
Hardware Router Need To Know 2006

Dynamic ("Triggered") Mapping

Sometimes called "Special Applications", this feature attempts to bypass the "one map per IP" limitation of static port mapping. You typically set up a port mapping as you would for a static mapping, but then specify a "trigger" port (and sometimes, protocol). The router then watches the outbound data stream, i.e. data from computers on your LAN headed to the Internet, for the trigger criteria.

When it sees the trigger, it remembers the IP address of the computer that sent the trigger data. When data that matches the trigger request tries to come back into your LAN, the mapping that the trigger is tied to is enabled, and the data is allowed through the firewall. The router then disables the mapping as soon as the transfer is finished so that another computer can use the same mapping. This gives the illusion of multiple computers simultaneously using the same mapping, but, of course, only one computer can use the mapping at a time.
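As an added illustration (not code from the original article or from any vendor's firmware), here is a small Python model of the trigger logic just described: an outbound packet to the trigger port arms the rule for the sending LAN host, inbound packets on the mapped ports are forwarded to that host, and the mapping is released when the transfer finishes. The rule entry, LAN addresses and port numbers are constructed for the example; the behaviour that a second host's trigger is refused while the mapping is held is an assumption about this model, not a statement about any particular router.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class TriggerRule:
    """One 'Special Applications' entry as typed into a router's admin page."""
    trigger_port: int          # outbound destination port that arms the rule
    trigger_proto: str         # "tcp" or "udp"
    inbound_ports: range       # ports opened back to the triggering host
    inbound_proto: str
    owner: Optional[str] = None  # LAN IP currently holding the mapping


class TriggerNat:
    """Minimal model of a port-triggering router (constructed example)."""

    def __init__(self, rules):
        self.rules = list(rules)

    def outbound(self, src_ip, dst_port, proto):
        """LAN -> Internet packet: arms the first matching idle rule for src_ip."""
        for r in self.rules:
            if r.trigger_port == dst_port and r.trigger_proto == proto:
                if r.owner is None:
                    r.owner = src_ip        # remember who sent the trigger
                    return "armed"
                if r.owner == src_ip:
                    return "already-armed"
                return "busy"               # only one computer at a time
        return "no-rule"

    def inbound(self, dst_port, proto):
        """Internet -> LAN packet: LAN IP it is forwarded to, or None if dropped."""
        for r in self.rules:
            if r.owner and proto == r.inbound_proto and dst_port in r.inbound_ports:
                return r.owner
        return None

    def transfer_finished(self, src_ip):
        """Release every mapping held by src_ip so another host can trigger it."""
        for r in self.rules:
            if r.owner == src_ip:
                r.owner = None


def demo():
    """Walk two LAN hosts through one shared trigger rule; returns the event log."""
    nat = TriggerNat([TriggerRule(6112, "tcp", range(6112, 6120), "tcp")])
    log = [nat.inbound(6113, "tcp")]                        # dropped: not armed
    log.append(nat.outbound("192.168.1.10", 6112, "tcp"))   # host A arms it
    log.append(nat.inbound(6113, "tcp"))                    # forwarded to A
    log.append(nat.outbound("192.168.1.11", 6112, "tcp"))   # host B refused
    nat.transfer_finished("192.168.1.10")                   # A's transfer ends
    log.append(nat.inbound(6113, "tcp"))                    # dropped again
    log.append(nat.outbound("192.168.1.11", 6112, "tcp"))   # now B arms it
    log.append(nat.inbound(6115, "tcp"))                    # forwarded to B
    return log
```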

UPnP

Universal Plug and Play is a feature that router manufacturers were pretty much forced into by Microsoft. As a result, it has taken a long time for it to be implemented in a large number of routers and the features that are implemented vary widely. One of UPnP's key tricks is its NAT Traversal feature, which automatically opens ports in a UPnP-enabled router's firewall for applications that know how to speak UPnP.

My main objection to this "feature" is that it opens these ports without asking the user's permission or even indicating that it has done so. Since NAT Traversal depends on the application that requested the ports be opened to also request that they be closed, the ports can be left open if the application crashes or otherwise exits abnormally before issuing that request.

Fortunately, NAT Traversal didn't catch on much outside of Microsoft and as a result only Microsoft Messenger, Remote Assistance and Remote Desktop know how to automatically open ports on UPnP-equipped routers. My advice is to find the control on your router and disable UPnP if you don't use these applications.

DMZ ("Exposed Server")

This is the ability to virtually place one computer outside your router's firewall. Note that we say "virtually" because the target machine is still physically connected to the LAN side of your router. What this option actually does is map ALL ports through to the IP address that you specify.

When a computer is placed in DMZ, however, it is, for all intents and purposes, directly exposed to the Internet. So make sure that any computer placed in DMZ is running up-to-date antivirus software and has no sensitive data on it.

Because DMZ depends on the router's firmware to do the job, you can have problems with some routers that have buggy implementations of this feature and still not be able to use a desired application even if you place the target computer in "DMZ".

Mapped Server "Loopback"

If you have forwarded or mapped servers on your router's LAN side and your computer is also on the LAN side, you would normally reach them by using the private IP address assigned to the computer the server is running on. Users on the WAN side of the router, on the other hand, reach the server via the router's WAN IP address.

"Loopback" is the ability for LAN-side users to reach a forwarded server via the router's WAN IP address (or its assigned domain name, if it has one and the proper DNS services are in place). This is a desirable feature because users on the same LAN subnet as the server don't have to hassle with remembering special addresses and can reach the server just like anyone else does. Manufacturers typically don't specify whether loopback is supported, so do some Googling before you buy if you really need this feature.