I am using a BSNL broadband connection with a DSL router that acts as the default gateway for many wireless devices. One such device is my server. I have bought a static IP on lease, so that all traffic to that IP is directed to the router.
But forwarding requests from the router to my server (which is connected using WiFi) requires port forwarding (got help from here). Port forwarding on the BSNL DSL router can be done by going to the VIRTUAL SERVER section of the NAT section. There I have forwarded all requests on port 8080 (my JBoss uses port 8080) to the server, which has the internal IP address 192.168.1.7.
I am able to connect to the internet from the server (192.168.1.7), and all the devices connected to the router via WiFi are able to ping each other. But traffic on port 8080 is not being directed to the server.
What can be the possible reasons for this?
NOTE
I am able to access the server when my request URL is http://192.168.1.7:8080/myapp. But when my URL is http://118.XXX.XXX.XXX:8080/myapp, I am not able to access it. 118.xxx.xxx.xxx is the public IP of the router.
This is what I was trying to say but couldn't get together correctly :) A great explanation. – The_aLiEn – 2012-07-27T17:52:57.723
@David Schwartz : it works! I tried it from a different network. Thanks :) In the previous scenario, is the connection terminated during the TCP handshake itself? One more doubt - in point 3 you said, "The router NATs the destination to the LAN machine, but the source address is unmodified (still the LAN machine that originated the request)." When the packet has reached the router, isn't it the router's responsibility to change the source address at layer three to the public IP address (since this is the function of NAT)? – Ashwin – 2012-07-27T18:14:13.600
@Ashwin: 1) The TCP handshake will never complete because the source machine will never receive the reply it is expecting. 2) Port forwarding doesn't involve changing the source address, just the destination. When you port forward to a server, the server still sees the unmodified origin IP address for the connections forwarded to it. – David Schwartz – 2012-07-27T19:37:11.073
@DavidSchwartz : I think I am still confused. I am trying to access 74.125.236.165 (public IP of Google) from one of the devices (forget the server). In this device, during layer 3 encapsulation, the source IP is 192.168.1.5. This is forwarded to the router (which is the default gateway). The router has to hide this private source address. So it functions as a NAT. Doesn't it change this source IP to the public IP of the router? (hiding many private IPs behind one single public IP) – Ashwin – 2012-07-28T07:43:59.730
@Ashwin: Yes, of course. But we were talking about port forwarding (inside destination), not masquerading (outside destination). Masquerading changes the source but not the destination. Port forwarding changes the destination and not the source. – David Schwartz – 2012-07-28T18:49:40.580
@DavidSchwartz : "Port forwarding (rewriting the destination address) only works from the outside to the inside, not from the inside to the inside" - can you explain this part in the above scenario? – Ashwin – 2012-12-23T06:19:53.693
@Ashwin: For machines from the outside, the server's route to the source IP address already takes the packet back to the router, so the router has an opportunity to NAT the replies. This is not so for machines on the inside. The server's route to inside machines doesn't go through the router, so there's no opportunity for the router to NAT the replies. – David Schwartz – 2013-01-20T16:30:18.287
@DavidSchwartz Okay. So you're on a LAN laptop and you want to, for example, SSH to a server you have on your LAN as well. So you try to SSH to your forwarded port, say 14522 for 192.168.1.154:22 (port number only being cosmetically named to avoid being the standard port). SO! You hit your public IP (outside interface of the router) on port 14522. Shouldn't it, coming from internal, get NATed to a public IP with a source port of whatever, then get hit on the outside interface at port 14522, forward that packet to the internal IP, and then the internal IP respond back to the public IP on the – PsychoData – 2013-09-24T03:47:53.820
source port. The router gets its response (on another generated port sourced from the server but destined for one more than the source port from the laptop's outgoing connection) and then forwards the traffic to the laptop when it gets the response. Then the connection just goes on like normal? Or am I misunderstanding part of how NAT works? – PsychoData – 2013-09-24T03:50:07.817
@PsychoData What you're missing is that the server will send the reply packet (with a private source IP address, since that's all it has) directly to the destination, since it's local. That gives the router no opportunity to change the source address to the public IP address. The router would need to rewrite the source IP address (of the packets going to the server) from the source's local IP address to the router's own IP address, which is a form of dual NAT, not mere port forwarding. – David Schwartz – 2013-09-24T03:52:15.997
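A constructed Python model of the two router behaviours David Schwartz contrasts above: destination-only port forwarding versus dual (hairpin) NAT. This is added illustration, not code from any poster; 192.168.1.7:8080 is the forward target from the question, while the client 192.168.1.5, the router addresses 192.168.1.1 and 118.0.0.1, the outside client 203.0.113.9 and the router-chosen port 40000 are assumptions for the example.

```python
"""Model why a LAN client cannot reach its own forwarded port without hairpin NAT.
Addresses below are placeholders for the example; 118.0.0.1 stands for the
public IP the question writes as 118.xxx.xxx.xxx."""
from dataclasses import dataclass

LAN_PREFIX = "192.168.1."
ROUTER_LAN, ROUTER_PUB = "192.168.1.1", "118.0.0.1"
SERVER = ("192.168.1.7", 8080)             # VIRTUAL SERVER target from the question
FORWARD = {(ROUTER_PUB, 8080): SERVER}     # the single port-forward rule
HAIRPIN_PORT = 40000                       # assumed port the router picks for dual NAT


@dataclass(frozen=True)
class Packet:
    src: tuple   # (ip, port)
    dst: tuple   # (ip, port)


def on_lan(ip):
    return ip.startswith(LAN_PREFIX)


def router_forward(pkt, hairpin):
    """Apply the port-forward rule. Returns the packet sent toward the server."""
    if pkt.dst not in FORWARD:
        return None
    src = pkt.src
    if hairpin and on_lan(pkt.src[0]):
        # dual NAT: rewrite the source too, so the reply is forced back via the router
        src = (ROUTER_LAN, HAIRPIN_PORT)
    return Packet(src, FORWARD[pkt.dst])


def deliver_reply(reply, client):
    """Route the server's SYN-ACK: via the router, or directly on the LAN."""
    if reply.dst[0] == ROUTER_LAN or not on_lan(reply.dst[0]):
        # router sees the reply and undoes both translations
        return Packet((ROUTER_PUB, 8080), client)
    return reply     # LAN-local delivery; the router never touches this packet


def connect(client_ip, hairpin):
    """Client connects to the public IP:8080. Returns (source the client sees, handshake ok)."""
    syn = Packet((client_ip, 50000), (ROUTER_PUB, 8080))
    fwd = router_forward(syn, hairpin)
    synack = Packet(fwd.dst, fwd.src)      # server answers whatever source it saw
    seen = deliver_reply(synack, syn.src)
    # the client's TCP stack only accepts a SYN-ACK from the address it sent the SYN to
    return seen.src, seen.src == syn.dst
```

Running `connect("192.168.1.5", False)` shows the LAN client receiving a SYN-ACK from 192.168.1.7:8080 rather than 118.0.0.1:8080, which its TCP stack discards; an outside client, or a hairpin-capable router, gets the expected source.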
@DavidSchwartz but wouldn't it do that and be responding to its own public IP? – PsychoData – 2013-09-24T04:37:57.877
@PsychoData The server has no idea what its public IP is. It only has a private IP address assigned to it. – David Schwartz – 2013-09-24T14:03:14.733
@DavidSchwartz right, but wouldn't the request going to the outside interface get NATed and then have a public IP? And then the server (private address though it has) responds to that public IP generated by NAT. This way, neither would know that it was talking to a computer on the same network, but rather to that public IP address from the NAT? – PsychoData – 2013-09-24T17:30:39.530
I'm a bit confused about this because I seem to be doing this exact thing while I'm at my house. But it's working. I'm connecting to a dyndns domain which sends me back to my public IP address and then I connect to my server through the DynDNS domain, which then, I assume, connects back to my same public IP address where my laptop is. Eg. on my laptop I SSH to Psycho@psychodata.no-ip.org:14522 which updates through an update client on the server to my home internet's public IP. Works flawlessly. Isn't this the same thing just with an extra step? – PsychoData – 2013-09-24T17:36:32.227
@PsychoData Yes. Which means your router supports dual NAT, not just port forwarding. If you look at the connections on the server, you'll see the source IP address has been changed to the router's IP address. – David Schwartz – 2013-09-24T23:10:01.107
@DavidSchwartz I don't understand. I can't find anything about "dual NAT" anywhere. I can find stuff about "double" NAT or NAT behind NAT, but not "dual". Yes, as you said, I see they are from the router's public IP address. But this just seems like my router is working like I would expect and his isn't. PS. I have a Linksys WRT54G, plain firmware. – PsychoData – 2013-09-25T04:10:48.147
It just seems weird that the router doesn't NAT to the public IP on the way out for the request, NAT the response coming back, and just forward the ports when something hits on the forwarded ports.
So, SSH to dyndns.address.com:14522, request goes out, gets NATed to public IP, hits router's outer interface on forwarded port, gets forwarded to server, response from server gets NATed, response hits source port from request, source port response goes to the requester. Connection works as expected? – PsychoData – 2013-09-25T04:11:58.997
@PsychoData Port forwarding does not involve rewriting the source IP address of connections. If your router is rewriting the source IP address of connections and the destination address, then it's doing dual NAT, NAT both before and after routing. – David Schwartz – 2013-09-25T17:53:36.430
I'm saying that shouldn't the router NAT on the way out before it tries any port forwarding? NAT to a public IP, then hit the router's outside interface on the port and get forwarded, same thing on the way back, but with the standard generated source port reply of course. – PsychoData – 2013-09-25T18:44:37.387
@PsychoData One can certainly argue that it should, but many routers don't support dual NAT, nor will they NAT connections that both originate and terminate on the LAN side. – David Schwartz – 2013-09-28T02:18:31.707
@DavidSchwartz Where can I read more about NAT vs dual NAT? I'm just confused because I can't find anything about it anywhere. – PsychoData – 2013-09-28T03:29:30.490
@PsychoData RFC 5382 is a good place to start. – David Schwartz – 2013-09-28T03:39:06.337