Adding manual port mapping breaks NAT-PMP???

Similar Messages

• Firmware 7.2.1 breaks NAT-PMP

  Ever since upgrading to 7.2.1, NAT-PMP no longer works for any program or device that uses it. For example, I can no longer access my Slingbox from outside my network and Azureus' NAT does not work properly. Now, I know how to manually forward ports and force these things to work (and manual configurations DO work just fine), but simply getting these things to work is not the issue here. The issue is that this was all handled automatically before the latest firmware upgrade. Resetting the base station or turning NAT-PMP off then back on doesn't correct the issue, but reverting to a prior version of the firmware does. I know that others are experiencing this issue, as I have seen mention of it on several message boards, but I was not able to find any mention of it here. Is this a known issue for this board and for Apple? Has anyone figured out a fix?
  Thanks.

  Sorry to dig up this old post, but it seems that it has been quite a while since anybody writes something about it.
  I recently find out that the NAT-PMP server on the AEBS seems to crash when executing some NAT-PMP commands.
  Running Transmission, however, will not crash the NAT-PMP server on the AEBS. Transmission is the only program that I found does not crash the NAT-PMP server.
  Once the NAT-PMP server crashes, it does not restart and thus other programs fails to use it.
  If anyone can confirm it for me, I think we are helping Apple nail down this problem and that they can issue a fix ASAP.
  The way I tested:
  1. I made sure that no programs that use NAT-PMP are running on my network.
  2. Restarted AEBS.
  3. When AEBS was restarted, I ran Transmission from computer 1 and got a Green light, saying port mapped successfully.
  4. Now I ran Azureus on computer 2, it did not say port mapping failed. However, when I quit Transmission and re-ran it on computer 1 it now fails to map the port.
  5. Quit Azureus and restarted AEBS, then Transmission. Viola! It mapped successfully again.
  6. Ran uTorrent on computer 3. uTorrent did not notify me about NAT-PMP error, and Transmission on computer 1 failed to map again.
  7. Quit uTorrent and restarted AEBS, and then again Transmission and it worked again.
  Of course I made sure they don't use the same port.

• NAT PMP on Tiger server 10.4.11 and Back to my Mac

  Hey All,
  Here is my situation. Users from my internal network who are on Leopard OS are not able to use "Back to my Mac" feature to connect to their computers at home.
  I am using XServe Tiger 10.4.11 as the gateway/router
  Firewall is UP and running - Port 5900 is open though
  NAT is enable
  DHCP is up and running
  DNS is running.
  The error message i am getting from the client machine is
  "Back to my Mac isn't working properly because it requires a router that supports NAT Port Mapping Protocol (NAT-PMP).."
  I am very sure that it has to do something with my NAT, but i am not sure how or what to look for in there and what settings i should have as well.
  Any help or points to the right direction will be great.
  thanks
  -eric

  Only via the release notes page:
  * http://www.mozilla.com/en-US/firefox/4.0/releasenotes/
  For Mac OS X 10.4.11 or Mac OS X 10.5.8 you can look at:
  * http://www.floodgap.com/software/tenfourfox/
  Firefox 3.6.x can be found here:
  * http://www.mozilla.com/en-US/firefox/all-older.html

• NAT-PMP and UDP broken

  It seems like the implementation of NAT-PMP with UDP is broken or not well thought out.
  For example if I mapwith NAT-PMP UDP port 1111 to a local machine with the same port, traffic destin to external port 1111 reaches my internal machine fine. The problem however lies with traffic generated from the internal machine with a source port of 1111. It doesn't get mapped to 1111 source while leaving the Airport Extream router, it gets mapped like regular traffic, on some high port.
  Now this incorrect mapping causes a problem while talking with some peers that are also behind a NAT or Firewall. After talking to my device at port 1111, they expect the reply to come back with a source of 1111, which it doesn't so the P2P communications fails.
  FYI every UPNP router I've tried correctly maps the outbound traffic.
  This is with the latest firmware 7.3.2 on an Airport Extreme with 802.11n (gigabit ethernet).
  I hope someone at apple reads this and can put this in a bug database.

