Port Mapping (Forwarding, Virtual Server)

By TG Publishing Team, published on December 24, 2002
Source: Tom's Guide US

5. Port Mapping (Forwarding, Virtual Server)

This feature goes by many names, but what it does is allow you to open holes (ports) in your firewall. You'll need to do this for almost any Internet application that depends on the ability of someone on the WAN (Internet) side of your router to send a data request to a computer on your LAN.

There are a few ways that manufacturers implement port mapping, and what you need will depend on what sort of applications you use. Let's take a look at the different types of port mapping features.

Static Single Ports

This is the simplest form of port mapping. You must map each port used by an application to the IP address of the computer that the application is running on. Some routers allow you to specify the protocol used for the mapping (either TCP or UDP). Others automatically map the port for both protocols.

NOTE: You can statically map a specific port to only one IP address. This means that if you have multiple users who want to use the same application, or multiple servers of the same type, each copy of the application or server would need to use a different port. Some applications allow this to be done, and others don't.

If you have only a few applications and they use only one or two ports each (e.g. running a web or FTP server), this method should be fine. Although the number of single port maps varies from manufacturer to manufacturer, you'll typically get somewhere around ten mappings.

Static Port Ranges

Similar to Single port mapping, this option lets you map a range of ports in each mapping. Each mapping still applies to only one IP address, however. This option gives you the ability to handle applications that use a lot of ports such as games and audio/video conferencing. Again, the number of mappings varies from product to product, with ten or so being typically offered.

DMZ ("Exposed Server")

This is the ability to virtually place one computer outside your router's firewall. Note that we say "virtually" because the target machine is still physically connected to the LAN side of your router. What this option actually does is map ALL ports through to the IP address that you specify. Because it depends on the router's firmware to do the job, you can have problems with some routers that have buggy implementations of this feature and still not be able to use a desired application even if you place the target computer in "DMZ".
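The three static options above can be checked against a router's forwarding table before it is applied. The following is an added example, not code from the original article or from any router vendor: it flags mappings that hand the same port to two LAN hosts and counts how many ports each option exposes. The addresses, port numbers, and the rule that static mappings are consulted before the DMZ host are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Mapping:
    proto: str    # "tcp", "udp" or "both" (routers that map both automatically)
    first: int    # first WAN port
    last: int     # last WAN port; equal to first for a single-port mapping
    lan_ip: str   # the one LAN address the mapping forwards to

def protos(m):
    return {"tcp", "udp"} if m.proto == "both" else {m.proto}

def conflicts(mappings):
    """Pairs of mappings that claim the same protocol and port for different hosts."""
    found = []
    for i, a in enumerate(mappings):
        for b in mappings[i + 1:]:
            overlap = a.first <= b.last and b.first <= a.last
            if overlap and protos(a) & protos(b) and a.lan_ip != b.lan_ip:
                found.append((a, b))
    return found

def resolve(mappings, dmz_ip, proto, port):
    """LAN host that receives an unsolicited inbound packet, or None if dropped."""
    for m in mappings:  # assumption: first matching static mapping wins
        if proto in protos(m) and m.first <= port <= m.last:
            return m.lan_ip
    return dmz_ip       # assumption: DMZ host gets every port not mapped above

def exposed_ports(mappings, dmz_ip, lan_ip, proto="tcp"):
    """Number of WAN ports of one protocol that reach lan_ip."""
    return sum(resolve(mappings, dmz_ip, proto, p) == lan_ip for p in range(1, 65536))

# Constructed sample table; addresses and port numbers are illustrative only.
RULES = [
    Mapping("tcp", 80, 80, "192.168.1.10"),       # web server
    Mapping("tcp", 21, 21, "192.168.1.10"),       # FTP server
    Mapping("both", 6000, 6100, "192.168.1.20"),  # range for a multi-port application
    Mapping("tcp", 6050, 6050, "192.168.1.30"),   # collides with the range above
]

if __name__ == "__main__":
    for a, b in conflicts(RULES):
        print("conflict:", a, "vs", b)
    print("no DMZ, tcp/8080 ->", resolve(RULES, None, "tcp", 8080))
    print("DMZ host reachable on", exposed_ports(RULES, "192.168.1.99", "192.168.1.99"), "TCP ports")
```

The count for the DMZ host makes the trade-off concrete: two single-port mappings expose two ports, while the DMZ setting exposes every port the static mappings do not already claim.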

Dynamic ("Triggered") Mapping

Sometimes called "Special Applications", this feature attempts to bypass the "one map per IP" limitation of static port mapping. You typically set up a port mapping as you would for a static mapping, but then specify a "trigger" port (and sometimes, protocol). The router then watches the outbound data stream (i.e. data from computers on your LAN headed to the Internet) for the trigger criteria. When it sees the trigger, it remembers the IP address of the computer that sent the trigger data. When data that matches the trigger request tries to come back into your LAN, the mapping that the trigger is tied to is enabled, and the data is allowed through the firewall. The router then disables the mapping as soon as the transfer is finished so that another computer can use the same mapping. This gives the illusion of multiple computers simultaneously using the same mapping, but, of course, only one computer can use the mapping at a time.

NOTE: Since the trigger event must come from a computer on the LAN, triggered maps can't be used to allow access to multiple servers on your LAN that use the same port. So if you're running two webservers, you'll still need to set up static mappings for two different ports, and configure the webservers accordingly.

NOTE: Triggered maps are best used for quick data requests / transfers because they depend on the mapping being available when another computer triggers it. If you have an application that uses a continuous data stream (e.g. streaming audio or video, Internet phones, etc.) that ties up a port for a long time, a triggered map isn't going to help you.
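The trigger behaviour and both notes above can be traced with a small state model. This is an added example, not code from the original article or from any router firmware: the trigger port 4000, the inbound range 5000-5010, the LAN addresses, and the explicit "finished" event (standing in for however a router decides the transfer is over) are assumptions.

```python
class TriggeredMap:
    """One triggered mapping: an outbound trigger port and the inbound port
    range it opens for whichever LAN host sent the trigger."""

    def __init__(self, trigger_port, first, last):
        self.trigger_port = trigger_port
        self.first, self.last = first, last
        self.owner = None  # LAN IP currently holding the mapping, if any

    def outbound(self, lan_ip, dst_port):
        """LAN -> Internet packet. Returns True if lan_ip now holds the mapping."""
        if dst_port == self.trigger_port and self.owner is None:
            self.owner = lan_ip  # router remembers who sent the trigger data
        return self.owner == lan_ip

    def inbound(self, port):
        """Internet -> LAN packet. Returns the LAN IP it is passed to, or None."""
        if self.owner is not None and self.first <= port <= self.last:
            return self.owner
        return None  # no trigger seen, or port outside the mapping: dropped

    def finished(self):
        """Transfer done (modelled as an explicit call): free the mapping."""
        self.owner = None

def replay(events, tmap):
    """Feed constructed events through the mapping and collect each outcome."""
    results = []
    for kind, *args in events:
        results.append(getattr(tmap, kind)(*args))
    return results

# Constructed traffic; trigger port 4000 and inbound range 5000-5010 are hypothetical.
EVENTS = [
    ("inbound", 5000),                   # unsolicited: nobody has triggered yet
    ("outbound", "192.168.1.20", 4000),  # first host fires the trigger
    ("inbound", 5000),
    ("outbound", "192.168.1.30", 4000),  # second host triggers while map is busy
    ("inbound", 5000),
    ("finished",),
    ("outbound", "192.168.1.30", 4000),  # now the second host can take it
    ("inbound", 5001),
]

if __name__ == "__main__":
    for event, outcome in zip(EVENTS, replay(EVENTS, TriggeredMap(4000, 5000, 5010))):
        print(event, "->", outcome)
```

The first event is dropped because no LAN host has triggered yet, which is why a triggered map cannot front a server; the fourth shows a second host locked out while a long transfer holds the mapping.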

Mapped Server "Loopback"

If you have forwarded or mapped servers on your router's LAN side, you would normally reach them by using the private IP address assigned to the computer that the server is running on if your computer were also on the LAN side of the router. On the other hand, users on the WAN side of the router would reach the server via the router's WAN IP address.

"Loopback" is the ability for LAN-side users to reach a forwarded server via the router's WAN IP address (or assigned Domain Name if it has one and the proper DNS services are in place). This is a desirable feature because users on the same LAN subnet as the server don't have to hassle with remembering special addresses and can reach a server just like anyone else does.
