Technical Discussion
  >> Home Networking, Internet Connection Sharing, etc.


Standard User Ancient_Mariner
(eat-sleep-adslguide) Tue 22-Aug-23 20:56:59

Port Forwarding vs Opening Ports

Back in the summer of 2021 I asked here for help regarding a BT Business Hub and a Siemens Building Management System for a Village Hall. The problem turned out to be two Siemens units having incompatible firmware; once resolved, all was good.

However, BT Business have been upping their charges and it was time to look elsewhere. Since there are no outgoing telephone calls made and there was a need for a static IP, a SoGEA service from Andrews and Arnold with VoIP to divert incoming calls on the old BT number was ideal. Plus we now have FTTC rather than ADSL2.

Anyway, problem now is getting the Siemens equipment to work remotely through a DrayTek Vigor 2762 Router.

I am out of my comfort zone on this, not helped by Siemens talking about Opening Ports whereas from the Print Screen I took of the BT Business Hub, it was using Port Forwarding. The DrayTek offers Port Redirection (which I assume is Port Forwarding) and Open Ports.

This is explained at https://www.draytek.com/support/manuals/vigor2762 between pages 133 and 144.

So grateful if someone can give an explanation on the difference between Port Forwarding and Opening of Ports – especially since when using the BT Hub it appeared to be Port Forwarding rather than the Siemens requested Port Opening! Thanks.

Cheers!

Clive

Andrews & Arnold Home::1 FTTP Technicolor DGA0122 Cisco ATA191 for A&A VoIP together with a HUAWEI E5776 with O2 Data SIM
Standard User Michael_Chare
(knowledge is power) Tue 22-Aug-23 21:59:20

Re: Port Forwarding vs Opening Ports

[re: Ancient_Mariner]

How do you access the Siemens equipment when you are on site? Can you use a web browser to access its IP address?

If so you could configure the Vigor to forward some 5 digit port number such as 54321 to port 80 at the Siemens IP address. You would need to know the WAN IP address of the Vigor, perhaps by having a fixed IP address.

Michael Chare
Standard User Ancient_Mariner
(eat-sleep-adslguide) Tue 22-Aug-23 22:42:30

Re: Port Forwarding vs Opening Ports

[re: Michael_Chare]

On site I can access it via a PC connected to the same router as the Siemens, at an IP address 192.168.1.xxx. No problem.

Previously, when using the BT Hub and broadband, from my home PC it was the fixed IP of the village hall followed by :nnnn

nnnn appears to be an External Port, since it is shown as such on the BT Hub printout, but where it came from I don't as yet know. With the BT Hub they had values for both External and Internal Ports.

Anyway, I tried using the Open Ports method on the DrayTek this afternoon, using a screen print from the BT Hub as a guide, but fell foul of the Note that is half way down on page 140 of the DrayTek manual I listed. That same note appears on page 134 for Port Forwarding, which is rather worrying since to the uninitiated it does not make much sense!

Cheers!

Clive

Andrews & Arnold Home::1 FTTP Technicolor DGA0122 Cisco ATA191 for A&A VoIP together with a HUAWEI E5776 with O2 Data SIM


Standard User Michael_Chare
(knowledge is power) Tue 22-Aug-23 23:30:45

Re: Port Forwarding vs Opening Ports

[re: Ancient_Mariner]

In reply to a post by Ancient_Mariner:
Anyway, I tried using the Open Ports method on the DrayTek this afternoon, using a screen print from the BT Hub as a guide, but fell foul of the Note that is half way down on page 140 of the DrayTek manual I listed. That same note appears on page 134 for Port Forwarding, which is rather worrying since to the uninitiated it does not make much sense!


I presume that you will not be configuring the router to use a VPN so I suggest that you ignore that note. The manual shows the default values that those VPNs could use.

Michael Chare
Standard User ian72
(eat-sleep-adslguide) Wed 23-Aug-23 08:47:41

Re: Port Forwarding vs Opening Ports

[re: Ancient_Mariner]

The difference in the terms is generally down to whether the device you are connecting to the Internet has its own dedicated IP or whether you are using NAT to share a public IP between a number of internal devices.

If the device has a public IP then you would open the ports to it on the firewall.

If the device is using NAT and sharing a public IP then you would use port forwarding.

In reality at a consumer level and for your requirements there isn't much difference between the 2 options.

Assuming you are using NAT, the instructions for the Siemens BMS should tell you what ports are required incoming (you don't need to do anything for outgoing ports, as by default outgoing wouldn't be restricted). You then set the rules in the router so that those ports are forwarded to the IP address of the device. Best to set a static IP allocation in the router for the device so that it doesn't change IP addresses, or you'd have to change the forwards every time the IP of the device changed.
Standard User Pheasant
(eat-sleep-adslguide) Thu 24-Aug-23 03:23:58

Re: Port Forwarding vs Opening Ports

[re: Ancient_Mariner]

In reply to a post by Ancient_Mariner:
So grateful if someone can give an explanation on the difference between Port Forwarding and Opening of Ports – especially since when using the BT Hub it appeared to be Port Forwarding rather than the Siemens requested Port Opening! Thanks.

So just a couple of thoughts:

1. Make sure the internal IP addresses of the Siemens devices dished out by the DrayTek box are "sticky" - that is, they should be fixed rather than dynamic addresses (either from your DHCP setup or manually). Otherwise it's likely the local addresses will alter over the course of devices rebooting etc. and screw things up when trying to access locally as well as remotely if you're just connecting via an IP address.

2. Opening the ports on the DrayTek should be done minimally; that is, the lowest possible number of ports to function, to reduce the attack surface open to the internet. Also consider limiting the remote access to IP address ranges that you trust/know (like that of your own ISP public IP address) only, rather than the entire wide open internet.

3. Consider using an arbitrary/high port number(s) that is opened rather than the typical 80 or 8080.

4. Set up the port forwarding to the fixed/sticky internal IP address of the Siemens device that needs remote access - you ought to be able to forward to the standard port of that device - so for example external port 58062 is opened and is forwarded ---> port 80 on 192.168.x.y. In other words 100.20.30.40:58062 --> 192.168.x.y:80. You might need to do this for more than one port as necessary. So for external access via browser you'd point to 100.20.30.40:58062 and if you were sitting on the LAN you'd just go to 192.168.x.y:80
Standard User andynormancx
(experienced) Thu 24-Aug-23 11:14:19

Re: Port Forwarding vs Opening Ports

[re: Ancient_Mariner]

One of the challenges here is that "opening ports" is a vague, poorly defined phrase.

I've seen it used to mean opening ports on the router to give access to resources on the router. But I've also seen it used to refer to port forwarding, mapping virtual ports on the router to devices/machines on the internal network.

Sounds like in this case it is referring to port forwarding.
Standard User prlzx
(experienced) Thu 24-Aug-23 13:12:34

Re: Port Forwarding vs Opening Ports

[re: andynormancx]

(opening ports) indeed.

Really, port forwarding refers to a combination of destination NAT plus allowing traffic to the translated address/port.
The translated destination port can be the same as or different from the original destination port.
It's usually different if it was originally http/s (80/443) so as not to conflict with the router's own web interface itself.

Opening ports can more broadly refer to allowing something in the Firewall even if NAT is not required, and the destination can be the router itself or a reachable IP on the other side of the router (regardless of inbound of outbound).

On my ISP firewall/router for example I have a port forward translating to the private IPv4 of a WireGuard host, but also a port open to the (global scope) IPv6 address of the same WireGuard host (no NAT).

If I had multiple web servers internally the router's IPv6 firewall could have the http/s port open to any/all of them since the destination is not the router.

Ah ok ian72 and Pheasant already covered this I see.



prlzx on Zen: FTTC (VDSL) at ~40Mbps / 10Mbps
with IP4/6 (no v6? - not true Internet)

Edited by prlzx (Thu 24-Aug-23 13:14:18)

Standard User Ancient_Mariner
(eat-sleep-adslguide) Sun 03-Sep-23 20:16:14

Re: Port Forwarding vs Opening Ports

[re: Ancient_Mariner]

Solved!

The Building Management System Engineer found that the BT Hub's and the DrayTek's default gateways were different. He updated as required and now all is OK.

I wish that there was a book in the style of "Idiots Guide to Networking" oh, just Googled before I posted and I can see that there is! blush I will have to investigate!

Cheers!

Clive

Andrews & Arnold Home::1 FTTP Technicolor DGA0122 Cisco ATA191 for A&A VoIP together with a HUAWEI E5776 with O2 Data SIM
Standard User Pipexer
(eat-sleep-adslguide) Sun 03-Sep-23 21:43:48

Re: Port Forwarding vs Opening Ports

[re: Ancient_Mariner]

Do you have a need for both the Business Hub and the DrayTek router? It sounds as though there is unnecessary added complication in the setup.

Andrews & Arnold Home ::1 on Draytek 2862ac - Why settle for inferior?
Standard User PCJM40
(newbie) Sun 03-Sep-23 21:57:14

Re: Port Forwarding vs Opening Ports

[re: Pipexer]

In reply to a post by Pipexer:
Do you have a need for both the Business Hub and the DrayTek router? It sounds as though there is unnecessary added complication in the setup.
I don't think both are being used as I thought the BT Business Hub had been replaced with the DrayTek after the service was moved from BT to Andrews and Arnold.

Edited by PCJM40 (Sun 03-Sep-23 22:03:09)

Standard User Pheasant
(eat-sleep-adslguide) Mon 04-Sep-23 09:03:39

Re: Port Forwarding vs Opening Ports

[re: Ancient_Mariner]

That would make sense given they are (a) different boxes and (b) different ISPs.

Sounds like the addressing was hard coded on the Honeywell gear rather than using DHCP (with static address assignments) on the router. The latter is often a more elegant / efficient / centralised way of managing this.

Something to consider next time you update the router and/or ISP changes.
Standard User pyarwood
(newbie) Mon 04-Sep-23 17:53:43

Re: Port Forwarding vs Opening Ports

[re: Ancient_Mariner]

Both Open Port and Port Redirect are port forwarding.

The only difference is that Open Port forwards the port on the same port: say you open port 80 and port 80 gets forwarded.

With Port Redirect you can open port 1000 and it forwards the traffic to another port, say 80.

In your situation I would say OPEN the required port on the DrayTek, unless you need to open the same port for different internal devices; then you can use Port Redirect.

Say device 1: 8080 redirected to port 80 at device 1's IP,
and device 2: 8081 redirected to port 80 at device 2's IP.
Standard User pyarwood
(newbie) Mon 04-Sep-23 17:59:02

Re: Port Forwarding vs Opening Ports

[re: ian72]

You're wrong here: the router always does the NAT and every device shares its external dedicated IP or dynamic one (I very much doubt they have a block of IPs, but even then the NAT would direct the traffic).

Port Redirect and Port Open are both port forwarding, but with Redirect you can have different ports.
Standard User pyarwood
(newbie) Mon 04-Sep-23 18:04:49

Re: Port Forwarding vs Opening Ports

[re: andynormancx]

It is actually referring to both: the router does care if the destination is on the router or another device, it just forwards to the IP of the device required.

The fact it's shown in different places on the menus is just the way the interface was designed. Router destinations do take priority over external devices though.
Standard User pyarwood
(newbie) Mon 04-Sep-23 18:08:31

Re: Port Forwarding vs Opening Ports

[re: prlzx]

Most people who are hosting a web page would redirect the router port so as to pass port 80/443 traffic. It is also good procedure to change the router port for the security of the router: if port 80 is externally forwarded to the router it's easier to attack.
Standard User prlzx
(experienced) Mon 04-Sep-23 21:13:56

Re: Port Forwarding vs Opening Ports

[re: pyarwood]

My post was correct as written and for the contexts I qualified, and no, it is not called port forwarding if the destination IP address in the original packet is not on the router itself but is the address of a host behind it. In that case you are only opening a port for the specified destination and the router does not need to process the payload or modify the layer 3 or higher headers itself.

It is only port forwarding if NAT is required to translate the destination IP by modifying the layer 3 (network) and possibly 4 (transport) header prior to onward delivery.

I gave an example for my WireGuard setup where it is not port forwarding because it is IPv6, which is functionally analogous in IPv4 to having a public subnet routed to you for a network set up behind your own router, but still governed by the default block-from-external firewall policy.

It was an attempt to describe the terms more precisely in case users need to work with a real router / firewall platform beyond how most SOHO boxes use or misuse the terminology.



prlzx on Zen: FTTC (VDSL) at ~40Mbps / 10Mbps
with IP4/6 (no v6? - not true Internet)

Edited by prlzx (Mon 04-Sep-23 21:18:54)
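The distinction drawn in the post above (open port: accept with no header rewrite; port forward: destination NAT that rewrites the destination IP and possibly the port), together with the steps in Pheasant's earlier post (external high port forwarded to the device's standard port, a second device on the same public IP needing its own external port, source restricted to a trusted range) and alexatkin's source allowlist, as an added worked example. This is a small Python model of a gateway's inbound rule table written for this page; it is not code from the thread, from DrayTek firmware or from pfSense. The addresses, ports, and the `Packet`/`Rule`/`process`/`classify` names are assumptions for illustration (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 and 2001:db8::/32 are documentation ranges; 58062 is the arbitrary high port from the thread):

```python
"""Toy model of a gateway's inbound rule table (added example, not from the
thread or from any router firmware).  It separates the two operations the
thread argues about:

  * open port     - a firewall ACCEPT for a destination that is already
                    routable (the router itself, or a host with its own
                    public/global address); nothing is rewritten;
  * port forward  - destination NAT: the packet's destination IP (and, for
                    "port redirection", also the destination port) is
                    rewritten before the packet is sent on.

All addresses and ports are illustrative (documentation ranges).
"""
from dataclasses import dataclass, replace
from typing import Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str            # source IP as seen on the WAN side
    dst: str            # destination IP as the packet arrives at the gateway
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    proto: str
    dst: str                              # address the packet must carry on arrival
    dport: int
    new_dst: Optional[str] = None         # set -> DNAT (port forward); None -> plain open port
    new_dport: Optional[int] = None       # None -> keep the original port (DrayTek "Open Ports" style)
    allowed_sources: Tuple[str, ...] = ()  # empty -> any source; otherwise a CIDR allowlist

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto or pkt.dport != self.dport:
            return False
        if ipaddress.ip_address(pkt.dst) != ipaddress.ip_address(self.dst):
            return False
        if not self.allowed_sources:
            return True
        src = ipaddress.ip_address(pkt.src)
        # ip_network.__contains__ is False across address families, so a v6
        # source never matches a v4 allowlist entry and vice versa.
        return any(src in ipaddress.ip_network(cidr) for cidr in self.allowed_sources)


def process(pkt: Packet, rules) -> Tuple[str, Packet]:
    """Return (verdict, packet as delivered).  Default inbound policy is drop;
    rules are evaluated in order and the first match wins."""
    for rule in rules:
        if not rule.matches(pkt):
            continue
        if rule.new_dst is None:
            return "open", pkt            # accepted and delivered unchanged
        dport = pkt.dport if rule.new_dport is None else rule.new_dport
        return "forwarded", replace(pkt, dst=rule.new_dst, dport=dport)
    return "dropped", pkt


# Constructed configuration for the scenario in the thread (assumed values).
WAN_V4 = "192.0.2.10"          # the router's fixed public IPv4
BMS_LAN = "192.168.1.50"       # Siemens BMS, given a fixed DHCP reservation
NAS_LAN = "192.168.1.51"       # a second internal web UI, also listening on 80
WG_V6 = "2001:db8:1::50"       # host with its own global IPv6 address
HOME = "198.51.100.0/24"       # the only source range allowed to reach the BMS

RULES = [
    # Port redirection: WAN:58062 -> BMS:80, from the trusted range only.
    Rule("tcp", WAN_V4, 58062, new_dst=BMS_LAN, new_dport=80, allowed_sources=(HOME,)),
    # A second device behind the same public IP needs its own external port.
    Rule("tcp", WAN_V4, 58063, new_dst=NAS_LAN, new_dport=80),
    # Open port, no NAT: the WireGuard host is addressed directly by its
    # global IPv6 address; the firewall only has to allow UDP/51820 to it.
    Rule("udp", WG_V6, 51820),
]


def classify(src: str, dst: str, dport: int, proto: str = "tcp") -> Tuple[str, str, int]:
    """Verdict plus where the packet actually ends up (destination IP, port)."""
    verdict, out = process(Packet(src, dst, dport, proto), RULES)
    return verdict, out.dst, out.dport


if __name__ == "__main__":
    for args in [("198.51.100.7", WAN_V4, 58062),          # forwarded to BMS:80
                 ("203.0.113.9", WAN_V4, 58062),           # dropped: source not allowlisted
                 ("203.0.113.9", WAN_V4, 58063),           # forwarded to NAS:80
                 ("203.0.113.9", WAN_V4, 80),              # dropped: nothing forwards WAN:80
                 ("2001:db8:2::1", WG_V6, 51820, "udp")]:  # open, delivered unchanged
        print(args, "->", classify(*args))
```

Two things the model makes visible that a router GUI hides: the "open port" and "forwarded" verdicts differ only in whether the delivered packet's destination was rewritten, and a source allowlist is just an extra match condition on the same rule, so a forward that is "only from my ISP's range" is one rule, not a forward plus a separate firewall entry.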

Standard User pyarwood
(newbie) Tue 05-Sep-23 00:58:39

Re: Port Forwarding vs Opening Ports

[re: prlzx]

In computer networking, port forwarding or port mapping is an application of network address translation (NAT) that redirects a communication request from one address and port number combination to another while the packets are traversing a network gateway, such as a router or firewall. This technique is most commonly used to make services on a host residing on a protected or masqueraded (internal) network available to hosts on the opposite side of the gateway (external network), by remapping the destination IP address and port number of the communication to an internal host.[1][2]
Standard User alexatkin
(member) Tue 05-Sep-23 07:22:45

Re: Port Forwarding vs Opening Ports

[re: prlzx]

What makes this worse is that consumer routers will open the ports automatically for a port forward, and AFAIK not all of them will even give you access to opening ports, nor will they tell you what was opened for NAT on the ones that do, in order to make sure users do not break the configuration. Networking is so dumbed down for people with zero knowledge that some people don't even know the difference between broadband and WiFi; it's a bit of a security nightmare to be honest.

It's taken many years with pfSense for me to get my head around how all this fits together, given that while it too automatically adds the rule, you get to see and modify it should you need something different.

For example, in my case I have a geoblock whitelist on my port forward so only UK/US traffic gets past the firewall, which blocks almost all hack attempts hitting my home server as they tend to come from other countries where I do not need the server accessible from anyway.

I'd never touch a consumer router again now, as once you get your head around this stuff it's so much more flexible, and my networking knowledge is still fairly basic, though I think it's fair to say well above average.

Edited by alexatkin (Tue 05-Sep-23 07:26:59)

Standard User Pheasant
(eat-sleep-adslguide) Tue 05-Sep-23 07:50:39

Re: Port Forwarding vs Opening Ports

[re: pyarwood]

Respectfully whilst this is fascinating it’s a bit like telling @prlzx how to suck eggs. 😅

The issue has been resolved; it wasn't one of port forwarding (or whatever combination thereof anyway), so this discussion is all a bit, well, pointless and after the fact.
Standard User andynormancx
(experienced) Tue 05-Sep-23 09:03:10

Re: Port Forwarding vs Opening Ports

[re: pyarwood]

I wasn't talking about it in relation to the Draytek UI. I was talking about the general use of the terms.
Standard User prlzx
(experienced) Tue 05-Sep-23 11:44:13

Re: Port Forwarding vs Opening Ports

[re: Pheasant]

I was going to give them some leeway if this is only the second forum they have posted in, but yes, just posting the introduction section of the Wikipedia article without saying it's a quote is both easy to spot and not stellar when ignoring the context in which a response was provided.

But as you said the OP was subsequently resolved and I was just being a bit prickly about being unnecessarily "corrected".



prlzx on Zen: FTTC (VDSL) at ~40Mbps / 10Mbps
with IP4/6 (no v6? - not true Internet)
Standard User Pheasant
(eat-sleep-adslguide) Tue 05-Sep-23 17:25:07

Re: Port Forwarding vs Opening Ports

[re: prlzx]

Has someone unleashed another ChatGPT bot? 🤣
Standard User prlzx
(experienced) Tue 05-Sep-23 20:57:47

Re: Port Forwarding vs Opening Ports

[re: Pheasant]

In reply to a post by Pheasant:
Has someone unleashed another ChatGPT bot? 🤣

Someone referred to LLMs as just long form predictive text generators with auto-correct and now I am unable to un-see it.



prlzx on Zen: FTTC (VDSL) at ~40Mbps / 10Mbps
with IP4/6 (no v6? - not true Internet)

Edited by prlzx (Tue 05-Sep-23 21:01:03)