  I fixed my problem.
  This old thread: http://discussions.apple.com/thread.jspa?messageID=6925383
  talked about the exact problem I was seeing.
  I had set a manual port map for my SlingBox in the AirPort's settings, not realizing that the SlingBox supports NAT-PMP and can auto configure its own port mapping wit the AirPort. Removing the manually mapped port worked.
  Though it's not exactly the problem you are seeing, maybe you can check to see if there are any apps you are using for which you manually mapped a port, that can auto configure its own port mapping. It could be causing a conflict in the AirPort that screws up NAT-PMP.

• Port mapping not working with 7.5.1

  I am having trouble getting Port mapping working with the new 7.5.1 firmware. Port mapping is not working. Port mapping was working fine before update, now all attempts to connect from WAN on ports are rejected. Tested with: telnet <wan-ip> <port>
  I have removed and re-added all port mapping entries - no luck. Power cycled several times - no luck.
  Other info:
  I have an: Airport Extreme (Simultaneous Dual-Band II) running Version: 7.5.1.
  It is setup to "Allow this network to be extended"
  Network is being extended with an Airport Express with 802.11n running 7.4.2

  yeah. I noticed the same thing. now the splash screen comes on without the flashing green squares and just hangs. i tried unintalling and then reinstalling and still no go. kind of annoying but they will probably come out with an update pretty soon

• Port Mapping in Leopard

  Just purchased new iMac and the installed SW doesn't seem to include equivalent functions that were in Airport Admin Utility in Tiger OS. I need to be able to do some manual port mapping and don't know what utility to use to do this. Any help appreciated.

  Hello there,
  Maybe use a third party application such as [Port Map|http://www.codingmonkeys.de/portmap> to assist you instead.
  B-rock

• NAT configuration and Port Mapping for xBox

  I'm looking for help with port mapping to open up the NAT for an xBox One. I'm working with the following network devices:
  xBox One
  DSL Modem: Embarq (ZyXEL) 660R series
  Airport Extreme version 7.7.3
  I understand the following from researching the issue:
  The default settings for both devices block the ports needed for xBox Live.
  Airport Extremes are not on the compatible list for xBox.
  Port Mapping is better then creating a DMZ for the xBox.
  The xBox needs its own manually set IP address.
  I switched my Network>Router Mode from Off (Bridge Mode) to DHCP and NAT. I then created a DHCP Reservation and the Port Settings for that IP.
  After doing this, the Airport would restart and display a warning - Double NAT. I figured this was because the 660 settings showed the NAT Mode to be SUA Only. The Edit Details link displayed an empty table where you edited the SUA/NAT Server Set. I switched from NAT Mode>SUA Only to None. So there was my Double NAT and I would have thought that would have removed one.
  I also disabled the Firewall and Enabled the UPnP.
  After restarts the Airport continued to display the Double NAT error. However, with the 660's NAT Mode set to None, the Internet was not there. Web browsers and email accounts replied with server not found.
  Only with the 660 set to SUA Only and the Airport in Bridge Mode is the Internet accessible. I now have the details for the SUA filled out for the xBox's IP address and ports.
  Hypothesis
  Since both devices are acting as DHCP servers the port mapping is not working. Rather then have the 660 distribute IP addresses and then having the Airport distribute another range of numbers, I need to have both devices bridge and distribute one range of numbers. Currently the 660 is using the 192.168 range and the Airport is using the 10.0 range.
  Am I correct? Any thoughts and suggestions are welcome.

  Port forwarding through a double NAT.. is near impossible.. !!
  And the xbox is so attuned to using UPNP it is very hard not to.. even port mapping is not a great fix. Since apple decided gamers did not count as users for Airports.. I think honestly it is best to bypass the airport and stick to upnp from the modem router.
  What method of authentication does your ISP use? Because it is really better to use one router.
  And in fact the router should be the Zyxel. If you plug the Xbox to the Zyxel running in full router mode, with the airport removed from the network does it work and open NAT??
  If not replace the Zyxel with a modern listed router that is xbox compatible and bridge the airport to it.

