Network (3) Port Forwarding

Parts (1) and (2) of my articles about networks gave you some basic knowledge about networks and discussed the possibility to connect from the LAN to the WAN or in other words from the devices at home to the webservers in the outer world.

The reverse way, connecting from WAN to LAN, is basically not possible. Only in case of requests from a device within the LAN data goes the reverse way, e.g. entering an URL like as the request and getting the answer (the website content) delivered by servers.

The main reasons why a WAN-LAN connection won’t work:

  • 1 Most of the ISPs (Internet Service Providers) assign varying IP addresses to your connection so that it is not possible to keep a stable connection over the time.
  • 2 For security reasons nobody should be able to compromise your LAN.
    So a Firewall/Router will not accept incoming requests which were not initiated by a device within the LAN.


The solution is Port Forwarding an applications communication with another application.

Dynamic DNS …

The first problem of varying WAN IPs can be solved by using a service called Dynamic DNS (DDNS). Some companies offer this service without charging.

For example you can register at After completing the registration process you can define a hostname and download the so-called DUC software (Dynamic Update Client) which has to be installed on the computer you want to connect to.


The main idea is to get a HOSTNAME which can be used instead of the varying WAN IP. The DUC client on the computer inside the LAN frequently determines the actual WAN IP and transmits the result to the DDNS provider. Your request from outside your LAN first is transmitted to your DDNS provider via the HOSTNAME. DDNS returns the actual WAN IP of your LAN and a connection can be established.

So DYNAMIC DNS SERVICE provides a constant ALIAS for a varying WAN IP of your LAN.

Opening the firewall …

You already know that data on the Internet is sent to and from IP addresses. Sending or receiving data is done on ports. Ports are virtual pathways on which Internet data flows.

For a Watchguard SOHO Firewall a custom service has to be defined and the related traffic has to be allowed. The service must include the definition of an IP of the computer you want to connect to as well as the port for communication.


While things may differ slightly depending on your Firewall’s/Router’s firmware, the below mentioned fields are pretty standard:

  • Application or Service Name
    The name of the application you’re forwarding this port for. You can use any descriptive text you want—this field is here to help you remember why you set this up; like the name suggests, you normally want to use the name of the application you’re setting up port forwarding for. I’s a good idea to also include the computer’s name along with the service if port forwarding is used for the same applications on different computers.
  • Port to
    ‘Port to’ is the port on your local IP address. If you were setting up VNC for a local computer, you’d fill this in with 5900 as that’s the standard port number for VNC services.
  • Port from
    ‘Port from’ is the port on your external IP address. Generally you use the same port as entered in ‘Port to. This works just fine when you’re configuring only one machine for one type of service. But say you wanted to be able to remotely access two or more computers using VNC. If you used 5900 on a single, external IP address they would be in conflict. The router would see a request for port 5900 and not know which Local IP address should handle that request since the port forwarding table has two. To solve this problem, you can use the standard port for one and not for the other—kind of like an apartment building has a single address but multiple apartments. You can use port 5900 for one and 5901 for the other computer. In that case you have to first set the port (the computer you want to access) when using VNC on an external IP address. This way you can set up identical services with a single External IP and different Local IPs without conflicts.
  • Protocol
    This is where you specify whether or not your service uses the TCP protocol, UDP protocol, or both. When you look up your ports you’ll also want to make note of the protocols used. In most cases it will just be TCP.
  • IP Address or Service Host
    This is where you specify the LAN IP of the computer you want to access. You can easily find this information in your computer’s network settings. The IP address will generally be in the 10.0.x.x, 192.168.x.x, or 172.31.x.x format. Because these IP address are generally dynamic (changing over the time), you have to set up static IPs or so-called DHCP reservations.
  • Enable
    You need to enable the port forwarding rule (on Watchguard routers you do it by setting the rule to ALLOW). By using DENY you are able to save the rule but it won’t be active or function in any way.

The firewall is now opened for authorized incoming traffic to a specific computer using a specific port.

The communication is done by the VNC Server software which can be downloaded from the RealVNC website.

After installing the DUC client software from No-Ip and the VNC server software from RealVNC on your PC it looks like this:


VNC viewer on an iOS device …

To configure the VNC Viewer app on an iOS device you just have to enter the HOSTNAME, the PORT for communication and the credentials you defined in the VNC Server software on your computer.


Summary …

The connection to a computer inside a LAN from an iOS device outside the LAN works with a

  • Dynamic DNS account and an Update Client (DUC)
  • Configuration of the firewall for a specific computer and a specific communication port
  • Server software (VNC Server) on the computer
  • Client software (VNC Viewer) on the iOS device

In a typical small office environment, a router assigns private network addresses to internal computers while the router gets a public IP from the ISP.
If the public IP is not static, Dynamic DNS services must be used to configure the VNC Client
by using the Dynamic DNS address instead of an IP address.

Connection to a computer in the LAN requires an installation of VNC Server software.
A unique port number must be assigned to each computer that should be reached from outside the LAN.

Useful links …

Former articles about networks

Network (2) Apple Airport Router

Network (1) Addressing

If you want to use Port Forwarding you should visit

Port Forwarding VNC on Apple Airport

You will find the settings for many Soft- and Hardware products as well as a software product called PFConfig which supports automatic configuration (29.29$).