Standard User Ancient_Mariner
(eat-sleep-adslguide) Tue 22-Aug-23 20:56:59

Port Forwarding vs Opening Ports

 
Back in the summer of 2021 I asked here for help regarding a BT Business Hub and a Siemens Building Management System for a Village Hall. Once the problem was resolved – it was due to two Siemens units having incompatible firmware. Once resolved all was good.

However, BT Business have been upping their charges and it was time to look elsewhere. Since there are no outgoing telephone calls made and there was a need for a static IP a SoGEA service from Andrews and Arnold with VoIP to divert incoming calls on the old BT number was ideal. Plus we now have FTTC rather than ADSL2.

Anyway, problem now is getting the Siemens equipment to work remotely through a DrayTek Vigor 2762 Router.

I am out of my comfort zone on this, not helped by Siemens talking about Opening Ports whereas from the Print Screen I took of the BT Business Hub, it was using Port Forwarding. The DrayTek offers Port Redirection (which I assume is Port Forwarding) and Open Ports.

This is explained at https://www.draytek.com/support/manuals/vigor2762 between pages 133 and 144.

So grateful if someone can give an explanation on the difference between Port Forwarding and Opening of Ports – especially since when using the BT Hub it appeared to be Port Forwarding rather than the Siemens requested Port Opening! Thanks.

Cheers!

Clive

Andrews & Arnold Home::1 FTTP Technicolor DGA0122 Cisco ATA191 for A&A VoIP together with a HUAWEI E5776 with O2 Data SIM
Standard User Michael_Chare
(knowledge is power) Tue 22-Aug-23 21:59:20

Re: Port Forwarding vs Opening Ports

[re: Ancient_Mariner]
 
How do you access the Siemens equipment when you are on site? Can you use a web browser to access its IP address?

If so you could configure the Vigor to forward some 5 digit port number such as 54321 to port 80 at the Siemens IP address. You would need to know the WAN IP address of the Vigor perhaps by having a fixed IP address.

Michael Chare
Standard User Ancient_Mariner
(eat-sleep-adslguide) Tue 22-Aug-23 22:42:30

Re: Port Forwarding vs Opening Ports

[re: Michael_Chare]
 
On site I can access via a pc connected to the same router as the Siemens to an IP address 192.168.1.xxx No problem.

Previously when using the BT Hub and broadband, from my home pc it was the fixed IP of the village hall followed by :nnnn

nnnn appears to be an External Port, since shown as such on the BT Hub printout, but where it came from I don't as yet know. With the BT Hub they had values for both External and Internal Ports.

Anyway, I tried using the Open Ports method on the DrayTek this afternoon, using a screen print from the BT Hub as a guide, but fell foul of the Note that is half way down on page 140 of the DrayTek manual I listed. That same note appears on page 134 for Port Forwarding; which is rather worrying since to the uninitiated it does not make much sense!

Cheers!

Clive

Andrews & Arnold Home::1 FTTP Technicolor DGA0122 Cisco ATA191 for A&A VoIP together with a HUAWEI E5776 with O2 Data SIM



Standard User Michael_Chare
(knowledge is power) Tue 22-Aug-23 23:30:45

Re: Port Forwarding vs Opening Ports

[re: Ancient_Mariner]
 
In reply to a post by Ancient_Mariner:
Anyway, I tried using the Open Ports method on the DrayTek this afternoon, using a screen print from the BT Hub as a guide, but fell foul of the Note that is half way down on page 140 of the DrayTek manual I listed. That same note appears on page 134 for Port Forwarding; which is rather worrying since to the uninitiated it does not make much sense!


I presume that you will not be configuring the router to use a VPN so I suggest that you ignore that note. The manual shows the default values that those VPNs could use.

Michael Chare
Standard User ian72
(eat-sleep-adslguide) Wed 23-Aug-23 08:47:41

Re: Port Forwarding vs Opening Ports

[re: Ancient_Mariner]
 
The difference in the terms is generally down to whether the device you are connecting to the Internet has its own dedicated IP or whether you are using NAT to share a public IP between a number of internal devices.

If the device has a public IP then you would open the ports to it on the firewall.

If the device is using NAT and sharing a public IP then you would use port forwarding.

In reality at a consumer level and for your requirements there isn't much difference between the 2 options.

Assuming you are using NAT then the instructions for the Siemens BMS should tell you what ports are required incoming (you don't need to do anything for outgoing ports as by default outgoing wouldn't be restricted). You then set the rules in the router so that those ports are forwarded to the IP address of the device. Best to set a static IP allocation in the router for the device so that it doesn't change IP addresses or you'd have to change the forwards every time the IP of the device changed.
Standard User Pheasant
(eat-sleep-adslguide) Thu 24-Aug-23 03:23:58

Re: Port Forwarding vs Opening Ports

[re: Ancient_Mariner]
 
In reply to a post by Ancient_Mariner:
So grateful if someone can give an explanation on the difference between Port Forwarding and Opening of Ports – especially since when using the BT Hub it appeared to be Port Forwarding rather than the Siemens requested Port Opening! Thanks.

So just a couple of thoughts:

1. Make sure the internal IP addresses of the Siemens devices dished out by the DrayTek box are "sticky" - that is they should be fixed rather than dynamic addresses (either from your DHCP setup or manually). Otherwise it's likely the local addresses will alter over the course of devices rebooting etc and screw things up when trying to access locally as well as remotely if you're just connecting via an IP address.

2. Opening the ports on the DrayTek should be done minimally; that is the lowest possible number of ports to function, to reduce the attack surface open to the internet. Also consider limiting the remote access to IP address ranges that you trust/know (like that of your own ISP public IP address) only rather than the entire wide open internet.

3. Consider using an arbitrary/high port(s) number that is opened rather than the typical 80 or 8080

4. Set up the port forwarding to the fixed/sticky internal IP address of the Siemens device that needs remote access - you ought to be able to forward to the standard port of that device - so for example external port 58,062 is opened and is forwarded ---> port 80 on 192.168.x.y. In other words 100.20.30.40:58062 --> 192.168.x.y:80. You might need to do this for more than one port as necessary. So for external access via browser you'd point to 100.20.30.40:58062 and if you were sitting on the LAN you'd just go to 192.168.x.y:80
Standard User andynormancx
(experienced) Thu 24-Aug-23 11:14:19

Re: Port Forwarding vs Opening Ports

[re: Ancient_Mariner]
 
One of the challenges here is that "opening ports" is a vague, poorly defined phrase.

I've seen it used to mean opening ports on the router to give access to resources on the router. But I've also seen it used to refer to port forwarding, mapping virtual ports on the router to devices/machines on the internal network.

Sounds like in this case it is referring to port forwarding.
Standard User prlzx
(experienced) Thu 24-Aug-23 13:12:34

Re: Port Forwarding vs Opening Ports

[re: andynormancx]
 
(opening ports) indeed.

Really, port forwarding refers to a combination of destination NAT plus allowing traffic to the translated address/port.
The translated destination port can be the same as or different from the original destination port.
It's usually different if it was originally http/s (80/443) so as not to conflict with the router's own web interface itself.

Opening ports can more broadly refer to allowing something in the Firewall even if NAT is not required, and the destination can be the router itself or a reachable IP on the other side of the router (regardless of inbound or outbound).

On my ISP firewall/router for example I have a port forward translating to the private IPv4 of a wireguard host, but also a port open to the (global scope) IPv6 address of the same wireguard host (no NAT).

If I had multiple web servers internally the router's IPv6 firewall could have the http/s port open to any/all of them since the destination is not the router.

Ah ok ian72 and Pheasant already covered this I see.



prlzx on Zen: FTTC (VDSL) at ~40Mbps / 10Mbps
with IP4/6 (no v6? - not true Internet)

Edited by prlzx (Thu 24-Aug-23 13:14:18)
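
The distinction drawn in the replies above (port forwarding as destination NAT plus an allow rule, opening a port as an allow rule with no translation, and restricting the permitted source range), modelled as an added example that is not part of any poster's reply or any router's actual logic. The internal address 192.168.1.50, the trusted range 203.0.113.0/24 and the IPv6 addresses are constructed placeholders; 100.20.30.40:58062 is the illustration used in the thread.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class PortForward:
    """IPv4 behind NAT: rewrite the destination, then allow the traffic."""
    ext_port: int
    int_ip: str
    int_port: int
    allowed_sources: tuple = ("0.0.0.0/0",)

@dataclass(frozen=True)
class OpenPort:
    """No NAT: firewall allow rule to a host that is already routable."""
    dst_ip: str
    port: int
    allowed_sources: tuple = ("::/0",)

def _src_ok(src, networks):
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(n) for n in networks)

def route_inbound(src, dst, dport, wan_ip, forwards, open_ports):
    """Return the (ip, port) an unsolicited inbound packet reaches, or None if dropped."""
    if dst == wan_ip:
        # Addressed to the shared public IP: only a matching forward gets through.
        for f in forwards:
            if f.ext_port == dport and _src_ok(src, f.allowed_sources):
                return (f.int_ip, f.int_port)  # destination rewritten (DNAT)
        return None
    # Addressed directly to a host behind the router (e.g. global IPv6).
    for o in open_ports:
        if o.dst_ip == dst and o.port == dport and _src_ok(src, o.allowed_sources):
            return (dst, dport)  # delivered unchanged
    return None  # default deny

WAN_IP = "100.20.30.40"  # public address from the thread's illustration
# Constructed rules: high external port forwarded to port 80, one trusted source range.
FORWARDS = [PortForward(58062, "192.168.1.50", 80, ("203.0.113.0/24",))]
# Constructed IPv6 host with HTTPS opened in the firewall, no translation.
OPEN_PORTS = [OpenPort("2001:db8::50", 443)]

if __name__ == "__main__":
    for src, dst, port in [("203.0.113.7", WAN_IP, 58062),       # trusted source
                           ("198.51.100.9", WAN_IP, 58062),      # untrusted source
                           ("203.0.113.7", WAN_IP, 80),          # port not forwarded
                           ("2001:db8:ffff::1", "2001:db8::50", 443)]:
        print(src, "->", f"{dst}:{port}", "=>",
              route_inbound(src, dst, port, WAN_IP, FORWARDS, OPEN_PORTS))
```
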

Standard User Ancient_Mariner
(eat-sleep-adslguide) Sun 03-Sep-23 20:16:14

Re: Port Forwarding vs Opening Ports

[re: Ancient_Mariner]
 
Solved!

The Building Management System Engineer found that the BT Hub and the DrayTek's default gateway were different. He updated as required and now all OK.

I wish that there was a book in the style of "Idiots Guide to Networking" oh, just Googled before I posted and I can see that there is! blush I will have to investigate!

Cheers!

Clive

Andrews & Arnold Home::1 FTTP Technicolor DGA0122 Cisco ATA191 for A&A VoIP together with a HUAWEI E5776 with O2 Data SIM
Standard User Pipexer
(eat-sleep-adslguide) Sun 03-Sep-23 21:43:48

Re: Port Forwarding vs Opening Ports

[re: Ancient_Mariner]
 
Do you have a need for both the business hub and the DrayTek router? It sounds as though there is unnecessary added complication in the setup.

Andrews & Arnold Home ::1 on Draytek 2862ac - Why settle for inferior?