

Inbound Rules (Port Forwarding)

Because the FWG114P v2 uses Network Address Translation (NAT), your network presents only one IP address to the Internet, and outside users cannot directly address any of your local computers. However, by defining an inbound rule, also known as port forwarding, you can make a local server (for example, a Web server or game server) visible and available to the Internet. The rule tells the router to direct inbound traffic for a particular service to one local server based on the destination port number.

Note: Some home broadband accounts do not allow you to run any server processes (such as a Web or FTP server). Your ISP may check for servers and suspend your account if it discovers active servers at your location. If you are unsure, refer to the Acceptable Use Policy of your ISP.

Follow these guidelines when setting up port forwarding inbound rules:

Remember that allowing inbound services opens holes in your FWG114P v2 Wireless Firewall/Print Server. Only enable those ports that are necessary for your network. Following are two application examples of inbound rules:

Example: Port Forwarding to a Local Public Web Server

If you host a public Web server on your local network, you can define a rule to allow inbound Web (HTTP) requests from any outside IP address to the IP address of your Web server any time of day.

Figure 6-3: Rule example: A Local Public Web Server

This rule is shown in Figure 6-3.

Example: Port Forwarding for Videoconferencing

If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule. In the example shown in Figure 6-4, CU-SeeMe is a predefined service and its connections are allowed only from a specified range of external IP addresses. In this case, we have also specified logging of any incoming CU-SeeMe requests that do not match the allowed parameters.

Figure 6-4: Rule example: Videoconference from Restricted Addresses

Example: Port Forwarding for VPN Tunnels when NAT is Off

If you want to allow incoming VPN IPSec tunnels to be initiated from outside IP addresses anywhere on the Internet when NAT is off, first create a service and then an inbound rule.

Figure 6-5: Service example: port forwarding for VPN when NAT is Off

In the example shown in Figure 6-5, UDP port 500 connections are defined as the IPSec service.

Figure 6-6: Inbound rule example: VPN IPSec when NAT is off

In the example shown in Figure 6-6, VPN IPSec connections are allowed for any internal LAN IP address.
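The three rules above can be modeled in a few lines to see which inbound connections they admit and which rules are open to every Internet address. This is an added example, not NETGEAR code: the field names, the LAN and WAN addresses, and the CU-SeeMe port range are assumptions made for illustration; only UDP port 500 for IPSec comes from this page.

```python
import ipaddress
from dataclasses import dataclass

ip = ipaddress.ip_address

@dataclass
class InboundRule:
    service: str
    proto: str
    ports: range                       # destination ports of the service
    lan_target: str                    # LAN server, or "any" when NAT is off
    wan_first: str = "0.0.0.0"         # allowed source range; default = any
    wan_last: str = "255.255.255.255"
    log_not_match: bool = False        # log requests outside the source range

    def any_source(self):
        return (self.wan_first, self.wan_last) == ("0.0.0.0", "255.255.255.255")

    def source_ok(self, src):
        return ip(self.wan_first) <= ip(src) <= ip(self.wan_last)

# Constructed sample rules; all addresses and the CU-SeeMe ports are assumptions.
RULES = [
    InboundRule("HTTP", "tcp", range(80, 81), "192.168.0.99"),
    InboundRule("CU-SeeMe", "udp", range(7648, 7653), "192.168.0.11",
                "203.0.113.10", "203.0.113.20", log_not_match=True),
    InboundRule("IPSec", "udp", range(500, 501), "any"),
]

def evaluate(rules, proto, dport, src):
    """Return (action, lan_target, logged) for one inbound connection attempt."""
    for r in rules:
        if r.proto == proto and dport in r.ports:
            if r.source_ok(src):
                return ("forward", r.lan_target, False)
            return ("drop", None, r.log_not_match)
    return ("drop", None, False)       # no inbound rule: not reachable from outside

def audit(rules):
    """List services reachable from any Internet address, for periodic review."""
    return [r.service for r in rules if r.any_source()]

if __name__ == "__main__":
    for pkt in [("tcp", 80, "198.51.100.7"), ("udp", 7648, "203.0.113.15"),
                ("udp", 7648, "198.51.100.7"), ("tcp", 23, "198.51.100.7")]:
        print(pkt, "->", evaluate(RULES, *pkt))
    print("open to any source:", audit(RULES))
```

The audit output is the list to revisit first when applying the guidance to enable only the ports your network needs.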


NETGEAR, Inc.
http://www.netgear.com
201-10301-03_V2.2, July 2005