Definitions
| Item | Definition |
|---|---|
| Router | Routers connect different networks together. Your N4L Managed Router links the school network to the Internet, so users can share the connection. Routers act as a dispatcher, choosing the best path for information to travel so it's received quickly.[1] |
| WAN | Wide Area Network, e.g. the Internet (on the outside of the router). |
| LAN | Local Area Network, e.g. the School's network (on the inside of the router). |
| VLAN | A Virtual LAN separates parts of a physical network from each other. You can have many VLANs on one LAN. Each device in a VLAN can only talk directly to other devices in the same VLAN. In schools, this is commonly used to segregate traffic, so that e.g. WiFi Guests can't see School servers. To let devices in one VLAN communicate with devices in another, you need a Router to connect the VLANs together. |
| Interface | The part of a router that connects to a network (real or virtual), e.g. the WAN Interface is the part of the router that connects it to the Internet. |
| Firewall | A network security device (software or hardware) that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules.[2] |
Firewall Rules
The Firewall function of a Router is made up of Rules.
A Rule can apply to Inbound traffic or Outbound traffic (or both).
Traffic that no Rule specifically allows, in one direction or the other, is dropped by the firewall, so no data is transmitted. In other words, the default is to deny.
Inbound vs Outbound
LAN and WAN
Inbound and Outbound describe the direction traffic moves between networks. The direction is always relative to whichever network you are referencing.
Inbound traffic is information coming in to a network.
Figure 1: Inbound Traffic
Outbound traffic is information going out of a network.
Figure 2: Outbound Traffic
The network could be the School network (as a whole), the Internet, or one of the Virtual LANs (VLANs) inside the school network.
Because the Managed Router sits between these networks and directs the traffic between them, the network on the School side of the Managed Router (the whole LAN, or a single VLAN) becomes our point of reference.
Think about where traffic is flowing to and from.
| From | To | Direction (School Computer's Perspective) |
|---|---|---|
| Internet | School LAN | Inbound |
| School LAN | Internet | Outbound |
VLANs
For VLANs, think about which VLAN is sending and which is receiving: the same traffic is Outbound for the sending VLAN and Inbound for the receiving VLAN.
Figure 3: VLAN Traffic Directions
| From | To | Outbound from | Inbound to |
|---|---|---|---|
| VLAN 2 (Servers) | VLAN 3 (Students) | VLAN 2 | VLAN 3 |
| VLAN 3 (Students) | VLAN 2 (Servers) | VLAN 3 | VLAN 2 |
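The direction rules above (LAN and WAN, and the VLAN table) together with the default-drop behaviour from the Firewall Rules section, worked through as an added Python example. This is not the N4L Managed Router's configuration format or code: the VLAN subnets (192.168.2.0/24 and 192.168.3.0/24), the Internet address 198.51.100.7 and the rule set are assumptions constructed for the example, and the model judges each flow on its own without tracking connections.

```python
"""Firewall rules judged by traffic direction, with a default-drop policy.

Illustration added to this page: not the N4L Managed Router's configuration
format or code. The subnets, addresses and rules are constructed examples.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed subnets for the two VLANs named on this page.
NETWORKS = {
    "VLAN 2 (Servers)": ip_network("192.168.2.0/24"),
    "VLAN 3 (Students)": ip_network("192.168.3.0/24"),
}
SCHOOL_LAN = "School LAN"  # all VLANs behind the router, taken together


def network_of(addr: str) -> str:
    """Name the school VLAN holding `addr`, or 'Internet' if none does."""
    ip = ip_address(addr)
    for name, net in NETWORKS.items():
        if ip in net:
            return name
    return "Internet"


def in_reference(addr: str, reference: str) -> bool:
    """Is `addr` inside the network we are judging direction from?"""
    if reference == SCHOOL_LAN:
        return network_of(addr) != "Internet"
    return network_of(addr) == reference


def direction(src: str, dst: str, reference: str) -> str:
    """Direction of a src -> dst flow relative to `reference`:
    Inbound enters it, Outbound leaves it, Internal stays inside it,
    External never touches it."""
    src_in, dst_in = in_reference(src, reference), in_reference(dst, reference)
    if dst_in and not src_in:
        return "Inbound"
    if src_in and not dst_in:
        return "Outbound"
    return "Internal" if src_in else "External"


@dataclass(frozen=True)
class Rule:
    reference: str           # network the direction is judged from
    direction: str           # "Inbound" or "Outbound"
    protocol: str            # "tcp" or "udp"
    dst_port: Optional[int]  # None matches any destination port
    action: str              # "allow" or "drop"


# Constructed rule set: the whole school may browse the web, and only
# HTTPS may enter the server VLAN (whether from students or the Internet).
RULES: List[Rule] = [
    Rule(SCHOOL_LAN, "Outbound", "tcp", 80, "allow"),
    Rule(SCHOOL_LAN, "Outbound", "tcp", 443, "allow"),
    Rule("VLAN 2 (Servers)", "Inbound", "tcp", 443, "allow"),
]


def evaluate(src: str, dst: str, protocol: str, dst_port: int,
             rules: List[Rule] = RULES) -> str:
    """First matching rule decides; a flow that no rule allows is dropped."""
    for rule in rules:
        if rule.protocol != protocol:
            continue
        if rule.dst_port is not None and rule.dst_port != dst_port:
            continue
        if direction(src, dst, rule.reference) == rule.direction:
            return rule.action
    return "drop"  # default deny: no rule specifically allowed it


if __name__ == "__main__":
    # Constructed sample flows; 198.51.100.7 stands in for a host on the Internet.
    flows = [
        ("192.168.3.23", "198.51.100.7", "tcp", 443),   # student -> web site
        ("198.51.100.7", "192.168.2.10", "tcp", 443),   # Internet -> school web server
        ("192.168.3.23", "192.168.2.10", "tcp", 443),   # student -> server, HTTPS
        ("192.168.3.23", "192.168.2.10", "tcp", 3389),  # student -> server, RDP
        ("198.51.100.7", "192.168.3.23", "tcp", 22),    # Internet -> student PC
    ]
    for src, dst, proto, port in flows:
        print(f"{src} -> {dst}:{port}/{proto}  {evaluate(src, dst, proto, port)}")
```

Running it prints allow or drop for the five sample flows. The student's Remote Desktop attempt at the server is dropped even though no rule mentions port 3389; that is the default-deny point. Firewalls that track connection state also let the replies to an allowed connection back in automatically; this model does not, so in it a reply flow would need its own rule.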
Port Forwards
Public and Private IP Addresses
Often, servers need to be accessible both inside and outside the School network. For example, if the School's Website is hosted on a Web Server inside the school, Parents, Staff and Students wanting to view it from home must connect to the server inside the School.
But the Web Server has a Private IP Address. Private addresses are not routable on the Internet: the server is on the School Network side of the Managed Router, and only devices inside the School Network can reach it directly.
How can a user outside the School Network connect to the School Web Site?
The Managed Router sits in between the School Network and the Internet. It has a Public IP Address allocated to it. No one else in the world is allowed to use that IP Address while it is allocated to your Managed Router.
The Managed Router listens on that IP Address for connections from the Internet, and then decides where to send that traffic inside the School Network.
People wanting to connect to the School Website get directed to the Web Server, without knowing its Private IP Address.
Connecting to a Specific Server
This works well when we only have one device (our Web Server). But School Networks have many devices.
If we have two devices, both listening for connections on Port 3389 (Remote Desktop), where does the Router direct the connection?
How does the Managed Router decide which internal device to send traffic to?
Figure 4: A confused router
We set up a Port Forward.
What are Ports?
When a message, notice or package is received for a Teacher at School, the delivery person doesn't come into the School and deliver personally to each Teacher.
The message is placed in their named Pigeonhole, probably by an Office Administrator, and the Teacher collects the message.
If we think of data as the messages, Ports are like the Pigeonholes, each one with its own number.
Each Pigeonhole has a unique name, otherwise the Office Admin wouldn't know where to deliver the message. Similarly, only one service can use a given Port number on a device at any one time (for each protocol: TCP and UDP each have their own set of port numbers).
The Managed Router is like the hard-working Office Admin.
Each Device - the Router, each Computer - has its own set of Ports.
What is Port Forwarding?
When a data message reaches a Router or Computer, the message has a Port Number attached, and so is directed to the associated Port.
A Port Forward is a specific mapping between an external Port on the Router's public IP Address and an internal Port on a specific computer (its private IP Address plus a Port number).
Messages sent to the external Port are forwarded to the internal Port.
Figure 5: A Port Forward
How can Both Computers Receive Connections on the Same Port?
In the above example, they can't. There is only one Port 3389 on the Router, and it is Forwarding traffic to 192.168.2.10:3389 in VLAN 2.
But in a Port Forward, the external port can be different from the internal port.
In this way, 192.168.3.23:3389 in VLAN 3 can receive connections from outside as well, if we set up a Port Forward from another external port.
Figure 6: Two port forwards
Which Ports can I use?
Valid ports are in the range 1 to 65535. These are further classified:
Ports 1 - 1023 are system or well-known ports. These are used by many standard protocols, e.g. 80 (HTTP), 443 (HTTPS), 25 (SMTP - Email).
Ports 1024 - 49151 are user or registered ports.
Ports 49152 - 65535 are dynamic or private ports.
You can use any of these ports inside of your School Network.
Some ports may already be in use by existing services - remember that a port number in use must be unique on that device (for each of TCP and UDP).
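The Port Forward table from Figures 4 to 6, together with the port range checks above, as an added Python example. It is not the N4L Managed Router's own code or configuration. The internal addresses 192.168.2.10 and 192.168.3.23 are the ones used on this page; the public address 203.0.113.1, the second external port 33890 and the separate TCP and UDP port spaces are assumptions made for the example.

```python
"""Port-forward table for a router that owns one public IP address.

Added illustration; not the N4L Managed Router's own code or configuration.
The internal addresses come from the page; the public address 203.0.113.1,
the external port 33890 and the per-protocol port spaces are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


class PortForwardError(ValueError):
    """Raised for an invalid port number or a clash on an external port."""


def check_port(port: int) -> int:
    """Accept only the valid port range 1-65535."""
    if not 1 <= port <= 65535:
        raise PortForwardError(f"port {port} is outside 1-65535")
    return port


def port_class(port: int) -> str:
    """IANA range a port belongs to: well-known, registered or dynamic."""
    check_port(port)
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"


@dataclass(frozen=True)
class Forward:
    protocol: str       # "tcp" or "udp": each protocol has its own port space
    external_port: int  # port on the router's public address
    internal_ip: str    # private address of the computer
    internal_port: int  # port the service listens on there


class Router:
    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        # One entry per (protocol, external port): there is only one Port 3389
        # on the router, so a second forward for it is refused.
        self.forwards: Dict[Tuple[str, int], Forward] = {}

    def add_forward(self, protocol: str, external_port: int,
                    internal_ip: str, internal_port: int) -> Forward:
        key = (protocol.lower(), check_port(external_port))
        if key in self.forwards:
            taken = self.forwards[key]
            raise PortForwardError(
                f"{key[0]}/{external_port} already forwards to "
                f"{taken.internal_ip}:{taken.internal_port}")
        fwd = Forward(key[0], external_port, internal_ip, check_port(internal_port))
        self.forwards[key] = fwd
        return fwd

    def translate(self, protocol: str, dst_ip: str,
                  dst_port: int) -> Optional[Tuple[str, int]]:
        """Internal (ip, port) that a packet sent to the public address is
        forwarded to, or None when no forward exists and it is dropped."""
        if dst_ip != self.public_ip:
            return None
        fwd = self.forwards.get((protocol.lower(), dst_port))
        return None if fwd is None else (fwd.internal_ip, fwd.internal_port)


def example_router() -> Router:
    """The situation in Figures 4 to 6: two hosts both listening on 3389."""
    router = Router("203.0.113.1")  # assumed public address
    router.add_forward("tcp", 3389, "192.168.2.10", 3389)      # Figure 5
    try:
        router.add_forward("tcp", 3389, "192.168.3.23", 3389)  # Figure 4: clash
    except PortForwardError:
        pass  # external 3389 is taken, so pick a different external port
    router.add_forward("tcp", 33890, "192.168.3.23", 3389)     # Figure 6
    return router


if __name__ == "__main__":
    r = example_router()
    for port in (3389, 33890, 22):
        print(f"{r.public_ip}:{port}/tcp -> {r.translate('tcp', r.public_ip, port)}")
```

The second forward on external 3389 raises PortForwardError, which is the confused router of Figure 4; forwarding external 33890 instead resolves it the way Figure 6 does. A different external port does not hide the service, though: Internet-wide scanners try every port, so a service such as Remote Desktop that is forwarded from the Internet still needs an Inbound rule restricting who may reach it.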
If you are not sure which port to use in a Port Forward, or have any questions about Inbound or Outbound Firewall rules, please give the Helpdesk a call on 0800 LEARNING or email support@n4l.co.nz.