All right, Kirk writes, I recently attempted to create a port map for a client who uses a Comcast Business Router, the Technicolor model, and it didn't go well. Let's say I got caught. The goal was to allow FileMaker Pro, now from Claris, the traffic to pass from the outside world into a Mac mini server with a static IP address on the LAN to port 5003, which is the port that FileMaker uses. In preparation, he says, I set the DHCP pool to be, you know, dot two through dot 150, okay, great. And I assigned the Mac mini server an address above the DHCP range to dot 155, so as to avoid a possible duplicate IP address, okay. Next, I logged into the web interface on the router and went to the port forwarding settings and tried to create the port map, so that external port 5003 would map to IP address dot 155 on port 5003. That's how you do it. That's how it works, great. In creating the port map, though, the router complained and wouldn't allow me to save the settings. I deleted the port map and recreated it, power cycled the router, yada, yada, called Comcast Business Support and eventually got to a real human. The tech initially couldn't figure it out either until they suggested that the router wasn't allowing the port forward to be saved because the IP address was above the DHCP range. I changed the IP address of the server to be dot 150, the last address in the DHCP pool, and the router immediately allowed the port map to be saved. As expected, the port map allowed FileMaker Pro traffic to pass from the internet into the intranet. Perfect, great.

He says, in my experience, this breaks some basic rules of networking and avoiding duplicate IP addresses, and he's right, because he is statically assigning, just on the Mac mini, an address that now is inside the DHCP pool. The router doesn't know about it and it could choose to assign that to another device. So how to solve this problem? And I've seen this, so I've actually solved this.
This is not a theoretical thing. And one thing I've done is to leave, in this scenario, leave the Mac mini on DHCP but set a DHCP reservation for outside of the DHCP pool. DHCP reservations are supposed to happen outside of the pool. And this way, the router knows about that device, and I think this is the issue. A lot of routers won't let you set a port forward to a device that the router is unaware of, and this 155 was outside of that range, but if you set a reservation to be dot 155, then it should work. Now it is possible that the router will not let you set a DHCP reservation outside of the DHCP range. This is incorrect. It's supposed to allow you to do this by all the RFCs and all that stuff, but I've definitely seen some routers. So in this case, set the reservation to what you've done, to 150, but at least that way, the router knows that it has assigned 150 to that Mac mini and it won't assign 150 to anything else.

One side effect of this that is a wonderful bonus, because I had exactly this problem with a FileMaker server that we were hosting years ago. We had an extended power outage here at my house slash office, and so we had to, and we were using the FileMaker server for the business, so I had to move the FileMaker server somewhere else. I was doing exactly what Kirk is doing here, and I had manually set the IP address on the Mac that was running the FileMaker server, and I brought the FileMaker server over to my dad's house because it's only, you know, whatever, 10 minutes away, and I plugged it in and it was like, right, this isn't gonna work on this network because that IP is hard-coded for my network, and I didn't bring a monitor or a keyboard with me because this machine runs headless.
So I had to go back home and I had to retrieve a monitor and keyboard, or maybe I cannibalized it from one of my dad's computers or something, but it taught me the lesson that, you all, if I had left that on DHCP and let the router manage it here, as soon as I plugged it in at my dad's house the router there would have given it an IP address and I could have done it all without needing to ever plug a monitor or anything into the machine. It just would have come up on the network. So since then I have left all of my machines in DHCP mode and just let the router do the static assigning of the addresses in this way. It's all managed in one place. I don't need to manage it in 15 different places. It's a better way to do it. So hopefully that helps with your client, Kirk. I don't know that, but one part about this that I don't have experience with is the Technicolor router. And so it seems like it's got some limitations that might, you know, you might have to navigate around. Yeah, so, there you go.

Dave, you did exactly what I would have done, so. Is that right? Perfect. I'm glad to hear it, Pete. Oh. The other thing to consider, because I think we do this for one of our databases, Dave, is maybe get someone else to host your FileMaker. It looks like there's a few people that do that sort of thing. Fair, yeah, yeah. I mean, for this very specific thing, yes. Now, the issue with that is, A, you're paying for someone else to host your FileMaker database. And, you know, even us with our very limited lightweight use, I'll call it, we're using FMP host and they are fantastic. But I think it's still like 60 bucks a month, you know, so not non-trivial in the end, especially when you're gonna do that for years at a time. But they do a good job, and that, because of all the power outages here, that's why we did what we did and moved it out there. I also didn't want to have to leave a Mac running all the time.
There is now a Linux version, a very limited target Linux version of FileMaker Server. So that might be an option for hosting on, you know, on a not-Mac box or not-Windows box. The other issue with hosting FileMaker somewhere else is if most of the users are in one location, you get speed benefits of the lower latency of a connection that's right there, as opposed to everyone having to go over the internet to connect to the FileMaker server. If it's something that you're hitting all the time, there are benefits to having it running locally. That I definitely saw. None of the other people in the company saw, because they were connecting to it remotely, whether it was at my house or it was at FMP host. But I definitely noticed that it got a little bit more sluggish just because of the introduction of the internet to the equation, but yes, you are correct, John. Yeah, hosting somewhere else would solve the FileMaker problem, but it doesn't solve the port forwarding problem.

Brian has a networking, thank you, Pete. Brian has a networking question for us. He says, I think it would be useful for your listeners to hear your opinions. Oh, wait, wait, I have a question. We've already answered the first part of it. He says, would you have a discussion about what open ports are, how to create and manage them, what the related security issues are? He says, the reason this comes up is that whenever I've looked for such information, most writers spend the bulk of an article talking about how open ports on your router create major security risks and therefore should be absolutely avoided unless super necessary. Yet they seem to be part and parcel of running a NAS, a FileMaker server, routers, et cetera. Can you shed some light on this?
So yeah, in general, if we're thinking about our routers as firewalls, and most of us that are running routers where we get one IP address from the outside world and then share it with a bunch of things on the inside world, which is exactly what was happening in Kirk's scenario, right? We had traffic coming into the main IP address of the office on a specific port and we're routing that to a different IP address internally that can't be seen from the outside otherwise. And that's the key part of where I wanna dig here. That effectively creates a firewall for you, but until you poke that hole, right? Because traffic coming in, if the router doesn't have specific instructions about what to do with that traffic, it's simply going to ignore it. So the default behavior is effectively a firewall. Now it's not technically, and I'm sure there's network security folks out there, hi, Scott, it was great to have lunch with you, who will tell us that that's not what a firewall is and that's not, you shouldn't be telling people to think of these as firewalls. And you're all correct. But in a sense, that's exactly what's happening. It's just not letting that traffic in. And so when you do open a port, like for example, with Kirk, we open port, or he opened port 5003 to point to their FileMaker server, that creates a potential security hole because now if people in the outside world know that 5003 is FileMaker, they can target that server. And if they know about any exploits that are specifically available on FileMaker servers, maybe FileMaker servers that haven't been updated in six months or something like that, then they could try those exploits on port 5003 on your network and potentially get in. Whereas if you didn't open that port, they couldn't get in. So this is where network security experts will correctly state that, all else being equal, open ports create security risks, because it's just like, I equate it to our houses, right?
We could all choose to live in houses with nothing but brick walls, right? And that would be pretty safe from people trying to get in from the outside. But it would also mean you can't get out or in either. So you create a door, right? Okay, well, now that there's a door, you can get in and out, super convenient for you. Sure, but what about all these people that wanna intrude? Well, they can use the door too. And, you know, well, now you wanna add windows because they're nice and convenient and they're pretty and they let light in. Well, okay, people might be able to see in through your windows and that might be a security risk. Right, so this is the way to think about this stuff is you need to do some of it in order to live on your network and make your network work for you. Just be aware of what you are doing and why you are doing it and maybe audit your port forwards once every few months on your router just to make sure that you don't wind up with some lingering ones that you don't need anymore and close those down so that you're being intentional about what ports you're opening. So I hope that helps. I know we've gotten this question a couple of times and I've actually been saving Brian's question for several months here and it seemed perfect to kind of put it after we talked about Kirk because that's the flow through here. That's the reason you would want that.
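As an added example that is not from the podcast or from any router vendor, here is a small Python audit that ties the two halves of this segment together: it checks a router's port-forward list against the DHCP pool and reservations, flagging Kirk's two situations (a forward to a static address inside the dynamic pool with no reservation, and a forward to a host the router has no record of) as well as stale rules pointing off the LAN and duplicate external ports. The rule and config shapes are my own (routers export this differently), the 192.168.1.0/24 prefix is assumed since only "dot two through dot 150" was given, and all sample forwards are constructed.

```python
"""Audit router port forwards against the DHCP pool and reservations.

Constructed sample data modelled on the scenario discussed above. The
field names and the audit rules are my own, not any router's real
export format.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Forward:
    """One port-forward rule: external port -> internal ip:port."""
    external_port: int
    internal_ip: str
    internal_port: int
    protocol: str = "tcp"
    label: str = ""


@dataclass
class DhcpConfig:
    """The router's DHCP view of the LAN: subnet, pool bounds, reservations."""
    subnet: str                      # assumed prefix, e.g. "192.168.1.0/24"
    pool_start: str                  # first dynamically assigned address
    pool_end: str                    # last dynamically assigned address
    reservations: dict[str, str] = field(default_factory=dict)  # ip -> hostname

    def in_subnet(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(self.subnet, strict=False)

    def in_pool(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return ipaddress.ip_address(self.pool_start) <= addr <= ipaddress.ip_address(self.pool_end)


def audit_forwards(forwards: list[Forward], dhcp: DhcpConfig) -> list[dict]:
    """Return one finding per problem; an empty list means every rule is clean."""
    findings: list[dict] = []
    seen: dict[tuple[str, int], str] = {}
    for fw in forwards:
        tag = f"{fw.protocol}/{fw.external_port} -> {fw.internal_ip}:{fw.internal_port} ({fw.label})"
        key = (fw.protocol.lower(), fw.external_port)
        if key in seen:
            # Two rules on the same external port/protocol: only one can win.
            findings.append({"severity": "error", "rule": tag,
                             "issue": f"duplicate external port; conflicts with {seen[key]}"})
        else:
            seen[key] = tag
        if not dhcp.in_subnet(fw.internal_ip):
            # Target is not even on this LAN: a leftover from an old network.
            findings.append({"severity": "error", "rule": tag,
                             "issue": "target is not on the LAN subnet; stale rule, remove it"})
            continue
        if fw.internal_ip in dhcp.reservations:
            continue  # router knows this host and will keep the address for it
        if dhcp.in_pool(fw.internal_ip):
            # Kirk's workaround: static address inside the dynamic pool.
            findings.append({"severity": "warning", "rule": tag,
                             "issue": "address is inside the dynamic pool with no reservation; "
                                      "the router may lease it to another device"})
        else:
            # Kirk's original setup: router has no idea who lives at this address.
            findings.append({"severity": "warning", "rule": tag,
                             "issue": "no lease or reservation for this host; add a reservation "
                                      "or remove the rule if the host is gone"})
    return findings


# Constructed sample: pool .2-.150 as in the question, Mac mini reserved at .155.
SAMPLE_DHCP = DhcpConfig(subnet="192.168.1.0/24", pool_start="192.168.1.2",
                         pool_end="192.168.1.150",
                         reservations={"192.168.1.155": "mac-mini-filemaker"})
SAMPLE_FORWARDS = [
    Forward(5003, "192.168.1.155", 5003, "tcp", "FileMaker Pro"),        # clean
    Forward(3283, "192.168.1.150", 3283, "tcp", "ARD, old static host"), # in pool, unreserved
    Forward(8443, "192.168.1.200", 443, "tcp", "NAS web UI"),            # unknown host
    Forward(5003, "192.168.1.155", 5003, "tcp", "FileMaker Pro (dup)"),  # duplicate port
    Forward(32400, "10.0.0.5", 32400, "tcp", "media server, old LAN"),   # off-subnet
]


def sample_audit() -> list[dict]:
    return audit_forwards(SAMPLE_FORWARDS, SAMPLE_DHCP)


if __name__ == "__main__":
    for f in sample_audit():
        print(f"[{f['severity'].upper()}] {f['rule']}: {f['issue']}")
```

Feed it the forward table and DHCP settings copied out of the router's web UI every few months; anything it prints is either a rule to delete or a host that needs a reservation so the router actually knows about it.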