Configuring Port Forwarding For Remote Desktop Access
I like to have full remote desktop access to my main/home computer anytime and from anywhere (even when I’m on the road and only have my phone on hand). Yes, I’m that addicted to technology. No apologies.
Before you can do something similar, however, you would usually need to first configure port forwarding on your home network. What does that even mean? And how is it done?
In this article, I explain everything you need to know about port forwarding. In a subsequent article, I will discuss how to perform the actual remote desktop (RDP) connection after port forwarding has been properly configured.
But first, some background…
Routers, Network Interfaces…
To understand the concept of port forwarding, a good grasp of the workings of your router is necessary.
For a computer to connect to the Internet, it needs a unique IP address. Your router is assigned one IP address by your Internet Service Provider (ISP), but each of the computers in your home or office has its own IP address as well (assigned by your router), and they all connect to the Internet via the IP address your ISP assigned to your router.
Your router has at least two network interfaces – one that connects to the Internet with a routable IP address, and another that shares or assigns IP addresses to your local computers.
Usually, the IP addresses of your home or office computers go along the lines of 192.168.xxx.xxx. This range of IP addresses is one of the ranges reserved by the IANA as private addresses, to be used only on private networks.
Network Address Translation (NAT)
The addresses on your computers are not routable on the public Internet. This means that if they were to attempt to communicate directly with another device on the Internet, the packets (or data, in non-geeky terms) they send would be dropped.
For your PC to communicate with another Internet-enabled device, the router translates the private source address of its packets into the router’s own public IP address, so that whatever leaves your local network appears to come from the router. That translation is NAT. Port forwarding uses the same machinery in the opposite direction: a connection arriving at the router’s public address is handed to a specific local machine.
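To make the translation concrete, here is a toy model of outbound NAT on a home router. This is an added example, not code from the article or from any router firmware; the public address 203.0.113.5, the peer 198.51.100.7 and the port numbers are constructed values. It shows the router rewriting a private source address to its public one, translating the matching reply back, and dropping an unsolicited packet aimed at port 3389 because nothing inside asked for it, which is exactly the gap a port forwarding rule fills.

```python
from dataclasses import dataclass
import itertools

PUBLIC_IP = "203.0.113.5"        # constructed WAN address (documentation range)
SERVER_IP = "192.168.0.10"       # the article's local "Server" machine


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatRouter:
    """Toy model of outbound NAT: the private source address of an outbound
    packet is rewritten to the public address, and the mapping is remembered
    so that the reply can be translated back to the right local machine."""

    def __init__(self, public_ip, first_public_port=40000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_public_port)
        self.by_private = {}   # (private_ip, private_port, proto) -> public_port
        self.by_public = {}    # (public_port, proto) -> (private_ip, private_port, peer_ip, peer_port)

    def outbound(self, pkt):
        """Rewrite a packet leaving the LAN; reuse the mapping for a known socket."""
        key = (pkt.src_ip, pkt.src_port, pkt.proto)
        if key not in self.by_private:
            public_port = next(self._ports)
            self.by_private[key] = public_port
            self.by_public[(public_port, pkt.proto)] = (
                pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(self.public_ip, self.by_private[key], pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt):
        """Translate a packet arriving on the public side, or return None (dropped)."""
        entry = self.by_public.get((pkt.dst_port, pkt.proto))
        if entry is None:
            return None            # nothing inside asked for this: no state, no rule
        private_ip, private_port, peer_ip, peer_port = entry
        if (pkt.src_ip, pkt.src_port) != (peer_ip, peer_port):
            return None            # only the peer we contacted may use this mapping
        return Packet(pkt.src_ip, pkt.src_port, private_ip, private_port, pkt.proto)


def demo():
    """Outbound request, its reply, and an unsolicited RDP attempt from outside."""
    router = NatRouter(PUBLIC_IP)
    request = router.outbound(Packet(SERVER_IP, 51000, "198.51.100.7", 443))
    reply = router.inbound(Packet("198.51.100.7", 443, PUBLIC_IP, request.src_port))
    rdp_attempt = router.inbound(Packet("198.51.100.99", 12345, PUBLIC_IP, 3389))
    return request, reply, rdp_attempt


if __name__ == "__main__":
    for pkt in demo():
        print(pkt)
```

The third result is `None`: with plain NAT, an inbound connection to port 3389 has no mapping and is dropped, so remote desktop from outside needs an explicit forwarding rule.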
What Is A Port?
At the software level, a port is a logical point to which a service, a process, an application, or even a computer connects.
As an example, when you type a web address in your browser and hit Enter, you are making a request to a remote web server using the HTTP (or HTTPS) protocol which is handled by a specific port on that server (port 80 in the case of HTTP and 443 for HTTPS).
Ports are identified by port numbers, which range from 0 to 65535. Some well-known ports are used very commonly; these range from 0 to 1024 and are reserved for specific applications and protocols. For example, HTTP works on port 80, SMTP on port 25, and POP3 on port 110.
What Exactly Is Port Forwarding?
As previously touched on, you usually have just one public IP address (your router’s IP address), even though your router assigns many IP addresses to your devices and computers locally.
Port forwarding takes a port on that public IP address and forwards it to your selected local machine so that people can access your local network from outside.
In simpler terms, port forwarding is a way of making one computer (e.g. your home computer) accessible to another computer on the Internet.
Common applications of port forwarding include VOIP, gaming, set-up of IP cameras, and of course, remote desktop access.
Port forwarding allows you to do virtually anything you can do on your system remotely, as though you were right in front of the machine. If you’ve never done it before, it may seem somewhat difficult. But don’t worry, this post attempts to explain it in an easy-to-understand manner.
How To Configure Port Forwarding
Generally, you enable port forwarding based on your specific needs. This means that you open up the specific ports you need for specific services and leave the others closed. This is important for security reasons – if you leave unused ports open to the world, hackers could easily take advantage.
So, the first thing you need to know is the exact port you want to open. PortForward.com has an impressive list of ports and the applications and services that run on them.
In our case, the service we want to use is Windows Remote Desktop. As you can see from the above list on PortForward.com, the port responsible for this service is port 3389. So, in this particular case, port 3389 is the port we want to forward.
Now head over to the port forwarding settings page of your router. Different routers have different user interface designs. Here’s how mine looks (notice that the RDP port 3389 is already forwarded – I did this a while ago):
Again, your router’s firmware determines how this section looks. Some older (and perhaps more common) routers will present the information like this:
The explanation below uses the second (older) image because I think it may be a more common representation. But it should be pretty obvious how the two are related. At the very least, both images should give you an idea of what to look out for in the port forwarding section of your router.
So, as shown above, there are 6 columns of interest:
- Application name
- Port from
- Protocol
- IP Address
- Port to
- Enable
Here’s an explanation of what each of the columns means:
The application name is simply what you want to call the application you are using on the port. As you can see in the screenshot, you can type in anything you like here. Descriptive names are advised, though.
And if you are forwarding ports to different computers for the same application, you may want to indicate the name of the computer too to avoid confusing yourself later. This is the case with the VNC setup for the “Hunter” and “Grey” computers as shown in the second screenshot above.
Notice in the first screenshot that I have named one of my “forwards” EhiCustomFTP. So yeah, any application name works, as long as you know what it means.
Port from is the port on your public IP address (the port on your router). When you’re setting up just one machine for one service, the value you enter here would be the same as that used in the Port to field.
But if you need to remotely connect to two computers with VNC (as was done in the second screenshot above), for example, and you used port 5900 on the same public IP address for both, a conflict would occur. When the router gets a port 5900 request, it has no way of knowing which local computer it should ask to handle the request, because the port forwarding table contains 2 local PC IP addresses for that port.
To fix the problem, use the standard VNC port (5900) for one “forward” and a non-standard port (like 5901) for the other “forward”. Notice how this is done in the second screenshot above (for Hunter and Grey).
When you connect to the standard VNC service on this router, it will route you to Grey and you will receive a login request. This is because Grey used the standard VNC port. But to access Hunter, you would need to connect via port 5901 instead of 5900 – just enter the non-standard port number on the application running on the remote device that you’re using to connect.
Under Protocol, you specify what protocol your application will be using: TCP, UDP, or both. More often than not, it’s TCP you will be needing.
As previously stated, each device connected to the network has an IP address. So what you will be putting under IP Address is the local IP address of the machine you want to access remotely. You can find it in your PC’s network settings, or by running the ipconfig command on your Windows machine.
Note, however, that the IP address your router assigns to your computer is likely dynamic. This means it can change after a shutdown of your machine or a restart of your router. So, you may want to configure a DHCP reservation so the IP address remains constant. This is explained further below.
Port to is the port to which you want to forward the requests – the port on the local machine receiving the forwarded traffic. In most cases, it is the same port number as Port from.
To activate the port forwarding rules you have just set, you need to check the boxes in the Enable column that correspond to the rules.
If you use up the available fields and have more entries to make, there’s an “Add” button on most routers that allows you to extend the table with more fields.
Forwarding A Range Of Ports
Some newer routers (like mine, as shown in the first screenshot above) give you the option of forwarding several consecutive ports by entering them as a range. That means you can select a group of ports following each other, instead of entering each port as a separate rule.
The screenshot below from my router provides a visual representation of port range forwarding. Notice the port range highlighted. This was set up for my home-based FTP server.
The whole process is the same. But this time, you just select a range of ports instead of just one port.
DMZ And Security
Some routers have a section called DMZ. Short for “De-Militarized Zone”, it opens up every single port on the chosen computer. Once in this section, if available on your router, enter your local computer’s IP address in the field provided, then save the settings you just changed.
Note: While this may seem like a very convenient option, sparing you from the stress of entering multiple port numbers and entering one IP address multiple times, it is not secure at all, and I strongly advise against using it. It leaves your computer open to all kinds of traffic. I’m sure you don’t want that, as it poses a real security threat.
Talking about security, you may notice that I have my RDP port open to allow traffic from “Any” remote IP address. While this is not as wide open as using a DMZ, it is still not very secure. So use this setting with caution. But then, it comes in very handy when I want to use Microsoft’s official RDP mobile app to access my home computer from anywhere.
With that “Any” setting, I could even be on a bus or train while working on my home server using my phone or tablet. Talk about flexible remote access!
The alternative to the “Any” setting is to define a specific IP address or range of addresses from which RDP connection requests will be allowed. This is very safe. But when you’re using your mobile service provider’s LTE service, you really have no way of telling what IP address will be assigned to your phone at any time. This is why I just let “Any” IP address connect and save myself some headaches.
Of course, users still need to authenticate by username and password before they will be granted access. They also need to know what my public (router’s) IP address is. And in addition, I have a bunch of other security features in place to mitigate the risk of the above “Any” setting.
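The following model ties together the forwarding table columns, port range forwarding, the DMZ setting and the “Any” versus allowed-source choice discussed above. It is an added example, not the article’s or any router vendor’s code. The table is modelled on the screenshots described in the article (RDP on 3389, VNC for Grey and Hunter on 5900/5901, and the EhiCustomFTP range); the local addresses for Grey and Hunter, the FTP port range, the DMZ host address and the allowed-source block 203.0.113.0/24 are assumptions. The `check_conflicts` function flags the 5900 clash, `route_inbound` shows where a request lands (including the 5901 to 5900 rewrite for Hunter and the DMZ catch-all), and `audit` lists what a defender would want to review before saving.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Forward:
    """One row of a router's port forwarding table. The first six fields follow
    the columns in the article; the last two model a port range and the
    per-rule remote-source restriction."""
    name: str                    # application name, free text
    port_from: int               # external port on the public IP (start of range)
    protocol: str                # "tcp", "udp" or "both"
    ip_address: str              # local machine that receives the traffic
    port_to: int                 # port on that local machine (start of range)
    enabled: bool = True         # the Enable checkbox
    port_from_end: Optional[int] = None   # last external port when forwarding a range
    remote_source: str = "any"   # "any", or a CIDR block allowed to connect

    def protocols(self):
        return {"tcp", "udp"} if self.protocol == "both" else {self.protocol}

    def external_ports(self):
        return range(self.port_from, (self.port_from_end or self.port_from) + 1)


def check_conflicts(table):
    """Pairs of enabled rules claiming the same external port and protocol.
    The router could not tell which local machine should get such a request."""
    owner, conflicts = {}, []
    for rule in table:
        if not rule.enabled:
            continue
        for proto in rule.protocols():
            for port in rule.external_ports():
                key = (port, proto)
                if key in owner:
                    conflicts.append((owner[key].name, rule.name, port, proto))
                else:
                    owner[key] = rule
    return conflicts


def route_inbound(table, dmz_host, remote_ip, ext_port, proto):
    """Decide where an unsolicited inbound connection lands.
    Returns (local_ip, local_port), or None when the router drops it."""
    for rule in table:
        if not rule.enabled or proto not in rule.protocols():
            continue
        if ext_port not in rule.external_ports():
            continue
        if rule.remote_source != "any" and \
                ip_address(remote_ip) not in ip_network(rule.remote_source, strict=False):
            continue   # this rule only admits the listed source addresses
        return (rule.ip_address, rule.port_to + (ext_port - rule.port_from))
    if dmz_host:
        return (dmz_host, ext_port)   # DMZ: every unmatched port reaches the DMZ host
    return None


def audit(table, dmz_host):
    """Findings a defender would want to see before saving the configuration."""
    findings = []
    if dmz_host:
        findings.append(f"DMZ host {dmz_host}: every port on it is exposed to the Internet")
    for rule in table:
        if rule.enabled and rule.remote_source == "any":
            findings.append(f"{rule.name}: {rule.ip_address}:{rule.port_to} "
                            f"reachable from any remote address")
    return findings


# Constructed table modelled on the article's screenshots; the Grey/Hunter
# addresses and the FTP range are assumptions.
TABLE = [
    Forward("RDP Server", 3389, "tcp", "192.168.0.10", 3389),
    Forward("VNC Grey", 5900, "tcp", "192.168.0.20", 5900),
    Forward("VNC Hunter", 5901, "tcp", "192.168.0.21", 5900),
    Forward("EhiCustomFTP", 50000, "tcp", "192.168.0.10", 50000, port_from_end=50010),
]

if __name__ == "__main__":
    print(route_inbound(TABLE, None, "198.51.100.7", 5901, "tcp"))   # Hunter's VNC
    for finding in audit(TABLE, None):
        print(finding)
```

A rule whose `remote_source` does not match simply fails to match, so the request falls through to later rules and finally to the DMZ host if one is set; that is why a DMZ host and a restricted rule do not combine into a restriction.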
Your router assigns IP addresses to your different machines dynamically. So, the IP addresses of your computers may change at any time (e.g. after a router or computer reboot). When this happens, your port forwarding setup is rendered non-functional or incorrect.
With DHCP (Dynamic Host Configuration Protocol) reservations, you can pin an IP address to a machine so that your router assigns that same computer the same IP address every time.
In my case, I have a home computer named “Server” that I don’t want the router to change IP addresses for after each router or computer reboot. At the time this was setup, the IP address of that computer (as assigned by the router) was 192.168.0.10. And in order for my RDP port forwarding to continue working forever, I need to make sure that whenever my router reboots, it again assigns my “Server” computer the 192.168.0.10 IP address.
So, I set up this configuration on my router in the DHCP reservations section:
To set a DHCP reservation, decide the IP address you want for your computer and then find the computer’s MAC address.
A MAC address is a string of 12 hexadecimal digits written in six 2-digit groups, like this: 1A:2B:3C:4D:5E:6F or 1A-2B-3C-4D-5E-6F.
With some modern routers, you don’t even need to go searching for your device’s MAC address. As long as your device has an identifiable name, you can easily locate its MAC address in your router’s DHCP section, because modern routers display MAC addresses and device names in their DHCP tables.
If your router doesn’t provide this information, locate your MAC address manually. To find your MAC address on Windows, run the ipconfig /all command from your command prompt. Your MAC address will be marked “Physical Address”.
Once you’ve got the MAC address, put it in your DHCP reservation list along with your desired local IP for that machine. Restart your router for the changes to become effective. Thereafter, your local machines with DHCP reservations will always keep the same local IP addresses.
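As an added example (not code from the article), the script below does the two things this section describes: it pulls the “Physical Address” for each adapter out of `ipconfig /all` output and normalizes the two MAC address spellings mentioned above, then feeds that MAC to a toy DHCP server with a reservation for 192.168.0.10. The ipconfig text is a constructed excerpt laid out like the real command’s output, not captured from a machine; the pool range and the other two client MACs are assumptions. After a simulated router reboot, the reserved machine gets 192.168.0.10 again while an unreserved laptop ends up on a different address.

```python
import re
from ipaddress import ip_address


def normalize_mac(mac):
    """Accept 1A:2B:3C:4D:5E:6F, 1A-2B-3C-4D-5E-6F or 1a2b3c4d5e6f; return the colon form."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


# Constructed excerpt in the layout of `ipconfig /all` on Windows (not real output).
IPCONFIG_SAMPLE = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : SERVER

Ethernet adapter Ethernet:

   Description . . . . . . . . . . . : Example Gigabit Adapter
   Physical Address. . . . . . . . . : 1A-2B-3C-4D-5E-6F
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.0.10(Preferred)
"""


def physical_addresses(text):
    """Map each adapter header in ipconfig /all output to its normalized MAC."""
    adapters, current = {}, None
    for line in text.splitlines():
        # Adapter headers start in column 0 and end with a colon.
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.strip().rstrip(":")
        match = re.match(r"\s+Physical Address[ .]*:\s*(\S+)", line)
        if match and current:
            adapters[current] = normalize_mac(match.group(1))
    return adapters


class DhcpServer:
    """Toy DHCP server: hands out addresses from a pool, but a reserved MAC
    always receives its reserved address, even after all leases are forgotten."""

    def __init__(self, first_ip, last_ip, reservations):
        start, end = int(ip_address(first_ip)), int(ip_address(last_ip))
        self.pool = [str(ip_address(n)) for n in range(start, end + 1)]
        self.reservations = {normalize_mac(m): ip for m, ip in reservations.items()}
        self.leases = {}   # mac -> ip, for clients without a reservation

    def request(self, mac):
        mac = normalize_mac(mac)
        if mac in self.reservations:
            return self.reservations[mac]
        if mac in self.leases:
            return self.leases[mac]
        taken = set(self.leases.values()) | set(self.reservations.values())
        for ip in self.pool:
            if ip not in taken:
                self.leases[mac] = ip
                return ip
        raise RuntimeError("address pool exhausted")

    def reboot(self):
        """Simulate a router reboot that forgets all dynamic leases."""
        self.leases.clear()


def demo():
    """Addresses handed to the server and a laptop, before and after a reboot."""
    dhcp = DhcpServer("192.168.0.10", "192.168.0.20",
                      {"1A-2B-3C-4D-5E-6F": "192.168.0.10"})   # the reservation
    server_mac = physical_addresses(IPCONFIG_SAMPLE)["Ethernet adapter Ethernet"]
    before = (dhcp.request(server_mac), dhcp.request("aa:bb:cc:00:00:01"))
    dhcp.reboot()
    dhcp.request("aa:bb:cc:00:00:02")   # a different device asks first this time
    after = (dhcp.request(server_mac), dhcp.request("aa:bb:cc:00:00:01"))
    return before, after


if __name__ == "__main__":
    print(demo())
```

The laptop moves from 192.168.0.11 to 192.168.0.12 after the reboot, which is exactly the drift that breaks a forwarding rule pointing at the old address; the reserved server stays on 192.168.0.10.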
Using DNS To Assign A Domain Name To Your Router
We have discussed how to ensure that the local IP address of your machine never changes, by setting up a DHCP reservation. However, on home networks, even the public IP address of your router can change from time to time. In my experience this is not very frequent, though the frequency depends on your ISP.
After setting up your computer for remote access, reaching it from the remote end requires the use of its public (router) IP address. If this changes often, you will have a problem. And even if it doesn’t change that often, how nice would it be to have a domain name with which you can access your computer?
So, instead of having to type a numeric address like 192.168.xxx.xxx every time, wouldn’t it be much better if you could type something user-friendly like server.dyndns.com?
My article on setting up Windows Remote Desktop connection after you have already set up port forwarding has now been published. Refer to it if you’re done with port forwarding and need help with the remaining steps.