Understanding Port Forwarding – Beginners Guide

What is Port Forwarding and What Does it Do?

Port forwarding is a technique that is used to give external devices access to computer services on private networks.

It does this by mapping an external port on the router to an internal IP address and port.

Most online gaming applications will require you to configure port forwarding on your home router.

To understand port forwarding you need to understand what a TCP/IP port is and how ports and IP addresses are used together.

You will also need to appreciate the difference between internal and external IP addresses and internal and external ports.



TCP/IP Ports

A TCP/UDP port identifies an application or service on a machine in a TCP/IP network.

On a TCP/IP network every device must have a unique IP address.

The IP address identifies the device.

However a device can run multiple applications/services.

The port identifies the application/service running on the machine.

The use of ports allows a computer/device to run multiple services/applications.

Standard port numbers (0-1023) are allocated to server services by the Internet Assigned Numbers Authority (IANA) and are reserved. As an example, web servers normally use port 80 and SMTP servers use port 25.

The combination of IP address plus port is known as a socket. See Network Ports Explained

As an example, imagine sitting at your PC at home with two browser windows open: one looking at the Google website and the other at the Yahoo website.

The connection to Google would be:

Your PC: IP1 + port 2020 <----> Google: IP2 + port 80 (standard port)

The connection to Yahoo would be:

Your PC: IP1 + port 2040 <----> Yahoo: IP3 + port 80 (standard port)

Notes: IP1 is the IP address of your PC. Client port numbers are dynamically assigned and can be reused once the session is closed.

Returning to Port forwarding..

On home or small office networks the router uses NAT (Network Address Translation), which allows internal devices to share a single external IPv4 address.

The IP addresses on the Internal network are private addresses and are not routable on the Internet.

External computers or devices only see the public IP address that is assigned to the NAT router interface.

The NAT router maps an Internal IP address + Internal Port to the external IP address + external port.

External devices send packets to the external IP address and external port.

The NAT router maps those packets and re-transmits those packets on the Internal network to the Internal IP address and internal port.

The ports used by NAT are normally randomly assigned which is OK when the session is initiated from the Internal network.

However if you want, for example, to host a website on your internal network and that website needs to be accessible to external clients then you will need to use a standard port (port 80 for http) as the external client expects this.

To do this you statically map the external IP address + port 80 to the Internal IP address of the web server + port 80. — This is port forwarding.

For home users the most common reason to use port forwarding is gaming.
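The mapping behaviour described above, as an added example that is not from the original article: a toy NAT router with a dynamic table for sessions started from inside and a static table for port forwards. The class, its method names, the dynamic port pool and all addresses are constructed, and the model assumes the router only accepts replies from the remote endpoint a session was opened to (real routers vary).

```python
# Added example: a toy model of a NAT router's mapping tables (not router firmware).
# All IP addresses and port numbers below are constructed for illustration.
import itertools


class NatRouter:
    def __init__(self, external_ip):
        self.external_ip = external_ip
        self.static = {}    # (proto, ext_port) -> (int_ip, int_port): port forwards
        self.dynamic = {}   # (proto, ext_port) -> (int_ip, int_port, remote_ip, remote_port)
        self._ports = itertools.count(50000)  # assumed pool for dynamic ports

    def add_forward(self, proto, ext_port, int_ip, int_port):
        """Static mapping: one external port can point at only one internal socket."""
        key = (proto, ext_port)
        if self.static.get(key, (int_ip, int_port)) != (int_ip, int_port):
            raise ValueError(f"{proto}/{ext_port} is already forwarded to {self.static[key]}")
        self.static[key] = (int_ip, int_port)

    def outbound(self, proto, int_ip, int_port, remote_ip, remote_port):
        """Session started from inside: the router picks a free external port."""
        ext_port = next(p for p in self._ports if (proto, p) not in self.static)
        self.dynamic[(proto, ext_port)] = (int_ip, int_port, remote_ip, remote_port)
        return self.external_ip, ext_port

    def inbound(self, proto, src_ip, src_port, ext_port):
        """Return the internal (ip, port) a packet is delivered to, or None if dropped."""
        key = (proto, ext_port)
        if key in self.static:
            return self.static[key]            # forwarded: any external sender is accepted
        entry = self.dynamic.get(key)
        if entry and entry[2:] == (src_ip, src_port):
            return entry[:2]                   # reply to a session opened from inside
        return None                            # unsolicited: no mapping, so dropped


def demo():
    nat = NatRouter("203.0.113.10")
    out = {}
    # Outbound browsing creates a dynamic mapping; only that server's replies get back in.
    _, ext = nat.outbound("tcp", "192.168.1.5", 2020, "198.51.100.80", 80)
    out["reply"] = nat.inbound("tcp", "198.51.100.80", 80, ext)
    out["stranger"] = nat.inbound("tcp", "198.51.100.99", 4444, ext)
    # An internal web server is unreachable until port 80 is forwarded to it.
    out["before"] = nat.inbound("tcp", "198.51.100.99", 4444, 80)
    nat.add_forward("tcp", 80, "192.168.1.20", 80)
    out["after"] = nat.inbound("tcp", "198.51.100.99", 4444, 80)
    # Two internal hosts offering the same service need different external ports.
    nat.add_forward("tcp", 5900, "192.168.1.11", 5900)
    nat.add_forward("tcp", 5901, "192.168.1.12", 5900)
    try:
        nat.add_forward("tcp", 5900, "192.168.1.12", 5900)
        out["conflict"] = False
    except ValueError:
        out["conflict"] = True
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:9} -> {value}")
```

The static entry is the only one that accepts traffic from any external sender, which is why a forward exposes the internal service to the whole Internet.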

Enabling Port forwarding and Checking Open Ports

Before you set up port forwarding you should ideally configure a static IP address for the internal device.

This step is important as the forwarding will be set to send packets to a specific internal IP address.

Depending on your application you may need a list of ports that need to be available from the external network (i.e. the Internet) and forwarded to the internal network.

To configure port forwarding on your router you will need Admin privileges.

This site has a comprehensive guide covering 100s of routers, and also port lists for many of the games/applications.

Regardless of exactly how you configure it, as it varies by device, what you are essentially doing is creating a mapping table that maps an external address and port to an internal address and port.

This video shows how to configure port forwarding on a BT Home Hub.

This video shows you how to set it up on a Linksys router. It also shows you how to set a static IP address for your machine.

Once you have forwarded the ports you may want to check that they are really open using an open port checker.

Connecting to a Forwarded Port

To connect to the forwarded port from the Internet you will need to know the external IP address of the Router and the Port number that has been allocated.

However using an IP address instead of a domain name is not very convenient, in addition the external IP address can change as most ISPs assign these addresses using DHCP.

Therefore when using port forwarding you might also want to consider using Dynamic DNS.

Port Forwarding Example

Below is a screen shot of my home router configuration which shows the ports I’ve forwarded.

Notice my router doesn’t have a field for the external IP address as it isn’t really necessary.

However some do and it is usually then configured to 0.0.0.0.

[Image: port-forwarding-example]

Checking Open Ports

You can see from the screenshot above that I’ve opened ports 1800, 1884 and 8884.

I used the online open port checker to check those ports and also one that shouldn’t be open and you can see the results below.

[Image: open-port-checker]

Note: I’ve hidden my external IP address for security reasons.
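A local version of the same check, as an added example that is not from the original article: it classifies one TCP port as open, closed or filtered, and can start a temporary listener so a forwarded port has something to answer the checker. Function names are constructed, it covers TCP only, and it is meant to be run against your own external address from a machine outside your network.

```python
# Added example: TCP reachability check for your own forwarded ports.
# Function names are constructed; this is not the online checker's code.
import socket
import sys
from contextlib import contextmanager


def check_tcp_port(host, port, timeout=3.0):
    """Classify one TCP port by attempting a full connection to it."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"        # handshake completed: a service answered
    except ConnectionRefusedError:
        return "closed"          # host reached, but nothing listens on that port
    except socket.timeout:
        return "filtered"        # no answer: no forward, or a firewall dropped it
    except OSError:
        return "error"           # name lookup failed or network unreachable


@contextmanager
def temporary_listener(bind_ip, port):
    """Listen on the internal host so that a forwarded port can be tested
    even when the real service is not running. Port 0 picks a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_ip, port))
    srv.listen(5)
    try:
        yield srv.getsockname()[1]   # the port actually bound
    finally:
        srv.close()


if __name__ == "__main__":
    # Usage: python portcheck.py <host> <port> [<port> ...]
    target = sys.argv[1]
    for p in sys.argv[2:]:
        print(f"{target}:{p} is {check_tcp_port(target, int(p))}")
```

A correctly forwarded port still reports closed when no service is listening on the internal device, so start the service (or the temporary listener) before checking.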

Port Triggering

This is a type of dynamic port forwarding where ports are opened by an application, and don’t require prior setup.

The application connects to the designated trigger port on the router which tells the router to open a specific port for inbound traffic.

After the application has finished it closes the ports it opened.

Because the ports aren’t left open it is considered more secure than port forwarding.

UPnP (Universal Plug and Play)

You may have noticed that your games work OK on the Internet even though you have not configured port forwarding.

This is most probably because the router has UPnP enabled.

Using the UPnP protocol an application can open ports on the router.

The screen shot below is taken from my router and shows a standard port forwarding rule and one set up automatically using UPnP.

[Image: router-upnp]

Using UPnP is considered insecure and it should be avoided if possible.

However most routers come with UPnP enabled by default.
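Because UPnP can add rules without the administrator seeing them, it is worth reviewing the router's forwarding table from time to time. The following added example (not from the original article) audits a constructed rule table for three things this guide warns about: rules created by UPnP, forwards that point into the DHCP pool instead of at a static address, and two rules claiming the same external port. The rule format, field names, DHCP range and addresses are all assumptions; routers present this table differently.

```python
# Added example: audit a forwarding table copied from a router's admin page.
# The rule format, field names and every address below are constructed.
import ipaddress

RULES = [  # constructed sample data
    {"name": "mqtt",   "proto": "tcp", "ext_port": 1884, "int_ip": "192.168.1.20",
     "int_port": 1884, "origin": "manual"},
    {"name": "game",   "proto": "udp", "ext_port": 8884, "int_ip": "192.168.1.150",
     "int_port": 8884, "origin": "upnp"},
    {"name": "camera", "proto": "tcp", "ext_port": 1800, "int_ip": "192.168.1.130",
     "int_port": 80, "origin": "manual"},
    {"name": "mqtt2",  "proto": "tcp", "ext_port": 1884, "int_ip": "192.168.1.21",
     "int_port": 1884, "origin": "manual"},
]


def audit_forwards(rules, dhcp_start, dhcp_end):
    """Return (rule name, finding) pairs for rules that deserve a second look."""
    lo = ipaddress.ip_address(dhcp_start)
    hi = ipaddress.ip_address(dhcp_end)
    claimed = {}     # (proto, ext_port) -> name of the first rule using it
    findings = []
    for rule in rules:
        name = rule["name"]
        # Rules opened by an application through UPnP were never reviewed by you.
        if rule["origin"] == "upnp":
            findings.append((name, "upnp"))
        # A target inside the DHCP pool can be leased to a different device
        # later, and the forward would then expose that device instead.
        if lo <= ipaddress.ip_address(rule["int_ip"]) <= hi:
            findings.append((name, "dhcp-pool"))
        # One external port can only map to one internal address and port.
        key = (rule["proto"], rule["ext_port"])
        if key in claimed:
            findings.append((name, "duplicate-external-port"))
        else:
            claimed[key] = name
    return findings


if __name__ == "__main__":
    for name, finding in audit_forwards(RULES, "192.168.1.100", "192.168.1.199"):
        print(f"{name}: {finding}")
```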

Summary

Port forwarding maps external IP addresses and ports to internal IP addresses and ports, allowing access to internal services from the Internet.

It is configured on home routers and it is necessary because home routers use NAT which isolates the home network from the Internet.

Common Questions and Answers

Q- Is the External IP address mapped to the Internal IP Address?

A- No, the external port is mapped, and not the external IP address. The external IP address might change; see Dynamic DNS.

Q- Should I use a static Internal IP address or can I use addresses assigned by DHCP?

A- You should always use a static one.

Q- Do I need to forward both the TCP and UDP ports?

A- It depends on the application. You need to check which ports the application uses.

Q- How do I know if my device has a static address or a dynamic one?

A- You have to go to the device and examine the settings or look at your DHCP server.

Q- How do I know what port I need to forward?

A- You need to know what port the service you want to use is using. However most home routers will have a list of common games and applications and you just need to select it and it will automatically select the ports.

[Image: select-game-forward]

Q- How do I know if I have configured it correctly?

A- You can use an online port forwarding checker to check that the ports are open.

Q- What is strict NAT?

A- Microsoft define three levels of NAT: Strict, Moderate and Open. Devices that perform strict or moderate NAT can affect gamers on Xbox. See this article for help.

Q- Does port forwarding affect my home network security?

A- Yes, because you are exposing the home network to the Internet, meaning that external devices can access internal devices.

Q- I’m using port forwarding. Should I also use DDNS (dynamic DNS)?

A- Almost certainly yes, unless you are using it on a permanent basis.


66 comments

  1. Hi Steve,

    I have a local website running on a WAMP local webserver (set for public access) on a PC. The PC is connected to a router that is not connected to the Internet or to any Service Provider. I now want mobile phones to be able to access my local website by connecting to the router and then entering an address to the webserver (some local ip address perhaps?). I have tried adding port forwarding for port 80 into the router (TP-Link N-600) but it wont allow me to add forwarding because it says there is ‘No available interface’ Is any of this possible without requiring the router to be connected to the Internet?

    1. That makes sense as you have no internet. I assume the router is wi-fi. You don’t need port forwarding as everything is local. You just need to type in the address of the PC.
      However some wi-fi routers don’t work without an Internet connection. If that is the case you need a Wireless access point. You can usually set up your mobile as an access point (hotspot).
      rgds
      steve

  2. Hey Steve, thanks for your guide. I’m trying to create a port forward/virtual server for my PS5 to solve really bad lag and 1000ms ping. When setting it up it’s asking for a WAN Port name, which I’m not sure what to type? It asks for two values with a “-“ in between.

        1. Then you need to choose the Internet Wan port. Usually you have a drop down for selection. If you are still having probs send me the make and model and I will search for the manual

  3. Dear Sir,
    My android app retrieving data from sql server works only when the laptop where the server is and mobile phone are on the same network. In order to get on different networks, I created no-ip hostname. How can I set up port, as I am repeatedly receiving android error message: java.net.ConnectException: failed to connect to namsu.ddns.net/103.169.214.154 (port 1433) from /:: (port 34421): connect failed: ETIMEDOUT (Connection timed out)
    In the above message, namsu.ddns.net is the hostname created in no-ip, 103.169.214.154 is the IP/Target in no-ip, port 1433 is the laptop’s port (internal port?)

    I should feel obliged if you kindly guide me to the right way.

    Fysal Usman

  4. Hello Steve,

    I have a question, I want to forward port 2302 for hosting ARMA 3 cooperative games, I use my internal IP 192.168.0.192, local and external port range all 2302, TCP/UDP both, enable, save, close router page… then I go to check via the port checker you linked, port is closed…. any help would be appreciated.

    Thanks

    1. It looks like you followed the right steps. Are you sure of the network address 19.168.0.192 as 192.168.1.192 is more common 0 tends not to be used as a network address, and was previously supported. Is the game console connected and operating on the network?

    2. for a port checker to find that the port is effectively forwarded it has to receive some kind of answer when it does the checking, either you don’t have arma 3 open when you do the check, or arma 3 doesn’t understand what the port checker is asking, doesn’t answer and therefore the check answer is port not open

      most port forwarding problems are due to a firewall/antivirus on the server host

      when I want to check that a port is open I use miniweb, miniweb.exe -p 2302, then run again the portforwarding checker

  5. Hi, this is afzal. My question is: is it possible to port forward to a block of addresses such as a /29 or /28 address?

  6. Steve

    My son wants to host a game server with a vpn and static IP address. We have purchased the vpn, but it still requires opening a port on our router. Is him hosting his server going to open the rest of the machines on our network to risk of hacking? If so, how high is the risk and what could hackers theoretically do?

    1. Opening the port will only expose that machine provided the port forwarding is set correctly. However hackers could use that machine to attack the network. But I’m not a security expert and not a hacker and so I could not really tell you what could be done. However what you are doing is common.

  7. Steve, nice article.

    My DVR allows remote viewing and programming with these ports
    Public port to Private Port
    21326 >> 8887
    21325 >> 80

    With Linksys routers, these Single Port Forwards are easy to do with just two rules.

    I now have a Cox rented modem/router that does not seem to associate a public port to a private port as the LinkSys does. So I have now forwarded ports 80 and 8887 with no reference to the other two ports. My DVR works with this, but I fear that I am open to attack without specifying public ports.

    Cox wants to have me subscribe to a service program for $10 a month to discuss this. I also understand that the settings are in the cloud and not on the physical router. It is all marketing and no technical which is a big contrast to LinkSys. I am considering getting rid of their rental router and replacing with approved 3rd party LinkSys.

    Your thoughts?

    1. Tom
      Generally you don’t forward a port but a port on a specific device, i.e. your DVR. Almost all routers have this feature. I would take another look at the router.

  8. Hello Steve, thanks for the tutorial, it is useful for first-time user like myself.

    I want to create port forwarding rule but I still can’t figure out a few more things. Hopefully you can give me some guides on this.

    I want to set up an FTP service from home. I put 192.168.1.100 as my server IP, port 21. In my home router setting, I entered this IP & port in my rule. What about ‘external min & max port’? How do I find/assign this external port number that is available for my use?
    Thank you

      1. Hello Steve,

        Great info. I assigned port 16666 as my external min & max port. When I used the portchecker portal with my laptop, the portal shows my external IP and I enter the same port number, but result shows that it is closed. Could it be firewall blocking? Thank you.

  9. First, thanks for the information. Well explained, but I’m still unclear for what I am trying to do. Setting up/dealing with network issues is one of my stumbling points.

    I have access to the Internet via a cable modem/router (Xfinity). I also have a LAN setup via a TP-Link router for a Raspberry Pi 4 music system. The cable setup is in one room (with extenders) and the music router is another room due to the location of the receiver. I would like to modify my setup such that I can access the music system via the cable modem/router setup so that I have access to the music system from anywhere in the house network AND so I don’t have to keep switching networks to access the music system or the internet.

    Is this possible? Is port forwarding the answer or is there another way of doing it? Thanks for your time and any response.

    1. Using two routers on a home network isn’t a good idea. Home networks tend to have a router connected to the Internet and all other internal devices would be switches not routers.
      Can you use the ask steve page to contact me then you can send me a quick sketch of your layout. But a quick guess would be to swap the tplink router for a switch.
      Rgds
      Steve

  10. Thanks for taking the time to construct these excellent tutorials. It finally brought everything together in my feeble brain. Question(s): does the risk of port forwarding warrant the use of cascaded routers/firewalls? I’m thinking of having just one computer tied directly to my current router to act as a game server with port forwarding, then have a second router without port forwarding tied off of the first router that will protect the rest of my machines, data, etc. The alternative for me would be to enable/disable port forwarding whenever I want to use my game server. Am I being too paranoid? Last question: do I need to use several ports to handle several different players (outside computers), or accept them all through 1 port to my server? Thanks,

  11. Hi Steve!
    I was trying to access my local IP over the internet remotely. Here’s the case. In my home network, there’s a simple HTTP.SERVER (which is a webpage/web-server) (192.168.159.xx:1234) we use in the home to share & download our files. When I’m at home, I can access this server right from my PC browser. Now I wanted to access this page remotely over the internet. I have no idea if it’s using tcp or udp port. Will I be able to access this server only by forwarding port 1234 (as u did) & browsing *my.Extr.Ip:1234* on a remote computer browser? What can I do to access my home network? Please help!… One thing to add, I can access my router settings remotely over the internet (i.e. using router’s ext.ip & specific port number). Thank you!

    1. Hi
      Yes you set port forwarding on the home router. You choose an external port to use e.g. 8080 and port forward this to the internal server on 192.168.159.xx:1234 if 1234 is the port you are using on this server.
      Rgds
      Steve

  12. If I can my lock port assigned in order to be able to connect using which port id like, would that work. I’m trying to have several port listeners configured for accessing a range of external ports.

  13. Well done Steve,
    Excellent article on the topic. Have looked at several explanations and “how to” for port forwarding and your efforts are by far the clearest I have seen to date. Many Thanks.

  14. Hi Steve

    Have forwarded a port on my router and created rules in Windows (10) Defender/Firewall to allow that port in and out. However, the port forwarding checker says it cannot see the port. Any ideas?

    NB I’m in South Africa, running via a VPN to London, England. Not sure if that makes a difference?
    Regards
    Steve

    1. hi
      your location doesn’t make a difference. Are you forwarding UDP? If UDP not sure that the port checker will detect it.
      I would recheck the config. You can send me a screen shot of your port forwarding screen on the router if possible and I’ll take a look. Use ask steve page.
      Do you have the url of the port forwarding checker?
      Rgds
      steve

  15. Ummm…. I’m confused! I have TalkTalk and want to open UDP port 3075 to play call of duty but I have no idea what to do? I have no clue what application I should use or anything. By the way, I’m only 14 so please don’t judge. 🙂

      1. Hi Steve,
        I have read several articles on your page, and I really love what you are doing! Very helpful especially to beginners.
        I’ll have more of my friends subscribe to your site to benefit like I do…
        Blessings, Viva!

  16. Thank you Steve. I think I was doing it backward. I was trying to use a different port for each machine on the local network but what you’re saying makes a LOT more sense.

    I appreciate the followup.

    Tom

  17. This is a really great simple article. Your break down of it really helped me flush out some of the gaps in my knowledge.

    The one thing I can’t seem to figure out is how to forward a service to multiple machines. For example, if I’m using port 5900 for remote access, but I want to access any of 10 different computers on my home network, how would I do that with a routing table? I feel like there is one piece of the puzzle I’m still not understanding.

    1. Hi
      You would use a different port on the external interface for each computer, e.g. 5900, 5901, 5902.
      On the internal network they could all use port 5900 as they have different IP addresses.
      On the external network they share the external IP address which is why they need to use different port numbers.
      rgds
      steve
