Accessing your Pi Projects from Outside your House: Port Forwarding

by MWAGNER

Posted on July 9, 2017 at 11:00 AM

Disclaimer:

Now for the good stuff:

Forwarding a port gives a direct connection from the outside world, to a computer on your network. If you do not have proper security measures on the computer that you are forwarding to, you risk exposing your network to possible intrusion. Do so at your own risk, as this guide is for educational purposes only and will not be held responsible for any network vulnerabilities on your network.

The internet can be thought of as a large country. Everyone in the country has their own address, where they 'live'. Internet addresses are known as IP addresses(which many of you probably already know). Every modem/router hookup has it's own external IP address, one that the world uses to connect to you. These addresses are typically in IPv4 format, and look something like xxx.xxx.xxx.xxx, 4 sets of numbers, no more than 3 numbers per set. These numbers may be anything between 0-255, Hackmypi.com runs on 73.xxx.xxx.xxx for instance(censoring my IP a bit here, but you get the point.)

Internal networks run on a different IP system. An IP for an internal network looks like 192.168.x.x or 10.0.x.x. Typically the 10.0.x.x internal IP addresses are issued by Comcast routers, whereas the 192.168.x.x IP addresses are issued by most other routers. Now internal IP addresses function independent of external IP addresses. Internal here meaning 'within your home' or 'on your wifi/home network'. External meaning 'IP address the world sees'.

Every modem/router gets issued an external IP, every device within your house does not. So my house may have external IP 73.187.163.202, and that serves as the only IP for me to access my network from the outside world. My home devices all have their own IP's of the 10.0.x.x variety, but ALL traffic goes through my modem/router to the outside world from those devices, thus every device in my house, to the outside world, looks like 73.187.163.202.

Think of it like an apartment building. The address for the apartment building may be 123 Main St, so everyone in the building lives at 123 Main St. What the modem/router does with internal IP's is assign every device a room. So my laptop is room 200 at 123 Main St, my desktop is room 201 at 123 Main St, etc. If I want to send a letter to my friend from my laptop, the address on the envelope is still 123 Main St. Ports are basically sub addresses within the rooms. So 'Port 80 on my webserver at 10.0.0.1' is the same as saying 'the Master Bedroom in apartment 201'.

If I have a Pi running a camera feed over my internet on port 8081, and the Pi's IP address is 10.0.0.3 for example, then INSIDE my network, I can see it on a web browser at 10.0.0.3:8081 (the ':' denotes port in web addressing). If you wanted to view this camera feed from the outside world, you have to 'forward' the port on the modem/router. What forwarding does is allow for the outside world to get data directly from one device on a network, over that port. It'd be the same as having people send a letter directly to your Master Bedroom, in room 201 at 123 Main St apartment complex.

So there are external IP's that the world sees, one per household usually (think address of an apartment complex). Internal IP's that are given to your device by your modem/router (Think individual apartments inside the complex) and then Ports, which are different access points within your device (Think rooms in the apartment). Make sense?

Now, why does this matter for a Pi project? Think back to my PiCamPart1 project. The wifi Cam streams across my network at 10.0.0.13:8081, where 10.0.0.13 is the LOCAL IP of the Pi, and 8081 is the port. Anyone on my internal network can view the pi at 10.0.0.13 port 8081, but anyone outside my network cannot see it, because outside my network, everything looks like 73.187.163.202 (Which is my router, not my pi). Every device on a local network has a port 8081, including the router. To view the PiCam from outside my network, what I have to do is link the router's port 8081 to my pi's 8081 at 10.0.0.13. So 73.187.163.202:8081 points to 10.0.0.13:8081. When forwarded, if I connect to 73.187.163.202:8081 from anywhere in the world, I will see the same thing as if I was on my network connecting to 10.0.0.13:8081.

Some notes about this: Every device on my network has a port 8081, but my router only has 1 port 8081. Basically the router can only forward to 1 port 8081 and if you have multiple PiCams, you need to set them to broadcast on multiple ports. If all 3 cams are on port 8081, the router can only broadcast to one device on that port, so the other 2 cams will not be seen from outside the network.

The hard part comes next, actually forwarding the port. The problem is, every router is different and it would be impractical for me to write a guide for every router ever. I'll outline the basic steps for you, but you may need to do some additional research for your specific router model.

First: Login to the router.

The router will have a web-based login system, located by navigating to its IP from within a web browser. Go to the command line (terminal in linux) and type in 'ipconfig' (for windows) or 'ifconfig' (for linux). Somewhere on the readout you should see either 192.168.0.1 or 10.0.0.1. This will be your router's IP (sometimes the IP of the router is different, for purposes of this guide I'm assuming you have the router setup as default, without any special subnets). Once you have your router's IP, open a web browser and type that IP into the address bar. You should find yourself looking at a login page for your specific router. If you have never changed them, the default login will be whatever the factory set (google your router model for this info, or consult the manual for the router). Type in the username and password, and you should find yourself at your router's config page.

Second: Forward those ports!

Once logged into the router, you need to find where 'port forwarding' is listed, usually in the 'advanced' tab, if you have one. From within this menu, you can 'add' a forwarded port. The info you will need for this includes: The IP of the device you want forwarded to (i.e. PiCam IP address) and the port the device is using (i.e. 8081). Tell the router to forward port 8081 to IP of the device, and hit save. Some routers need to reboot for this, some just take a minute to apply.

Final: Check it works

Next, check it works! If we are going from my earlier example of my PiCam on 10.0.0.13, and I logged into my router and forwarded the port, I should be able to connect to my external IP at port 8081 (73.187.163.202:8081) in a web browser, and see the same thing as if I were typing in 10.0.0.13:8081 in a web browser!

For more information: Click Here