What is Port Forwarding and What Does it Do? Comprehensive Guide 2023
Port forwarding (also called port mapping) allows devices on the Internet to connect to devices or services on private networks (e.g. your home or office network). It has many applications for gaming, torrenting, or setting up backups, servers, and security cameras.
As port forwarding makes your device accessible to external traffic, it’s important to learn how to forward ports without putting your data at risk.
In this article, we’ll be looking at how port forwarding works, its uses, how to mitigate any risks, the port forwarding setup process, and even answer some related FAQs.
What is Port Forwarding?
Port forwarding (or port mapping) is a networking technique that involves configuring a router to send incoming traffic to a specific device on a private network.
Note: the term “port” doesn’t refer to the physical ports on your router (where you plug in network cables). Instead, apps and services use ports (and associated port numbers) to communicate over the Internet.
Normally, your router’s NAT (Network Address Translation) acts like a firewall and rejects unsolicited outside connections.
To get around that, port forwarding maps an external port on your public IP address to an internal port / IP address combo.
That way anyone on the Internet can access specific services on your private LAN. As such, port forwarding is typically used to set up a web server or game server, or get more peers in torrenting clients.
Where is Port Forwarding Used?
Port forwarding for gaming is perhaps the most common practice related to our topic. You can forward ports to:
- Create game servers – it’s no small wonder that Minecraft port forwarding frequently pops up in online searches
- Reduce ping by connecting directly to other devices in games with peer-to-peer (P2P) multiplayer, such as GTA Online
- Be able to connect with other players if you have an older router
Without port forwarding, people could only connect to your Minecraft server over your private LAN (as you would all share the same external IP address).
And while a Minecraft LAN party does sound comfy, it’s not really possible with online-only friends.
In any case, forwarding ports is also useful while torrenting. By opening a certain port number, your machine can accept more incoming connections. This can boost download speeds or let you seed torrents if you’re experiencing upload issues.
Another use case for port forwarding is to access files and backups remotely from anywhere. All you need is a network-capable device and you’re set.
Otherwise, you can use port forwarding to access virtual machines (such as a virtual desktop set up through VMware, VirtualBox, or similar applications).
You can port forward security cameras to keep an eye out on your property while you’re away from home, check in on pets, and so on.
Many cities offer live camera feeds in central locations (e.g. Times Square in New York). All of this is done through port forwarding.
Of course, forwarding ports comes with its own risks, such as a malicious actor gaining access to your internal network.
Fortunately, there are ways to make port forwarding work without putting your local network at risk.
How to Minimize the Risks of Port Forwarding
There are several ways of making port forwarding safe. This includes using a DMZ (demilitarized zone), limiting the process to only the ports you need, restricting the IP addresses that can access the forwarded port, or using alternatives to port forwarding.
1. Use a DMZ to Keep Your Private Network Secure
A DMZ acts as an intermediary between a private local area network and an untrusted network: say, your home Wi-Fi and the Internet at large.
Businesses use DMZs to protect their internal networks while still allowing people to access certain resources.
The DMZ host function on certain home routers lets you set up a specific device as a DMZ. This device will have all its ports open so you don’t have to waste time messing with port forwarding settings.
People tend to use their gaming consoles as DMZs as they don’t contain particularly sensitive information.
They also don’t suffer from the same vulnerabilities as a PC or a smartphone. Even if an attacker gains remote access to the console, there’s not much they can do.
Finally, this process will only open ports to the console and nothing else. Any other device on your private network will remain unaffected.
2. Only Forward Ports You Need at the Time
Once you learn how port forwarding works, it may feel tempting to set a permanent forwarding rule for torrenting, multiplayer games, virtual desktops, and more. That is a mistake, and will only leave your machine exposed to unwanted access from attackers.
Only port forward when the situation requires it. When you’re done, remove the port forwarding rule from the router settings to restrict access to your internal network.
3. Limit Which IP Addresses Can Access the Forwarded Port
You can configure your system firewall to allow one or more IP addresses to access the port forward.
Any IP address that isn’t included in your firewall rules will be rejected, thus allowing for safe gaming sessions, limited access to remote servers, and so on.
A reliable anti-malware app will also keep you safe from threats, and may include its own firewall system.
4. Don’t Port Forward at All
One alternative to port forwarding is port triggering, which limits the amount of time the ports are left open. We’ll be discussing the technique in more detail in a later section.
Otherwise, you can set up a VPN server to act as the default gateway instead of your router. It’s a complex setup (and you still need port forwarding for one of the steps), but it’s more secure than the traditional approach.
If you’re thinking about port forwarding to an office network, then a cloud-based service like SASE may be preferable.
SASE is a new technology that uses cloud computing and policy-based security measures to grant access to an internal network.
Of course, this solution may be more suitable for enterprises than SMBs. If nothing else, it may be worth running the idea by your network administrator.
How to Set Up Port Forwarding
To forward ports, you’ll need the following:
- Your router’s IP address – it should be in the following format: 192.168.x.x
- A static IP address, which you may be able to set up from your router settings. Otherwise, consider using a VPN with port forwarding and a dedicated IP option.
- Your router’s username and password – typically printed at the bottom of your router, although you can check your ISP’s forums for this info
- The port number of the game or application you want to port forward
The process is different depending on your router, so here’s a general outline of what to do.
1. First, open your browser and type in your router’s IP address. Note that this should be its internal IP address in the 192.168.x.x format.
On Windows, you can type in “ipconfig” in a Command Prompt to find out this IP. It’ll be called “Default Gateway.”
You’ll reach your router’s dashboard. Log in with your username and password.
2. Find the port forwarding option in the router settings. In our case, we had to go to the “Forward Rules” menu.
3. If not already present, click New to create a new port forwarding rule.
You may also have to click “Add” to include the UDP or TCP port you want to open. Add a “Mapping Name” to your port forward rule so you remember what it’s for.
4. Insert the internal IP address of the device you want to port forward to (the Internal Host).
Some routers let you choose from a list of devices in a drop-down list. Choose your PC, smartphone, or gaming console and it’ll autofill the IP for you.
As mentioned, this is different from your public IP address (the one you see when you google “what’s my IP”).
5. Choose your protocol (UDP or TCP) and set the internal and external port numbers.
These can be the same port numbers, unless you don’t want others to know what game server or application you’re actually running. Just make sure that the internal port number points to the application you want (e.g. 25565 for Minecraft).
6. Click Apply to save your settings. In some rare cases, you may have to restart the router for the changes to take effect.
Port Forwarding with a VPN
Some ISPs won’t allow you to set up a static IP address through your router settings. In that case, you may need to use a VPN with port forwarding and acquire a dedicated IP.
If you’ve already done so, your provider may have a full guide explaining how to port forward using their service.
Here’s a general guide using Private Internet Access as an example:
1. Enable port forwarding in the VPN app or your client dashboard. For PIA, go to Settings > Network > check the box that says “Request Port Forwarding.”
2. Some providers (such as PrivateVPN) let you choose the particular port you want to open. Otherwise, connect to a VPN server that supports the feature, and a random port number will be opened.
3. Whether you chose the port number yourself or had one randomly assigned, take note of it for later use.
4. Access the network settings for the app you want to use. For example, in qBittorrent you should go to Tools > Options > Connection. Use the specified port in the “Port used for incoming connections” field and disable UPnP / NAT-PMP.
Port Fail Attacks
On a related note, you should be careful about which port forwarding VPN you choose.
In 2015, a vulnerability called a “Port Fail Attack” was discovered that affected most VPNs with the port forwarding feature.
An attacker could expose VPN users’ real IP addresses just by having them click a link. And get this: only the attacker needed to use port forwarding for it to work.
Copyright trolls could potentially use Port Fail to gather the IP addresses of users torrenting with a VPN.
Fortunately, VPN providers were notified of the vulnerability through a blog post that also contained potential fixes.
Many have since implemented DNS and IP address leak protection methods to counteract it. Still, it’s worth double checking with customer support just in case.
How to Check if Port Forwarding is Working
For the most part, you can use a tool like CanYouSeeMe.org to check if your port is open. The tool will automatically detect your IP address; you just need to type in the port you want to check.
You can also perform a more hands-on test using torrents. If you input the correct port in your torrenting client, you should start seeing better download speeds / working seeding.
Want to manually test the incoming connection? Then you’ll need a second device and Internet connection (to get a different external IP address). Use a mobile device with a tethered connection or ask a friend to help.
Here’s a general testing method using Minecraft:
- Start up Minecraft on your server machine.
- Check that the game is running on your specified port.
- Connect your secondary device (the client machine) to the Internet. Once again, use a mobile connection so the two devices don’t have the same external IP address. Alternatively, have a friend connect from an outside network.
- Launch Minecraft and connect to your server using its external IP address and port combination.
- If you did everything correctly, the game should load properly.
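The manual test above can also be scripted. This added example (not part of the original article) separates a refused connection from a silent drop, which tells you whether to look at the service itself or at the firewall, the forwarding rule or CGNAT. It covers TCP only; `probe_tcp`, `check_forward` and `HINTS` are names chosen here, and for a real check it should be run from the second device on a different Internet connection.

```python
import errno
import socket

# What each result usually points to, based on the troubleshooting list in this guide.
HINTS = {
    "open": "forwarding works: a service accepted the connection",
    "closed": "something answered with a refusal: no service listens on that port",
    "filtered": "no reply: firewall drop, missing or stale rule, or CGNAT",
}


def probe_tcp(host, port, timeout=3.0):
    """Classify a TCP port as 'open', 'closed' or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"          # three-way handshake completed
    except ConnectionRefusedError:
        return "closed"            # a reset came back: reachable, no listener
    except (socket.timeout, TimeoutError):
        return "filtered"          # the connection attempt was silently dropped
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"      # unreachable: the packet never arrived
        raise


def check_forward(host, port, timeout=3.0):
    """Return (state, hint) for one external address and TCP port."""
    state = probe_tcp(host, port, timeout)
    return state, HINTS[state]


if __name__ == "__main__":
    # Self-test against a listener on this machine (a constructed stand-in for
    # the game server); use your external IP and port for a real check.
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))      # port 0 = let the OS pick a free port
    server.listen(1)
    port = server.getsockname()[1]
    print(port, check_forward("127.0.0.1", port, 1.0))
    server.close()
    print(port, check_forward("127.0.0.1", port, 1.0))
```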
Port Forwarding Not Working? Try These Fixes
If you’re still facing port forwarding issues, these could be to blame:
- Your ISP uses CGNAT. In that case, you can’t forward ports without using a VPN or setting up your own VPN server to bypass the CGNAT.
- You’re not using a static IP address. The connection request is rejected simply because your port forwarding rule points to an IP address that has changed.
- Your system or antivirus firewall is blocking the connection request. Configure your firewall to allow incoming connections on your chosen port.
- You’re using the same port multiple times. Check your forwarding rules and remove the one you’re not currently using.
- You have DMZ enabled on your router – disable it for port forwarding to work.
- You chose the wrong device. Your computer may have more than one IP address attached to it in the forward rules. Restart your router to clear any extra entries.
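Several items in this list, together with the earlier advice to forward only what you need and to restrict source addresses, can be checked mechanically once your rules are written down. The sketch below is an added example, not from the original article: `ForwardRule` is a hypothetical model that combines a router rule with its firewall allowlist, and the rules and static leases are constructed sample data.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ForwardRule:
    """Hypothetical model of one router rule plus its firewall allowlist."""
    name: str
    proto: str                   # "tcp" or "udp"
    external_port: int
    internal_ip: str
    internal_port: int
    allowed_sources: tuple = ()  # CIDRs allowed in; empty means anyone


def audit(rules, static_ips):
    """Return (rule name, finding) pairs for rules that need attention."""
    findings = []
    by_external = defaultdict(list)
    for rule in rules:
        by_external[(rule.proto, rule.external_port)].append(rule.name)
        target = ipaddress.ip_address(rule.internal_ip)
        if not target.is_private:
            findings.append((rule.name, "target is not a private LAN address"))
        elif rule.internal_ip not in static_ips:
            # The rule silently breaks once DHCP hands the device a new address.
            findings.append((rule.name, "target IP is not static"))
        sources = [ipaddress.ip_network(s, strict=False) for s in rule.allowed_sources]
        # No allowlist, or an entry such as 0.0.0.0/0, leaves the port open to all.
        if not sources or any(net.prefixlen == 0 for net in sources):
            findings.append((rule.name, "reachable from any source address"))
    for (proto, port), names in by_external.items():
        if len(names) > 1:
            for name in names:
                findings.append((name, f"external {proto}/{port} mapped more than once"))
    return findings


# Constructed sample data: three rules and the router's static leases.
STATIC_IPS = {"192.168.1.50"}
SAMPLE_RULES = [
    ForwardRule("minecraft", "tcp", 25565, "192.168.1.50", 25565, ("203.0.113.7/32",)),
    ForwardRule("torrent", "tcp", 51413, "192.168.1.60", 51413),
    ForwardRule("old-minecraft", "tcp", 25565, "192.168.1.51", 25565, ("0.0.0.0/0",)),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RULES, STATIC_IPS):
        print(f"{name}: {finding}")
```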
You can also try out another category of port forwarding called SSH port forwarding (or SSH tunneling).
It comes in three types: local port forwarding, remote port forwarding, and dynamic port forwarding.
They involve using an SSH (Secure Shell) utility such as OpenSSH or PuTTY to connect two devices through an intermediary.
Here’s a little context for each type.
Local Port Forwarding
In this case, the port on the local host (the client) is forwarded to the remote host (the destination server).
It’s typically used to connect to a remote service on internal databases, share files securely, and more.
Remote Port Forwarding
Conversely, in remote port forwarding, the port on the server side is forwarded to the client host of the SSH connection.
For example, if you work from home, you can connect the office network to an FTP server you’ve set up locally. That way co-workers can access your work files remotely.
Or, you can use it to give access to an internal service to an outside connection.
Dynamic Port Forwarding
This type is an extension of local port forwarding, and involves creating a sort of SOCKS proxy server on the client device.
Any application using this proxy will connect to the SSH server, which then forwards all traffic to a dynamic port on the actual destination server.
A common use is to bypass VPN blocks and firewalls by tunneling browser traffic through an SSH server.
Speaking of which, we can consider port triggering to be a dynamic form of port forwarding as well. More details below.
Port Triggering vs Port Forwarding: What’s the Difference?
Port triggering works by setting a trigger port on the router. This, in turn, tells the router to open incoming ports for the various applications that need it.
The difference between the two is that port forwarding rules are set indefinitely, and so the ports are exposed to attacks until manually closed.
Port triggering only opens ports for a set amount of time, and only when needed. If you’re looking for a slightly more secure alternative to port forwarding, then this is it.
What is UPnP (Universal Plug and Play)?
UPnP is a function that allows for seamless connections between devices without extra configuration.
When you connect any device to your network, it is assigned an IP address (whether through DHCP or UPnP).
The device then advertises itself across the network. Your router will provide its location and list its capabilities (e.g. printer, camera) to the network – and vice-versa.
It is basically automatic port forwarding, and is usually enabled by default on most modern routers.
The automatic nature of UPnP leaves it open to cyber attacks, however. That’s because UPnP assumes all devices on your network are secure.
If one of your devices is infected with malware, UPnP can compromise your whole network.
The protocol also suffers from several vulnerabilities that can be exploited by hackers, which is why it’s often recommended to disable the feature.
Dangers of Port Forwarding
Port forwarding is only dangerous when you fail to take proper precautions. Here’s what can happen if you don’t:
- Hackers may access your gaming sessions. Easily preventable by setting a strong password and keeping your system / game up-to-date.
- Cyber attackers exploit app vulnerabilities to hack your PC. Once again, ensure you install the latest security updates.
- Your IP address may be exposed through a port fail attack (or other IP leaks) while torrenting with a VPN. Only use trusted providers and keep your VPN updated.
- Hackers may gain access to your security camera feeds. While not particularly dangerous on its own, it’s still a risk to your overall privacy.
Follow our threat mitigation tips from the start of the article and everything should be A-okay. If you’re just starting out with port forwarding, it may be worth having someone more tech-savvy guiding you through the process.
We answer some of the most frequent questions on the topic of port forwarding below.
Do I Need Port Forwarding?
For the most part, port forwarding isn’t necessary. However, if you plan on creating a gaming server, setting up remote access to a device (such as security cameras or a computer), or need better torrenting speeds, then port forwarding is essential.
What is SSH Port Forwarding?
SSH port forwarding is another way to refer to SSH tunneling – i.e., creating an encrypted SSH tunnel between two devices using software like OpenSSH or PuTTY.
This is useful if you want to access remote services on an internal network, bypass VPN blocks and firewalls, or even access geo-blocked content in some cases.
Does Port Forwarding Increase Internet Speed?
Port forwarding doesn’t increase internet speed, at least not in the traditional sense. Instead, it opens up your computer to external connections, such as more peers while torrenting. Essentially, it allows for more efficient use of your internet connection.
Does Port Forwarding Help Gaming?
Yes, port forwarding is useful for gaming, especially for creating your own game server or opening up your device to incoming connections from your teammates. Port forwarding is great for games like Minecraft, Red Dead Online, GTA Online, and others.
Does Opening Ports Reduce Lag?
Opening ports can reduce lag by letting you connect directly to one or more players. This is true for games with peer-to-peer (P2P) connections: For Honor, GTA Online, indie games with a multiplayer component, and so on.
What is DMZ on a Router?
DMZ stands for demilitarized zone, and is a router function that can exclude a device on a local network from any firewall protection.
You can set up a device on your private network as a DMZ host (say, a gaming console). That way the router firewall will not interfere with your gaming sessions.
What Are the Risks of Port Forwarding?
The primary risk of port forwarding is hackers gaining full access to your device. When you grant access to unsafe ports without any extra precautions (such as a firewall and anti-malware), you open yourself up for various cyber attacks.