• Time Capsule port mapping is broken for L2TP Servers behind NAT config.

  I'm hoping that someone here can refute the below bug assertion... am I missing something?
  There is a bug with Apple’s Time Capsule/Airport Express Base Station (TC/AEBS) rendering L2TP servers on the LAN unusable:
  When TC/AEBS is used as a router providing NAT services to the LAN, it will NOT under any circumstance provide port mapping services for 500/UDP, 1701/UDP, & 4500/UDP making L2TP VPN servers on the LAN side of TC/AEBS are unreachable from the WAN/Internet side.
  *The conditions for my tests*:
  3 different external networks used for all tests: MacBook Air at home on TWC network, the Air on AT&T mobile dongle, & CentOS server at ThePlanet.
  MobileMe configuration was removed from both the TC/AEBS & Snow Leopard Server on the LAN.
  I used port 501 for my control-test; spot checks of other ports worked as well, though they were all < 10000.
  Simultaneous local and server monitoring of port traffic using
  tcpdump -vvv -i en0 -s 0 -X port 500 or port 1701 or port 4500 or port 501
  The TC/AEBS was configured to forward UDP ports 501, 500, 1701, & 4500 received from the WAN interface to the Snow Leopard Server on the LAN.
  The port forwarding was accomplished both 1) manually via AirPort Utility, and 2) automatically via Snow Leopard Server’s Server Preferences utility. Each was tested separately.
  *The tests*:
  Netcat with the following commands, in turn, on the server:
  nc -l -u 501
  nc -l -u 500
  nc -l -u 1700
  nc -l -u 4500
  which causes traffic to the udp port specified to be dumped to std out. Provides a confirmation of the tcpdump output.
  On the various external networks, nc -u WAN-address-of-AEBS.example.com 501 to send UDP packets on port 501. The output of the nc -l 501 command and the server-run tcpdump confirmed that packets left the client and made it to the server as expected. Remember, 501 is the control-test.
  For each test permutation on ports 500, 1700, & 4500, no packets made it to the server.
  Based on some web research, I’m not the only one to have found trouble with this configuration, but I haven’t been able to find any conclusive tests.
  I’ve filed a bug with Apple (#7720101) and encourage you to do the same.
  Message was edited by: WebMarc

  Confirmed here. This only seems to be a problem with Airport 7.5.x firmware though - I find the older TCs running 7.4.2 work as expected even with BTMM / MobileMe services active.
  I'm so glad you posted this - I haven't found it mentioned anywhere else and was beginning to feel very alone with this problem. I also found that having two TC 7.5s in the mix - one at both ends - also results in no response to SSH or Remote Desktop ports.

• Does adding tcp udp ports on the nat exempt accesslist which is binded to nat 0 statement remove the entire nat 0 statement itself?

  Hi Experts,
  Is the above statement true?. I learnt later that adding tcp and udp ports on the nat 0 statements are supported . But does it take away the entire nat statement? Please answer my question at the earliest.
  Regards
  Krishna

  Krishna,
  "NAT exemption (nat 0 access-list command)—NAT exemption allows both translated and remote hosts to initiate connections. Like identity NAT, you do not limit translation for a host on specific interfaces; you must use NAT exemption for connections through all interfaces. However, NAT exemption does enable you to specify the real and destination addresses when determining the real addresses to translate (similar to policy NAT), so you have greater control using NAT exemption. However unlike policy NAT, NAT exemption does not consider the ports in the access list. NAT exemption also does not support connection settings, such as maximum TCP connections."
  Reference
  So, since the documentation clearly says that this rule does not consider any ports in the ACL, then one should not be testing unsupported configurations.
  If one adds an ACL with specific ports, then unexpected results may be expected.
  My suggestion, dont add any ACL entry with specific ports to your NAT exempt statement.
  Thanks.
  Portu.
  Please rate any helpful posts

• I am being told that "Back to Mac" isn't working because NAT Port Mapping is turned off on my router. What does that mean and how do I fix it?

