Many people run Plex, email and other servers on their home networks and want to reach them from the public internet. Unfortunately, modern networking has been made considerably more complicated by NAT, a solution intended to address the problem of running out of available IPv4 addresses.


While we can't debug your home network, we can provide some pointers that may help you get your local servers running properly. The trick is to understand NAT (Network Address Translation).


NAT simply rewrites the original destination IP - and optionally a port - of a packet in order to route it somewhere else. For the sake of example, let's pretend you have a Plex server running on your home network and it has a local IP address of 192.168.1.17. You check your Plex settings and it tells you that it's listening on port 17353. So any packets on your network that have the destination 192.168.1.17:17353 (IP:Port) will make it to your Plex server and you should have a good connection.


The problem is that modern network gateways (wireless routers, cable modems and yes, Winston) perform NAT automatically. This enables all devices behind the gateway to share a single IP address. This many-to-one relationship means that packets have no problem getting out of your network... but they won't be able to get in unless you tell them where to go. 


That's actually pretty useful as it also prevents many types of cybersecurity attacks. You wouldn't want just anyone connecting to your laptop. But what if you actually do want to do something like this and run a server on your home network?


Let's see how this plays out in setting up a Plex server. Follow along on the diagram below as you work through the steps.



Step 1: Allowing packets into your home network


The first thing you'll have to do is tell your cable modem to let the right packets from the internet in and send them to the next device in line (in this case, a Winston). Your Plex server settings will suggest a public IP address:port pair but you can really set the port to be anything you want. Plex says it wants 73.102.1.7:23200 in this case, so we'll go with that for our origin.


The destination is, of course, Winston. If you've daisy-chained Winston between your cable modem and wireless router as we recommend, then your modem will have assigned it an internal IP address. You can find that by fishing around in your cable modem settings, but we've tried to make it easy for you. Just call this URL and you'll get your Winston's WAN (outbound) IP address:


http://api.winstonprivacy.com:81/api/wanaddress


{"interface":"lan0","addresses":["10.1.0.2/22"]}


"10.1.0.2" is the IP address that your cable modem assigned to Winston (ignore the trailing slash and the number that follows). 


Next, head to your cable modem's advanced settings and find the section that allows port forwarding. Set up a rule to accept packets on port 23200 and forward them to 10.1.0.2 on port 23200. The exact way this is done depends on your brand of cable modem. Some are pretty quirky, too: for instance, Xfinity cable modems have to have "Advanced Security" turned off, or they will ignore your rule!


Step 2: Passing packets through Winston


If Winston is set up between your cable modem and wireless router, it will be in passthrough mode. If so, you can skip this step. Winston is smart enough to automatically pass those packets back to your router without any help from you.


Not sure what mode you're in? You can check by calling the following URL:


http://api.winstonprivacy.com:81/api/diagnostics


If you see an entry that reads "Passthrough: true", then you're in passthrough mode. You should go to Step 3.


If not, it means you have multiple IP addresses (devices) plugged into Winston, so you'll need to set up a port forwarding rule. You can do this on Winston's Privacy Settings -> Port Forwarding page. Find the IP address of your wireless router using its administration settings. Tip: It will be one of the IP addresses listed under "LanIP" using the URL above.


The rule will look something like this. In most cases, the protocol will be TCP but please consult the documentation for your server.


Packets are now being allowed on your home network and are passing through Winston to your wireless router!


Step 3: Pass packets through your wireless router to your server


Finally, you'll set up a similar port forwarding rule on your wireless router to pass incoming traffic on port 23200 through to your Plex server listening on port 17353. 


In our diagram above, you'll need the local IP address of your Plex server (192.168.1.17). It should report this to you somewhere in its settings. Using your wireless router interface, add a rule to pass incoming packets from port 23200 to 192.168.1.17:17353.


If all has gone well, your server will now be able to receive incoming traffic from the internet.


Why can't this be simpler? 


Why can't we just set one rule on the cable modem that forwards the traffic from 73.102.1.7:23200 to 192.168.1.17:17353?


The reason is that your cable modem does not know about the latter address, nor can it directly detect your Plex server. NAT hides downstream devices from upstream ones, so nothing upstream can address them directly. In other words, if you have 100 devices sitting on your local network behind your wireless router, any device in front of your wireless router will see them as a single device (that's by design, as it allows us to stretch the number of IPv4 addresses out).


You can think of each gateway as a kind of a moat or firewall which prevents unwanted traffic from passing in. While this is desirable 99% of the time, it can be a bit tricky to configure it in those unusual situations where you really do want to let a particular type of inbound traffic in.
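
To see why each gateway needs its own rule, here is a simplified model of the three-hop chain from Steps 1 to 3. It is an added example, not Winston's own code. It assumes the explicit Step 2 rule (non-passthrough), and the router's address 192.168.50.2 and both /24 subnets are constructed for illustration.

```python
import ipaddress
import json

# Response shown above for /api/wanaddress
WAN_RESPONSE = '{"interface":"lan0","addresses":["10.1.0.2/22"]}'

def winston_wan(response):
    """Return (Winston's IP, the modem-side subnet); the /22 is the prefix length."""
    iface = ipaddress.ip_interface(json.loads(response)["addresses"][0])
    return iface.ip, iface.network

WINSTON_IP, MODEM_LAN = winston_wan(WAN_RESPONSE)
ROUTER_IP = ipaddress.ip_address("192.168.50.2")   # constructed: router's address behind Winston
PLEX_IP = ipaddress.ip_address("192.168.1.17")

def build_chain(modem_rule):
    """Each gateway: (name, subnet it can deliver to, {incoming port: (next IP, port)})."""
    return [
        ("cable modem", MODEM_LAN, {23200: modem_rule}),
        ("Winston", ipaddress.ip_network("192.168.50.0/24"),      # assumed subnet
         {23200: (ROUTER_IP, 23200)}),
        ("wireless router", ipaddress.ip_network("192.168.1.0/24"),  # assumed subnet
         {23200: (PLEX_IP, 17353)}),
    ]

def trace(chain, port):
    """Follow an inbound packet hop by hop; return (ip, port) or the reason it was dropped."""
    owners = {WINSTON_IP: 1, ROUTER_IP: 2}   # which gateway answers at each next-hop IP
    hop = 0
    while True:
        name, lan, rules = chain[hop]
        if port not in rules:
            return f"dropped at {name}: no rule for port {port}"
        ip, port = rules[port]
        if ip not in lan:
            return f"dropped at {name}: {ip} is not on its LAN {lan}"
        if ip not in owners:
            return (str(ip), port)           # reached the server itself
        hop = owners[ip]

if __name__ == "__main__":
    print(trace(build_chain((WINSTON_IP, 23200)), 23200))   # three rules, one per gateway
    print(trace(build_chain((PLEX_IP, 17353)), 23200))      # the single "simpler" rule
```

The second call fails at the cable modem because 192.168.1.17 lies outside the only subnet the modem can deliver to. Any port without a rule is dropped at the first gateway.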