Security Forums

Is it possible to open 2 ports on the same network?

Nstal
Just Arrived

Joined: 02 Jan 2006
Posts: 0

Posted: Mon Jan 02, 2006 11:08 pm    Post subject: Is it possible to open 2 ports on the same network?

If I have two computers on a single router is it possible for them to both have the same port open? For example, let's say I have port 80 open on 192.168.1.100 and I also have it open on 192.168.1.101. Let's say my IP address to the internet is 67.44.33.22.
Is it possible for an outside computer to be able to distinguish between the two? Or once a port is open on one of my PCs on the network is it impossible to open that port on another computer running on the same network? Thanks

Zapotek
Just Arrived

Joined: 02 Jan 2006
Posts: 0
Location: Hellas

Posted: Mon Jan 02, 2006 11:23 pm

It is possible.
You just have to set in your NAPT config that the requests for port 80 will be redirected to the PC that you want to be accessible from the net. :)

RFmax
Trusted SF Member

Joined: 08 Dec 2005
Posts: 4

Posted: Mon Jan 02, 2006 11:36 pm

If you are referring to port forwarding then most SOHO routers will only allow one downstream computer to be associated with the public IP addr and port. More sophisticated routers will have a fail over function.

But if you think about what you are asking logically, it would not make sense to have two internal computers receiving port forwarded traffic based on the same port.

Zapotek
Just Arrived

Joined: 02 Jan 2006
Posts: 0
Location: Hellas

Posted: Mon Jan 02, 2006 11:43 pm

Well, he may want to use one of them as a devel server and the other one as a public server...

The process is very simple through NAPT configuration, really...

RFmax
Trusted SF Member

Joined: 08 Dec 2005
Posts: 4

Posted: Mon Jan 02, 2006 11:48 pm

I am not familiar with what you are referring to, could you please explain it. I would appreciate it very much.

Zapotek
Just Arrived

Joined: 02 Jan 2006
Posts: 0
Location: Hellas

Posted: Tue Jan 03, 2006 12:01 am

Multiple sites are hosted in the same IP address using Virtual Hosts, in Apache at least.

As for NAPT I could start talking but these guys are much better:
http://en.wikipedia.org/wiki/NAPT

zeedo
SF Reviewer

Joined: 01 Sep 2004
Posts: 24
Location: Scotland

Posted: Tue Jan 03, 2006 12:31 am

Zapotek wrote:

Multiple sites are hosted in the same IP address using Virtual Hosts, in Apache at least.


This has nothing to do with NAT, routing or the poster's question.


Network Address Translation doesn't help much here either. As with most of these NAT routers you have one IP address with multiple hosts behind it. There is no way for this implementation to allow two unique end points behind the NAT'd IP with the same ports. For this you have to use a router that is not NAT based or use differing ports externally.

You can do
80 on NAT device to 80 on end point2
81 on NAT device to 80 on end point1

You can't do
80 on NAT device to 80 on end point1
80 on NAT device to 80 on end point2

Without differentiating between source addresses, which means some sources can only connect to one end point and some to another. You can't have a single source point access two distinct end points behind a single NAT end point.

The user's options are to use differing ports on the NAT device redirecting the end points on the boxes or use unique, public IPs for each interface with a non-NAT router in place.

Zapotek
Just Arrived

Joined: 02 Jan 2006
Posts: 0
Location: Hellas

Posted: Tue Jan 03, 2006 12:38 am

I know that
Quote:
Multiple sites are hosted in the same IP address using Virtual Hosts, in Apache at least.

has nothing to do with what Nstal asked...
I was replying to jkleinhans...

I think we are a bit confused here...
And I also think I gave a solution to Nstal...
So I'm done here. :)

Cheers.

Just to st8en things up.

Quote:
Is it possible for an outside computer to be able to distinguish between the two?

No, but you can set it up in a way that the requests will go to the server you want, and guess how you can do that.
With NAPT! :P

larsmhansen
Trusted SF Member

Joined: 11 Jan 2003
Posts: 0
Location: Boston, MA, USA

Posted: Tue Jan 03, 2006 12:57 am

No, you cannot forward traffic to two internal hosts using the same external IP address and port number, at least not with the cheaper home-market routers.

Usually, to do something like this, one would need two external IP addresses and do a 1-to-1 NAT setup (one external IP address maps to one internal address), then you can forward port 80 for each address.

Or, you can use an alternate port for the second web server, either 81 or 88 are common choices.

zeedo
SF Reviewer

Joined: 01 Sep 2004
Posts: 24
Location: Scotland

Posted: Tue Jan 03, 2006 12:57 am

Zapotek wrote:

And I also think I gave a solution to Nstal...


I don't believe you did, this is a limitation of NAT which has been widely discussed and is entirely correct. It cannot be done with standard NAT or "NAPT" techniques.

I refer you to some discussion of the IETF and some Internet drafts on the usage and limitations to NAT.

http://www3.ietf.org/proceedings/98dec/43rd-ietf-98dec-128.html
http://www3.ietf.org/proceedings/98dec/I-D/draft-ietf-nat-hnat-00.txt
http://www3.ietf.org/proceedings/98dec/I-D/draft-ietf-nat-protocol-issues-01.txt

Also basic TCP/IP says that if my packet has the following information.

Source port 1234
Source IP Address 10.0.0.2
Destination Port 80
Destination 10.0.0.1

I can decide to perform network address translation and forward it to 10.1.0.1 port 80 if I configure my NAT implementation such. However if an identical packet arrives I cannot then determine that this should go to IP address 10.1.0.2 without further changes or flags in the packet, outside of the packet's routing information. At present there is no RFC or internet draft addressing such an issue as the solution is to use unique public address to determine an end point.

In short, in order to differentiate end points on a NAT based network we generally need at least one unique IP based identifier, per service. This would require the client, NAT router and server to be configured specifically in order to honour this. At present there is no standard way of accomplishing this employed by the common operating systems on clients, servers or the NAT routers.

Whilst this is theoretically possible the reason it hasn't been done is that it requires widespread deviation of the RFCs and it's not an elegant enough solution to require an updated, modified or new RFC.
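
Added example, not part of the original thread: a small model of the forwarding-table lookup that zeedo's two posts above describe, covering the "you can do" mapping, the "you can't do" mapping, and the split by source address. The class and function names are hypothetical, "end point1" and "end point2" are assumed to be 192.168.1.100 and 192.168.1.101 from the original question, and the source ranges are constructed documentation networks.

```python
import ipaddress
from typing import NamedTuple
# Addresses from the original question; EP1/EP2 stand for "end point1/2" (assumed)
PUBLIC_IP, EP1, EP2 = "67.44.33.22", "192.168.1.100", "192.168.1.101"

class Rule(NamedTuple):
    ext_port: int               # TCP port on the NAT device's public address
    target: tuple               # (internal IP, internal port)
    src_net: str = "0.0.0.0/0"  # optional restriction on the packet's source

class PortForwardTable:
    """Hypothetical port-forward table for one public IP. An inbound packet
    must resolve to exactly one internal endpoint, so add() rejects a rule
    whose external port and source range overlap an existing rule."""
    def __init__(self, public_ip):
        self.public_ip, self.rules = public_ip, []

    def add(self, rule):
        new_net = ipaddress.ip_network(rule.src_net)
        for old in self.rules:
            if old.ext_port == rule.ext_port and new_net.overlaps(ipaddress.ip_network(old.src_net)):
                raise ValueError(f"port {rule.ext_port} already forwards to {old.target[0]} for {old.src_net}")
        self.rules.append(rule)

    def translate(self, src_ip, dst_ip, dst_port):
        """Return the internal (ip, port) for an inbound packet, or None if unmatched."""
        if dst_ip != self.public_ip:
            return None
        for r in self.rules:
            if r.ext_port == dst_port and ipaddress.ip_address(src_ip) in ipaddress.ip_network(r.src_net):
                return r.target
        return None

def build(*rules):
    table = PortForwardTable(PUBLIC_IP)
    for rule in rules:
        table.add(rule)
    return table

def different_external_ports():  # "you can do": 80 -> end point2:80, 81 -> end point1:80
    return build(Rule(80, (EP2, 80)), Rule(81, (EP1, 80)))

def same_port_conflict():        # "you can't do": second catch-all rule for port 80
    try:
        build(Rule(80, (EP1, 80)), Rule(80, (EP2, 80)))
    except ValueError as err:
        return str(err)

def split_by_source():           # same external port, disjoint source ranges
    return build(Rule(80, (EP1, 80), "198.51.100.0/24"), Rule(80, (EP2, 80), "203.0.113.0/24"))
```
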

Zapotek
Just Arrived

Joined: 02 Jan 2006
Posts: 0
Location: Hellas

Posted: Tue Jan 03, 2006 1:06 am

You misunderstood me...
Quote:
can decide to perform network address translation and forward it to 10.1.0.1 port 80 if I configure my NAT implementation such. However if an identical packet arrives I cannot then determine that this should go to IP address 10.1.0.2 without further changes or flags in the packet, outside of the packet's routing information. At present there is no RFC or internet draft addressing such an issue as the solution is to use unique public address to determine an end point.

I agree with you and that's what I'm saying...
I never said that you can distinguish 2 same packets and then redirect them to different servers...

I'm just saying that he can forward all the packets with dest port 80 to the machine of his choice... :D

zeedo
SF Reviewer

Joined: 01 Sep 2004
Posts: 24
Location: Scotland

Posted: Tue Jan 03, 2006 1:11 am

Zapotek wrote:

I'm just saying that he can forward all the packets with dest port 80 to the machine of his choice...


He is well aware of that, the question was can he differentiate between the two..

NStal wrote:

For example, let's say I have port 80 open on 192.168.1.100 and I also have it open on 192.168.1.101. Let's say my IP address to the internet is 67.44.33.22.
Is it possible for an outside computer to be able to distinguish between the two?


to which you replied...

Zapotek wrote:

It is possible.
You just have to set in your NAPT config that the requests for port 80 will be redirected to the PC that you want to be accessible from the net.

(The emphasis of both quotes containing the word "possible" added by me)


He asks if it is possible, to which you reply that it is and you cite NAPT as the solution, which I later point out is not the solution without using unique end points on the NAT router. A point you may have been aware of but didn't convey to the original poster and therefore this required clarification.


Last edited by zeedo on Tue Jan 03, 2006 1:20 am; edited 1 time in total

Zapotek
Just Arrived

Joined: 02 Jan 2006
Posts: 0
Location: Hellas

Posted: Tue Jan 03, 2006 1:15 am

OK then, it's my bad.
Sorry... :oops:

capi
SF Senior Mod

Joined: 21 Sep 2003
Posts: 16777097
Location: Portugal

Posted: Tue Jan 03, 2006 2:14 am

Ok friends, shall we go back to trying to help the original poster? :)

Zapotek
Just Arrived

Joined: 02 Jan 2006
Posts: 0
Location: Hellas

Posted: Tue Jan 03, 2006 6:27 am

You just wrote that?
That's like a paper, I'd create a whole new thread with that in it if I were you...
Nice job, nice nerves... :D

ryansutton
Trusted SF Member

Joined: 25 Aug 2004
Posts: 67
Location: San Francisco, California

Posted: Tue Jan 03, 2006 6:32 am

Zapotek wrote:
You just wrote that?


That's what I was wondering, great work Meds

All times are GMT + 2 Hours