  I am being told that "Back to Mac" isn't working because NAT Port Mapping is turned off on my router. What does that mean and how do I fix it?

  AirPort Utility is in your Utilities folder:

• Manual port-forwarding to Time Capsule behind firewall (NVG589)

  A happy new year to all. I'm writing seeking help with my computer setup in a well-connected home. In short, here is what I want to do: I want to get access to my latest-gen Time Capsule (wireless AC) from outside my house, so that I can read or write files on the 2TB HD on my time capsule, using the Back to My Mac feature in the Time Capsule (with my Apple ID). I have no interest in sharing screens or anything else, just in the data on the drive.
  Now, my current setup, which otherwise works like a charm.
  ATT Uverse's Motorola NVG589 is the incoming modem/gateway/firewall for my entire house (using their 'Power' service, the fastest): it is possible via various tricks and hacks to put the NVG589 into 'near-bridge mode' or to root the modem via and exploit and through it into full bridge mode (which the Motorola NVG589 is capable of, but ATT does not expose that functionality [imagine the tech calls!]). I'm resisting the temptation to do so, because I don't want to the run the risk of messing up service to our house, and a call to ATT tech support. If it ain't broke, don't fix it.
  The Motorola NVG589 has its DHCP service on and doles out IP addresses to everything else in the network (thankfully it also has a hidden mDNS system, too, allowing me Bonjour functionality inside my whole house). The Time Capsule, however, has a static-IP that I've assigned, and I also have a DHCP reservation for the Time Capsule in the NVG589's DHCP table.
  One crucial thing is that the Motorola NVG589 does not expose UPnP or NAT-PMP to the user, which means that I'll have to do the work manually to allow externally-originating traffic to pass through the Motorola NVG589 to the Time Capsule.
  Apple's latest Time Capsule 2TB unit, in bridge mode, so that its IP address is the one given it by the Motorola NVG589 (192.168.1.x, not the usual 10.0.0.x that the TC would give out were it the router). No double-NAT, in other words. The Time Capsule is solely a wireless access point and a passive shared disk (and my target for Time Machine on my Mac).
  Nothing else on my home network needs to be accessed from the outside world, no gaming, no servers, no Back to My Mac for any individual Mac computer (we have four).
  So what I'm looking for is help knowing what holes to poke into the NVG589's firewall to direct to my time capsule. I've searched through many docs here on Apple's support site, and the number of potential ports I could open is dizzying. Security concerns require that I open the necessary ports, and no more.
  I'd be grateful for any help.

  LaPastenague,
  I connected one of devices that I was trying to reach directly to the U-Verse modem and the port forwarding doesnt work anymore.  This must be somthing in the way I reconfigured the U-Verse modem to work with my new TC, becuase it used to work jsut fine.
  I have a U-Verse modem model number 3801HGV.  I have a new TC with a 3TB HD but I don't know the specifcs of what generation is it.  It is new and dual band WiFi...  that is why I am trying to use it as a wireless access point behind my At&T modem/router.
  As far as the details go, I will explain.  The port forwarding worked before I added the TC, so I'm sure I just dont have them working together yet.  The devices that I want to reach from my iPhone and iPad are a Foscam 8910W IP camera, and a Neptune Apex aquarium controller.  Both devices have static IPs and configured with ports 8080, and 8090 respectivly.  The IP camera is connected to the TC wirelessly and the Apex is a little different...it is connected to a Sonos (wireless music media) bridge via a ethernet patch cable.  The Sonos bridge is connected to the Sonos wireless network (assume it is a dedicated frequency) which originates at another Bridge that is physically connected to the TC with a ethernet cable.  Sounds weird, but it works as that is one of the features the the Sonos has is to offer.  I think it is similar to a wirless gaming adapter in that sense.
  As far as port fowarding goes, I configured within the U-Verse router to open up the two IP ports 192.168.X.X:8080 for the Apex and 192.168.Y.Y:8090 for the Foscam in the Firewall section called "Applications, pinholes and DMZ".  I would use my cellphone when away from home by putting my public IP along with the correct port number to get access to the assocated device (ex.99.56.289.34:8080).  The phone was on a cellular signal and not tethered to the wireless network.  My public IP always stays the same so I don't have to worry about that variable.
  Again, all this used to work, but now when I added the TC I cant access it externally.  Any suggestions to get this to work would be apprected.
  Best Regards

