Network Address and Port Translation (NAPT)

Network Address and Port Translation (NAPT) allows a single device, such as a gateway, to be an agent between the Internet (or "public network") and a local (or "private") network. This means that only a single unique IP address represents an entire group of devices to the outside world.

Implementing dynamic NAPT automatically creates a firewall between your internal network and the Internet. NAPT only allows connections that originate inside the internal network. Essentially, this means that a computer on an external network cannot connect to your computer unless your computer has initiated the contact. Nobody from the outside can latch onto your IP address and use it to connect to a port on your computer.

Under NAPT, all internal network computers are inaccessible from the outside. However, if you need to use public services such as Web, FTP, or e-mail servers from your private network, you can set up a virtual server to permit secured access. In this method, a connection with the outside is redirected to a host (the virtual server) running the services on the private network. (IP forwarding is another term for this.)

The Virtual Servers setup page allows you to add, remove, and save virtual server settings.

Passing Applications Through NAPT

Port Forwarding When Hosting Services Behind NAPT

Protocol Type Port
FTP ( File Transfer Protocol) TCP 21
HTTP (Web Server) TCP 80
DNS (Domain Name Server) TCP UDP 53
Telnet- Remote connection TCP 23
SMPT (Outgoing mail) TCP 25
POP3 (Incoming mail) TCP 110
NNTP (Network News Transfer Protocol) TCP 119
PCAnyWhere UDP TCP 5631-5632
TALK UDP 517-518
Net2Phone ** TCP UDP 2000
HTTPS (secure Web server) TCP 443
VNS (remote display system) TCP 5900-5909 5800-5809
TFTP UDP TCP 69
SSH (secure remote login) ** TCP 22
** Net2Phone and SSH have not been tested yet

 

Port Forwarding When Hosting Games Behind NAPT

Game Type Port
Age of Empires II TCP UDP 2300:2400 2300:2400
Star Craft TCP 4000
Half Life Team Fortress TCP UDP 27015 27015
Diablo II TCP 6112 4000
Quake II UDP 27950 27960 27910 27952 27000 26000 27951
Quake III UDP 27950 27960 27910 27952 27000 26000 27951
Return to Castle Wolfenstein UDP 27950 27952 27953 27960 27961 27962 27963 27965
Unreal Tournament UDP 7777

 

Port Triggering for Playing Games Behind NAPT

Game Outgoing Port Range Protocol Incoming Port Range Protocol
Return to Castle Wolfenstein 27950-27965 UDP 27950-27965 UDP
Star Craft 4000-4000 TCP/UDP 4000-4000 TCP/UDP

 

Applications that Do Not Require Configuration Behind NAPT

The following applications, when run behind NAPT, do not require any gateway user configuration.

Protocol (see note 1) Type Port
FTP (File Transfer Protocol) TCP 21
TFTP UDP TCP 69
TALK UDP 517-518
H.323 TCP 1720
IRC TCP 6667
SNMP UDP 161-162
PPTP TCP 1723
Windows Media Player (see note 2) UDP 7000-7007
DirectX Game (see note 3) UDP 2300-2400
AOL Instant Messenger (see note 4) TCP 5190
MSN Messenger (see note 4) TCP 1863

Notes:

  1. All protocols mentioned above are for clients running behind the NAPT. If a hosting server is needed, use port forwarding instead.
  2. Windows Media Player uses TCP port 1755 from the player to connect to the server, and uses UDP ports 7000-7007 to perform the actual data streaming.
  3. DirectX uses TCP port 47624 from the client behind NAPT to connect to the peer, and it expects the peer to use the UDP ports 2300-2400 thereafter.
  4. The AOL and MSN Messenger Proxy Server are required for user-user direct connection during file and image transfer.

 

Applications Behind NAPT Requiring Application Configuration Change ICQ

The following steps provide a workaround to problems you might have when using ICQ's file transfer, Send/Start ICQ chat and PC2PC phone. The problem is that some of these applications set the Web browser to use a proxy server to listen to incoming connection requests.

  1. In your Web browser, go to the user connection preferences and enable Using proxy. Set the type to SOCKS 4.
  2. Disconnect and reconnect.
  3. Set the type back to Not using proxy and change settings to use the ports you specify. You should now be able to make a functioning connection. Be sure to disconnect/reconnect after you make every change.
  4. From the gateway, use virtual servers (port forwarding) to forward the TCP port range chosen in the previous step to your local machine.