Port forwarding is one of those networking concepts that sounds complicated but is actually straightforward once you understand what it does and why you need it. If you have ever tried to host a game server, set up a security camera for remote viewing, or run a web server from home, you have probably encountered the need for port forwarding.
This guide explains how it works, walks you through setting it up, and covers the security implications you should know about.
Need a VPS? Vultr (free credit), DigitalOcean ($200 free credit), or RackNerd (cheap annual deals).
What is Port Forwarding?
Your router acts as a gatekeeper between the internet and your home network. By default, it blocks all incoming connections — this is a good thing, because it prevents random people on the internet from accessing your devices.
Port forwarding creates a controlled exception: you tell the router "if someone connects to port X from the internet, send that traffic to device Y on my local network."
Internet → Your Public IP:8080 → Router → 192.168.1.50:8080 (your server)Without port forwarding:
Internet → Your Public IP:8080 → Router → BLOCKED (dropped)When Do You Need Port Forwarding?
| Use Case | Common Ports |
|---|---|
| Game servers (Minecraft, Valheim, etc.) | 25565, 2456-2458 |
| Web server (self-hosted website) | 80 (HTTP), 443 (HTTPS) |
| Security cameras (remote viewing) | 554 (RTSP), 8080 |
| Remote desktop | 3389 (RDP), 5900 (VNC) |
| FTP server | 21 |
| SSH access | 22 |
| Plex/Jellyfin media server | 32400, 8096 |
| Home automation (Home Assistant) | 8123 |
| BitTorrent | 6881-6889 |
You do NOT need port forwarding for:
- Normal web browsing
- Streaming Netflix, YouTube, etc.
- Online gaming (as a player, not a host)
- Video calls
- Most apps — they use outbound connections which work fine through NAT
How to Set Up Port Forwarding
Step 1: Find Your Device's Private IP
The device you want to forward to needs a known, static private IP. Find it first:
Windows:
ipconfigMac/Linux:
ifconfig
# or
ip addr show
Look for something like 192.168.1.50. Write it down.
Step 2: Set a Static IP (Important)
If your device gets its IP from DHCP (which is the default), the IP can change and break your port forwarding rule. Set a static IP either:
Option A: On the device itself — configure a static IP in network settings
Option B: DHCP reservation on the router (preferred) — tell the router to always assign the same IP to this device's MAC address. This is usually under DHCP settings in your router.
Step 3: Log Into Your Router
Open a browser and go to your router's admin page:
| Common Router IPs | Brands |
|---|---|
192.168.1.1 |
Netgear, Asus, most routers |
192.168.0.1 |
D-Link, TP-Link, some Netgear |
10.0.0.1 |
Xfinity, some enterprise |
192.168.2.1 |
Belkin |
Default credentials are usually on a sticker on the router. Common defaults: admin/admin or admin/password.
Step 4: Find Port Forwarding Settings
The location varies by router brand, but look for:
- Port Forwarding
- Virtual Servers
- NAT / Gaming
- Applications & Gaming
- Advanced → Port Forwarding
Step 5: Create a Rule
Fill in these fields:
| Field | Example | Description |
|---|---|---|
| Service Name | Minecraft | A label for your reference |
| External Port | 25565 | The port incoming traffic arrives on |
| Internal Port | 25565 | Usually the same as external |
| Internal IP | 192.168.1.50 | Your device's static IP |
| Protocol | TCP, UDP, or Both | Check what your application needs |
Step 6: Test It
After saving the rule, test from outside your network:
- Use our Port Scanner to check if the port is open from the internet
- Ask a friend to try connecting
- Use your phone on cellular data (not WiFi) to test
If the port shows as closed, see the troubleshooting section below.
Port Forwarding vs UPnP
UPnP (Universal Plug and Play) lets applications automatically create port forwarding rules without you manually configuring them. Most game consoles and apps use UPnP.
| Port Forwarding | UPnP | |
|---|---|---|
| Setup | Manual | Automatic |
| Control | You choose exactly what is open | Apps open ports on their own |
| Security | More secure (explicit rules) | Less secure (any app can open ports) |
| Reliability | Always works | Sometimes fails or conflicts |
Recommendation: Disable UPnP and use manual port forwarding for anything important. UPnP is convenient but it means any malware on your network can also open ports.
Security Considerations
Port forwarding punches a hole in your router's firewall. Every open port is a potential entry point for attackers. Follow these rules:
Do
- Only forward ports you actually need — close them when done
- Use non-standard ports when possible — instead of
22for SSH, use2222 - Keep software updated — the service behind the port needs security patches
- Use strong passwords — especially for SSH, RDP, and admin panels
- Use a VPN instead when possible — WireGuard or OpenVPN lets you access your home network without opening any ports
- Monitor access logs — check who is connecting
Do Not
- Never forward port 23 (Telnet) — it is unencrypted
- Never expose RDP (3389) directly — use a VPN instead
- Never forward ports to a device you do not maintain — IoT devices with bad security
- Never use DMZ mode — it forwards ALL ports to one device, exposing everything
Troubleshooting
Port Shows as Closed
- Is the service running? Check if the application is actually listening on that port
- Firewall on the device? Windows Firewall or
iptablesmight be blocking it. Add a rule to allow the port - Correct internal IP? Make sure the IP in the forwarding rule matches the device
- ISP blocking? Some ISPs block common ports (25, 80, 443) on residential connections. Call them or use a different port
- Double NAT? If you have two routers (ISP modem-router combo + your own router), you need to forward on both. Or put the ISP device in bridge mode
- CGNAT? Some ISPs use Carrier-Grade NAT, meaning your "public IP" is actually shared. Port forwarding will not work. Check if your public IP starts with
100.64.x.x— if so, you are behind CGNAT
Check If Your Port is Open
Use our Port Scanner to test if a port is reachable from the internet. Enter your public IP (find it with our What's My IP tool) and the port number.
Alternatives to Port Forwarding
| Method | Complexity | Security | Use Case |
|---|---|---|---|
| VPN (WireGuard/OpenVPN) | Medium | Excellent | Remote access to entire home network |
| Reverse proxy (Cloudflare Tunnel) | Medium | Excellent | Exposing web services without opening ports |
| Tailscale/ZeroTier | Easy | Excellent | Mesh VPN, no port forwarding needed |
| ngrok | Easy | Good | Temporary public URLs for development |
For most home use cases, a VPN or Cloudflare Tunnel is more secure than port forwarding and works even behind CGNAT.
Check Your Ports
Use our free Port Scanner to verify if your port forwarding is working. It checks common service ports from outside your network and tells you which ones are open. You can also use our What's My IP tool to find the public IP address you need to test against.