not want to advertise your IP address in forums or on social media networks.
You do not want to use the application or service default port as the incoming port on the WAN side. It is easy to guess the service from the port. Once I know what service is behind a port, I know which client to use to try to gain access to that resource.
In my example, if port 3389 is open, it is likely that the computer accepts RDP connections, therefore I would use an RDP client to connect. I would still need to authenticate before I could access the workstation.
The idea is to pick a random port for the incoming WAN request. For this tutorial, I set the RDP port value to “4000”. Although the port is open from the Internet, it would take a lot of guessing to find out which service is really running on the home network side.
 
Screenshot: change-port
Normally, to RDP into a computer there is no need to specify the port, but since it was changed from 3389, it must be entered as shown in the screenshot below.
 
Screenshot: rdp-with-port
Screenshot: rdp-connected

Conclusion:

Once you understand the port forwarding (port mapping) concept, your data and computer resources can be accessed from anywhere an Internet connection is available.
Keep in mind that if your resources are reachable from outside, you want to monitor your server(s) for unusual behaviour: slowness, higher bandwidth usage, growing disk space usage, connection logs (from the router) and security logs (from the Windows Event Viewer), and keep your antivirus up to date.




 

Thursday, 24 October 2013

Natting - A little bit about Hair-Pin NAT ...

In the network topology below, a web server behind a router is on private IP address space, and the router performs NAT to forward traffic sent to its public IP address to the web server behind it.

Figure: Hairpin NAT 1 (topology)

The NAT configuration would look like below:


/ip firewall nat
add chain=dstnat dst-address=1.1.1.1 protocol=tcp dst-port=80 \
  action=dst-nat to-address=192.168.1.2
add chain=srcnat out-interface=WAN action=masquerade

When a client out on the Internet with IP address 2.2.2.2 establishes a connection to the web server, the router performs NAT as configured.
Figure: Hairpin NAT 2 (external client flow)

  1. the client sends a packet with a source IP address of 2.2.2.2 to a destination IP address of 1.1.1.1 on port tcp/80 to request some web resource.
  2. the router destination NATs the packet to 192.168.1.2 and replaces the destination IP address in the packet accordingly. The source IP address stays the same: 2.2.2.2.
  3. the server replies to the client's request and the reply packet has a source IP address of 192.168.1.2 and a destination IP address of 2.2.2.2.
  4. the router determines that the packet is part of a previous connection and undoes the destination NAT, and puts the original destination IP address into the source IP address field. The destination IP address is 2.2.2.2, and the source IP address is 1.1.1.1.

The client receives the reply packet it expects, and the connection is established.
When a client on the same internal network as the web server requests a connection to the web server's public IP address, the connection breaks.

Figure: Hairpin NAT 3 (internal client flow, broken)

  1. the client sends a packet with a source IP address of 192.168.1.10 to a destination IP address of 1.1.1.1 on port tcp/80 to request some web resource.
  2. the router destination NATs the packet to 192.168.1.2 and replaces the destination IP address in the packet accordingly. The source IP address stays the same: 192.168.1.10.
  3. the server replies to the client's request. However, the source IP address of the request is on the same subnet as the web server. The web server does not send the reply back to the router, but sends it back directly to 192.168.1.10 with a source IP address in the reply of 192.168.1.2.

The client receives the reply packet, but it discards it because it expects a packet back from 1.1.1.1, and not from 192.168.1.2. As far as the client is concerned the packet is invalid and not related to any connection the client previously attempted to establish.
To fix the issue, an additional NAT rule needs to be introduced on the router to enforce that all reply traffic flows through the router, despite the client and server being on the same subnet. The rule below is very specific, applying only to the traffic with which the issue can occur; if there are many servers affected, the rule could be made broader to avoid one such exception per forwarded service.

/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 \
  dst-address=192.168.1.2 protocol=tcp dst-port=80 \
  out-interface=LAN action=masquerade

Figure: Hairpin NAT 4 (internal client flow with the extra rule)

With that additional rule, the flow now changes:

  1. the client sends a packet with a source IP address of 192.168.1.10 to a destination IP address of 1.1.1.1 on port tcp/80 to request some web resource.
  2. the router destination NATs the packet to 192.168.1.2 and replaces the destination IP address in the packet accordingly. It also source NATs the packet and replaces the source IP address in the packet with the IP address on its LAN interface. The destination IP address is 192.168.1.2, and the source IP address is 192.168.1.1.
  3. the web server replies to the request and sends the reply with a source IP address of 192.168.1.2 back to the router's LAN interface IP address of 192.168.1.1.
  4. the router determines that the packet is part of a previous connection and undoes both the source and destination NAT, and puts the original destination IP address of 1.1.1.1 into the source IP address field, and the original source IP address of 192.168.1.10 into the destination IP address field.

The client receives the reply packet it expects, and the connection is established.
However, the web server only ever sees a source IP address of 192.168.1.1 for all requests from internal clients, regardless of the internal client's real IP address. There is no way to avoid this without either using a router that can do application-level DNS inspection and rewrite A records accordingly, or a split DNS server that serves the internal clients the internal server IP address and external clients the external server IP address.
This is called, among other terms, hairpin NAT because the traffic flow has clients enter the router through the same interface it leaves through, which when drawn looks like a hairpin.
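The three flows above can be replayed with a small model. The following is an added example (my own code, not from the post or from MikroTik): a toy router that applies the dst-nat rule, optionally the hairpin srcnat masquerade, and a connection-tracking table, together with a server that answers whoever the packet claims sent it and a client that only accepts a reply from the peer it addressed. Addresses are the post's own (router 1.1.1.1 / 192.168.1.1, server 192.168.1.2, clients 2.2.2.2 and 192.168.1.10); the client source port 40000 is a constructed value.

```python
"""Hairpin NAT walk-through (added example; not code from the post or from
MikroTik). A toy router applies the post's dst-nat rule, optionally the
hairpin srcnat masquerade, and a connection-tracking table; the three flows
from the post are replayed through it. Addresses are the post's own; the
client source port 40000 is a constructed value."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")
ROUTER_WAN, ROUTER_LAN = "1.1.1.1", "192.168.1.1"
SERVER, SERVICE_PORT = "192.168.1.2", 80


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class Router:
    def __init__(self, hairpin_rule):
        self.hairpin_rule = hairpin_rule
        # conntrack: translated 4-tuple -> packet as the client originally sent it
        self.conntrack = {}

    def forward(self, pkt):
        """Inbound request: chain=dstnat, then the optional hairpin srcnat."""
        if pkt.dst != ROUTER_WAN or pkt.dport != SERVICE_PORT:
            return pkt  # no dst-nat rule matches; routed unchanged
        nat = replace(pkt, dst=SERVER)  # action=dst-nat to-address=192.168.1.2
        if self.hairpin_rule and ip_address(pkt.src) in LAN:
            # src-address=192.168.1.0/24 dst-address=192.168.1.2 out-interface=LAN
            # action=masquerade: the source becomes the router's LAN address
            nat = replace(nat, src=ROUTER_LAN)
        # (the WAN masquerade rule does not apply: out-interface here is LAN)
        self.conntrack[(nat.src, nat.sport, nat.dst, nat.dport)] = pkt
        return nat

    def reply(self, pkt):
        """Server reply that reached the router: undo whatever NAT was applied."""
        orig = self.conntrack.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if orig is None:
            return pkt
        return Packet(src=orig.dst, dst=orig.src, sport=orig.dport, dport=orig.sport)


def server_reply(req):
    """The web server answers whoever the packet says sent it."""
    return Packet(src=req.dst, dst=req.src, sport=req.dport, dport=req.sport)


def run_flow(client_ip, hairpin_rule, sport=40000):
    """Replay one client -> server -> client exchange.
    Returns (request as the server sees it, reply as the client sees it, accepted)."""
    router = Router(hairpin_rule)
    request = Packet(client_ip, ROUTER_WAN, sport, SERVICE_PORT)
    at_server = router.forward(request)
    reply = server_reply(at_server)
    # The server hands the reply to the router only if the destination is the
    # router itself or off its own subnet (default gateway); an on-subnet
    # destination is delivered directly and bypasses the router's NAT.
    if reply.dst == ROUTER_LAN or ip_address(reply.dst) not in LAN:
        reply = router.reply(reply)
    # The client only accepts a reply from the peer it actually talked to.
    accepted = (reply.src, reply.sport, reply.dst, reply.dport) == \
               (request.dst, request.dport, request.src, request.sport)
    return at_server, reply, accepted


if __name__ == "__main__":
    for client, hp in (("2.2.2.2", False), ("192.168.1.10", False), ("192.168.1.10", True)):
        seen, reply, ok = run_flow(client, hp)
        print(f"client {client:13} hairpin={hp!s:5} server sees src {seen.src:13} "
              f"reply from {reply.src:13} accepted={ok}")
```

The run reproduces the post: the external client is answered from 1.1.1.1, the internal client without the extra rule gets a reply straight from 192.168.1.2 and discards it, and with the rule the reply is un-NATed to 1.1.1.1 while the server sees the router's 192.168.1.1 as the source.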


Reference: MikroTik documentation (web source).

Sunday, 11 November 2012

Installation and configuration of a DNS server in Windows Server 2008


Why we need a DNS Server in LAN (Local Area Network):

The importance of a DNS server can be judged from the fact that without DNS, computers would have a very tough time communicating with each other. However, most Windows administrators still rely on WINS for name resolution on local area networks, and some have little or no experience with DNS. Steven Warren explains how to install, configure, and troubleshoot a Windows Server 2008 DNS server.

I don't want to go into other details, but as many of you are probably aware, the Domain Name System (DNS) is now the name resolution system of choice in Windows (on any Microsoft or non-Microsoft server). Without it, computers would have a very tough time communicating with each other. However, most Windows administrators still rely on the Windows Internet Name Service (WINS) for name resolution on local area networks, and some have little or no experience with DNS. If you fall into this category, read on. We'll explain how to install, configure, and troubleshoot a Windows Server 2008 DNS server.

Installation Step by Step

You can install a DNS server from the Control Panel or when promoting a member server to a domain controller (DC) (Figure A). During the promotion, if a DNS server is not found, you will have the option of installing it.
 
Figure A

 
                 
To install a DNS server from the Control Panel, follow these steps:
  • From the Start menu, select Control Panel | Administrative Tools | Server Manager.
  • Expand and click Roles (Figure B).
  • Choose Add Roles and follow the wizard by selecting the DNS role (Figure C).
  • Click Install to install DNS in Windows Server 2008 (Figure D).

Figure B


 
 
Expand and click Roles

Figure C

 

 

DNS role

Figure D


 
Install DNS

DNS console and configuration

After installing DNS, you can find the DNS console from Start | All Programs | Administrative Tools | DNS. Windows 2008 provides a wizard to help configure DNS.
When configuring your DNS server, you must be familiar with the following concepts:
  • Forward lookup zone
  • Reverse lookup zone
  • Zone types
A forward lookup zone is simply a way to resolve host names to IP addresses. A reverse lookup zone allows a DNS server to discover the DNS name of a host from its IP address; basically, it is the exact opposite of a forward lookup zone. A reverse lookup zone is not required, but it is easy to configure and will allow your Windows Server 2008 server to have full DNS functionality.
When selecting a DNS zone type, you have the following options: Active Directory (AD) Integrated, Standard Primary, and Standard Secondary. AD Integrated stores the database information in AD and allows for secure updates to the database file. This option will appear only if AD is configured. If it is configured and you select this option, AD will store and replicate your zone files.
A Standard Primary zone stores the database in a text file. This text file can be shared with other DNS servers that store their information in a text file. Finally, a Standard Secondary zone simply creates a copy of the existing database from another DNS server. This is primarily used for load balancing.
To open the DNS server configuration tool:
  1. Select DNS from the Administrative Tools folder to open the DNS console.
  2. Highlight your computer name and choose Action | Configure a DNS Server... to launch the Configure DNS Server Wizard.
  3. Click Next and choose to configure the following: forward lookup zone, forward and reverse lookup zone, root hints only (Figure E).
  4. Click Next and then click Yes to create a forward lookup zone (Figure F).
  5. Select the appropriate radio button to install the desired Zone Type (Figure G).
  6. Click Next and type the name of the zone you are creating.
  7. Click Next and then click Yes to create a reverse lookup zone.
  8. Repeat Step 5.
  9. Choose whether you want an IPv4 or IPv6 Reverse Lookup Zone (Figure H).
  10. Click Next and enter the information to identify the reverse lookup zone (Figure I).
  11. You can choose to create a new file or use an existing DNS file (Figure J).
  12. On the Dynamic Update window, specify how DNS accepts secure, nonsecure, or no dynamic updates.
  13. If you need to apply a DNS forwarder, you apply it on the Forwarders window. (Figure K).
  14. Click Finish (Figure L).

Figure E


 
 

Figure F


 
 

Forward lookup zone

Figure G

 

 

Desired zone

Figure H


 

IPv4 or IPv6

Figure I

Reverse lookup zone

Figure J


Choose new or existing DNS file

Figure K

 


Forwarders window

Figure L

 
 
 
Now the installation is finished. From here we will start configuring the DNS server so that your clients and other services can resolve names.

Managing DNS records

You have now installed and configured your first DNS server, and you're ready to add records to the zone(s) you created. There are various types of DNS records available. Many of them you will never use. We'll be looking at these commonly used DNS records:
  • Start of Authority (SOA)
  • Name Servers
  • Host (A)
  • Pointer (PTR)
  • Canonical Name (CNAME) or Alias
  • Mail Exchange (MX)

Start of Authority (SOA) record

The Start of Authority (SOA) resource record is always first in any standard zone. The Start of Authority (SOA) tab allows you to make any adjustments necessary. You can change the primary server that holds the SOA record, and you can change the person responsible for managing the SOA. Finally, one of the most important features of Windows 2000 is that you can change your DNS server configuration without deleting your zones and having to reinvent the wheel (Figure M).

Figure M

 

 

 Change configuration

Name Servers

Name Servers specify all name servers for a particular domain. You set up all primary and secondary name servers through this record.
To create a Name Server, follow these steps:

  1. Select DNS from the Administrative Tools folder to open the DNS console.
  2. Expand the Forward Lookup Zone.
  3. Right-click on the appropriate domain and choose Properties (Figure N).
  4. Select the Name Servers tab and click Add.
  5. Enter the appropriate FQDN Server name and IP address of the DNS server you want to add.

Figure N



 

Name Server

Host (A) records

A Host (A) record maps a host name to an IP address. These records help you easily identify another server in a forward lookup zone. Host records improve query performance in multiple-zone environments, and you can also create a Pointer (PTR) record at the same time. A PTR record resolves an IP address to a host name.
To create a Host record:

  1. Select DNS from the Administrative Tools folder to open the DNS console.
  2. Expand the Forward Lookup Zone and click on the folder representing your domain.
  3. From the Action menu, select New Host.
  4. Enter the Name and IP Address of the host you are creating (Figure O).
  5. Select the Create Associated Pointer (PTR) Record check box if you want to create the PTR record at the same time. Otherwise, you can create it later.
  6. Click the Add Host button.

Figure O

To add a Host (A) record

Pointer (PTR) records

A Pointer (PTR) record creates the appropriate entry in the reverse lookup zone for reverse queries. As you saw in Figure H, you have the option of creating a PTR record when creating a Host record. If you did not choose to create your PTR record at that time, you can do it at any point.
To create a PTR record:

  1. Select DNS from the Administrative Tools folder to open the DNS console.
  2. Choose the reverse lookup zone where you want your PTR record created.
  3. From the Action menu, select New Pointer (Figure P).
  4. Enter the Host IP Number and Host Name.
  5. Click OK.
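The Host (A) and Pointer (PTR) sections above describe forward and reverse zones as mirror images, and the wizard's steps 9 and 10 ask you to name a reverse lookup zone. As an added example (my own code, not from the post and not Windows DNS), the following derives the in-addr.arpa or ip6.arpa zone name for a network, builds the PTR owner name for an address, and keeps an A record and its associated PTR in step, the way the “Create associated pointer (PTR) record” check box does. The zone `corp.example`, the host `web01` and the addresses are constructed sample values.

```python
"""Forward/reverse zone bookkeeping (added example; not code from the post or
from Windows DNS). Derives reverse lookup zone names, PTR owner names, and
keeps an A record and its associated PTR in step. Zone and host names below
are constructed sample values."""
from ipaddress import ip_address, ip_network


def reverse_zone_name(network):
    """Reverse lookup zone name for an octet-aligned IPv4 block or a
    nibble-aligned IPv6 prefix, e.g. 192.168.1.0/24 -> 1.168.192.in-addr.arpa."""
    net = ip_network(network)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 reverse zones are delegated on octet boundaries")
        octets = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(octets)) + ".in-addr.arpa"
    if net.prefixlen % 4:
        raise ValueError("IPv6 reverse zones are delegated on nibble boundaries")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def ptr_name(ip):
    """Owner name of the PTR record for an address (stdlib reverse_pointer)."""
    return ip_address(ip).reverse_pointer


class Zones:
    """A minimal stand-in for the DNS console's forward and reverse zones."""

    def __init__(self):
        self.forward = {}  # zone name -> {owner name: [(type, data), ...]}
        self.reverse = {}

    def add_zone(self, name, reverse=False):
        (self.reverse if reverse else self.forward).setdefault(name, {})

    def add_host(self, zone, host, ip, create_ptr=True):
        """New Host: add the A/AAAA record and, optionally, the matching PTR.
        Returns the reverse zone the PTR went into (None if no PTR was made)."""
        fqdn = f"{host}.{zone}"
        rtype = "A" if ip_address(ip).version == 4 else "AAAA"
        self.forward[zone].setdefault(fqdn, []).append((rtype, ip))
        if not create_ptr:
            return None
        owner = ptr_name(ip)
        # The PTR belongs in the most specific reverse zone that contains it.
        holder = max((z for z in self.reverse if owner.endswith("." + z)),
                     key=len, default=None)
        if holder is None:
            raise LookupError(f"no reverse lookup zone holds {owner}")
        self.reverse[holder].setdefault(owner, []).append(("PTR", fqdn + "."))
        return holder

    def lookup(self, name, rtype):
        """Data of all records of one type at an owner name, across all zones."""
        for zone in (*self.forward.values(), *self.reverse.values()):
            if name in zone:
                return [data for t, data in zone[name] if t == rtype]
        return []


if __name__ == "__main__":
    z = Zones()
    z.add_zone("corp.example")
    z.add_zone(reverse_zone_name("192.168.1.0/24"), reverse=True)
    print("PTR stored in", z.add_host("corp.example", "web01", "192.168.1.25"))
    print(z.lookup("web01.corp.example", "A"), z.lookup(ptr_name("192.168.1.25"), "PTR"))
```

Adding a host whose address has no reverse zone raises a LookupError; that is the situation in which the PTR has to be created later, once the reverse zone exists, as the section on Pointer records describes.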

Figure P

 

 

New Pointer

Canonical Name (CNAME) or Alias records

A Canonical Name (CNAME) or Alias record allows a DNS server to have multiple names for a single host. For example, an Alias record can have several records that point to a single server in your environment. This is a common approach if you have both your Web server and your mail server running on the same machine.
To create a DNS Alias:

  1. Select DNS from the Administrative Tools folder to open the DNS console.
  2. Expand the Forward Lookup Zone and highlight the folder representing your domain.
  3. From the Action menu, select New Alias.
  4. Enter your Alias Name (Figure Q).
  5. Enter the fully qualified domain name (FQDN).
  6. Click OK.

Figure Q


 

Alias Name

Mail Exchange (MX) records

Mail Exchange records help you identify the mail servers within a zone in your DNS database. With this feature, you can set a priority to determine which mail servers are tried first. Creating MX records will help you keep track of the location of all of your mail servers.
To create a Mail Exchange (MX) record:

  1. Select DNS from the Administrative Tools folder to open the DNS console.
  2. Expand the Forward Lookup Zone and highlight the folder representing your domain.
  3. From the Action menu, select New Mail Exchanger.
  4. Enter the Host Or Domain (Figure R).
  5. Enter the Mail Server and Mail Server Priority.
  6. Click OK.

Figure R


 

Host or Domain

Other new records

You can create many other types of records. For a complete description, choose Action | Other New Records from the DNS console (Figure S). Select the record of your choice and view the description.

Figure S


 

Create records from the DNS console

Troubleshooting DNS servers

We will not go in depth on troubleshooting, but when troubleshooting DNS servers, the nslookup utility will become your best friend. This utility is easy to use and very versatile. It's a command-line utility that is included with Windows 2008. With nslookup, you can perform query testing of your DNS servers. This information is useful in troubleshooting name resolution problems and debugging other server-related problems. You can access nslookup (Figure T) right from the DNS console.

Figure T


 
 
Thanks for reading; I would welcome your input on this blog post.
Your comments will encourage me to explore more and improve the content to help others with their problems. Feel free to write to me at arsalanh2000@gmail.com or on Twitter: arsalanh2000

Don't forget to click Follow or rate my blog ... 

 
 

Friday, 22 July 2011

Requirements in Microsoft Exchange Server 2007/2010 for inbound/outbound Email Flow (Routing)

How does inbound (receive) mail flow work?

1) The sending SMTP server queries the Domain Name System (DNS) to locate the mail exchanger (MX) resource record of the recipient's SMTP mail server. This MX record resolves to a corresponding host (A) record that gives the IP address of the recipient's SMTP mail server.

2) The sending SMTP server initiates a conversation with the recipient's SMTP server (using port 25). On an Exchange Server gateway, the recipient's SMTP server is the SMTP virtual server on the Exchange server that is configured to accept inbound mail.

3) If the message is destined for a recipient in its SMTP mail domain, the SMTP server accepts the inbound message, as defined by recipient policies.

4) When the message is accepted, it is persisted in the \Queue folder on the Exchange server. The SMTP virtual server submits the message to the Advanced Queuing Engine, which then submits the message to the message categorizer.

5) The message categorizer validates the recipients of the message, checks for proper recipient attributes, applies limits and restrictions, flags the message for local delivery, and then returns the message to the Advanced Queuing Engine.

6) The Advanced Queuing Engine submits the message to the Local Delivery queue.

7) The Exchange store receives the message from the Local Delivery queue.

8) Mail messages are delivered to the client (for example Outlook, Outlook Express, or Outlook Web Access).


Outbound mail flows through an Exchange Server deployment in the following manner:

1) Mail messages are sent from a client (Microsoft Outlook, Outlook Express, or Outlook Web Access, for example) and are submitted to the local Exchange store.

2) The Exchange store submits the message to the Advanced Queuing Engine.

3) The Advanced Queuing Engine submits the message to the message categorizer.

4) The message categorizer validates the recipients of the message, checks for proper recipient attributes, applies limits and restrictions, flags the message for local or remote delivery, and then returns the message to the Advanced Queuing Engine.

5) If for local delivery, the Advanced Queuing Engine submits the message to the Local Delivery queue, and the Exchange store receives the message from the Local Delivery queue.

6) If for remote delivery, the Advanced Queuing Engine submits the message to the Routing Engine. The Routing Engine determines the most efficient route for mail delivery, returns the message to the Advanced Queuing Engine, which in turn submits the message for remote delivery. The message is then sent via SMTP to a remote SMTP host or to the Internet.

How do external DNS queries work?

When a DNS client needs to resolve the name of a server, it queries the DNS servers. Each query that the client sends essentially asks the DNS server to provide the information. The client specifies the query type, which can either indicate a resource record by type or a specialized type of query operation. For example, to find SMTP mail servers from the Internet, specify the query type MX (mail exchanger resource record).

For example, the name that is specified could be an external domain, such as example.microsoft.com., and the query type that is specified to look for could be an MX record by that name. Think of a DNS query as a client asking a server a two-part question: First, "Do you have any MX resource records for a domain named 'example.microsoft.com.'?" followed by "If so, can you resolve this MX record to an A (host) record and resolve its IP address?" When the client receives an answer from the server, it reads and interprets the MX record and gets the A record, thereby resolving the computer's IP address.


1. At a command prompt, type nslookup, and then press ENTER.
2. Type server <IP address>, where IP address is the IP address of your external DNS server, and then press ENTER.
3. Type set q=MX, and then press ENTER.
4. Type <domain name>, where domain name is the name of your domain, and then press ENTER. The MX record for the domain you entered should be displayed. If the MX record is not displayed, DNS is not configured properly.

The example below shows how MX records appear; the domain queried here is pdc.edu.pk.
C:\> nslookup
Default Server:  pdc.edu.pk
Address:  192.168.3.10
> server 111.68.97.17
Default Server:  dns1.example.com
Address:  111.68.97.17
> set q=mx
> pdc.edu.pk.
Server:  dns1.pdc.edu.pk
Address:  111.68.97.17
pdc.edu.pk   MX preference = 10, mail exchanger = mail1.pdc.edu.pk
pdc.edu.pk   MX preference = 10, mail exchanger = mail2.pdc.edu.pk
pdc.edu.pk   MX preference = 10, mail exchanger = mail3.pdc.edu.pk
pdc.edu.pk   MX preference = 10, mail exchanger = mail4.pdc.edu.pk
pdc.edu.pk   MX preference = 10, mail exchanger = mail5.pdc.edu.pk
mail1.pdc.edu.pk     internet address = 111.68.99.10
mail2.pdc.edu.pk     internet address = 111.68.99.11
mail3.pdc.edu.pk     internet address = 111.68.99.12
mail4.pdc.edu.pk     internet address = 111.68.99.13
mail5.pdc.edu.pk     internet address = 111.68.99.14

In this example, the preconfigured DNS server is behind a proxy server. Therefore, an external (Internet) DNS server with a known IP address of 111.68.97.17 was used to perform the query. Next, the query type was set to MX to locate the mail exchangers for pdc.edu.pk. In this example, five SMTP servers are equally balanced, each with its own IP address. However, your domain might only have a single entry, as seen in the following example:

contoso.com   MX preference = 10, mail exchanger = mailbox.contoso.com
mailbox.contoso.com     internet address = 10.57.22.3