When two computers on the Internet communicate they need to use IP addresses to find each other. Much like a postal address when sending mail: every envelope has a destination address where that mail needs to go.
When the Internet was created, every computer was supposed to have its own IP address, a unique number that identifies it on the whole Internet. These numbers are in a range between 0 and 4 billion and something. Since that wasn't enough for every computer in the world, we started having one IP address per home, and our router is the device that has that IP address. The router forwards all the data it receives from the computers inside your home to the rest of the Internet and sends the responses back to the computer that asked for them.
In order to do this, it also needs a way to number the computers inside your home, so it uses a specific reserved range of IP addresses, one that nobody on the Internet uses, to give every computer its own IP address. This home network of computers we call a private network or LAN (Local Area Network), and its addresses private IP addresses. The rest of the Internet we call the WAN (Wide Area Network), and the IP addresses that routers use on the Internet public IPs. We can think of it as a postal system, with public IP addresses as street names. Imagine if every street had its own post office (router) and all the mail went through it. Then every building has its own house number; that would be the private IP. On different streets you could have two buildings with the same house number, but the mail will not get confused when arriving because the street names are different.
All data sent on the Internet is packaged in some kind of envelope, a string of data that goes in front of it and says where it is supposed to go. These envelopes we call packets. Unlike mail, a return address is required for packets; we call it the source address, and the address the packet is going to the destination address.
IP addresses are usually written as a set of 4 numbers divided by dots. A typical private IP address would be 192.168.0.1.
Often in settings you will need to set up either a netmask address or add a number after a slash / on your IP address, which defines where the network part of the IP stops and the host part begins. The network part is the portion of your IP address that is the same for every computer on your home network, usually the first 3 numbers, while the fourth one changes.
A netmask is a way of writing the network part as an IP address that, in its binary format, has ones on the bits that are unchangeable on the network. So the regular netmask would be 255.255.255.0, as every number in the IP address is 8 bits long and 255 is the biggest 8-bit number. Sometimes you will see it written in hexadecimal form, such as 0xffffff00.
It is often just written as a range, for example 192.168.0.1/24. The 24 at the end represents how many bits are static (unchangeable). So 24 bits represents the first 3 numbers (3 * 8 bits = 24 bits).
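The three notations above are the same 32 bits. This added example (not from the original article) converts between them with plain bit operations and uses the mask to split an address into its network and host parts; the addresses used are the article's own.

```python
# Added example (not from the original article): the /24 prefix, the dotted
# netmask 255.255.255.0 and the hex form 0xffffff00 are the same 32 bits, and
# that mask is what splits an address into its network part and host part.

def ip_to_int(ip: str) -> int:
    """Pack a dotted IPv4 string into a 32-bit integer (4 numbers x 8 bits)."""
    parts = [int(p) for p in ip.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"not a valid IPv4 address: {ip}")
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]

def int_to_ip(n: int) -> str:
    """Unpack a 32-bit integer back into dotted form."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_to_netmask(prefix: int) -> int:
    """/prefix -> netmask: the first `prefix` bits are 1 (static), the rest 0."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def netmask_to_prefix(netmask: str) -> int:
    """Dotted netmask -> /prefix; rejects masks whose ones are not contiguous."""
    mask = ip_to_int(netmask)
    ones = bin(mask).count("1")
    if mask != prefix_to_netmask(ones):
        raise ValueError(f"{netmask} is not a valid netmask")
    return ones

def split_address(cidr: str) -> tuple:
    """'192.168.0.1/24' -> (dotted netmask, network part, host part)."""
    ip, prefix = cidr.split("/")
    mask = prefix_to_netmask(int(prefix))
    addr = ip_to_int(ip)
    network = addr & mask                 # bits shared by every computer on the LAN
    host = addr & (~mask & 0xFFFFFFFF)    # bits that differ from computer to computer
    return int_to_ip(mask), int_to_ip(network), int_to_ip(host)

def same_network(ip_a: str, ip_b: str, prefix: int) -> bool:
    """True when both addresses have the same network part (no router needed between them)."""
    mask = prefix_to_netmask(prefix)
    return (ip_to_int(ip_a) & mask) == (ip_to_int(ip_b) & mask)

if __name__ == "__main__":
    mask, net, host = split_address("192.168.0.1/24")
    print(mask, hex(ip_to_int(mask)), net, host)             # 255.255.255.0 0xffffff00 192.168.0.0 0.0.0.1
    print(netmask_to_prefix("255.255.255.0"))                # 24
    print(same_network("192.168.0.1", "192.168.0.200", 24))  # True
    print(same_network("192.168.0.1", "192.168.1.13", 24))   # False
```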
Your ISP (Internet Service Provider) has a router that connects to your home router and to the routers of your neighbours. Your ISP is in control of assigning the public IP address to your router, so you need to call them and get them to change it if you want a different one.
Your ISP does the same thing (hands the address out dynamically) with the public IP of your router, but usually doesn't even have a lease time. Whenever the router reboots it gets a new public IP address.
In order for clients on the Internet to access your server they need to know your IP address. Usually you buy a domain and point it to your public IP so that you don't have to remember your IP address. Whenever your public IP changes, you need to change your DNS (Domain Name System) settings so that your domain now points to your new IP; this can be done automatically by running specialized programs for that, or simply scripts. This automatic change of IP addresses in your DNS is called Dynamic DNS (DDNS).
To get your ISP to use a non-changing (static) IP address, you usually have to pay extra (around $5 a month). This is sometimes required by some protocols, like with email servers.
When your computer first connects to your home router, it gets an IP address assigned to it automatically using a protocol called DHCP. You can usually request a specific IP from your computer directly, or by logging in to your router's web interface and assigning it manually if your router doesn't support computers assigning IP addresses by themselves. When doing this, you should check whether that IP address is already used by some other computer; you can do this by pinging it (a computer that is switched off, or one that ignores ping, will not answer, so no reply is not a guarantee that the address is free).
ping 192.168.1.13
By default on most home routers you get a different IP address every time your computer or router restarts. Usually, if it is disconnected from the router (powered off or just unplugged from it) for less than a certain period of time (usually 24h) it will be reassigned its last IP address; otherwise it will get a new one, either randomly or the first free one in order. This period is called the lease time.
For regular users that only run applications as clients and not as servers, this causes no real problems, but when setting up a server it will always cause a huge issue with unavailability, and every time you would need to update your settings to contain the new IP.
It is best practice to set your static IP address in your router's web interface; this will require you to know the MAC address of your computer. A MAC address is a set of 6 hexadecimal numbers, divided by :, that represents the unchangeable (not really) identity of your computer (or more specifically your network card). You can find it by running the ip a command and looking for the network card that is connected to your home router. Network cards are basically called interfaces on your operating system, and there is always one loopback interface that is not a real card and shouldn't confuse you. When running the ip a command all interfaces will be shown with their IP and MAC addresses and will be numbered; the loopback interface is always numbered 1 and you should just skip it.
Wireless card names usually start with a w and are often displayed last in the list. The name of the interface is displayed right after its number, for example wlp2s0.
Wired card names usually start with e (ethernet), for example eno0.
The MAC address is shown in the second line after the interface name, right after the words link/ether. For example,
link/ether 11:2f:2a:b2:20:27
Usually you don't need to look this up manually, as it will be shown somewhere in the web interface of your router (usually with the hostname as well), usually on the same page as your DHCP settings/static IP addresses. That is where you can set up the static IP for that computer.
However, usually it is enough to set the static IP on your computer, and during Proxmox OS installation it is a required question. On other Debian based OSes, you can either set it up in your network settings if you have a web interface, or in the /etc/network directory by adding the following lines to the interfaces file (eth0 stands for the name of your interface as shown by ip a, which on modern systems is more likely to be something like eno0):
auto eth0
iface eth0 inet static
address 192.168.1.13/24
gateway 192.168.1.1
where the gateway address is the private IP of your router.
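To tie the two previous steps together, here is an added example (not from the original article) that reads the output of ip a, lists the real interfaces with the MAC address you would enter in the router's static lease page, and writes the interfaces stanza for the chosen interface. The ip a output embedded below is a constructed sample, not a capture from the author's machine.

```python
# Added example (not from the original article): parse the output of `ip a`,
# list every real interface with its MAC address (skipping loopback), and
# write the /etc/network/interfaces stanza for the one plugged into the router.
import re

# Constructed sample of `ip a` output; the MAC and IP addresses are made up.
SAMPLE_IP_A = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eno0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 11:2f:2a:b2:20:27 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.42/24 brd 192.168.1.255 scope global dynamic eno0
3: wlp2s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether aa:bb:cc:dd:ee:ff brd ff:ff:ff:ff:ff:ff
"""

HEADER = re.compile(r"^(\d+): ([^:@]+)[^:]*: <([^>]*)>")  # "2: eno0: <FLAGS,...>"
LINK = re.compile(r"^\s+link/\w+ ([0-9a-f:]{17})")         # "    link/ether 11:2f:..."
INET = re.compile(r"^\s+inet (\d+\.\d+\.\d+\.\d+/\d+)")     # "    inet 192.168.1.42/24"

def parse_ip_a(text: str) -> dict:
    """Return {name: {'index', 'mac', 'inet', 'up'}} for every non-loopback interface."""
    interfaces, current = {}, None
    for line in text.splitlines():
        if m := HEADER.match(line):
            flags = m.group(3).split(",")
            if "LOOPBACK" in flags:           # interface 1 is not a real card: skip it
                current = None
                continue
            current = {"index": int(m.group(1)), "mac": None, "inet": [], "up": "UP" in flags}
            interfaces[m.group(2)] = current
        elif current is None:
            continue                          # detail lines of a skipped interface
        elif m := LINK.match(line):
            current["mac"] = m.group(1)       # the value right after link/ether
        elif m := INET.match(line):
            current["inet"].append(m.group(1))
    return interfaces

def static_stanza(name: str, address_cidr: str, gateway: str) -> str:
    """The interfaces file lines; `name` must be the name `ip a` shows, not necessarily eth0."""
    return f"auto {name}\niface {name} inet static\n    address {address_cidr}\n    gateway {gateway}\n"

if __name__ == "__main__":
    for name, info in parse_ip_a(SAMPLE_IP_A).items():
        print(f"{info['index']}: {name}  mac={info['mac']}  inet={info['inet']}  up={info['up']}")
    print(static_stanza("eno0", "192.168.1.13/24", "192.168.1.1"))
```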
Routers are the only machines that have both a public and a private IP address.
So we have IP addresses that are for computers, but when we have multiple applications on our computer, the data requested by one app shouldn't get its response delivered to another. This is why we have a second range of numbers, between 1 and 65535, that is always sent along with the IP address to indicate a different application or a different connection from the same computer. We call those numbers port numbers.
In the above analogy of street addresses, they would be apartment numbers inside every building. You can have both a barber shop and a pastry shop in the same building, but when sending mail you need to specify the apartment number so that it reaches the right shop. The same building (computer) can provide multiple services and do multiple things; each needs a specific number to be identified.
When a computer sends a packet to someone it designates a random port as the source port and its private IP address as the source address in that packet. It also adds the destination address and port to that same packet and sends it to the router.
The router then remembers that computer's private IP and source port and relays the packet to the Internet. Before sending it to the Internet it rewrites the source IP from the private IP of the computer to its own public IP (so that the responding server knows where to send the response back to) and it sets the port number to a new random port on the router.
Routers have a database that holds the source IP and port of the computer and the source port the router specified as source when relaying the packet to the Internet. This is a NAT (Network Address Translation) table. When the router receives the response back from the server, on the source port it specified in the packet, it looks up its database and relays the response back to the computer.
They do this for every connection that is opened from any computer on the network.
This is fine for connections started from inside the network by one of the computers, which is usual for all regular users that act only as clients. However, for servers this network address translation is not enough, so we use port forwarding.
When a router receives a packet to a port that it doesn't have in its NAT table as a source port for some connection, it doesn't know to which computer inside the network to relay it. No one started that connection, so it goes to no one.
As a server we need to be able to listen on a certain port, and any packets that are received should be processed by the program that is listening on that port on our server computer. So we need to tell the router that whenever it receives an incoming connection to a certain port, it goes to our server.
This is called port forwarding, and to set it up we need to log in to the web interface of our router and find the port forwarding option. Often it is in a section called the firewall.
You can set up multiple port forwards from different port numbers to be forwarded to different computers on your network.
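The NAT table and port forwarding rules described above, as an added example (not from the original article) that models a home router: a connection opened from the LAN gets its reply back, an unsolicited packet is dropped, and a forwarding rule changes that for one port. The public and server IPs, the ports, and the laptop and server roles are all constructed.

```python
# Added example (not from the original article): a small model of a home router's
# NAT table and port-forwarding rules: replies to LAN-opened connections come back,
# unsolicited packets go to no one unless a rule (tcp, udp or "any") forwards them.
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class HomeRouter:
    def __init__(self, public_ip: str, seed: int = 1):
        self.public_ip = public_ip
        self.nat = {}       # (proto, router_port) -> (lan_ip, lan_port): who opened it
        self.forwards = {}  # (proto, public_port) -> (lan_ip, lan_port): static rules
        self._rng = random.Random(seed)   # seeded only so the output is reproducible

    def add_port_forward(self, proto: str, public_port: int, lan_ip: str, lan_port: int):
        """What the port-forwarding page of the web interface sets; 'any' covers tcp and udp."""
        for p in (("tcp", "udp") if proto == "any" else (proto,)):
            self.forwards[(p, public_port)] = (lan_ip, lan_port)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: remember the private source, rewrite it to the public IP and a free port."""
        while True:
            router_port = self._rng.randint(49152, 65535)
            if (pkt.proto, router_port) not in self.nat:
                break
        self.nat[(pkt.proto, router_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, self.public_ip, router_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet):
        """Internet -> LAN: a NAT entry wins, then a forwarding rule, otherwise drop (None)."""
        target = self.nat.get((pkt.proto, pkt.dst_port)) or self.forwards.get((pkt.proto, pkt.dst_port))
        if target is None:
            return None
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, *target)

if __name__ == "__main__":
    r = HomeRouter(public_ip="203.0.113.7")                                        # constructed addresses
    out = r.outbound(Packet("tcp", "192.168.1.20", 51234, "198.51.100.10", 443))   # laptop -> web server
    print(r.inbound(Packet("tcp", "198.51.100.10", 443, r.public_ip, out.src_port)))  # reply reaches laptop
    probe = Packet("udp", "198.51.100.10", 40000, r.public_ip, 51820)
    print(r.inbound(probe))                                   # None: nobody opened this connection
    r.add_port_forward("any", 51820, "192.168.1.13", 51820)   # the rule from the web interface
    print(r.inbound(probe))                                   # now delivered to the server at .13
```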
When adding a new port forwarding rule you will have multiple fields to set; the most important ones are:
There are usually options for the connection type: TCP, UDP or Both. In practice UDP is only used if you are hosting DNS and VPN servers, while TCP is far more common. However, it is hard to imagine a situation where the option Both (or Any) is a problem, so I suggest always using that one, as once I spent a lot of time debugging a WireGuard server just to notice that it was a TCP-only port forward.
The most confusing option is usually WAN IP, since it is often there and by default usually set to 0.0.0.0, which kind of means any IP address. It only makes sense when your router has multiple public IP addresses, which is rarely the case. So feel free to leave it blank, or with the 0.0.0.0 address if it requires something to be written there.