With simple masquerading, all of the IP addresses on the local network are masked behind the router's IP address. If a particular computer on the LAN, such as an FTP server, now needs to be reachable from the Internet, simple masquerading keeps the IP address of the FTP server hidden from the Internet. This makes it impossible to connect to this FTP server from the Internet.
To enable access to this type of server ("exposed host"), the IP address of the FTP server is entered in a table (the port forwarding table) along with the services (ports) that it should also present outside the LAN. To a computer on the Internet sending a packet to the FTP server on the LAN, the router itself appears to be the FTP server. Based on the protocol and destination port of the packet, the router looks up the LAN IP address of the FTP server in the port forwarding table and forwards the packet to the local IP address entered there. Packets sent by the FTP server in the LAN (responses from the server) are masked behind the IP address of the router.
The general difference between simple and inverse masquerading:
- For inverse masquerading, external access to a service (port) on the intranet must be defined in advance by specifying a port number. This is done in the port forwarding table, where the destination port is specified along with the intranet address of the FTP server, for example.
- When accessing the Internet from the LAN, on the other hand, the router itself automatically enters the port and IP address information into the table. After an adjustable time period, however, the router assumes that the entry is no longer necessary and deletes it from the table automatically.
On occasion it is desirable for the "exposed host" not to be contacted over the standard port of its service, e.g. when security reasons demand the use of another port. In this case it is not only necessary to map the ports to an IP address, but also to translate between ports (port mapping). Another use of port mapping is to translate multiple WAN ports to one common port in the LAN, but on different IP addresses (N-IP mapping).
The configuration of port mapping involves the assignment of a port or port range (start port to end port) to an IP address from the LAN as the target and the port (map port) to be used in the LAN.
LANconfig:
Console:
- First port (D-port from): start port of the range.
- Last port (D-port to): end port of the range.
- Peer: remote site to which this entry applies. When virtual routers (Advanced Routing and Forwarding, ARF) are used together with port forwarding, the remote site must be selected exactly. If no peer is entered, the entry applies to all peers.
- Intranet address: intranet (LAN) address to which a packet within the port range is forwarded.
- Map port: port used in the LAN for the forwarded packet.
Note: If "0" is entered for the map port, the ports used in the LAN will be the same as those used in the WAN. If a port range is to be mapped, then the map port identifies the first LAN port to be used. For example, mapping the port range '1200' to '1205' to the internal map port '1000' means that the ports 1000 to 1005 will be used for data transfer in the LAN.
Note: Port mapping is static, meaning that two ports or port ranges cannot be mapped to the same map port of a target computer in the LAN. The same port mapping can be used for different target computers.
- Protocol: protocol to which this entry applies.
- WAN address: WAN address to which this entry applies. If the device has more than one static IP address, this allows port forwarding to be limited to certain connections.
- Entry active: switches the entry on or off.
- Comment: comment on the defined entry (64 characters).
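The lookup and the "static mapping" rule described above, written out as an added example (not code from the router or its documentation): a port forwarding table of the fields listed here, the translation of an inbound WAN packet to (intranet address, LAN port) including the range offset of the map port, and a check that rejects two WAN ports landing on the same LAN port of one target. The Python names and the sample addresses and ports are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
@dataclass
class PortForwardEntry:
    first_port: int          # First port (D-port from)
    last_port: int           # Last port (D-port to)
    intranet_addr: str       # Intranet address the packet is forwarded to
    map_port: int = 0        # Map port; 0 keeps the WAN port numbers unchanged
    protocol: str = "tcp"    # Protocol the entry applies to
    peer: str = ""           # Remote site; "" = entry applies to all peers
    wan_addr: str = ""       # WAN address; "" = any address of the router
    active: bool = True      # Entry active

def lan_port(e: PortForwardEntry, wan_port: int) -> int:
    """LAN port for a WAN port in range: 0 keeps it, else map port is the first LAN port."""
    return wan_port if e.map_port == 0 else e.map_port + (wan_port - e.first_port)

def translate(table: List[PortForwardEntry], protocol: str, wan_addr: str,
              dst_port: int, peer: str) -> Optional[Tuple[str, int]]:
    """(intranet address, LAN port) for an inbound packet, or None if nothing matches."""
    for e in table:
        if not e.active or e.protocol != protocol:
            continue
        if (e.peer and e.peer != peer) or (e.wan_addr and e.wan_addr != wan_addr):
            continue
        if e.first_port <= dst_port <= e.last_port:
            return e.intranet_addr, lan_port(e, dst_port)
    return None

def static_conflicts(table: List[PortForwardEntry]) -> List[Tuple[str, str, int]]:
    """Port mapping is static: two WAN ports or ranges must not hit the same LAN port
    of the same target. Returns (intranet address, protocol, LAN port) hit twice."""
    seen: set = set()
    conflicts: List[Tuple[str, str, int]] = []
    for e in table:
        if not e.active:
            continue
        for p in range(e.first_port, e.last_port + 1):
            key = (e.intranet_addr, e.protocol, lan_port(e, p))
            if key in seen:
                conflicts.append(key)
            seen.add(key)
    return conflicts

# Constructed sample table: exposed FTP host on 21, range 1200-1205 mapped to LAN 1000-1005.
TABLE = [
    PortForwardEntry(21, 21, "192.168.2.10"),
    PortForwardEntry(1200, 1205, "192.168.2.20", map_port=1000),
]
```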