• IChat Video works without any manual port configuration

  I'm posting this as a question and a true "discussion" with regards to iChat "video chat" operation with 2 users, both behind their own NAT router. I have seen several cases where iChat (ver3 and ver4) work just fine without any manual intervention. Of course, there are many other cases in these discussions where it seems a lot of complication and little positive result are part of the equation. Isn't iChat designed to work behind NAT routers ? Doesn't it use the SNATMAP server to get external (ie; public) IP and port number mappings ? If both users can login to the AIM server and initiate a Chat request, and contact the SNATMAP server, the next key requirement is to simply establish a point-to-point SIP session to the public IP/port of each endpoint.
  It seems the first thing to check is that this is happening correctly. In other words, the iChat debug log for userA should show something similar to;
  2008-01-29 18:59:21.739 iChat[2603] IPAndPortList: (
  {ip = "x.y.z.w"; port = 63217; },
  {ip = "a.b.c.d"; port = 16402; }
  ...where a.b.c.d represents the internal/private IP of a user (userB on Leopard iChat4 for example with 16402 representing all of the SIP, A/V, and A/V control ports) behind a NAT and x.y.z.w represents the external/public IP of userB. At least I think Leopard uses 16402 for the SIP. This shows that userA has the mapping for the SIP signaling port to send the SIP:invite to userB (ie; 63217).
  There is also something like;
  185912.819694 Sending SNATMAP heartbeat to 11FAF895:5678
  185912.912199 SNATMAP heartbeat resulted in IP change (from: 0 to: mm.nn.kk.pp)
  185912.912251 SNATMAP heartbeat resulted in port change (from: 0 to: 64999)
  ..where mm.nn.kk.pp represent the HEX values for the userA public IP address and the 64999 (in this example only) represents the SIP signaling port for userA
  185921.738995 =========== OpenPorts!
  185921.832238 Public mapping: m.n.k.p:64998
  185921.923213 Public mapping: m.n.k.p:64991
  185922.014215 Public mapping: m.n.k.p:65018
  185922.104986 Public mapping: m.n.k.p:65098
  ...where m.n.k.p represents the public IP of userA (Tiger iChat3 in this case), and the 64xxx and 65xxx umbers represent the ports opened for A/V and A/V control. In other words, these are the mappings for the "typical" 16384, 16385, 16386, 16387 ports.
  As long as both users have connectivity to the SNATMAP server, these "mappings" should proceed without problems, right ??
  If both endpoints/users get these mappings, which appear to happen auto-magically between iChat and the SNATMAP server at "snatmap.mac.com:5678", iChat should move to the next phase which is to simply establish the point-to-point SIP call. Up to this point, I don't see why any port-mapping or for that matter, anything else needs to be done ?
  Of course, AFTER this point, one does need to make sure no local computer "application" firewall is blocking 5190, 5060, 5678, 16384-16403 (Tiger) or 5190, 16384(or 16393?)-16402 (Leopard) .
  If all is well to this point, and iChat actually sends a valid SIP:invite to the remote public SIP IP/port, with a valid SDP section, it's up to whether the endpoints can agree on the session parameters (ie; video codec, bitrate, frame-rate, etc..etc...)
  Of course, there are many other things that could happen outside of iChat, like bad (or even good) installed software causing some weird problems, or running some application like virtualization or Internet Sharing that may have some "interop" issue...and maybe even a Service provider simply blocking the ports that the NAT has used (unlikely since they are probably different for every user and determined by each users NAT router)...but if you look at the iChat errorLogLevel7 debug output (preferably on both ends at the time of the call), you should be able to determine if iChat is sending a valid Invite...which is the prmary key in all of this.
  Lastly, I have read about "symmetric" NAT routers which might actually pose a real problem even when using the SNATMAP server. This is because a symmetric NAT router will only allow traffic from the destination port that a source port was opened to...which in iChat's case is usualy the SNATMAP server. So it may not be possible to "open ports" via te SNATMAP server, but then get incoming SIP/video traffic from userB. In this case, then UPnP or NAT-PMP, or port-forwarding/triggering may help.
  Just some thoughts for discussion.

