On the local network
Any device with a WiFi or LAN interface has a MAC address for each interface. It is normally burned into the interface by the manufacturer, although most operating systems let you override it and modern phones randomise it per network. The MAC address lets devices on the same local network segment find each other, but it is never carried beyond that segment, so it gives devices outside the network no way to reach them.
With the Internet
The Internet Protocol (IPv4) uses IP addresses to identify each interface of a device (e.g. an iPhone can have WiFi and mobile data interfaces active at the same time, each with its own IP address). For the local network to talk to the outside there has to be a router. The router holds a routing table that says where to send the IP packets other devices hand to it, and each local device is configured with the router as its default gateway: anything not addressed to the local subnet is sent to the router. The router therefore joins the internal and external networks.
Because the Internet is really a great many 'local networks' joined together, a connection across it passes through many routers: each one passes the packet upwards until it reaches a router that knows a route back down to the destination device.
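As an added illustration (not part of the original page) of how a host and a router decide where a packet goes, the Python below models two routing tables and the longest-prefix-match rule that real routers apply: the most specific prefix containing the destination wins, and the catch-all 0.0.0.0/0 route is the "send it to the router" default. The addresses, interface names and routes are constructed for the example; 203.0.113.0/24 is a documentation range standing in for the ISP.

```python
import ipaddress

# Constructed routing table for a laptop on 192.168.1.0/24 (hypothetical addresses).
# A next hop of None means "deliver directly on the local segment" (on-link).
HOST_ROUTES = [
    ("192.168.1.0/24", None, "wlan0"),       # the directly connected LAN
    ("0.0.0.0/0", "192.168.1.1", "wlan0"),   # default route: everything else via the router
]

# Constructed table for the router: two internal subnets, a specific route learned
# from a neighbour, and the upstream link to the ISP.
ROUTER_ROUTES = [
    ("192.168.1.0/24", None, "lan0"),
    ("192.168.2.0/24", None, "lan1"),
    ("10.0.0.0/8", "192.168.2.254", "lan1"),   # more specific than the default, so it wins for 10.x
    ("0.0.0.0/0", "203.0.113.1", "wan0"),      # ISP next hop (documentation address)
]


def lookup(routes, dst):
    """Longest-prefix match over a list of (prefix, next_hop, interface) entries.

    Returns (next_hop, interface); next_hop None means the destination is on-link.
    """
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]


def trace(dst):
    """Follow one packet from the host to (at most) the router and report each decision."""
    hops = []
    next_hop, iface = lookup(HOST_ROUTES, dst)
    hops.append(("host", next_hop or "on-link", iface))
    if next_hop is not None:
        # The host handed the packet to the router, which consults its own table.
        next_hop, iface = lookup(ROUTER_ROUTES, dst)
        hops.append(("router", next_hop or "on-link", iface))
    return hops


if __name__ == "__main__":
    for target in ("192.168.1.50", "192.168.2.7", "10.20.30.40", "8.8.8.8"):
        print(target, trace(target))
```

The same rule explains why a misconfigured subnet mask breaks connectivity: if the host believes its LAN is 192.168.0.0/16, a packet for 192.168.2.7 matches the on-link route and is never handed to the router.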
Limits of IPv4
There are two big limitations of IPv4:
- It has only 2^32 (about 4 billion) addresses, and that pool was exhausted years ago.
- It has no built-in security: any address can send packets to any other, and nothing in the protocol proves who the sender is.
The usual answer to the address shortage is private addressing. RFC 1918 reserves three ranges (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) that are never routed on the Internet, so the same addresses can be reused inside every home and office network. The router keeps a single Internet routable address and still joins the two networks, but now it rewrites every outbound packet so that the source is its own Internet address, remembers which local device and port the packet came from, and when the reply arrives translates the destination back to the local device's private address. This is called Network Address Translation or NAT.
There are millions, if not billions, of devices that use RFC 1918 addresses and rely on NAT to reach the Internet. Note the direction: NAT lets them start connections outwards. Nothing on the Internet can reach them unless the router is told to forward traffic in (see below).
Add a few rules controlling which external and internal traffic is allowed and the router becomes a firewall, giving the local devices some protection from unwanted access. The NAT table already does much of this job on its own: an inbound packet that matches no recorded outbound flow and no forwarding rule has nowhere to go and is dropped.
Hosting a web service using ports
The transport protocols that run on top of IPv4, TCP and UDP (see below), give each IP address 2^16 ports (0-65535) on which a program can listen for incoming traffic. This is what lets one device run a web server alongside other services: the standard ports are 80 for HTTP and 443 for HTTPS. Many Internet and web services use standard port numbers (IANA maintains the registry), but there are plenty of others, and nothing forces a service to use its assigned port.
If the device running the web server has an Internet routable address then it only needs firewall rules that allow Internet devices to reach it. But if the web server has an RFC 1918 address, the router/firewall has to be configured to translate both the address and the port for inbound traffic (port forwarding, sometimes called destination NAT). The consequences: the router cannot run a service of its own on that port, and only one local device can be reachable from the Internet on any given port.
What does this really mean? Suppose you have two web servers (192.168.1.101 and 192.168.1.102), both listening locally on the standard HTTP port 80. You want both to be accessible from the Internet, but your firewall/router has only one Internet address. The problem is that port 80 can be NAT'ed to web server .101 or to .102, not both, so one of them has to be given a non-standard external port. So you could configure:
- router port 80 -> web server .101 port 80
- router port 81 -> web server .102 port 80
This works, but there is a potential issue for web server .102: corporate firewalls usually restrict outbound access to a few selected, well-known port numbers (standard HTTP and HTTPS, etc.), and port 81 may not be among them. It is tempting to borrow a port that such firewalls do let through, for example:
- router port 21 -> web server .102 port 80
This is a poor choice. Port 21 is the FTP control port: a firewall that allows it expects FTP on it, a proxy in the path may try to speak FTP to it, and mainstream browsers (Chrome and Firefox included) refuse to send HTTP to port 21 at all because it is on their built-in list of unsafe ports. If you must use a non-standard port for HTTP, pick a high one that browsers accept (8080 or 8443 are conventional) and test it from a client behind the restrictive firewall before relying on it. If the corporate firewall really only allows 80 and 443, no port trick will help and you need the reverse proxy approach described further down.
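To make the NAT description above and the port-forwarding example concrete, here is an added Python model (not code from the original page or from any router) of what the router's state table does for the two-server setup. Outbound packets get the router's address and a fresh external port, replies are matched against the recorded flow, static forwards send chosen external ports to one internal host, and anything else is dropped. It also shows why the same external port cannot be forwarded twice. All addresses are constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """The four fields NAT cares about; payload and protocol are left out."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip):
    """True for the non-routable ranges defined by RFC 1918."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


class NatRouter:
    """Source NAT for outbound traffic plus static port forwards for inbound traffic."""

    def __init__(self, wan_ip, first_port=40000):
        self.wan_ip = wan_ip          # the router's single Internet routable address
        self.next_port = first_port   # next external port to hand out (hypothetical policy)
        self.flows = {}     # (lan_ip, lan_port, remote_ip, remote_port) -> external port
        self.reverse = {}   # (external port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self.forwards = {}  # external port -> (lan_ip, lan_port): the configured port forwards

    def forward(self, ext_port, lan_ip, lan_port):
        """Configure a port forward; one external port can only lead to one internal service."""
        if ext_port in self.forwards:
            raise ValueError(f"port {ext_port} already forwarded to {self.forwards[ext_port]}")
        self.forwards[ext_port] = (lan_ip, lan_port)

    def _remember(self, lan_ip, lan_port, remote_ip, remote_port, ext_port):
        self.flows[(lan_ip, lan_port, remote_ip, remote_port)] = ext_port
        self.reverse[(ext_port, remote_ip, remote_port)] = (lan_ip, lan_port)

    def outbound(self, pkt):
        """LAN -> Internet: replace the private source with the router's own address and port."""
        if not is_private(pkt.src_ip):
            return pkt  # already routable, nothing to translate
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        ext_port = self.flows.get(key)
        if ext_port is None:
            ext_port = self.next_port
            self.next_port += 1
            self._remember(*key, ext_port)
        return Packet(self.wan_ip, ext_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Internet -> LAN: translate replies to known flows, then static forwards; drop the rest."""
        if pkt.dst_ip != self.wan_ip:
            return None
        lan = self.reverse.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if lan is None and pkt.dst_port in self.forwards:
            lan = self.forwards[pkt.dst_port]
            # Record the flow so the server's reply leaves from the same external port.
            self._remember(lan[0], lan[1], pkt.src_ip, pkt.src_port, pkt.dst_port)
        if lan is None:
            return None  # unsolicited and not forwarded: the firewall's default is to drop
        return Packet(pkt.src_ip, pkt.src_port, lan[0], lan[1])


if __name__ == "__main__":
    router = NatRouter("203.0.113.5")
    router.forward(80, "192.168.1.101", 80)
    router.forward(81, "192.168.1.102", 80)
    print(router.outbound(Packet("192.168.1.101", 51234, "198.51.100.20", 443)))
    print(router.inbound(Packet("198.51.100.9", 55555, "203.0.113.5", 81)))
    print(router.inbound(Packet("198.51.100.9", 55555, "203.0.113.5", 8080)))  # None: dropped
```

Real routers key the table on the transport protocol as well (TCP 80 and UDP 80 are different ports) and expire idle entries after a timeout, which is why a long-silent connection through NAT can suddenly stop working.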
Using non-standard ports does have a modest benefit. Many attacks start by scanning for open (listening) ports, and the cheapest scans only check the standard ones, so a service on a high, unusual port sees less automated noise. Do not mistake this for protection: scanning all 65535 ports of one address takes seconds with modern tools, Internet-wide scanners index non-standard ports too, and a service found on port 8081 is exactly as exploitable as the same service on port 80. Patching, authentication and TLS are what protect it; the port number only thins the crowd.
Given these limits on ports, decide which services really need to be Internet accessible: do you need two web servers reachable from outside, and which one matters more and so should get the standard port?
There are other ways around the port problem, such as putting a single reverse proxy on ports 80/443 and having it pass each request on to the right internal web server according to the hostname or URL path the client asked for (the browser sends the hostname in the HTTP Host header and, for HTTPS, in the TLS handshake). The Internet then sees one address and the two standard ports, the internal servers keep their private addresses, and corporate firewalls stop being a concern because everything travels over 443. This is how the Synology NAS does it with its Reverse Proxy feature.
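An added example (not code from the page, from Synology or from any real proxy) of the decision a reverse proxy makes for every request: parse the raw HTTP request, read the Host header, pick the internal server by name or by path, and add the headers that tell that server who really connected. The hostnames, internal addresses and the rule table are constructed for the example. Requests with no Host header cannot be routed and get 400; names the proxy does not serve get 421 (Misdirected Request) rather than being blindly passed to some default server.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed rules: which public name maps to which internal server (hypothetical).
HOST_BACKENDS = {
    "www.example.com": ("192.168.1.101", 80),
    "photos.example.com": ("192.168.1.102", 80),
}
# Path rule: URLs under /photos/ on any served name also go to the second server.
PATH_BACKENDS = [("/photos/", ("192.168.1.102", 80))]


@dataclass
class Decision:
    status: int                 # 0 when proxied, otherwise the HTTP error to send to the client
    backend: Optional[tuple]    # (ip, port) of the internal server, or None
    request: Optional[bytes]    # the request as it will be sent to the backend, or None


def parse_request(raw: bytes):
    """Split an HTTP/1.x request into ((method, target, version), headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ")   # ValueError if the request line is malformed
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    return (method, target, version), headers, body


def route(raw: bytes, client_ip: str) -> Decision:
    """Decide where a request goes and build the request the backend will receive."""
    try:
        (method, target, version), headers, body = parse_request(raw)
    except ValueError:
        return Decision(400, None, None)
    host = headers.get("host", "").split(":")[0].lower()   # drop any ":port" suffix
    if not host:
        return Decision(400, None, None)   # without Host there is no way to choose a server
    backend = None
    if host in HOST_BACKENDS:
        for prefix, path_backend in PATH_BACKENDS:
            if target.startswith(prefix):
                backend = path_backend
    if backend is None:
        backend = HOST_BACKENDS.get(host)
    if backend is None:
        return Decision(421, None, None)   # a name we do not serve: refuse, do not guess
    # Forward unchanged apart from headers that reveal the real client to the backend.
    forwarded = dict(headers)
    forwarded["x-forwarded-for"] = client_ip
    forwarded["x-forwarded-host"] = host
    head = f"{method} {target} {version}\r\n" + "".join(f"{k}: {v}\r\n" for k, v in forwarded.items())
    return Decision(0, backend, head.encode("iso-8859-1") + b"\r\n" + body)


if __name__ == "__main__":
    # Constructed request from a client at 198.51.100.9 (documentation address).
    sample = b"GET /photos/cat.jpg HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: demo\r\n\r\n"
    decision = route(sample, "198.51.100.9")
    print(decision.status, decision.backend)
    print(decision.request.decode())
```

Because the backend now sees the proxy's address on every connection, the X-Forwarded-For header is the only record of the real client; the backend should trust it only when the connection really came from the proxy, and the proxy must overwrite rather than append any such header the client supplied, or clients can forge their own source address in your logs.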
A bit more information
Internet Protocol v4 carries several transport protocols; the two a newcomer meets most often are:
- Transmission Control Protocol (TCP), used by services such as HTTP on port 80 where communication must be reliable and arrive in order. TCP sets up a connection (the three-way handshake) before any data flows and retransmits anything that is lost.
- User Datagram Protocol (UDP), which is connectionless: the sender fires off packets and does not track delivery, so the application has to handle lost packets and retries itself. The most common example is a DNS lookup, which uses UDP port 53.
Note that each protocol has its own set of ports: a forwarding rule for TCP 80 says nothing about UDP 80, and the router keeps separate NAT state for each.