Ralph Johns UK

iChat FAQs: Help with Apple's iChat


Setting Up Your Router


With a bit about the Mac Firewall to get you Started

This page is designed to tell you the ports needed and their function within iChat. I have tried to give some background information for those of you that have never set up ports for On-line games or any other IM application.

I hope the layout I have here proves useful.

Ok. So now you want to know all about ports. Well, I am not going into all that here (much). Suffice it to say that a computer can be contacted through several means by different applications. These connections are through ports. They are numbered and can use several different protocols. Some of these protocols are used over the internet. HTTP for web browsing normally on port 80, FTP for file transfers on port 21 and so on.

Note: just to clarify, these ports are not the same ones that ethernet cables or phone/cable service leads plug into on the back of the device, which are also generally called "Ports".

If you are using iChat with its Rendezvous/Bonjour (hold the mouse over the links for more info) capabilities you will need all the ports listed on this page to be open. For some of these ports this means opening them to two internet protocols, TCP and UDP, for iChat to communicate with the outside world. You can have them open in your Mac's Firewall if you need that to be On. Most likely (read this as "almost certainly") you will need to open them in your Router or Modem (or combined) device.

A word or two about Routers and Modems.

For the sake of clarity about which device we are talking about: a Modem is the device that connects your internal network to the internet. This can be a cable service or Broadband over your local telephone system. In some cases it is over a satellite connection. See Pic 1

A router is a device that is between your modem and your computer(s) and can arrange for the right data to reach the right computer.

Sometimes these two functions come in a combined device, as some modems can route. (This can be irrespective of whether it has enough ethernet ports to plug cables into. See red note above.)

Generically both tend to get called Routers.

Also you can break your local network into Wireless and/or wired parts. The important thing when doing this is to keep them all on the same Local Area Network (LAN) and not accidentally subdivide them (Subnets). Subnets can also be created by two routing devices handing out IP addresses to other devices and computers. The thing to avoid is overlapping subnets. See Pic 2


Ports for Modems, Routers and the Firewall

READING

Start by reading this, Apple Doc 93208 and this, Apple Doc 93333. Then I will try to explain which ports do what.

Note: Apple Doc 93208 has been updated to correct errors. It still misses port 5223 (used for GoogleTalk over the Jabber side in iChat 3) as being directly listed. See Apple Doc 106439 Note 10 at the bottom.

  • It is important to remember that, as Modems can often route, the word Router can mean either, according to your set up.

The second link, which can be accessed from the first, shows you a list of routers that Apple says work "out of the box" with iChat AV.


To explain some of the iChat ports a little further.

iChat starts with ....
Port 5190 is the port used for logging in to the AOL server "oscar". This is done on the TCP protocol and is connected at the AIM end to other servers where your Buddy (and everyone else's) list is kept. This return info comes back on the UDP protocol to update your Buddy List with who is on-line, their Status Messages and Buddy Pics.
(Note: Your Buddy list is not kept on your computer!! Make a backup using Address Book. See Adding Buddies.) This port allows all the changes to who is on line and changes in Buddy icons to be sent to you, and some of the Text chatting to happen.

A/V chats start here.....
Port 5678 is not clearly documented as to its use in the Apple Doc. It is in fact where the invites are sent and received via a server called "snatmap". This server does one job during Audio and Video chat invites. When you send an invite, this server does the negotiating between the two computers and tells them which ports are available for use. As soon as you click on the invite window to make a choice of Accepting, Blocking or Text chatting it immediately hands over to Port 5060.

Port 5060 is used during introductions to potential chatters, via a server called "SNATMAP". This server does one job during Audio and Video chat invites. When you send an invite on port 5678, this server does the negotiating between the two computers and tells them which ports are available for use. The server drops out of the link once it has been established. (You can set yourself to off line whilst in the middle of a live chat.) iChat uses the SIP protocol that is used by Voice over Internet (IP) phones and software applications that provide 'soft-phone' actions. These SIP ports are Internationally set and are in fact a range (5060-5063).

This group of ports, 16384-16403, provides the actual Audio and Video connections. 4 ports are used at once to carry Audio in, Video in, Audio out and Video out (or Audio over 4 ports). Which 4 ports are used is organised by the negotiating that happens on port 5060. When the connection is successful it is Peer to Peer over these 4 ports and the others (5678 and 5060) are not in use. (In fact you can Log Out of AIM at this point.)

The Other Buddy Lists need....

Ports 5297 and 5298 are used by iChat over Rendezvous (Bonjour if iChat 3). If your Local Area Network (LAN) uses a router these ports will need to be open as well.

Port 5353: this port is listed by Apple as being used for "Local" traffic but also appears in the list of router ports you might need to make changes to. If you use Rendezvous/Bonjour to chat with Audio and Video through a router on a Local Area Network (LAN), you will need to have this port open. To quote Apple Doc 106439:

"Multicast DNS (MDNS) - Bonjour (formerly "Rendezvous") (mDNSResponder)"


Jabber uses TCP ports 5220, 5222 and 5223. Port 5222 is the normal login port, but some older style servers and also GoogleTalk use port 5223 for login.

With Jabber, another Buddy using iChat can also use the A/V side of iChat to Video chat. This means that both of you are using iChat and have set up Jabber accounts in iChat.


What is set up already on your Mac

If you read Apple Doc 93208 then you will have seen that it also talks about the Ports being opened in the Mac Firewall as well as in any modem or router. You will need this bit if the Mac Firewall is On.

Ports for iChat AV over Rendezvous/Bonjour are already set up in the Firewall.
(Go to System Preferences.
Select Sharing Pane.
Select Firewall tab.
Scroll down the list to iChat Rendezvous/Bonjour.)
This will show you the two ports listed in the document (Apple Doc 93208) above that Rendezvous/Bonjour uses - 5297 and 5298.

What to add to Change things for iChat AV

If you need to have your Mac's Firewall on, you will need to open the complete range of ports, as listed here:-
5060, 5190, 5297, 5298, 5353, 5678, 16384-16403 for just iChat Text, file sending and A/V chats (this can be copied and pasted into a "New" setting in the Firewall)

Please note the commas and spaces are important in the Mac Firewall.

Panther/iChat 2.x set up

  1. Open the Sharing Preference Pane, (in System Preferences).
  2. Click the Firewall tab.
  3. Select "New" on the right.
  4. Select "Other" from the drop down, "Port Name".
  5. Copy and Paste the port numbers in the entry field, "Port Number, Range or Series"
  6. Choose a name for the entry, by making an entry in "Description"
  7. Add the entry by using the OK button.






Tiger/iChat 3.x set up.

  1. Open the Sharing Preference Pane, (in System Preferences).
  2. Click the Firewall tab.
  3. Select "New" on the right.
  4. Select "Other" from the drop down,
  5. Copy and Paste the port numbers in the UDP port field,
  6. Type 5190, 5298 in the TCP port field
  7. If using a Jabber account add Ports 5220, 5222, 5223 to the TCP port list
  8. Choose a name for the entry, by making an entry in "Description"
  9. Add the entry by using the OK button.
Your Mac is now set up to have these ports open if the Firewall is On.

If you are not sure, have a look at the second pic and instructions on page 4.

Here is also a table of each set for iChat 3 and Tiger.

Tiger TCP and UDP Ports For Mac Firewall

Service          TCP Ports                       UDP Ports
iChat over AIM   5190                            5060, 5190, 5678, 16384-16403
Bonjour          5298                            5297, 5298, 5353
Jabber           5220, 5222, 5223                No ports
All Ports        5190, 5220, 5222, 5223, 5298    5060, 5190, 5297, 5298, 5353, 5678, 16384-16403
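The two port-list formats this page uses (the Mac Firewall's "5060, 5190, 16384-16403" with commas and spaces, and the router style with commas only) are easy to get wrong by hand, so here is an added example, not code from the original page or from Apple, that parses such a list, rebuilds the "All Ports" row of the table above by union, and reports which service a given firewall entry leaves short. The service table below simply restates the page's port numbers as data; the function names are this example's own.

```python
"""Parse Mac Firewall / router port lists and check iChat coverage.
Added example; not part of the original page or of Apple's firewall
software.  Port numbers restate the table above."""
import re

# Service -> (TCP ports, UDP ports), written in the Mac Firewall
# "Port Number, Range or Series" style used on this page.
ICHAT_SERVICES = {
    "iChat over AIM": ("5190", "5060, 5190, 5678, 16384-16403"),
    "Bonjour":        ("5298", "5297, 5298, 5353"),
    "Jabber":         ("5220, 5222, 5223", ""),
}

def parse_ports(spec):
    """Expand '5060, 5190, 16384-16403' (comma and space) or
    '5060,5190,16384-16403' (router style, comma only) into a set of
    port numbers.  Rejects anything that is not a port or an ascending
    range inside 0-65535, so a typo cannot silently open the wrong port."""
    ports = set()
    for item in re.split(r"\s*,\s*", spec.strip()):
        if not item:
            continue
        m = re.fullmatch(r"(\d+)(?:\s*-\s*(\d+))?", item)
        if not m:
            raise ValueError(f"bad port entry: {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not (0 <= lo <= hi <= 65535):
            raise ValueError(f"bad port range: {item!r}")
        ports.update(range(lo, hi + 1))
    return ports

def format_ports(ports):
    """Collapse a set of ports back into the comma-and-space form the
    Mac Firewall expects; runs of three or more become start-end ranges."""
    runs, run = [], []
    for p in sorted(ports):
        if run and p == run[-1] + 1:
            run.append(p)
        else:
            if run:
                runs.append(run)
            run = [p]
    if run:
        runs.append(run)
    return ", ".join(f"{r[0]}-{r[-1]}" if len(r) > 2 else ", ".join(map(str, r))
                     for r in runs)

def missing_ports(tcp_spec, udp_spec):
    """Given the TCP and UDP lists of one firewall entry, return
    {service: {"tcp": missing, "udp": missing}} for every service that
    the entry does not fully cover (empty dict means all covered)."""
    tcp_open, udp_open = parse_ports(tcp_spec), parse_ports(udp_spec)
    gaps = {}
    for name, (tcp, udp) in ICHAT_SERVICES.items():
        t = parse_ports(tcp) - tcp_open
        u = parse_ports(udp) - udp_open
        if t or u:
            gaps[name] = {"tcp": t, "udp": u}
    return gaps

def all_ports_row():
    """Recompute the table's 'All Ports' row as (TCP, UDP) strings."""
    tcp, udp = set(), set()
    for t, u in ICHAT_SERVICES.values():
        tcp |= parse_ports(t)
        udp |= parse_ports(u)
    return format_ports(tcp), format_ports(udp)

if __name__ == "__main__":
    print(all_ports_row())
    # The Tiger step 6 entry on its own, without the Jabber ports from step 7:
    print(missing_ports("5190, 5298",
                        "5060, 5190, 5297, 5298, 5353, 5678, 16384-16403"))
```

Run as a script it prints the recomputed "All Ports" row and then shows that an entry made without step 7 leaves the three Jabber TCP ports closed.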

What to set up on your Routers, Modems and Combined Devices.

Oh My!! Where to Start ??

These devices can work in several ways. The way the ports are opened can vary according to the type, make, model and capabilities of the devices you have.

Your ISP provides you with an IP address. This connection has all its ports open. (Well, this is becoming less true as certain ISPs block port 5060 for their own VoIP services.) Your Modem has several hundred ports open as it comes from the factory. On some it will be all ports (0-65535) but on many it will be the ports up to and including port 1024. This will allow you to contact most web services such as browsing, email and FTP straight out-of-the-box.

If your device does not have the ports required for iChat open (See the Mac Firewall details above) it will effectively be a hardware Firewall.

There are different ways that some modems and routers open the ports. In fact sometimes it seems that there is a way that is different for each and every device out there. This is based on how modems have developed over the years.

  • First you start with the original phone coupling device. This has all ports open and nothing in the way of security.
  • Next you get ADSL and cable modems that follow this set up
  • After that comes the security that is offered by having to route to several computers on a home or small business network.
  • Then there are variants on how to allow multiple computers to share one IP (from your ISP) but using the same ports.

On top of that your device manufacturer may have added several other "security" features to "help". The device might have a software firewall as part of its set-up and turning it off may open all the ports. Most likely you would feel uncomfortable doing this.

Different means of Opening the ports

A rough guide to the list above.

Port Forwarding (Virtual Servers, Pinholes, and on some devices just called NAT).

The data can be sent through the modem or router to a specific computer. This is usually done through Port Forwarding and uses NAT (Network Address Translation). See Apple Doc 58514 on the subject. On domestic devices this normally points to only one computer or a router. If you have a router, modem/router combined device or modem that requires you to use NAT (Network Address Translation) or Port Forwarding, you will need to open the ports there.

  • A word about NAT and other set up options on internet connection devices.

  • NAT or Network Address Translation is a method of making sure the right data comes and goes to the right computer. It tends to be the background method that Port Forwarding and Port Triggering use to pass the data through.

  • When used in conjunction with Port Forwarding it can, in most cases, be done by the end user from his or her web browser using HTML pages stored on the device. A useful site for this is PortForward.com This next Link takes you to a Linksys device's set-up instructions on the same site. The process is similar on all devices. At the very bottom of the link page you are shown the set up for 3 ports - the sort of thing you have to do. Your device may vary in the format but the information is the same that you have to put in.
    • Note: The complete set of ports on the site is not correct at the current time (March 2007) due to a typo in the last line for many devices. The first 7 or 9 entries shown (depending on your device) have the right info. What is listed as either iChat 8 or 10 has port 5678 mixed with port 16384. You have to correctly enter port 5678 as a Start and End port, then create a new entry (9 or 11) that lists port 16384 as Start and port 16403 as End, based on the principles shown.

DMZ

In addition a device may have settings for DMZ (Demilitarised Zone) which points all ports at one computer. It can be considered as a stripped down or extreme version of Port Forwarding. Useful for testing one computer but not much use to a house-full of computers. It is also considered less secure as all the ports are open.

Port Forwarding and DMZ are the routing of the ports involved to one device (computer or router) further into your network. This is separate from the Addressing or issuing of IP addresses dealt with further down.

Using Ports for Multiple Computers


Trigger Ports

Some devices use a method of using one port to trigger other ports to be open. This is not a form of Port Forwarding but is claimed to be more secure as the ports are opened only when data arrives on the correct port.

In this case the ports have to be entered in a particular fashion, listing the Trigger (the first port data arrives on) and the ports that need to be open from that. SO...

Trigger port is 5678 as the Invites for AV chats (sending and receiving) are here.
Port 5678 on UDP to trigger ports 5060, 5678, 16384-16403 all on UDP

You also have to have the Log in and Text chatting port.
Trigger port 5190 on TCP to trigger port 5190 on UDP and TCP (if possible: Just do UDP if not).

With Trigger ports you also almost always have to enter the protocols used. This means the first entry I listed here should be on UDP. The second, for port 5190, may need two entries made, one for UDP and another for TCP, although some devices have an ANY or BOTH setting for it to be done on one line.

The other single ports for Bonjour/Rendezvous (5297 on UDP, 5298 on both and 5353 on UDP) should be entered as single lines, as for the single port 5190.

The same applies for the three Jabber ports for iChat 3.x (5220, 5222, 5223, all on TCP). Example: this example is again of a Linksys router. It shows the sort of table that this gets set up in.

It is slightly different to the description above in that it does not list the Protocols at all. It also uses a slightly different layout which means you have to set the table slightly differently.

Trigger port 5678 to trigger port 5060
Trigger port 5060 to trigger ports 16384-16403
This is because a router like this one will not let you enter single ports and groups of ports on one line as described above.

A further consideration is that the ports are not always separated by spaces like the Mac firewall but just commas (5190,5678,5060 etc.)

The above Trigger Port information has been edited 13/6/2006 after an email from Steven Riggins. Thanks Steven.
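To make the difference between Port Triggering and plain Port Forwarding concrete, here is an added example, not code from the original page or from any router vendor, that models a triggering router with the page's two rules (UDP 5678 opening UDP 5060, 5678 and 16384-16403; TCP 5190 opening 5190 on both protocols) and walks through an A/V chat: the media ports are closed until the invite goes out, open only for the Mac that sent it, and closed again afterwards. The router class, packet representation and LAN addresses are a constructed model, not real firmware.

```python
"""Model of router Port Triggering for the iChat ports.  Added example;
not the page's code nor any real router's.  Rules restate the page's
trigger entries; everything else is a constructed model."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class TriggerRule:
    trigger_port: int
    trigger_proto: str      # "tcp" or "udp"
    opened: frozenset       # (proto, port) pairs opened inbound once triggered

# The page's two entries, as a device with a BOTH/ANY protocol setting would take them.
ICHAT_RULES = [
    TriggerRule(5678, "udp",
                frozenset(("udp", p) for p in (5060, 5678, *range(16384, 16404)))),
    TriggerRule(5190, "tcp", frozenset({("tcp", 5190), ("udp", 5190)})),
]

@dataclass
class TriggeringRouter:
    rules: list
    # LAN host -> set of (proto, port) currently held open for that host only
    open_for: dict = field(default_factory=dict)

    def outbound(self, lan_host, proto, port):
        """A LAN host sends traffic out.  Each rule whose trigger matches
        opens its port set inbound, but only towards that host."""
        for rule in self.rules:
            if rule.trigger_proto == proto and rule.trigger_port == port:
                self.open_for.setdefault(lan_host, set()).update(rule.opened)

    def inbound(self, lan_host, proto, port):
        """True if an unsolicited packet from the Internet to lan_host on
        (proto, port) is passed through; False if the router drops it."""
        return (proto, port) in self.open_for.get(lan_host, set())

    def session_ended(self, lan_host):
        """Triggered ports close again when the session is over, which is
        the property the page says makes triggering safer than forwarding."""
        self.open_for.pop(lan_host, None)

def av_chat_scenario():
    """Return what the router does at each stage of an A/V chat."""
    router = TriggeringRouter(ICHAT_RULES)
    mac, other = "192.168.1.10", "192.168.1.11"       # constructed LAN addresses
    before = router.inbound(mac, "udp", 16390)        # nothing sent yet
    router.outbound(mac, "udp", 5678)                 # invite goes out on 5678
    during = router.inbound(mac, "udp", 16390)        # media port now open
    sip = router.inbound(mac, "udp", 5060)            # SIP port now open
    neighbour = router.inbound(other, "udp", 16390)   # other Mac did not trigger
    stray_tcp = router.inbound(mac, "tcp", 16390)     # wrong protocol, still closed
    router.session_ended(mac)
    after = router.inbound(mac, "udp", 16390)         # closed again
    return {"before": before, "during": during, "sip": sip,
            "neighbour": neighbour, "stray_tcp": stray_tcp, "after": after}

if __name__ == "__main__":
    for stage, passed in av_chat_scenario().items():
        print(f"{stage:10s} {'passed' if passed else 'dropped'}")
```

A Port Forward, by contrast, would answer True for every inbound call on the forwarded port regardless of what the Mac had sent, which is why the page treats forwarding and DMZ as less secure than triggering.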

UPnP

There can also be a Universal Plug and Play (UPnP) setting which is an easy setting that does away with the need to set individual or groups of ports. In this option the applications that are ready for UPnP can open the ports and they close after the event has finished, doing away with the need for lengthy Port Forwarding or Triggering set ups.



DHCP Or Static IP Addresses ?

This information applies from your modem and/or router to your network. Although it is similar to how the modem connects to your ISP, it does not mean that your connection to the ISP has to specify a preference for Static or DHCP.

There are options for how the data is routed and which device is controlling the LAN. Most devices can act as a DHCP server (Automatic) or allow Static addressing. Cable Modems can be in Bridge mode, which allows all ports to be open. As a DHCP server it will distribute IP addresses to all the other items on the LAN; this includes any routers.

A DHCP server issues IPs in a range. This range is often the same one the device's own IP is in.

So, if the device (modem or Router) is running a DHCP server and is itself at 192.168.1.1 then it is likely that the range will be the other 254 numbers (each range is 255). It will number the devices (computers most likely) as they get attached (192.168.1.2 - 192.168.1.255). How long they stay at that IP will depend on how long the DHCP server issues a "Lease" for and whether the computer is on.

A lease is the time allowed for a device (computer) to use the same IP. If the computer is on when the time runs out the lease is renewed. If the computer is turned Off and then On again before the time is up the computer also gets to keep the same IP. Otherwise the lease runs out and the device (computer) will get a new IP. Some devices do have a "Forever" setting.

Consideration should be given to the last paragraph above when using Port Forwarding and DHCP together.

Alternatively it is possible that the modem or router allows the use of Static IP addresses to the other devices.

Static Routing is where the DHCP server is turned Off. This keeps the IP range the same as the device's (Modem or Router). In this case the computer also has to be set to use a Static Address, but it is the computer that states what that IP address will be. This makes it easier for Port Forwarding to reach the right computer.
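The two points made above, that overlapping subnets must be avoided and that a Port Forward aimed at a DHCP address can end up pointing at the wrong machine once a lease lapses, can both be shown with a small model. This is an added example, not code from the original page or from any modem or router, using only the standard ipaddress module; the pool behaviour (lowest free address handed out in order of arrival, fixed lease length) and the MAC addresses and times are constructed for illustration.

```python
"""Why the page recommends a Static IP for the Port Forwarding target.
Added example, not the page's code: a small DHCP pool with leases and an
overlapping-subnet check.  Addresses, MACs and times are constructed."""
import ipaddress

def subnets_overlap(a, b):
    """True if two LAN ranges overlap, which the page says to avoid when
    two routing devices are both handing out addresses."""
    net_a = ipaddress.ip_network(a, strict=False)
    net_b = ipaddress.ip_network(b, strict=False)
    return net_a.overlaps(net_b)

class DhcpPool:
    """Hands out addresses from the device's own /24 (as described above
    for a device at 192.168.1.1), lowest free address first, with a
    fixed lease length in seconds."""
    def __init__(self, server_ip="192.168.1.1", prefix=24, lease_seconds=3600):
        self.network = ipaddress.ip_network(f"{server_ip}/{prefix}", strict=False)
        self.server_ip = ipaddress.ip_address(server_ip)
        self.lease_seconds = lease_seconds
        self.leases = {}   # client MAC -> (ip, expiry time)

    def _free_addresses(self, now):
        """Hosts in the range not used by the server or a live lease."""
        taken = {self.server_ip} | {ip for ip, exp in self.leases.values() if exp > now}
        return [ip for ip in self.network.hosts() if ip not in taken]

    def request(self, mac, now):
        """A client asks for an address at time `now`.  A still-live lease
        is renewed in place (same IP); an expired one is treated as a new
        arrival, so the client may well get a different address."""
        ip, expiry = self.leases.get(mac, (None, 0))
        if ip is not None and expiry > now:
            self.leases[mac] = (ip, now + self.lease_seconds)
            return ip
        free = self._free_addresses(now)
        if not free:
            raise RuntimeError("DHCP pool exhausted")
        self.leases[mac] = (free[0], now + self.lease_seconds)
        return free[0]

def port_forward_scenario(forward_target="192.168.1.2"):
    """The chat Mac gets an address, a Port Forward is aimed at it, then
    it is switched off overnight.  Returns the address it had before,
    the one it gets on return, and whether the forward still reaches it."""
    pool = DhcpPool(lease_seconds=3600)           # one-hour lease
    chat_mac, laptop, phone = "aa:00:00:00:00:01", "aa:00:00:00:00:02", "aa:00:00:00:00:03"
    first = pool.request(chat_mac, now=0)         # chat Mac arrives first
    pool.request(laptop, now=10)                  # laptop arrives next
    pool.request(laptop, now=3000)                # laptop renews inside its lease
    # Chat Mac is off; its lease lapses at 3600 and a phone joins at 4000.
    pool.request(phone, now=4000)
    second = pool.request(chat_mac, now=5000)     # chat Mac back after the lease expired
    return {"first": str(first), "second": str(second),
            "forward_hit_before": str(first) == forward_target,
            "forward_hit_after": str(second) == forward_target}

if __name__ == "__main__":
    print(subnets_overlap("192.168.1.0/24", "192.168.1.0/25"))
    print(port_forward_scenario())
```

With a Static IP set on the chat Mac (and DHCP Off, or the address kept outside the pool) the "second" address in the scenario would be the same as the first and the forward would keep working, which is the recommendation of the summary further down.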

Your individual circumstances will dictate some of these choices.

A note about Apple Airport Base Stations of various sorts. Airports do not do Port Forwarding as default. They do, however, NAT all data passing through them. They do DHCP at the same time. This means that by default all data should get through on the port involved.

However, a further consideration is needed for iChat as it does not work properly when there are two DHCP servers. (It messes up the port data in the data packets.) This can be fine if you have a single IP address coming from your Modem and want to route to multiple computers (most cable modems work this way).

Turning Off NAT/DHCP on an Airport Device makes the Airport become a Wireless Access Point. This means it will pass through the IP addressing info from the modem to the computers and you do not have to worry about setting Static Routing from the Airport to the computers. I would still recommend setting the modem to Airport link as a Static one.

Most of what is written here and in other places presumes that you are using at least one device as a DHCP server (or a server allowing Static IPs).



To Summarise or to put it another way.

You need to know if your internet connection device is set up to issue IP addresses to your computer(s) (DHCP). If it is, then you will need to make sure the Network Preference Pane is also set to "Using DHCP" or "Manually" at the Configure IPv4 point in the TCP/IP tab, depending on whether the device is issuing Dynamic addresses (DHCP server) or Static IP addresses.

Then you need to set the device to use the ports that iChat needs. The easiest of these is the UPnP setting that seems to come on most new devices or in Firmware updates for older ones.

If this can not be done then Port Forwarding/Network Address Translation (NAT or derivatives) needs to be set through the use of a web browser and the HTML pages stored on the device. At this point it is probably best if your computer is at a Static IP Address, which you will have to set in the TCP/IP tab of the Network Preferences Pane (in System Preferences). You will also have to turn off DHCP in the routing device and set the same IP number pointing to the computer. This is because if you turn all your computers off at night, they may not get the same IP address next time you start up with DHCP.

The DMZ setting can be used but is best considered as a testing point as it opens all ports and is therefore less secure. It also points all those ports at one computer, isolating any others that you have on your LAN.

Trigger ports are set by entering Port 5678 as the trigger and having it open Ports 5678, 5060, 16384-16403 for the A/V side. The other ports (5297, 5298, 5353, 5190) all need to be triggers for themselves. Edit: March 2007: Add Jabber ports 5220, 5222 and 5223 as TCP single entries as well.

Finally. If you have more than one device, one needs to distribute addresses and the others need to act as bridges.

HAPPY CHATTING


© 2005 Ralph Johns: Edited 24/9/2005, 5/5/2006
Updated September 2006. Moved to Gargoyles Mar 2007


Information Column

Rendezvous and Bonjour are the same thing - one on Panther and then on Tiger


Modems that route are often called "Routers" as well

