Port Forwarding on an Airport Extreme or Time Capsule

I recently picked up a 3rd generation Time Capsule with 1TB drive to replace my aging and somewhat crappy Virgin Media router. I initially set the original router for Modem Mode only, thus disabling the on-board WiFi and more importantly the port forwarding, so now I had to figure out how to set this up on the Apple hardware.

What is port forwarding?

Port forwarding is the act of forwarding a network port from one network node to another. This technique allows an external user to reach a port on a private IP address (inside a LAN) from the outside via a NAT-enabled router.

Why would I want to port forward?

Port forwarding greatly increases torrent speeds. It can also be used to access files on your computer or NAS at home over the Internet (i.e., mount a file server over the Internet).

Setting Up Port Forwarding On Your Airport Extreme or Time Capsule

  • Open Airport Utility: Applications -> Utilities -> Airport Utility
  • Select your device and click Edit.
  • Click the “Advanced” gear at the top of the window.
  • Make sure you are using DHCP and NAT as your Router Mode.
  • Add a new DHCP Reservation that assigns a permanently fixed IP address to the machine you want to forward to. You will need the MAC address of your machine.
  • Click the “+” to add a new rule to the Port Settings.
  • In the window that pops up:
    • Description: Enter whatever you want or select from the available
    • Private IP Address: Enter the IP address of the computer you are forwarding the ports to (the fixed address from the DHCP Reservation above).
    • TCP Port(s): Enter the port number you want to forward
    • UDP Port(s): Enter the port number you want to forward (same port as the TCP port)
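
An added example (not from the original post): a Python check to run over a planned set of port mappings before entering them in AirPort Utility. It verifies that each target IP has the DHCP reservation required above, that no port is mapped twice, and flags ports from the list further down this page that carry file sharing or remote administration. The rule format, function names, and sample addresses and ports are assumptions made for the illustration.

```python
# Added example: audit AirPort-style port mappings (hypothetical rule format).
# Ports below are taken from the port list on this page: services that expose
# file sharing or remote administration when forwarded from the Internet.
SENSITIVE_TCP = {
    22: "Secure Shell (SSH)",
    139: "Server Message Block (SMB)",
    445: "Microsoft SMB Domain Server",
    548: "Apple Filing Protocol (AFP)",
    3283: "Net Assistant (Apple Remote Desktop)",
    5900: "Virtual Network Computing (VNC)",
}

def parse_ports(spec):
    """Expand '6881', '6881-6889' or '80, 443' into a sorted list of ints."""
    ports = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"invalid port range: {part!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)

def audit_rules(rules, reserved_ips):
    """Return (description, finding) tuples for a list of port mappings."""
    findings, seen = [], {}
    for rule in rules:
        name, ip = rule["description"], rule["private_ip"]
        if ip not in reserved_ips:  # forward target may change with the lease
            findings.append((name, f"{ip} has no DHCP reservation"))
        for proto in ("tcp", "udp"):
            for port in parse_ports(rule.get(proto, "")):
                owner = seen.setdefault((proto, port), name)
                if owner != name:  # one public port can reach only one host
                    findings.append((name, f"{proto}/{port} already mapped by {owner}"))
                if proto == "tcp" and port in SENSITIVE_TCP:
                    findings.append((name, f"tcp/{port} exposes {SENSITIVE_TCP[port]}"))
    return findings

# Constructed sample data: two mappings and the set of reserved addresses.
RULES = [
    {"description": "Torrent", "private_ip": "10.0.1.20", "tcp": "51413", "udp": "51413"},
    {"description": "NAS", "private_ip": "10.0.1.30", "tcp": "548, 51413"},
]
RESERVED = {"10.0.1.20"}

if __name__ == "__main__":
    for name, finding in audit_rules(RULES, RESERVED):
        print(f"{name}: {finding}")
```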

Available Ports to Forward:

It’s a long list…

| Port | TCP or UDP | Service or Protocol Name | Used by / Additional information |
| --- | --- | --- | --- |
| 20 | TCP | File Transport Protocol (FTP) | |
| 21 | TCP | FTP control | |
| 22 | TCP | Secure Shell (SSH) | Xcode Server (hosted and remote Git+SSH; remote SVN+SSH) |
| 25 | TCP | Simple Mail Transfer Protocol (SMTP) | Mail (for sending email); iCloud Mail (sending) |
| 53 | TCP/UDP | Domain Name System (DNS) | MacDNS, FaceTime |
| 67 | UDP | Bootstrap Protocol Server (BootP, bootps) | NetBoot via DHCP |
| 68 | UDP | Bootstrap Protocol Client (bootpc) | NetBoot via DHCP |
| 69 | UDP | Trivial File Transfer Protocol (TFTP) | |
| 80 | TCP | Hypertext Transfer Protocol (HTTP) | World Wide Web, iCloud, QuickTime Installer, Maps, iTunes U, Apple Music, iTunes Store, Podcasts, Internet Radio, OS X Software Update (OS X Lion and earlier), Mac App Store, RAID Admin, Backup, Calendar, WebDAV, Final Cut Server, AirPlay, OS X Internet Recovery, Profile Manager, Xcode Server (Xcode app, hosted and remote Git HTTP, remote SVN HTTP). |
| 88 | TCP | Kerberos | Kerberos (including Screen Sharing authentication) |
| 106 | TCP | Password Server | Mac OS X Server Password Server (Unregistered Use) |
| 110 | TCP | Post Office Protocol (POP3) | Mail (for receiving email) |
| 111 | TCP/UDP | Remote Procedure Call (RPC) | Portmap (sunrpc) |
| 113 | TCP | Identification Protocol | |
| 115 | TCP | Simple File Transfer Protocol (SFTP) | |
| 119 | TCP | Network News Transfer Protocol (NNTP) | Used by applications that read newsgroups. |
| 123 | UDP | Network Time Protocol (NTP) | Date & Time preferences. Used for network time server synchronization, AppleTV Network Time Server Sync |
| 137 | UDP | Windows Internet Naming Service (WINS) | |
| 138 | UDP | NETBIOS Datagram Service | Windows Datagram Service, Windows Network Neighborhood |
| 139 | TCP | Server Message Block (SMB) | Used by Microsoft Windows file and print services, such as Windows Sharing in Mac OS X. |
| 143 | TCP | Internet Message Access Protocol (IMAP) | Mail (for receiving email) |
| 161 | UDP | Simple Network Management Protocol (SNMP) | |
| 192 | UDP | OSU Network Monitoring System | AirPort Base Station PPP status or discovery (certain configurations), AirPort Admin Utility, AirPort Express Assistant |
| 311 | TCP | Secure server administration | Server app, Server Admin, Workgroup Manager, Server Monitor, Xsan Admin. |
| 312 | TCP | Xsan administration | Xsan Admin (OS X Mountain Lion v10.8 and later) |
| 389 | TCP | Lightweight Directory Access Protocol (LDAP) | Used by applications that look up addresses, such as Mail and Address Book. |
| 427 | TCP/UDP | Service Location Protocol (SLP) | Network Browser |
| 443 | TCP | Secure Sockets Layer (SSL, or “HTTPS”) | TLS websites, iTunes Store, OS X Software Update (Mountain Lion and later), Spotlight Suggestions, Mac App Store, Maps, FaceTime, Game Center, iCloud authentication and DAV Services (Contacts, Calendars, and Bookmarks), iCloud backup and applications (Calendars, Contacts, Find My iPhone/Find My Friends, Mail, Documents & Photo Stream), iCloud Key Value Store (KVS), iPhoto Journals, AirPlay, OS X Internet Recovery, Profile Manager, Back to My Mac, Dictation, Siri (iOS), Xcode Server (hosted and remote Git HTTPS, remote SVN HTTPS, Apple Developer registration). |
| 445 | TCP | Microsoft SMB Domain Server | |
| 465 | TCP | Message Submission for Mail (Authenticated SMTP) | Mail (for sending mail) |
| 500 | UDP | ISAKMP/IKE | OS X Server VPN service, Back to My Mac |
| 500 | UDP | Wi-Fi Calling | Wi-Fi Calling |
| 515 | TCP | Line Printer (LPR), Line Printer Daemon (LPD) | Used for printing to a network printer, Printer Sharing in Mac OS X |
| 548 | TCP | Apple Filing Protocol (AFP) over TCP | AppleShare, Personal File Sharing, Apple File Service |
| 554 | TCP/UDP | Real Time Streaming Protocol (RTSP) | QuickTime Streaming Server (QTSS), streaming media players, AirPlay |
| 587 | TCP | Message Submission for Mail (Authenticated SMTP) | Mail (for sending mail), iCloud Mail (SMTP authentication) |
| 600-1023 | TCP/UDP | Mac OS X RPC-based services | Used by NetInfo, for example |
| 623 | UDP | Lights-Out-Monitoring | Used by Intel Xserves’ Lights-Out-Monitoring (LOM) feature; used by Server Monitor |
| 625 | TCP | Open Directory Proxy (ODProxy) (Unregistered Use) | Open Directory, Server app, Workgroup Manager; DirectoryServices in OS X Lion and earlier. Note: This port is registered to DEC DLM. |
| 626 | TCP | AppleShare Imap Admin (ASIA) | IMAP Administration (Mac OS X Server v10.2.8 or earlier) |
| 626 | UDP | serialnumberd (Unregistered Use) | Server serial number registration (Xsan, Mac OS X Server v10.3 – v10.6) |
| 631 | TCP | Internet Printing Protocol (IPP) | Mac OS X Printer Sharing, Printing to many common printers |
| 636 | TCP | Secure LDAP | |
| 660 | TCP | Server administration | Server administration tools for Mac OS X Server v10.4 and earlier, including AppleShare IP. |
| 687 | TCP | Server administration | Server administration tools for Mac OS X Server v10.6 and earlier, including AppleShare IP. |
| 749 | TCP/UDP | Kerberos 5 admin/changepw | |
| 985 | TCP | NetInfo Static Port | |
| 993 | TCP | Mail IMAP SSL | iCloud Mail (SSL IMAP) |
| 1099 & 8043 | TCP | Remote RMI and IIOP Access to JBOSS | |
| 1220 | TCP | QT Server Admin | Used for administration of QuickTime Streaming Server. |
| 1640 | TCP | Certificate Enrollment Server | Profile Manager, SCEP |
| 1649 | TCP | IP Failover | |
| 1701 | UDP | L2TP | Mac OS X Server VPN service |
| 1723 | TCP | PPTP | Mac OS X Server VPN service |
| 1900 | UDP | SSDP | Bonjour, Back to My Mac |
| 2049 | TCP/UDP | Network File System (NFS) (version 3 and 4) | |
| 2195 | TCP | Apple Push Notification Service (APNS) | Push notifications |
| 2196 | TCP | Apple Push Notification Service (APNS) | Feedback service |
| 2336 | TCP | Mobile account sync | Home directory synchronization |
| 3031 | TCP/UDP | Remote AppleEvents | Program Linking, Remote Apple Events |
| 3283 | TCP/UDP | Net Assistant | Apple Remote Desktop 2.0 or later (Reporting feature) |
| 3478-3497 | UDP | | FaceTime, Game Center |
| 3632 | TCP | Distributed compiler | |
| 3659 | TCP/UDP | Simple Authentication and Security Layer (SASL) | Mac OS X Server Password Server |
| 3689 | TCP | Digital Audio Access Protocol (DAAP) | iTunes Music Sharing, AirPlay |
| 3690 | TCP/UDP | Subversion | Xcode Server (anonymous remote SVN) |
| 4398 | UDP | | Game Center |
| 4488 | TCP | Apple Wide Area Connectivity Service | Back To My Mac |
| 4500 | UDP | IPsec NAT Traversal | OS X Server VPN service, Back to My Mac. Note: Configuring Back to My Mac on an AirPort Base Station or Time Capsule in NAT mode will impede connectivity to an OS X Server VPN service behind that NAT. |
| 4500 | UDP | Wi-Fi Calling | Wi-Fi Calling |
| 5003 | TCP | FileMaker – name binding and transport | |
| 5009 | TCP | (Unregistered Use) | AirPort Utility, AirPort Express Assistant |
| 5060 | UDP | Session Initiation Protocol (SIP) | iChat |
| 5100 | TCP | | Mac OS X camera and scanner sharing |
| 5190 | TCP/UDP | America Online (AOL) | iChat and AOL Instant Messenger, file transfer |
| 5222 | TCP | XMPP (Jabber) | iChat and Jabber messages |
| 5223 | TCP | Apple Push Notification Service | iCloud DAV Services (Contacts, Calendars, and Bookmarks), APNS, FaceTime, Game Center, Photo Stream, Back to My Mac |
| 5269 | TCP | XMPP server-to-server communication | iChat Server |
| 5297 | TCP | | iChat (local traffic) |
| 5298 | TCP/UDP | | iChat (local traffic) |
| 5350 | UDP | NAT Port Mapping Protocol Announcements | Bonjour, Back to My Mac |
| 5351 | UDP | NAT Port Mapping Protocol | Bonjour, Back to My Mac |
| 5353 | UDP | Multicast DNS (MDNS) | Bonjour, AirPlay, Home Sharing, Printer Discovery, Back to My Mac |
| 5432 | TCP | PostgreSQL | May be enabled manually on Lion Server. Previously enabled by default for ARD 2.0 Database. |
| 5678 | UDP | SNATMAP server | The SNATMAP service on port 5678 is used to determine the external Internet address of hosts so that connections between iChat users can properly function behind network address translation (NAT). The SNATMAP service simply communicates to clients the Internet address that connected to it. This service runs on an Apple server, but does not send personal information to Apple. When certain iChat AV features are used, this service will be contacted. Blocking this service may cause issues with iChat AV connections with hosts on networks that use NAT. |
| 5897-5898 | UDP | (Unregistered Use) | xrdiags |
| 5900 | TCP | Virtual Network Computing (VNC). Unregistered Use | Apple Remote Desktop 2.0 or later (Observe/Control feature). Screen Sharing (Mac OS X 10.5 or later) |
| 5988 | TCP | WBEM HTTP | Apple Remote Desktop 2.x (see http://dmtf.org/standards/wbem) |
| 6970-9999 | UDP | | QuickTime Streaming Server |
| 7070 | TCP | RTSP (Unregistered Use). Automatic Router Configuration Protocol (ARCP – Registered Use) | QuickTime Streaming Server (RTSP) |
| 7070 | UDP | RTSP alternate | QuickTime Streaming Server |
| 7777 | TCP | iChat server file transfer proxy (unregistered use) | |
| 8000-8999 | TCP | | Web service, iTunes Radio streams |
| 8005 | TCP | Tomcat remote shutdown | |
| 8008 | TCP | iCal service | Mac OS X Server v10.5 and later |
| 8080 | TCP | Alternate port for Apache web service | Also JBOSS HTTP in Mac OS X Server 10.4 and earlier |
| 8085-8087 | TCP | Wiki service | Mac OS X Server v10.5 and later |
| 8088 | TCP | Software Update service | Mac OS X Server v10.4 and later |
| 8089 | TCP | Web email rules | Mac OS X Server v10.6 and later |
| 8096 | TCP | Web Password Reset | Mac OS X Server v10.6.3 and later |
| 8170 | TCP | HTTPS (web service/site) | Podcast Capture/podcast CLI |
| 8171 | TCP | HTTP (web service/site) | Podcast Capture/podcast CLI |
| 8175 | TCP | Pcast Tunnel | pcastagentd (for control operations, camera and so on) |
| 8443 | TCP | iCal service (SSL) | Mac OS X Server v10.5 and later. Was JBOSS HTTPS in Mac OS X Server 10.4 and earlier. |
| 8800 | TCP | Address Book service | Mac OS X Server v10.6 and later |
| 8843 | TCP | Address Book service (SSL) | Mac OS X Server v10.6 and later |
| 8821, 8826 | TCP | Stored | Final Cut Server |
| 8891 | TCP | ldsd | Final Cut Server (data transfers) |
| 9006 | TCP | Tomcat standalone | Mac OS X Server v10.6 and earlier |
| 9100 | TCP | Printing | Used for printing to certain network printers |
| 9418 | TCP/UDP | git pack transfer | Xcode Server (remote git) |
| 10548 | TCP | Apple Document Sharing Service | OS X Server iOS file sharing |
| 11211 | | memcached (unregistered) | Calendar Server |
| 16080 | TCP | | Web service with performance cache |
| 16384-16403 | UDP | Real-Time Transport Protocol (RTP), Real-Time Control Protocol (RTCP) | iChat AV (Audio RTP, RTCP; Video RTP, RTCP) |
| 16384-16387 | UDP | Real-Time Transport Protocol (RTP), Real-Time Control Protocol (RTCP) | FaceTime, Game Center |
| 16393-16402 | UDP | Real-Time Transport Protocol (RTP), Real-Time Control Protocol (RTCP) | FaceTime, Game Center |
| 16403-16472 | UDP | Real-Time Transport Protocol (RTP), Real-Time Control Protocol (RTCP) | Game Center |
| 24000-24999 | TCP | | Web service with performance cache |
| 42000-42999 | TCP | | iTunes Radio streams |
| 49152-65535 | TCP | Xsan | Xsan Filesystem Access |
| 49152-65535 | UDP | | Back to My Mac |
| 50003 | | FileMaker server service | |
| 50006 | | FileMaker helper service | |