  Your totally right,
  and from al the discussions here it seems that not every body knows that, and might be looking for the wrong answers. I wonder why Apple doesnot tell us how it is meant to work, and how to troubleshoot connections problems!
  Ichat uses the SIP protocol and should work without any firewall/NAT configurations, for an explanation see http://en.wikipedia.org/wiki/SessionInitiationProtocol
  I have seen it work out of the box for several installations (single iMac, OS X 10.5, behind one ADSL router). In one situation i had to switch of the SIP helper application in the router
  My own home network has 2 macs however, and sometimes it works and sometimes not.
  1) I found out that for local videochats i have to use the bonjour accounts, is that correct ? It should work with .MAC accounts too?
  2) for external communications i found out it is best to to stick to one Mac. When I switch from one to the other, using the same account (after logging out first), it often doesnot work, although it should. Any idea how to troubleshoot this problem? (now I rember I have to check this SIP helper application first
  3) when i setup a video chat to my mam who uses autoaccept, i am not able to take over the screen. Without autoaccept it works fine. So it looks like autoaccept won't allow you to share the screen.

• How do I use Port Mapping?

  b How do I use Port Mapping?
  (This document will assume that you are using and ABS/AEBS/AX as an internet router and have DHCP & NAT turned on.)
  Sometime you may want to offer access to a computer on your AirPort network to users on the internet, whether it be a web site, or for file sharing, or just remote access for yourself when traveling. If any of these sound like something you want to do, then you need to understand how Port Mapping works.
  b AirPort as Firewall
  Most of the time your AirPort base station will not let any traffic into your network which did not originate from your network. It will let everything out and replies to your traffic back in, but it will not let sessions initiated on the internet side of the base station in to your network. This is what is referred to as the "NAT firewall" capability of the base station and it provides effective protection for your network from the internet. What Port Mapping does is poke a hole in this wall to allow certain type(s) of traffic into the network and direct this traffic to a specific computer on the network. In the firewall world this is commonly referred to as an "inbound proxy" or "inbound translation" rule or "PAT" (Port Address Translation) in the router world.
  b The Need for Manual Addressing
  Since a Port Mapping entry in the base station configuration requires an inside private IP address to be specified, the computer to which to mapping entry applies should always have the IP address specified in the mapping entry. Thus, DHCP should not be used for a computer offering services on the internet as the Port Mapping entry will no longer work if the target computer's IP address changes. In general, an Apple base station's DHCP server will try to assign IP addresses in the 10.0.1.2 to 10.0.1.200 range. IP addresses above 10.0.1.200 can be Manually assigned to computers and other devices on the network up to 10.0.1.254. 10.0.1.255 is reserved (it is the broadcast address for the 10.0.1 subnet). To Manually set up the TCP/IP information for a Macintosh running Mac OS X, go to System Preferences -> Network and "Show" the appropriate interface (Ethernet or AirPort) and click on the TCP/IP tab. Select "Configure Manually" and enter the following information:
  IP address : 10.0.1.201 (or whatever address you decide to use)
  Subnet mask : 255.255.255.0
  Router IP : 10.0.1.1 (the AirPort base station LAN IP)
  DNS server : 10.0.1.1, or whatever DNS server IP your ISP uses
  After making these changes verify that your computer can still access the internet and local resources on the LAN before continuing.
  b Port Mapping a service
  In our example we will be hosting a web site on a computer which we have given an IP address of 10.0.1.201. Basic web sites are accessed using the HyperText Transport Protocol (HTTP) and this protocol typically uses port 80 to communicate. In order for others to see the web site, we must configure a Port Mapping entry in the base station configuration to not only allow the web browsers in, but to tell the base station what IP address the web server is using. The Port Mapping entry has three parts: Public Port, Private IP, and Private Port. In this case you would use the following values:
  Public Port : 80
  Private IP : 10.0.1.201 (this is the computer hosting the web site)
  Private Port : 80
  In order to access the web site from the internet, users must reference the base station's WAN port public IP (determined by looking at the base station configuration summary page in the AirPort Admin Utility). Since this address may change over time, you might want to use a Dynamic DNS service to simplify connecting for your users.
  Sometimes the port you wish to use may be blocked by the ISP. In this case, use a different non-standard Public Port number for the service, but keep the Private Port standard. In the above example, if the ISP was blocking port 80, you could potentially use 8080 instead, so:
  Public Port :

