
Ports, NAT, Firewall, internal and external IPs etc

Posted: Tue Jan 08, 2019 3:19 pm
by Colonel Panic
Could someone give me an idiot's guide to how all of these things link together? Or even give me a URL that does explain it? I’m trying to knock a hole in my firewall to enable an iOS app to link through to my CCTV DVR, but I think what is hindering me is not really understanding what all of these things do in relation to each other.

I have a fixed (external) IP, and have given my CCTV DVR a fixed (internal) IP; but I don’t understand how the Ports or NAT relate to all of this.
Am I right to think that I need to :-
    give the CCTV both a fixed internal IP address AND a port number (for example, :1234 or something equally obscure)
    knock a hole in the firewall for that port or the internal IP or both???
    tell the router to route anything that attempts to come in on my external IP (say 123.456.7.89:1234 ) to go through to the CCTV DVR on (say 192.168.1.102:1234 ). This step being the NAT?

Or have I got that all wrong?
Is it necessary for both ends (port numbers) of the NAT to be the same (i.e. :1234 in the example above)?
Where does the "Default HTTP port :80" come in to all of this?

Please bear in mind my tech skills are limited :oops: :oops: :oops:

TIA

Re: Ports, NAT, Firewall, internal and external IPs etc

Posted: Tue Jan 08, 2019 3:32 pm
by rikur_
give the CCTV both a fixed internal IP address AND a port number


Fixed IP address - yes. Either by configuring the CCTV, or using the LAN > Bind IP to MAC menu on your Draytek.
Personally I'd leave the internal port alone at 80 (or whatever it defaults to) ....
if you can access it by simply browsing to an IP address such as http://192.168.1.102/ then it is using port 80. If it's https://192.168.1.102/ then it is using 443, if it's http://192.168.1.102:8080/ then it's 8080 or whatever is shown after the colon.

knock a hole in the firewall for that port or the internal IP or both???

Not necessary on Drayteks, they create a hole in the firewall as part of setting up the NAT.

tell the router to route anything that attempts to come in on my external IP (say 123.456.7.89:1234 ) to go through to the CCTV DVR on (say 192.168.1.102:1234 ). This step being the NAT?

yes. So on the NAT > Port redirection menu, create an entry:
Mode: Single
Service Name: My CCTV (or whatever you like)
Protocol: TCP
WAN interface: Usually WAN1
WAN IP: Usually only a choice of 1
Public port: The port you want to use on the outside - e.g. 8080 (don't use 80 or 443 as these are used by the router itself for the web portal)
Source IP: Any (unless you want to limit access)
Private IP: The internal IP address of the CCTV - e.g. 192.168.1.102 in your example
Private port: The internal port used by the CCTV - normally 80 unless you've changed it

Some CCTV units need multiple ports opening - e.g. one for the web application, others for streaming the video (difficult to advise without knowing more details)
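
The port redirection entry from the reply above, modelled as an added example (not part of the original posts and not the router vendor's code): it shows that the public and private ports can differ, how a Source IP restriction changes which connections are forwarded, and flags entries that clash with the router's own ports. The field names mirror the menu; the second rule, its port 9000 and the 203.0.113.0/24 source range are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Per the reply: the router's own web portal uses these public ports.
ROUTER_OWN_PORTS = {80, 443}

@dataclass
class Redirect:
    name: str
    public_port: int          # port seen from the internet
    private_ip: str           # internal address of the device
    private_port: int         # port the device listens on
    source: str = "any"       # "any" or a CIDR range (assumed notation)
    protocol: str = "tcp"

def lint(rule):
    """Return a list of warnings for one port-redirection entry."""
    warnings = []
    if rule.public_port in ROUTER_OWN_PORTS:
        warnings.append("public port clashes with the router's own web portal")
    if not ipaddress.ip_address(rule.private_ip).is_private:
        warnings.append("private IP is not in a private address range")
    if rule.source == "any":
        warnings.append("reachable from any internet address")
    return warnings

def translate(rules, src_ip, dst_port, protocol="tcp"):
    """Model the router's decision for one inbound connection to the WAN IP.

    Returns (private_ip, private_port), or None when nothing is forwarded.
    """
    for r in rules:
        if r.protocol != protocol or r.public_port != dst_port:
            continue
        if r.source != "any" and \
                ipaddress.ip_address(src_ip) not in ipaddress.ip_network(r.source):
            continue  # source restriction does not match this client
        return (r.private_ip, r.private_port)
    return None  # no matching entry, so the port stays closed

# Constructed sample entries (second rule and its values are assumptions).
RULES = [
    Redirect("My CCTV", 8080, "192.168.1.102", 80),
    Redirect("CCTV stream", 9000, "192.168.1.102", 9000, source="203.0.113.0/24"),
]
```
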