Network Address and Port Translation (NAPT) allows a single device, such as a router, to be an agent between the Internet (or "public network") and a local (or "private") network. This means that only a single unique IP address represents an entire group of devices to the outside world.
Implementing dynamic NAPT automatically creates a firewall between your internal network and the Internet. NAPT only allows connections that originate inside the internal network. Essentially, this means that a computer on an external network cannot connect to your computer unless your computer has initiated the contact. Nobody from the outside can latch onto your IP address and use it to connect to a port on your computer.
Under NAPT, all internal network computers are inaccessible from the outside. However, if you need to use public services such as Web, FTP, or e-mail servers from your private network, you can set up a virtual server to permit secured access. In this method, a connection with the outside is redirected to a host (the virtual server) running the services on the private network. (IP forwarding is another term for this.)
The Virtual Servers setup page allows you to add, remove, and save virtual server settings.
Protocol |
Type |
Port |
| FTP ( File Transfer Protocol) | TCP | 21 |
| HTTP (Web Server) | TCP | 80 |
| DNS (Domain Name Server) | TCP UDP | 53 |
| Telnet- Remote connection | TCP | 23 |
| SMPT (Outgoing mail) | TCP | 25 |
| POP3 (Incoming mail) | TCP | 110 |
| NNTP (Network News Transfer Protocol) | TCP | 119 |
| PCAnyWhere | UDP TCP | 5631-5632 |
| TALK | UDP | 517-518 |
| Net2Phone ** | TCP UDP | 2000 |
| HTTPS (secure Web server) | TCP | 443 |
| VNS (remote display system) | TCP | 5900-5909 5800-5809 |
| TFTP | UDP TCP | 69 |
| SSH (secure remote login) ** | TCP | 22 |
| ** Net2Phone and SSH have not been tested yet | ||
Game |
Type |
Port |
| Age of Empires II | TCP UDP | 2300:2400 2300:2400 |
| Star Craft | TCP | 4000 |
| Half Life Team Fortress | TCP UDP | 27015 27015 |
| Diablo II | TCP | 6112 4000 |
| Quake II | UDP | 27950 27960 27910 27952 27000 26000 27951 |
| Quake III | UDP | 27950 27960 27910 27952 27000 26000 27951 |
| Return to Castle Wolfenstein | UDP | 27950 27952 27953 27960 27961 27962 27963 27965 |
| Unreal Tournament | UDP | 7777 |
Game |
Outgoing Port Range |
Protocol |
Incoming Port Range |
Protocol |
| Return to Castle Wolfenstein | 27950-27965 | UDP | 27950-27965 | UDP |
| Star Craft | 4000-4000 | TCP/UDP | 4000-4000 | TCP/UDP |
The following applications, when run behind NAPT, do not require any router user configuration.
Protocol (see note 1) |
Type |
Port |
| FTP (File Transfer Protocol) | TCP | 21 |
| TFTP | UDP TCP | 69 |
| TALK | UDP | 517-518 |
| H.323 | TCP | 1720 |
| IRC | TCP | 6667 |
| SNMP | UDP | 161-162 |
| PPTP | TCP | 1723 |
| Windows Media Player (see notes) | UDP | 7000-7007 |
| DirectX Game (see notes) | UDP | 2300-2400 |
| AOL Instant Messenger (see notes) | TCP | 5190 |
| MSN Messenger (see notes) | TCP | 1863 |
Notes:
All protocols mentioned above are for clients running behind the NAPT. If a hosting server is needed, use port forwarding instead.
Windows Media Player uses TCP port 1755 from the player to connect to the server, and uses UDP ports 7000-7007 to perform the actual data streaming.
DirectX uses TCP port 47624 from the client behind NAPT to connect to the peer, and it expects the peer to use the UDP ports 2300-2400 thereafter.
The AOL and MSN Messenger Proxy Server are required for user-user direct connection during file and image transfer.
The following steps provide a workaround to problems you might have when using ICQ's file transfer, Send/Start ICQ chat and PC2PC phone. The problem is that some of these applications set the Web browser to use a proxy server to listen to incoming connection requests.
In your Web browser, go to the user connection preferences and enable Using proxy. Set the type to SOCKS 4.
Disconnect and reconnect.
Set the type back to Not using proxy and change settings to use the ports you specify. You should now be able to make a functioning connection. Be sure to disconnect/reconnect after you make every change.
From the router, use virtual servers (port forwarding) to forward the TCP port range chosen in the previous step to your local machine.