Skip to main content

User Manual

When should port forwarding and firewall rules be used?

Keenetic routers have a built-in Firewall and Network Address Translation (NAT) mechanism to hide and protect your home network devices from external internet users and threats. Both features are important elements of LAN security.

However, remember that Network Address Translation and Firewall are not the same functions.

To understand when Port Forwarding rules in NAT should be used and when Firewall rules should be used, let's first look at the purpose of each of these functions.

Network Address Translation

Network Address Translation (NAT) — this mechanism allows all LAN devices (computers, tablets, smartphones) to use a single IP address on the external interface through which they connect to the internet or an external network. The most common case: The router is assigned one public IP address (which is used to reach the external network), behind which devices in the home network with local/internal IP addresses (by default from subnet 192.168.1.x) work and have access.

In the simplest case of NAT, the source and destination IP addresses are substituted in the network packets. Packets coming from the external network change the destination address, and packets coming from the internal network change the source address. Specifically, NAT changes the source IP address (internal local/private address) in a network packet received from a LAN device to the global/external address before transmitting the packet to the external network. When a response is received, NAT converts the destination address (external address) back to the local/internal address before transmitting it to the source internal network host.

By default, the NAT mechanism is set up to prevent or limit outside access (from the external network) to LAN devices while still allowing access from the LAN to the outside network. NAT allows you to hide internal computer/server services on the LAN from access from the internet.

With custom port forwarding rules, it is possible to make certain internal services (e.g. a Web or FTP server) located in the local network (LAN) behind a NAT visible (accessible) to external users from the internet. To do this, NAT rules must be created to translate specific ports through a router to a local network computer/server (also referred to as Port Forwarding). Essentially, such rules define the translation of traffic from the external network to the internal network (this type of NAT rule is called Destination NAT).

Important

Port Forwarding will only work if the ISP uses a public IP address to access the internet. For more information, see the What is the difference between a public and private IP address? article.

Here are examples of when port forwarding should be used:

  • Provide access from the internet to a NAS, IP camera or server (WWW, FTP, etc.) on a local network;

  • Provide access from the internet to a computer on the home network, using dedicated services for remote desktop connection. For example, using Remote Desktop (from Windows) or via Radmin, VNC, etc.;

  • Perform port number substitution ('mapping') to address a different port. For example, mapping the remote control of the router from the internet to another port (in case your ISP blocks the standard port 80, and you want to use port 8080 to access the web interface);

  • Open ports for torrents, game consoles, and other applications that use incoming traffic from an external network for some functions.

nat-01-en.png

More information:

Important

On Keenetic routers, you DO NOT need to set up a firewall allow rule in addition to the port forwarding rule. It is enough to create a port forwarding rule in the NAT.

When using some router services (e.g. PPTP VPN serverL2TP/IPsec VPN server, FTP server, UPnP service), port forwarding rules are automatically enabled to forward addresses from the internal network to the external one. These rules are not displayed in the router's web interface.

Firewall

A firewall is designed to protect local network devices from external attacks. In general, a firewall acts on traffic after the address translation and routing. It controls and filters traffic according to predefined rules based on IP addresses. The firewall is primarily designed for security and access control. By default, the firewall in the router allows connections from home interfaces (LAN) to public interfaces (WAN) and blocks connections in the opposite direction. User-defined rules allow or deny access to specific hosts or services on the network (by blocking ports or protocols). In fact, firewall rules perform a check whether to allow (permit) a network packet or discard (deny) it.

Here are examples of when firewall rules should be used:

  • Allow only certain computers on the LAN to access the internet and block access for all others, or conversely, block only certain computers on the LAN from accessing the internet and allow all others;

  • Block access to certain websites from the local network;

  • Allow access to specific computers on your LAN to only access one or more specified websites;

  • Allow access from the LAN to the internet only via specified protocols (services, services);

  • Block (deny) traffic on specific ports or protocols;

  • Block access from particular IP addresses to the internet access point from the internet or external network;

  • Allow remote control of the router from the internet only from specific IP addresses.

nat-02-en.png

More information:

Important

In Keenetic, address translation rules (NAT) are implemented before firewall rules.

Note

Some ISPs do not allow customers on their network to run and use server applications (such as web servers, FTP servers, PPTP VPN servers or mail servers). Your ISP may block user traffic via standard protocols and ports (e.g. 21/FTP, 80/HTTP, 25/SMTP and other ports) or perform periodic network checks for active servers (if discovered, access can be subsequently blocked or even suspended). For more information on using server services and blocking certain traffic, contact your internet service provider.