Understanding Port Forwarding – Beginners Guide

What is Port Forwarding and What Does it Do?

Port forwarding is a technique that is used to give external devices access to computer services on private networks.

It does this by mapping an external port on the router to an internal IP address and port.

Most online gaming Applications will require you to configure port forwarding on your home router.

To understand port forwarding you need to understand what a TCP/IP port is and how ports and IP addresses are used together.

You will also need to appreciate the difference between internal and external IP addresses and internal and external ports.



TCP/IP Ports

A TCP/UDP port identifies an application or service on a machine in a TCP/IP network.

On a TCP/IP network every device must have a unique IP address.

The IP address identifies the device.

However a device can run multiple applications/services.

The port identifies the application/service running on the machine.

The use of ports allows a computer/device to run multiple services/applications.

Standard port numbers are allocated to server services (0-1023) by the Internet Assigned Numbers Authority (IANA) and are reserved. As an example, web servers normally use port 80 and SMTP servers use port 25.

The combination of IP address plus port is known as a socket. See Network Ports Explained

As an example, imagine sitting at your PC at home with two browser windows open, one looking at the Google website and the other at the Yahoo website.

The connection to Google would be:

Your PC – IP1 + port 2020 ——– Google IP2 + port 80 (standard port)

The connection to Yahoo would be:

Your PC – IP1 + port 2040 ——– Yahoo IP3 + port 80 (standard port)

Notes: IP1 is the IP address of your PC. Client port numbers are dynamically assigned and can be reused once the session is closed.

Returning to port forwarding.

On home or small office networks the router uses NAT (Network Address Translation), which allows internal devices to share a single external IPv4 address.

The IP addresses on the Internal network are private addresses and are not routable on the Internet.

External computers or devices only see the public IP address that is assigned to the NAT router interface.

The NAT router maps an Internal IP address + Internal Port to the external IP address + external port.

External devices send packets to the external IP address and external port.

The NAT router maps those packets and re-transmits those packets on the Internal network to the Internal IP address and internal port.

The ports used by NAT are normally randomly assigned which is OK when the session is initiated from the Internal network.

However if you want, for example, to host a website on your internal network and that website needs to be accessible to external clients then you will need to use a standard port (port 80 for http) as the external client expects this.

To do this you statically map the external IP address + port 80 to the Internal IP address of the web server + port 80. — This is port forwarding.
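The translation described above can be modelled in a few lines. This is an added example, not code from the original article: the NatRouter class, the addresses and the sequential choice of dynamic ports are assumptions made for illustration. It shows that replies to sessions started inside are delivered, that inbound packets reach an internal server only through a static forward, and that anything else is dropped.

```python
class NatRouter:
    """Toy model of a home NAT router's translation tables (hypothetical class)."""

    def __init__(self, external_ip, first_dynamic_port=40000):
        self.external_ip = external_ip
        self.forwards = {}   # static: (proto, ext_port) -> (int_ip, int_port)
        self.sessions = {}   # dynamic: same shape, created by outbound traffic
        self._next = first_dynamic_port

    def add_forward(self, proto, ext_port, int_ip, int_port):
        """Create a static port-forwarding rule; an external port is usable once."""
        key = (proto, ext_port)
        if key in self.forwards:
            raise ValueError(f"{proto}/{ext_port} is already forwarded")
        self.forwards[key] = (int_ip, int_port)

    def outbound(self, proto, int_ip, int_port):
        """Internal host starts a session; return the socket the Internet sees."""
        # Real routers usually pick this port at random; sequential keeps the demo repeatable.
        while (proto, self._next) in self.forwards or (proto, self._next) in self.sessions:
            self._next += 1
        self.sessions[(proto, self._next)] = (int_ip, int_port)
        return (self.external_ip, self._next)

    def inbound(self, proto, ext_port):
        """Return the internal socket a packet is delivered to, or None if dropped."""
        # Simplification: a real NAT also matches the remote address of a session.
        key = (proto, ext_port)
        return self.forwards.get(key) or self.sessions.get(key)


def demo():
    router = NatRouter("203.0.113.10")                   # constructed external address
    router.add_forward("tcp", 80, "192.168.1.21", 80)    # first internal web server
    router.add_forward("tcp", 8080, "192.168.1.22", 80)  # second one needs another external port
    pc_a = router.outbound("tcp", "192.168.1.5", 2020)
    pc_b = router.outbound("tcp", "192.168.1.6", 2020)   # same client port, different PC
    return {
        "pc_a": pc_a, "pc_b": pc_b,
        "reply_to_pc_a": router.inbound("tcp", pc_a[1]),
        "web_1": router.inbound("tcp", 80),
        "web_2": router.inbound("tcp", 8080),
        "unsolicited": router.inbound("tcp", 9999),      # no rule, no session
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:14} {value}")
```
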

For home users the most common reason to use port forwarding is gaming.

Enabling Port forwarding and Checking Open Ports

Before you set up port forwarding you ideally will need to configure a static IP address for the Internal device.

This step is important as the forwarding will be set to send packets to a specific internal IP address.

Depending on your application you may need a list of ports that need to be available from the external network (i.e. Internet) and forwarded to the internal network.

To configure port forwarding on your router you will need Admin privileges.

This site has a comprehensive guide covering 100s of routers, and also port lists for many of the games/applications.

Regardless of exactly how you configure it, as it varies by device, what you are essentially doing is creating a mapping table that maps an external address and port to an internal address and port.

This video shows how to configure port forwarding on a BT Home Hub.

This video shows you how to set it up on a Linksys router. It also shows you how to set a static IP address for your machine.

Once you have forwarded the ports you may want to check that they are really open using an open port checker.

Connecting to a Forwarded Port

To connect to the forwarded port from the Internet you will need to know the external IP address of the Router and the Port number that has been allocated.

However, using an IP address instead of a domain name is not very convenient. In addition, the external IP address can change, as most ISPs assign these addresses using DHCP.

Therefore when using port forwarding you might also want to consider using Dynamic DNS.

Port Forwarding Example

Below is a screen shot of my home router configuration which shows the ports I’ve forwarded.

Notice my router doesn’t have a field for the external IP address as it isn’t really necessary.

However some do and it is usually then configured to 0.0.0.0 .

[Screenshot: port forwarding example]

Checking Open Ports

You can see from the screenshot above that I’ve opened ports 1800 and 1884 and 8884.

I used the online open port check to check those ports and also one that shouldn’t be open and you can see the results below.

[Screenshot: open port checker results]

Note: I’ve hidden my external IP address for security reasons.

Port Triggering

This is a type of dynamic port forwarding where ports are opened by an application, and don’t require prior setup.

The application connects to the designated trigger port on the router which tells the router to open a specific port for inbound traffic.

After the application has finished it closes the ports it opened.

Because the ports aren’t left open it is considered more secure than port forwarding.

UPnP (Universal Plug and Play)

You may have noticed that your games work OK on the Internet even though you have not configured port forwarding.

This is most probably because the router has UPnP enabled.

Using the UPnP protocol an application can open ports on the router.

The screen shot below is taken from my router and shows a standard port forwarding rule and one setup automatically using UPnP.

[Screenshot: router UPnP rule]

Using UPnP is considered insecure and to be avoided if possible.

However most routers come with UPnP enabled by default.
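Because UPnP rules appear without anyone configuring them, it is worth reviewing the router's forwarding table from time to time. The following is an added example, not part of the original article: the rule list, the set of static hosts and the finding names are constructed for illustration. It flags rules opened via UPnP, rules whose target has no static address (the forward would follow the IP address to whichever device gets it next), and rules that reuse an external port.

```python
# Constructed forwarding table as it might be copied from a router's admin page.
# "source" records whether the rule was entered by hand or opened via UPnP.
RULES = [
    {"name": "web-1",   "proto": "tcp", "ext_port": 80,    "int_ip": "192.168.1.21", "int_port": 80,    "source": "manual"},
    {"name": "web-2",   "proto": "tcp", "ext_port": 8080,  "int_ip": "192.168.1.22", "int_port": 80,    "source": "manual"},
    {"name": "game",    "proto": "udp", "ext_port": 50000, "int_ip": "192.168.1.57", "int_port": 50000, "source": "manual"},
    {"name": "console", "proto": "udp", "ext_port": 50001, "int_ip": "192.168.1.22", "int_port": 50001, "source": "upnp"},
    {"name": "web-dup", "proto": "tcp", "ext_port": 8080,  "int_ip": "192.168.1.21", "int_port": 8080,  "source": "manual"},
]

# Assumption: the internal addresses that were configured as static.
STATIC_HOSTS = {"192.168.1.21", "192.168.1.22"}


def audit(rules, static_hosts):
    """Return a list of (rule name, finding) pairs for rules that need a second look."""
    findings = []
    first_owner = {}  # (proto, ext_port) -> name of the first rule using it
    for rule in rules:
        key = (rule["proto"], rule["ext_port"])
        if key in first_owner:
            # One external port can only map to one internal socket.
            findings.append((rule["name"], "duplicate-external-port"))
        else:
            first_owner[key] = rule["name"]
        if rule["int_ip"] not in static_hosts:
            # If DHCP hands this address to another device, the port follows it.
            findings.append((rule["name"], "dynamic-target"))
        if rule["source"] == "upnp":
            # Opened by an application on the LAN, not by the administrator.
            findings.append((rule["name"], "upnp"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(RULES, STATIC_HOSTS):
        print(f"{name:8} {finding}")
```
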

Summary

Port forwarding maps external IP addresses and ports to internal IP addresses and ports, allowing access to internal services from the Internet.

It is configured on home routers and it is necessary because home routers use NAT which isolates the home network from the Internet.

Common Questions and Answers

Q- Is the External IP address mapped to the Internal IP Address?

A- No, the external port is mapped, and not the external IP address. The external IP address might change; see Dynamic DNS.

Q- Should I use a static Internal IP address or can I use addresses assigned by DHCP?

A- You should always use a static one.

Q- Do I need to forward both the TCP and UDP ports?

A- It depends on the application. You need to check which ports the application uses.

Q- How do I know if my device has a static address or a dynamic one?

A- You have to go to the device and examine the settings or look at your DHCP server.

Q- How do I know what port I need to forward?

A- You need to know what port the service you want to use is using. However, most home routers will have a list of common games and applications; you just need to select one and it will automatically select the ports.

[Screenshot: selecting a game to forward]

Q- How do I know if I have configured it correctly?

A- You can use an online port forwarding checker to check that the ports are open.

Q- What is strict NAT?

A- Microsoft defines three levels of NAT: Strict, Moderate and Open. Devices that perform strict or moderate NAT can affect gamers on Xbox. See this article for help.

Q- Does port forwarding affect my home network security?

A- Yes because you are exposing the home network to the Internet meaning that external devices can access internal devices.

Q- I’m using port forwarding, should I also use DDNS (dynamic DNS)?

A- Almost certainly yes, unless you are using it on a permanent basis.


66 comments

  1. Hi Steve,
    First of all I want to say thanks for your excellent explanation. I was struggling with this port forwarding for some years without understanding it. Great that you created this document.
    In my home I have some Shelly devices on my network. They can use a cloud connection. To do so you apparently need to do some port forwarding and more. Here are my questions about
    1. The Shelly devices have fixed IP, but use all the same port (e.g. 6010). I can create more than one “rule” using the different fixed IPs of the Shelly devices, but what about the external port? Should I use the same port for all the devices there? I think this cannot be true…
    2. I understand that my ISP uses “shared” IP addresses as outside IP. I understand that in that case more user routers share the same IP (as if there is a router upstream at the ISP with one external IP for all connected users). I think I need a dedicated IP for myself to be able to use external access, right?

    1. Hi
      The devices need to have unique ids, so on the local network they have the same port number but different IP addresses, and that makes them unique.
      Therefore on the ISP side of the network they have the same IP address and so they need different port numbers.
      Hope that makes sense.
      To overcome the changing address use DDNS see here
      https://stevessmarthomeguide.com/dynamic-dns/
      Also getting a fixed IP will do it but they aren’t always available.
      Rgds
      Steve

  2. I need help, I want to forward 20004 to public IP

    Start port:
    End port:
    Internal IP:
    Internal Port:
    Description:
    Protocol: TCP

    1. Start port:20004
      End port:20004
      Internal IP:Ip address of the local machine
      Internal Port:20004
      Description:
      Protocol: TCP

      Note the internal port is flexible; it depends on what port the application is using. If the application was a web server then it would be 80.
      The external port is also flexible as it is what you want to connect to.
      Hope that makes sense
      Rgds
      Steve

      1. Thanks for the response, but when I try setting Start port: 20004 the same as End port, it said the End port should be greater than the Start port

  3. Hi Steve,

    Can a router run out of ports to assign? Theoretically, a single computer should be
    able to use all the ports of the router as they both have the same number of ports, i.e. ~65K.

    Thanks

    1. Not sure if the router limits the ports that can be forwarded but I would imagine they do. Anyway 65K ports would imply 65K applications which is very unlikely.
      Rgds
      Steve

  4. Hi Steve,

    Let’s say I’m trying to control some machinery at work from home. I have a static IP for the machine and port set up at work. Do I need to configure my home router to access the work machine? And also, let’s say I want to control the machine at work from my phone when I’m on the road; again, do I have to set up my phone? I’m using VNC Viewer.

    Thank you,
    Mike

  5. Confused about a particular case. Suppose in the private network we have two devices with sockets: PrivN-IP1-Port1 & PrivN-IP2-Port2, both browsing Google. After NAT does its translation, the packets from both devices reach Google, who then replies back with some data. Will Google respond to the NAT’s public IP and a particular port, e.g. 2000, for both devices? Or will Google respond to the NAT’s public IP and a different port for each device (whatever port value NAT set for each device in the translation)? I’m guessing the latter, otherwise NAT won’t be able to map back to the private sockets. Correct?

    1. Correct, the latter. When port forwarding you can’t use the same port number twice. They have to be unique.
      Rgds
      Steve

  6. Is there any problem with port forwarding if the local network and the wan have the same address mask, like 255.255.255.0? Do I have to partition the local network differently?

  7. Hi.

    I have an issue with our new Vodafone router. Since installing it we get connection issues for either our pc or ps4 playing warzone online.
    So if the ps4 is logged into the game and waiting in the lobby then the game will not connect on the pc.
    The ps4 will need shutting down then login to the game on the pc then log back in on the ps4.

    Both are Ethernet connected directly to the isp’s router.

    Would this be a port or ip address sharing problem?
    It’s driving me nuts so any help would be fantastic.

    Many thanks.

  8. Hi Steve,

    A few questions related to Ihsan Nurul Iman’s original question:

    1. If the other person who wants to play the same game is connected to the same router as him, then would they both share the same external IP address?
    2. Could you explain how the mapping in your reply (191.168.1.5:50000 66.66.66.66:10000) would also work? If I hosted a private game server on my computer with the mentioned port forwarding, would people who are trying to connect to my server have to type in the IP address along with the port number?

    Thanks in advance! Hope my question makes sense as I’m new to this.

    1. Question 1 – All computers on the internal network share the same external IP address.
      Question 2 – Yes, they always need an IP and port. The IP would be the external IP and the port whatever you have mapped. If we take two web servers located on our network, both use port 80 internally.
      On the router I would map port 80 to 192.168.1.21:80 and port 8080 to 192.168.1.21:80

      An external client would connect to external_ip:80 to connect to the web server on 192.168.1.21 and external_ip:8080 to the web server on 192.168.1.22

      Does that make sense?

  9. Hi Steve,

    first thanks for your fantastic explanation. But I got some doubts after learning port forwarding. I’ve gone to several references and didn’t find any explanation I’m really looking. I hope you’re willing to tackle my doubts:

    1. Where’s our public IP address? Is it on our home, or our ISP’s office?
    2. Let’s say my public IP is 66.66.66.66 and my device has a private IP of 191.168.1.5. I want to forward 50000 port for playing X game. So if the game requests for 66.66.66.66:50000, it’ll go to my private IP right? Now what would happen when another person who’s also using the same public IP as me also wants to play the same game and wants to forward port 50000? How does the router handle that? Because I’ve set 66.66.66.66:50000 to go to my local device, not his/hers.

    Thanks in advance!

    1. The public IP is on your router. Your router has 2 IP addresses, see here
      https://stevessmarthomeguide.com/internal-external-ip-addresses/

      Your public IP address may change but no one else has it at the same time as you.
      As long as you have the ip address 66.66.66.66 no one else can be assigned it.

      2. Let’s say my public IP is 66.66.66.66 and my device has a private IP of 191.168.1.5. I want to forward 50000 port for playing X game. So if the game requests for 66.66.66.66:50000, it’ll go to my private IP right? – Correct, but the ports don’t have to be the same, e.g. you could use port 10000 on the external IP address. It is a mapping 191.168.1.5:50000 <=> 66.66.66.66:50000
      191.168.1.5:50000 <=> 66.66.66.66:10000 would also work.
      Hope that helps
      Rgds
      Steve
