I've never done this before (port forwarding), so I need some help. When I run a python http server, it opens only locally with address 0.0.0.0 and the port I've chosen. But nobody outside my local network can access it, so I was told I should forward the chosen port through the router settings:
The LAN port I'll set to the one I've chosen and the protocol must be TCP (I guess), but the rest of the boxes are very unclear to me as to what they do, as well as what the difference is between "LAN port" and "WAN port" and therefore what I should write in each box. I'm guessing that I should choose "Manual" for the port I decided to assign, but that still leaves what should be written in "WAN port". I know how to get my public IP address, that's not a problem. But that box above reads "internal IP address", not "Public IP address", which confuses me.
As I said, I've never done this before, so please explain it to me the way you'd explain it to someone with a room temperature IQ.
Stay calm. This is not very difficult, but please read my security warning at the end.
Your router has two sides.
The public internet side is the Wide Area Network (WAN). This is the internet side of your router. It connects to the public internet that the world uses. Everything on the public internet has its own unique IP address, including your router. Your router gets one public IP address that all of the devices in your house share. The public IP address for your router is assigned by your ISP. For some customers (possibly including you), the public IP address may change without notice.
The private internal network side is the Local Area Network (LAN). This network is where all of your WiFi, devices, and computers connect. The network is private, with internal IP addresses like "192.168.x.x" or maybe "10.x.x.x". Everything on this network must share the one public IP address on the other side of the router.
(Note: I am writing "internal IP address" because that is the label on your router's configuration page in your image. I usually think of it as a "private IP address" or a "LAN IP address.")
Web browsers use the TCP protocol to connect to web servers on the internet. They connect to the public IP address of the server. If you are offering a web server from your home, then other people on the internet will connect to the public IP address of your router.
TCP is divided into ports, which are numbered from 1 through 65535. Web browsers connect to web servers on TCP Port 80 (old) or TCP Port 443 (TLS, aka "SSL"). Port 80 is used for old-style HTTP browser connections, which are not encrypted. Port 443 is used for modern encrypted HTTPS connections, which rely on TLS (aka "SSL") to encrypt the connection and also need "certificates". HTTPS on Port 443 is the correct way to configure your web server, but more complex. (Other TCP ports are used for email, remote control and management, SSH, and many other "services".)
When somebody's web browser connects to your new web server, it must connect to your router's public IP address on a TCP port on the WAN (internet) side of your router. Unless you are doing something special, that "WAN port" should be either Port 80 (HTTP) or Port 443 (HTTPS, which uses TLS (aka "SSL")).
Inside your home network, you have a computer that is the actual web server. It is on your LAN (your private internal home network). Your web server has a private internal IP address on the LAN. That private internal IP address probably starts with "192.168.x.x" or maybe "10.x.x.x". It might start with "172.16...", which is fine but less common.
When somebody's web browser connects to TCP port 80 or 443 on the WAN side of your router, then your router must know which device in your private internal network (LAN) it should send the TCP connection to. In other words, the router must know your web server's private internal IP address. That is what the Virtual Server (port forwarding) setting does in your router's configuration. The Virtual Server / port forwarding setting tells the router, "If you get a TCP connection on Port 443 on your public internet WAN IP address, forward it to private internal LAN IP address 'x.x.x.x' on private internal LAN TCP port 'y'." (The "y" is probably 443 or 80, but could be anything else.)
Your internal web server probably uses TCP port 80 or port 443, but it may be using an unusual port (e.g., Port 4321) instead. Your router can forward the TCP connection it receives to whichever private internal address you want on whatever port you want. The "WAN Port" does not have to match the "LAN Port" that you use on your web server device.
So ....
Internal IP Address:
The private internal IP address (192.168.x.x. or 10.x.x.x) of your web server computer.
LAN Port:
This is the TCP port for connecting to your web server on your private internal network (LAN). You are probably using Port 80 or Port 443 on that web server. It is likely to match the WAN Port setting (below), but it does not have to match it.
WAN Port:
This is the public internet side TCP port where others will connect to the public IP address of your router. Browsers on the internet expect to connect to Port 80 (HTTP) or Port 443 (HTTPS), so choose whichever is appropriate. If your server offers both, then you will need two separate port forwarding entries in your router configuration, one for each port.
Protocol:
HTTP and HTTPS both use TCP. Some services use "UDP". Some use both. Choose "TCP" here.
NOTE: Your web server may offer both HTTP and HTTPS. In that case, you will need two separate port forwarding entries in your router configuration: One for Port 80 and the other for Port 443.
Not mentioned, but important:
- How will others find the public IP address of your web server?
- Your WAN public IP address may be subject to change by your internet service provider (ISP).
- If you use DNS (a name, like "www.linux.org"), then it adds more complexity:
  - You will want to register a domain name.
  - You must configure a DNS server to point to your public IP address.
  - If your public IP address is "dynamic" (subject to change without notice), then you will need to configure and use a special "dynamic DNS" service to automatically update the DNS when your router's public IP address (WAN address) changes.
  - You can use FreeDNS (mentioned above) for free dynamic DNS services. I use them.
    https://freedns.afraid.org
- Are you using HTTP (not secure) or HTTPS?
  - If you are using HTTPS, then you will also need a certificate.
  - HTTPS is more complex to configure than HTTP.
  - You can get free certificates from Let's Encrypt. Since Let's Encrypt appeared a few years ago, other free certificate services have appeared. I still use and recommend Let's Encrypt.
SECURITY WARNING! DANGER!
You must keep your web server fully updated and secure. If an attacker succeeds, they will own ("pwn") your web server computer with full superuser (root!) access and can do anything they want, including defacing your website and substituting their own illegal content, mining cryptocurrency, etc. Once they are inside your home network, they can attack and take control of your router and your other computers and your phones and anything else on your private internal network (LAN). That's bad. Really bad.
It is a serious risk for beginners.
Some routers offer a special feature called a "DMZ" which stands for "demilitarized zone". It is an old army term that means "a separate, isolated area". The DMZ for your router is a special, separate, isolated "LAN". It is independent from the regular LAN. If you put your web server computer in the special DMZ LAN and an attacker succeeds in compromising your web server, the router should prevent the attacker from gaining access to the LAN and attacking your other systems. That's better, but not perfect. Attackers are good at exploiting routers. Please keep your router updated and replace it when updates are no longer available.
If it were me, I would rent a cheap virtual private server (VPS) on the internet. You would have to learn how to set up SSH to connect to it and how to enable the firewall to keep it secure (and remember to keep it updated!!). If something really bad happens, the bad guys may "pwn" your VPS, but not your home LAN, your personal computer, your phones, etc. Cheap VPSs can be found for $10-20 per year. In that price range, some providers are good and some are not. Knowing which is which is an art form.
I hope this helps. If you need more info, just ask.
(Edits: Following the initial edits, I came back much later and fixed minor typos. Essential content remains unchanged.)
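An added example, not code from the thread above and not anything the router vendor ships: a small Python script that models the four boxes on the router's Virtual Server page (Internal IP address, LAN port, WAN port, Protocol) and checks them against the rules given in the answer. The internal address must be the server's private LAN address (192.168.x.x, 10.x.x.x or 172.16-31.x.x), never the router's public IP; ports run 1-65535; a web server is forwarded over TCP; and HTTP plus HTTPS need two entries. It also includes a connect test for "is the server really listening on the LAN side", which is the first thing to check before blaming the router. The addresses and ports in it (192.168.1.50, 203.0.113.5, port 8000) are made-up sample values, and the local listener is a stand-in for the real web server so the script runs offline.

```python
"""Sanity-check a router "Virtual Server" (port forwarding) entry.

Added example for this thread, not code from the original post.
It models the four boxes on the router page (Internal IP address,
LAN port, WAN port, Protocol) and checks them against the rules in
the answer above. All addresses and ports are made-up sample values.
"""
from __future__ import annotations

import ipaddress
import socket
from dataclasses import dataclass

# RFC 1918 private ranges: what belongs in the "Internal IP address" box.
PRIVATE_LAN_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass(frozen=True)
class ForwardRule:
    internal_ip: str        # "Internal IP address": the web server's LAN address
    lan_port: int           # "LAN port": the port the server listens on
    wan_port: int           # "WAN port": the port visitors use on the public IP
    protocol: str = "TCP"   # "Protocol": HTTP and HTTPS are TCP


def validate_rule(rule: ForwardRule) -> list[str]:
    """Return the problems found; an empty list means the entry looks sane."""
    problems = []
    try:
        addr = ipaddress.ip_address(rule.internal_ip)
    except ValueError:
        return [f"'{rule.internal_ip}' is not an IP address"]

    if addr.version != 4:
        problems.append("NAT port forwarding on a home router is for IPv4 addresses")
    elif addr.is_loopback:
        problems.append(f"{addr} is the machine itself; the router cannot reach it")
    elif not any(addr in net for net in PRIVATE_LAN_RANGES):
        # The mistake from the question: putting the public IP in this box.
        problems.append(f"{addr} is not a private LAN address; do not use the public IP here")

    for label, port in (("LAN", rule.lan_port), ("WAN", rule.wan_port)):
        if not 1 <= port <= 65535:
            problems.append(f"{label} port {port} is outside 1-65535")

    if rule.protocol.upper() != "TCP":
        problems.append(f"protocol {rule.protocol!r}: a web server needs TCP")
    return problems


def rules_for_web_server(internal_ip: str, http_port: int | None = None,
                         https_port: int | None = None) -> list[ForwardRule]:
    """One entry per service: WAN 80 -> the HTTP port, WAN 443 -> the HTTPS port.

    The LAN port need not match the WAN port, e.g. "python3 -m http.server 8000"
    can sit behind WAN port 80.
    """
    rules = []
    if http_port is not None:
        rules.append(ForwardRule(internal_ip, http_port, 80))
    if https_port is not None:
        rules.append(ForwardRule(internal_ip, https_port, 443))
    return rules


def port_listening(ip: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP connect to ip:port succeeds, i.e. the server is up on the LAN side.

    Run this from another machine on the LAN against the internal IP / LAN port
    before touching the router: if it fails here, no forwarding rule will help.
    """
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def start_test_listener() -> tuple[socket.socket, int]:
    """Constructed stand-in for the web server: a TCP listener on 127.0.0.1, any free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # A python http.server on LAN machine 192.168.1.50 (sample value), started
    # with "python3 -m http.server 8000", reachable from the internet on port 80.
    for rule in rules_for_web_server("192.168.1.50", http_port=8000):
        print(rule, "->", validate_rule(rule) or "OK")
    # The public IP (203.0.113.5 is a documentation address) in the internal box:
    print(validate_rule(ForwardRule("203.0.113.5", 80, 80)))
    srv, port = start_test_listener()
    print(f"listener on 127.0.0.1:{port} reachable:", port_listening("127.0.0.1", port))
    srv.close()
```

On the real network, call port_listening with the server's LAN address and LAN port from a second device on your WiFi; only once that returns True does it make sense to add the rule on the router and test again from outside (for example from a phone on mobile data) against the public IP and WAN port.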