If you have set up a server in your network and would like it to be accessible from the Internet, you need to set up a virtual server (port forwarding) on the router. Most routers can also do port redirection, meaning incoming traffic to a particular port can be redirected to a different port on the server.
The main benefit of the virtual server feature is that Internet users can reach several servers in your network through a single WAN IP address.
Example 1: You set up a web server with IP 192.168.1.15 using TCP port 80 and want Internet users to be able to access it at all times.
Name: Web Server
Private IP: 192.168.1.15
Protocol Type: TCP
Private Port: 80
Public Port: 80
After setting this up, Internet users can access this web server by typing http://your-WAN-IP-address in their favorite web browser.
Example 2: You set up an FTP server with IP 192.168.1.16 using TCP port 21 and allow Internet users to access it through port 4500 on Friday only. You need to set up port redirection to achieve this.
Name: FTP Server
Private IP: 192.168.1.16
Protocol Type: TCP
Private Port: 21
Public Port: 4500
Schedule: From: 12:00AM to 12:00AM, Thursday to Friday
After setting this up, Internet users can access this FTP server every Friday by typing ftp://your-WAN-IP-address:4500 in their favorite web browser or by using another FTP client application.
The firewall is used to deny or allow traffic passing through the router. That means it can deny unauthorized traffic to your home network (LAN) and also deny unwanted traffic from the home network (LAN) going to the Internet. When virtual services are created, they also appear in the firewall rules.
Here are the default firewall rules on the router:
Rules are prioritized from top (highest priority) to bottom (lowest priority). The default firewall rules above mean:
1) The first rule denies any (*) to the home network (LAN). This is useful for blocking malicious traffic, such as worms or viruses, coming from the Internet.
2) The second rule allows any traffic from the home network (LAN) going to any (*). This allows all computers in your network to access the Internet.
However, this is still not the best way to set firewall rules. A better, more restrictive way to set them is:
1) Allow traffic from the home network (LAN) to any (*) based on network services (ports). For example, you can allow all computers to access only HTTP services on the Internet.
2) Deny any (*) to any (*). This denies all other traffic.
Take some time to tune the firewall; it is very useful for securing your network.
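To see how top-to-bottom priority plays out, the following added example (not taken from the router or its vendor) evaluates the default and the restricted rule sets described above against a few constructed flows. The `Rule` type, the function names, the 192.168.1.0/24 LAN range and the "deny when nothing matches" fallback are assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

# Assumption: the home network is 192.168.1.0/24 (the page only names two hosts in it).
LAN = ipaddress.ip_network("192.168.1.0/24")

class Rule(NamedTuple):
    action: str           # "allow" or "deny"
    src: str              # "LAN" or "*" (any)
    dst: str              # "LAN" or "*" (any)
    port: Optional[int]   # destination TCP port, None = any port

def side_matches(side: str, addr: str) -> bool:
    """'*' matches every address; 'LAN' matches only home-network addresses."""
    return side == "*" or ipaddress.ip_address(addr) in LAN

def evaluate(rules, src_ip, dst_ip, dst_port):
    """Scan the rules top to bottom and return the action of the first match."""
    for rule in rules:
        if (side_matches(rule.src, src_ip) and side_matches(rule.dst, dst_ip)
                and rule.port in (None, dst_port)):
            return rule.action
    return "deny"  # assumption: traffic matching no rule is dropped

# Default rules: deny * -> LAN, then allow LAN -> *.
DEFAULT_RULES = [Rule("deny", "*", "LAN", None), Rule("allow", "LAN", "*", None)]

# Restricted rules: allow LAN -> * for HTTP only, then deny * -> *.
RESTRICTED_RULES = [Rule("allow", "LAN", "*", 80), Rule("deny", "*", "*", None)]

# Constructed sample flows (203.0.113.x and 198.51.100.x are documentation ranges).
FLOWS = {
    "inbound probe to LAN host": ("203.0.113.7", "192.168.1.15", 445),
    "LAN browser to web site": ("192.168.1.20", "198.51.100.10", 80),
    "LAN host sending SMTP": ("192.168.1.20", "198.51.100.25", 25),
}

def compare():
    """Map each flow name to its (default, restricted) verdict."""
    return {name: (evaluate(DEFAULT_RULES, *flow), evaluate(RESTRICTED_RULES, *flow))
            for name, flow in FLOWS.items()}

if __name__ == "__main__":
    for name, (default, restricted) in compare().items():
        print(f"{name:28} default={default:5} restricted={restricted}")
```

Only the outbound SMTP flow changes verdict: the default rules let any LAN host talk to any port on the Internet, while the restricted set drops everything except HTTP. Swapping the order of the two restricted rules would block HTTP as well, because the deny-all rule would match first.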
Filters are used to deny or allow Internet access for home network (LAN) computers. There are four filters available on this router:
IP Filters: Used to deny LAN IP addresses access to the Internet on a specific port or on all ports. Sometimes I use this feature to deny some computers access to the Internet.
MAC Filters: You can also allow or deny a computer access to the Internet based on its MAC address. Frankly, I hardly use this filter.
URL Blocking: Very commonly used to deny LAN computers access to specific websites. There are plenty of unhealthy websites on the Internet, so it’s good to key in specific keywords; web access will be denied if those keywords are found in the URL.
Domain Blocking: Used to allow or deny LAN computers access to a specific domain on the Internet. If you block a domain, all services (HTTP, FTP, etc.) provided by that domain are denied.
If you need to run applications that require multiple connections, such as Internet gaming, video conferencing or Internet phone, you need to define them with the special application feature. This is because those applications will not work correctly through NAT (Network Address Translation) in a home network.
To set it up, specify the port normally associated with the application in the “Trigger Port” field (the port used to trigger the application), select TCP or UDP as the protocol type, then key in the public ports associated with the trigger port to open them for incoming traffic.
This feature is not easy to use unless you know all the ports the application uses; however, you can use the well-known applications that are pre-defined on this router.
The DMZ feature opens all inbound and outbound access for one computer on your network, and is commonly used for Internet game applications. The concern is that it fully exposes that DMZ computer to the Internet and increases the security risk.
Don’t use this option unless it’s really needed; if possible, use the special application feature explained above instead. If you do want to use it, just key in the IP address of the computer to enable the DMZ feature for it.