You may have heard that setting up port forwarding is beneficial in certain situations where your Helium Miner/Hotspot is ‘relayed’, and you are probably wondering what that means, what port forwarding is, and how you might go about it…
There are thousands of different routers and an equal number of ways to set up port forwarding on those devices, so this is NOT a how-to guide! Instead, this guide is intended to explain port forwarding a little so it’s better understood, and to give you a few resources so you can try to organise it for yourself – if you need to.
Ports and Routers/Firewalls
Devices on the internet communicate with each other over different ‘ports’. In fact, there are 65,535 ports that can be used for communication in TCP/IP.
Different ports are used for different network protocols and the first thousand or so are reserved for specific applications.
HTTP (used for browsing) operates on port 80, HTTPS (used for secure browsing) uses port 443, and FTP runs over port 20 or 21, etc, etc, etc.
According to Helium’s security documentation, Helium hotspots communicate with their peers across the internet on TCP port 44158.
Routers and firewalls
Routers typically have some kind of inbuilt firewall. The (very simplified) purpose of a firewall is to ALLOW devices from within your network to safely make connections out to devices and services on the internet. It’s also there to BLOCK nasties from the Internet coming into your network through open ports.
Port Forwarding then, is:
“The act of poking (the right kind of) ‘port’ holes in the firewall to permit certain kinds of traffic from the internet through the firewall via those ports, and through to a specific device on your network like your Helium miner/hotspot.” - Me
Open or forwarded ports are the most common attack vectors for a network, so you will want to keep as many closed as possible. With that said, let’s talk about opening some! 😉
Example – A simple web server
The easiest example to illustrate the port forwarding concept is that of a simple web server.
A web server needs to accept incoming connections from the internet – typically on ports 80 (HTTP) and 443 (HTTPS). Placing a web server behind a firewall blocks those ports by default. To allow web traffic through the firewall and to your web server, we need to open (or port forward) ports 80 and 443 and forward them to the IP address of the web server on your network. Now the traffic can make it to the web server and the web content can be displayed without errors.
There’s a little bit more to this in terms of domain name, DNS records and DNS servers, but that’s all out of scope for this article. Port forwarding is what we’re here to understand.
Port Forwarding and Helium hotspots
Helium hotspots/miners need to communicate with one another as peers in beaconing, witnessing and other routine activities, and they need to do it quickly. Sometimes, firewalls can get in the way and your Helium hotspot can become relayed. This means that other hotspots on the network cannot communicate with you easily and directly, and so information intended for your miner may need to be redirected through another miner – which adds friction, complexity and general slowness.
Being relayed seems to also account for fewer witness activities and potentially lost earnings. If you learn that your hotspot IS relayed, then it’s worth trying to fix it.
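To confirm that a forward for TCP port 44158 really reaches the hotspot, a connection attempt made from outside your network tells you more than the router's settings page does. The Python below is an added example, not code from this article or from Helium; `probe_tcp` is a hypothetical helper name and the address you pass in is your own public IP.

```python
import errno
import socket
import sys

HELIUM_P2P_PORT = 44158  # TCP port named in this article


def probe_tcp(host, port=HELIUM_P2P_PORT, timeout=3.0):
    """Make one TCP connection attempt and return 'open', 'closed' or 'filtered'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"      # handshake completed: the forward reaches a listener
    except ConnectionRefusedError:
        return "closed"    # a reset came back: nothing is listening at the target
    except (socket.timeout, TimeoutError):
        return "filtered"  # no reply at all: a firewall dropped the attempt
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise              # DNS failures and similar are real errors
    finally:
        sock.close()


if __name__ == "__main__":
    # Run this from OUTSIDE your network (e.g. a phone hotspot),
    # against your own public IP address.
    print(probe_tcp(sys.argv[1]))
```

A "closed" result usually means the forward exists but points at an address where the hotspot is not listening; "filtered" usually means no forward is in place.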
A Port Forwarding – How to, this is not
As I promised, this is NOT a how-to-set-up-port-forwarding-guide. Take a look at Portforwarding.com for advice on how to set it up for your router.
UPDATE: BUT I did just create this video which is a bit of a how-to guide. Hope it helps!
Port forwarding needs fixed/static IP addresses
When setting up port forwarding you need to know the IP address of the device on your internal network to which you want to forward the port. Network routers/firewalls use something called DHCP (Dynamic Host Configuration Protocol), which allocates internal IP addresses as needed to devices that join the network, out of a pool of available addresses. This means that every time a device connects to your network, it could be given a DIFFERENT local IP address. Not very helpful when port forwarding…
To fix this problem, you need to do one of two things.
- Set a static/fixed IP address in your Helium hotspot/miner so it ALWAYS uses the same IP Address, OR
- Set up an IP address reservation in your firewall/router so that when your hotspot/miner connects to the network the firewall/router ALWAYS gives the hotspot the same IP address.
Note too, that setting static IP addresses is ALSO outside the scope of this article. 🙂
There’s a thing called UPnP you should be aware of, too.
UPnP – Universal Plug ‘n’ Play
Many firewalls offer something called UPnP which automatically opens ports on the firewall based on requests from devices on the internal network.
UPnP simplified(!) works a bit like this:
- A device on the internal network wants to allow internet traffic through the firewall via certain ports
- The device contacts the firewall and says “Hey! I need traffic on ports X and Y sent to me!”
- The firewall obliges: “Sure thing – Here you go. Have at it!” and opens/forwards the ports as requested to the device on the internal network – this all happens without the intervention of a human. The devices work it out for themselves.
While super convenient, you might have spotted the obvious risks with this approach. Basically, any device can ask for any ports to be opened or forwarded, turning the once robust firewall into something resembling compromised Gruyere cheese.
Many networking types frown upon UPnP, as it has the potential to compromise a network, and so they often prefer to switch UPnP off in favour of manually forwarding ports to retain greater control…
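If UPnP stays switched on, it is worth checking which mappings devices have asked for. The Python below is an added example, not code from this article: it assumes the listing format printed by miniupnpc's `upnpc -l`, and the sample listing, internal addresses and the `audit` helper are constructed for illustration.

```python
import re
from typing import NamedTuple


class Mapping(NamedTuple):
    proto: str
    ext_port: int
    addr: str
    int_port: int
    desc: str


# Assumed line format: " i protocol exPort->inAddr:inPort description ..."
LINE_RE = re.compile(
    r"^\s*\d+\s+(TCP|UDP)\s+(\d+)->(\d+\.\d+\.\d+\.\d+):(\d+)\s+'([^']*)'"
)


def parse_mappings(listing):
    """Extract every port mapping line from the listing text."""
    found = []
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, ext, addr, inner, desc = m.groups()
            found.append(Mapping(proto, int(ext), addr, int(inner), desc))
    return found


def audit(listing, expected):
    """Return (mapping, reason) for each mapping that is not in `expected`."""
    expected_ports = {(proto, ext) for proto, ext, _addr, _int in expected}
    findings = []
    for m in parse_mappings(listing):
        if (m.proto, m.ext_port, m.addr, m.int_port) in expected:
            continue
        if (m.proto, m.ext_port) in expected_ports:
            # e.g. the hotspot picked up a new DHCP address
            findings.append((m, "expected port, wrong internal target"))
        else:
            findings.append((m, "not on the allowlist"))
    return findings


# Constructed sample listing; 192.168.1.50 stands in for the hotspot's reserved IP.
SAMPLE = """\
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP 44158->192.168.1.50:44158 'hotspot' '' 0
 1 UDP 49152->192.168.1.23:49152 'console' '' 3600
 2 TCP  8080->192.168.1.77:80    'camera' '' 0
"""
EXPECTED = {("TCP", 44158, "192.168.1.50", 44158)}
```

Calling `audit(SAMPLE, EXPECTED)` leaves the hotspot's own forward alone and reports the other two mappings for review.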
DMZs remove the need for port forwarding, BUT…!
I mentioned De-Militarised Zones (DMZs) in another post. DMZs are a way of having a device on your network exposed to the internet without the protection of the firewall. If you place your miner/hotspot in a DMZ you don’t need to worry about port forwarding. HOWEVER, given it is so exposed, it is very vulnerable to other kinds of attacks. DMZs may not be the most secure way.
That’s it for now!
So there’s a little about port forwarding in a nutshell – what it is and why you may need it. Hope that helps! Pop a question below if you have a