The BBIagent router makes your internal network appear as a single machine to the external network and prevents external hosts from reaching your computers directly. By adding rules in Virtual Services you can direct selected incoming requests to specific computers, so that other computers on the external network can reach servers running on the internal network. Applications on the internal network that need to accept connections directly from remote computers also work normally with port forwarding in the router.
The rules must be arranged in the right order, or they will not take effect. Matching is first-match: once a rule in the list matches a connection, the rules after it (below it in the list) are not checked, so a broad rule placed above a more restrictive one makes the restrictive one unreachable.
Click the Virtual Services button again to refresh the rules in the list.
(Figure: rules in Virtual Services allow port forwarding)
To add a rule, enter values in the fields and click the Insert button. The rule is inserted before the rule selected in the list; if no rule is selected, it is appended at the end. If the rule is enabled and its data are valid, it is applied to the router immediately.
The fields of a rule are as follows.
Router Port: A single port or a range of ports on the router that is forwarded to a computer on the internal network and that you want outside users to be able to reach. The accepted port number range is 0 to 65535 (port 0 is reserved and is not used by a real service). A range is written as first port-last port, for example 2000-3000. Leave it blank if the protocol of the service to be forwarded is GRE, which has no port.

Protocol: Connection protocol of the service to be forwarded.

Service Host on LAN: IP address of the computer on the internal network that runs the server accepting the connection forwarded from the router.

Service Port: The port on which the service computer is listening. Leave it blank if it is the same as the router port.

Loop: Enable this if computers on the internal network need to reach the service host through the external IP address of the router (the router loops the connection back into the LAN). Without it, internal computers must use the server's internal IP address.

Source Host on WAN: The host or subnet on the external network from which connections are accepted; connections from other addresses do not match the rule. Leave it blank to accept connections from any host. A subnet is written as IP address/mask length; for example, 4.5.6.0/24 means all IP addresses from 4.5.6.0 to 4.5.6.255.

Time: Time of day for access control, in the format HH:MM-HH:MM (start-end), e.g. 09:30-17:10. The start time must be earlier than the end time, so a window that crosses midnight has to be split into two rules.

Days: Days of the week for access control. 1 to 6 stand for Monday to Saturday, and 0 or 7 for Sunday. Values can be listed with commas (,) or given as ranges with a hyphen (-). For example, weekdays can be entered as 1-5 and the weekend as 6,7; 1-4,7 stands for Monday to Thursday and Sunday.
The ports and protocols required by different applications vary. Refer to each application's manual for information on running it behind a firewall, or try to find them out by clicking the Tracking button in Security Control while the application is running.
Port forwarding applies only to connections coming from the external network. Unless Loop is enabled for the rule, other computers on the internal network must access the server by its internal IP address.
The sample rules in the list are described below.

Rule 1: The connection at port 8000 of the router is forwarded to 192.168.2.2 at port 80. If you have a web server running on 192.168.2.2 at port 80 (http) and the external IP address of the router is 1.2.3.4, other computers on the external network can reach your web server with the URL http://1.2.3.4:8000. As Source Host is blank, all computers are allowed to access it.

Rule 2: Only the host with IP address 5.6.7.8 is allowed to access the telnet server (port 23) running on 192.168.2.3, and only from 9:00 am to 6:00 pm, Monday to Friday.

Rule 3: You have an FTP server running on 192.168.2.4. Any computer on the external network is allowed to access it from midnight to 8:30 in the morning on Friday, Saturday and Sunday. More than 3 concurrent connections from the same computer are rejected.

Rule 4: E-mail can be sent to (port 25, SMTP) and received from (port 110, POP3) the mail server running on 192.168.2.5 by the computers on the network segment 4.5.6.0/255.255.255.0 (that is, 4.5.6.0/24).

Rule 5: A computer with IP 192.168.2.6 is running ICQ, which needs to transfer files directly with other ICQ clients on the external network. You also have to configure the ICQ client's port range for Direct Connections and Incoming Events to the same range, 3000-3014.

Rule 6: This rule opens a range of ports for direct file transfer between MSN clients.

Rule 7: The GRE connection from the computer with IP 1.2.3.4 on the external network is forwarded to the computer with IP 192.168.2.7 on the LAN.

Rule 8: The TCP connection at port 1723 of the router from the computer with IP 1.2.3.4 on the external network is forwarded to the computer with IP 192.168.2.7 on the LAN. If a PPTP VPN server is running on 192.168.2.7, rules 7 and 8 together allow 1.2.3.4 to connect to it from the external network: PPTP uses TCP port 1723 for its control channel and GRE for the tunnelled data, so both rules are needed.
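The field formats described above (port ranges, Days with 0 and 7 both meaning Sunday, HH:MM-HH:MM windows, host/mask-length subnets, blank Source Host and Service Port) and the first-match rule order can be checked offline with the following evaluator. It is an example added here, not the router's own code: the Rule field names, the forward() function, the offset mapping of Service Port onto a port range, and the sample rule list (constructed from the sample rules above; rule 6 is omitted because the page gives no ports for it) are assumptions of this example, and it goes beyond the page's single-port samples by handling ranges generally.

```python
from dataclasses import dataclass
from datetime import datetime
import ipaddress

@dataclass
class Rule:                             # field names are this example's, not the router's
    router_port: str                    # "8000", "3000-3014", or "" for GRE
    protocol: str                       # "tcp", "udp" or "gre"
    service_host: str                   # Service Host on LAN
    service_port: int = None            # blank = same as the router port
    source_host: str = ""               # Source Host on WAN: "" = any, "5.6.7.8", "4.5.6.0/24"
    time: str = ""                      # "HH:MM-HH:MM" or ""
    days: str = ""                      # "1-5", "6,7", "1-4,7" or ""
    enabled: bool = True

def parse_port_range(text):
    """'2000-3000' -> (2000, 3000); '8000' -> (8000, 8000)."""
    first, sep, last = text.partition("-")
    lo, hi = int(first), int(last) if sep else int(first)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range {text!r}")
    return lo, hi

def parse_days(text):
    """'1-4,7' -> {1, 2, 3, 4, 7}.  0 and 7 both mean Sunday, so 0 is folded onto 7."""
    days = set()
    for part in text.split(","):
        a, sep, b = part.partition("-")
        lo, hi = int(a), int(b) if sep else int(a)
        if not 0 <= lo <= hi <= 7:
            raise ValueError(f"bad day spec {part!r}")
        days.update(7 if d == 0 else d for d in range(lo, hi + 1))
    return days

def parse_time_window(text):
    """'09:30-17:10' -> (570, 1030) minutes after midnight; start must precede end."""
    def minutes(hhmm):
        t = datetime.strptime(hhmm, "%H:%M")   # also rejects malformed times
        return t.hour * 60 + t.minute
    start, _, end = text.partition("-")
    lo, hi = minutes(start), minutes(end)
    if lo >= hi:
        raise ValueError(f"start must be before end in {text!r}")
    return lo, hi

def rule_matches(rule, proto, dst_port, src_ip, when):
    """True if a packet (protocol, router port, WAN source address, timestamp) hits the rule."""
    if not rule.enabled or rule.protocol.lower() != proto.lower():
        return False
    if proto.lower() != "gre":              # GRE has no port; Router Port is left blank for it
        lo, hi = parse_port_range(rule.router_port)
        if not lo <= dst_port <= hi:
            return False
    if rule.source_host:                    # blank Source Host = accept from any WAN address
        net = ipaddress.ip_network(rule.source_host, strict=False)
        if ipaddress.ip_address(src_ip) not in net:
            return False
    # isoweekday(): Monday=1 .. Sunday=7, the same numbering the Days field uses
    if rule.days and when.isoweekday() not in parse_days(rule.days):
        return False
    if rule.time:
        lo, hi = parse_time_window(rule.time)
        if not lo <= when.hour * 60 + when.minute <= hi:
            return False
    return True

def forward(rules, proto, dst_port, src_ip, when):
    """First-match lookup: (lan_host, lan_port) of the first hit, or None. Rules below it are never consulted."""
    when = datetime.fromisoformat(when) if isinstance(when, str) else when   # accepts "2024-01-10T12:00"
    for rule in rules:
        if not rule_matches(rule, proto, dst_port, src_ip, when):
            continue
        if proto.lower() == "gre":
            return rule.service_host, None
        if rule.service_port is None:       # blank Service Port: same port as on the router
            return rule.service_host, dst_port
        # Assumption: for a range, Service Port is the first LAN port and the offset is kept
        return rule.service_host, rule.service_port + dst_port - parse_port_range(rule.router_port)[0]
    return None

# Constructed from the manual's sample rules (rule 6, MSN, gives no ports on the page and is omitted).
SAMPLE_RULES = [
    Rule("8000", "tcp", "192.168.2.2", 80),                                                   # 1: web
    Rule("23", "tcp", "192.168.2.3", source_host="5.6.7.8", time="09:00-18:00", days="1-5"),  # 2: telnet
    Rule("21", "tcp", "192.168.2.4", time="00:00-08:30", days="5-7"),                         # 3: ftp
    Rule("25", "tcp", "192.168.2.5", source_host="4.5.6.0/24"),                               # 4: smtp
    Rule("110", "tcp", "192.168.2.5", source_host="4.5.6.0/24"),                              # 4: pop3
    Rule("3000-3014", "tcp", "192.168.2.6"),                                                  # 5: ICQ
    Rule("", "gre", "192.168.2.7", source_host="1.2.3.4"),                                    # 7: GRE
    Rule("1723", "tcp", "192.168.2.7", source_host="1.2.3.4"),                                # 8: PPTP
]

def shadowing_example():
    """Why order matters: a blanket port-23 rule placed above the restricted one hides it."""
    blanket, restricted = Rule("23", "tcp", "192.168.2.9"), SAMPLE_RULES[1]
    noon_wed = "2024-01-10T12:00"                     # Wednesday 12:00, inside rule 2's window
    wrong = forward([blanket, restricted], "tcp", 23, "5.6.7.8", noon_wed)   # blanket wins
    right = forward([restricted, blanket], "tcp", 23, "5.6.7.8", noon_wed)   # restricted wins
    return wrong, right
```

shadowing_example() shows the ordering rule from the top of the page in practice: with the blanket rule first, the restricted telnet rule for 5.6.7.8 is never consulted and the connection lands on 192.168.2.9 instead of 192.168.2.3. The parsers reject the invalid inputs the field descriptions exclude (a port above 65535, a day outside 0-7, a time window whose start is not before its end), which mirrors the router applying a rule only when its data are valid.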