  Public Port : 8080
  Private IP : 10.0.1.201
  Private Port : 80
  Your users would then have to enter "http://<publicIP>:8080/" (where <publicIP> is the public IP address of the AirPort base station) to access the web site.
  b Internal Access
  It should be noted that when accessing these services from within the network you cannot reference the Public IP/Public Port, but rather you must use the Private IP/Private Port. Thus, "http://10.0.1.201:80/" in the above example.
  b Limits and Options
  There is a maximum of 20 Port Mapping entries that can be made in an Apple base station configuration. If you use an AirPort Extreme or AirPort Express base station there is an option which can be helpful in the case where you need many ports opened to a single computer. This is the "Default Host" option. When using this it is not necessary to use Port Mapping at all as all ports will be opened to the specified "Default Host". This is found in "Base Station Options". The default IP address for the "Default Host" is 10.0.1.253. You may change this IP address. The target computer must be Manually configured as specified above with the same IP address. Since all ports are now open to this computer, you should enable and configure the Mac OS X firewall on the default host computer to protect it from intruders.
  b Useful Related Links
  <a href="http://docs.info.apple.com/article.html?artnum=52002>"Designing AirPort Extreme Networks: Manuals</a>
  "Well Known" TCP and UDP Ports Used By Apple Software Products
  IANA Port Number Assignments

• Port Mapping Question

  Well, I thought I had this all figured out...
  About a year ago I set up an older AirPort Extreme Base Station (Version 5.7) successfully to port to an iMac running OS X Tiger Server. As Leopard came out I decided that I wanted to do a little upgrading around the house and purchased the new AEBS along with a Mac Mini to run the new server software.
  I have no problems getting the AEBS set up, but the port mapping just doesn't seem to work correct.
  Right now I reverted back to the old system and seem to be serving just fine on the Mac Mini with OS X Leopard Server... But I'd really like to leverage the new AEBS.
  So, anyone out there can offer some advice on one of the settings I seem to be missing that seems to make this not work?
  Thanks

  It might also be a DCHS/NAT problem...
  Here's a post I added this morning...
  http://discussions.apple.com/thread.jspa?threadID=1320615&tstart=0

• Is Time Capsule vulnarable with Upnp aka Port Mapping vulnerability?

  As you also might have already heard about this quite huge upnp vulnerablity, I tried and failed to find out if Time Capsule or other Apple's network products are using this bugged libupnp library or not.
  As a backup device it would be quite nasty if someone could hack in to the device and wipe all backups. US-CERT's list of manufacturers does not include Apple, so this is not helping much.
  http://www.kb.cert.org/vuls/byvendor?searchview&query=FIELD+reference=922681&sea rchorder=4
  So what to do, should we turn port mapping protocols off until Apple fixes this problem, or are we already safe with the Time Capsule's latest 7.6.1 version?

  Apple do not use upnp.. they use their own entirely different protocol.. NAT-PMP so whatever the upnp vulnerability is, I doubt apple has it.