A lesson learned from trying to install a DVR security camera on a LAN with a
private IP address, that needs to be accessed from the public Internet.
You can download RITLABS S.R.L's TinyWeb server from here, or download it here
directly from Quest4 with this how-to text file included right in the archive.
Prerequisites: To test a port on a system with a private IP address, you
need access to either a system coming in from the public internet, or, from the
system you are testing, the ability to either open up a Remote Desktop session
on an outside system or the ability to open up an SSH session on an outside *BSD/Linux
system with Lynx installed on it (i.e., a computer located outside your LAN (on
the WAN), with a public IP address on it).
Programs required: tinyweb.zip and any web
browser (or download tinytest.zip here).
Create a directory, for example c:\www, on the c:\ drive of the system you
want to test. In this directory, put tiny.exe and an index.htm file. If you
don't have the included index.htm file, simply make a .txt document called
index.htm with these contents:
<html><head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
</head><body>It works!</body></html>
Tiny.exe Quick-start CLI Examples (assuming you put tiny.exe in c:\www):
To Run TinyWeb on port 8000:
c:\www\tiny.exe c:\www\ 8000
To Run TinyWeb on port 8000 and address 18.104.22.168:
c:\www\tiny.exe c:\www\ 8000 22.214.171.124
Note: To open a CLI prompt, go to Start/Run/. In the box that pops up, type
"cmd" or "command" and press enter. This will bring up
a CLI DOS prompt. Type either of the above tiny.exe CLI syntax examples,
depending on your needs, in the CLI DOS prompt.
How to use tiny web server to test a port. For this example, suppose the WAN IP
address of your network is 126.96.36.199 and the LAN IP address of the test
system you are on is 192.168.1.4.
1) On the system you want to test, download and put tiny.exe into c:\www (or
the directory of your choice, but if you change the directory, you have to
change the quick-start CLI commands above to match this change).
2) Open a CLI window and type in one of the above tiny.exe commands, edited
for proper port and IP address. (By default, tiny.exe attempts to bind with all
local IP addresses, but you may specify one if needed by using the second
Quick-start CLI example given above. Otherwise, the first example should usually
work just fine).
3) Find your test system's WAN IP address by either viewing your router/dsl/cable
modem's configuration files, or going to http://www.whatismyip.com/
4) In the CLI, run ipconfig and get the IP address of the system you
want to test. For this example, we will pretend ipconfig returned the IP address
of 192.168.1.4 (and that you plan to test port 8000).
5) Configure your router/dsl/cable modem so that requests to the test
system's WAN IP address, as found in step 3, forward to the IP address of
192.168.1.4, (substituting the test system's IP address, as found in step 4).
This can usually be done by modifying the firewall rules in your router, or by
creating a port forward (e.g., any request to IP 188.8.131.52 port 8000 is
forwarded to 192.168.1.4 port 8000). Find the documentation on your router/dsl/cable
modem for specific instructions on how to do this.*
6) After configuring your WAN's public IP address to pass through to your
LAN's private IP address, use a system with an IP address outside of the LAN you
are currently testing (e.g., on the WAN, with a public IP address). Note: the
easiest way to do this is to open a remote session on an outside system (i.e., a
system with a public IP address, located outside the LAN of the system you are
testing) from the system you have installed tiny.exe on, or from another
computer on the same LAN, using either a Microsoft Remote Desktop session or
putty.exe to SSH into a *BSD box with lynx installed on it. Open up a browser
on the Remote Desktop or the remote lynx session. In this browser, type in the URL of
http://184.108.40.206:8000 (substituting the IP address of your actual WAN, of
7) If you can get to the system you are testing from the outside world, you
should see "It works!" displayed in the browser window. If you haven't
figured it out yet, seeing this means, it works!
Why would you need to do this?
Suppose that you are installing an application on a system with a LAN IP
address of 192.168.250.120 and that it uses port 8000. First off, this is a
private IP address on the LAN side of your network. If you were attempting to
get to this from the public Internet, it wouldn't work. However, if you properly
set up your router/dsl/cable modem and, if applicable, your firewall, and you
know your WAN's public IP address, you would get to your application by using
the WAN's public IP address...which would then map/port forward to your newly
installed application on said test system.
Now consider how easy it would be to test this if you were installing, say, a
POP3 server. You would test it by, on an outside system, putting the following
command into a CLI prompt:
telnet 220.127.116.11 8000
If the router/dsl/cable modem's firewall or port forwarding were configured
correctly, a proper POP3 response would easily be seen by the above test. But
suppose you were testing an application that would not respond to a telnet
session. By installing tiny.exe and using an outside system, located on the WAN,
to test your router/dsl/cable modem, and/or firewall rules, you can simply use a
web browser to troubleshoot your application's setup.
For instance, if your application didn't work...is it the router/dsl/cable
modem's fault, or your application? Using tiny.exe, you will easily be able to
tell if you are getting through from the WAN to the LAN. And you will easily be
able to tell if your firewall rules are working correctly. If your test of the
router/dsl/cable modem's port forwarding/firewall rules is successful, and your
application still isn't working, then you know at least that it is the
application and not the router/firewall.
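The browser check in steps 6 and 7, and the router-versus-application question above, can also be scripted on the outside system. This is an added example, not part of the original how-to or of TinyWeb: the function names are hypothetical, and the demo uses a constructed local stand-in for tiny.exe so it runs offline.

```python
import http.client
import http.server
import ipaddress
import socket
import threading

MARKER = "It works!"  # text the how-to's test page displays (step 7)

def needs_port_forward(addr):
    """True if addr (e.g. from ipconfig, step 4) is private and needs a forward."""
    return ipaddress.ip_address(addr).is_private

def probe(host, port, marker=MARKER, timeout=5):
    """Request http://host:port/ and classify what an outside client sees."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        body = conn.getresponse().read(4096).decode("windows-1252", "replace")
    except ConnectionRefusedError:
        return "refused"        # a host answered, but nothing listens on the port
    except (socket.timeout, TimeoutError):
        return "timeout"        # no reply at all within the time limit
    except (OSError, http.client.HTTPException):
        return "unreachable"    # routing error, or the listener is not HTTP
    finally:
        conn.close()
    return "ok" if marker in body else "wrong-content"

class StandInPage(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for tiny.exe serving index.htm (demo only)."""
    def do_GET(self):
        body = MARKER.encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):  # keep the demo quiet
        pass

def demo():
    """Probe the stand-in while it is running, then again after it stops."""
    server = http.server.HTTPServer(("127.0.0.1", 0), StandInPage)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    reachable = probe("127.0.0.1", server.server_port)
    server.shutdown()
    server.server_close()
    return reachable, probe("127.0.0.1", server.server_port, timeout=2)

if __name__ == "__main__":
    print(needs_port_forward("192.168.1.4"), demo())
```

For a real test, call probe() from the outside system with your WAN address and the forwarded port. A "timeout" usually points at the router or firewall, "refused" at tiny.exe not running on the forwarded system, and "wrong-content" at the forward landing on some other service.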
* Why can't I just use the IP address found in ipconfig? The short answer is,
you can use this IP address if it is a public IP address. If it is a private IP
address, you have to configure your router/dsl/cable modem to map/port forward
to the private IP address. Why????
Because every public IP address has to be unique. If your LAN uses a private
IP address block, such as 192.168.1.0...so do about 10 million other LANs. If
you type http://192.168.1.4 into a browser URL, how does it know to go to your
LAN test system instead of the 9,999,999 other LANs that contain the same IP
The answer is, of course, that it can't, so you use your WAN's unique public
IP address, to map/port forward to your LAN's private IP address block.
**To specify a port address on a destination system, you simply put the port
at the end of the URL, separated by a colon. For example, to go to port 587 on a
system with an IP address of 18.104.22.168, you would go to the URL of
http://22.214.171.124:587. Note, to telnet to the exact same location, you would
open up a CLI prompt and type in, 'telnet 126.96.36.199 587' and hit enter.
This document released under the
Under the following conditions:
Attribution. You must give the original
Noncommercial. You may not use this work
for commercial purposes.
Share Alike. If you alter, transform, or
build upon this work, you may distribute the resulting
work only under a license identical to this one.
For any reuse or distribution, you must make clear
to others the license terms of this work.
Any of these conditions can be waived if you get
permission from the copyright holder.