
Port Forwarding

Basics of Port Forwarding

This is a super duper high level guide to Port Forwarding. I am not an expert. But I wanted a really simple guide to show how Port Forwarding works. So here it is. Port forwarding is often required for applications that need to accept incoming connections from external networks (like the internet) because it allows devices outside a local network to communicate with a specific application running within it. Typically, unsolicited connections are dropped by the router. When we want something outside our network to reach out and connect to something inside our network, we need Port Forwarding. This is not needed for something like browsing the internet, because your computer is reaching out to the server hosting the website, and your router keeps track of this and ensures traffic is routed correctly.

Although the concept of port forwarding remains the same across most consumer setups, the specific steps to achieve successful port forwarding depend on the specific hardware. Forwarding a port typically involves configuring your router to direct traffic from an external IP & port to a specific internal IP & port on your local network.

[Diagram: port-forward-rules]

In the diagram above, the rules are set on the Router itself. Traffic coming from the internet is directed through the router and the port forwarding rules are applied to the traffic.

Forwarding a Port

There are a lot of guides and resources on how to properly forward a port. If you are unsure, the best bet is to find your router's model number (usually on the bottom or back of the router) and google "How to port forward [ROUTER MODEL]". Usually you can find a decent resource with the steps laid out.

The overall steps are typically:

  1. Log into the router (Common Router Passwords)
  2. Find the Port Forward section (usually under security)
  3. Create a new entry
  4. There are usually a few inputs, but the main concept is that you want traffic coming from any IP outside your network on a specific port to be forwarded to a specific internal IP and port on your network.
    • From IP: Any
    • From Port: Port you wish to forward
    • To IP: Internal IP of where you want the traffic to go
    • To Port: Port that the app is running on (typically same as "From Port")

Here is an example on my Ubiquiti router:

[Screenshot: dream-machine-forward]

Verify Port is forwarded

Typically the most obvious way to know if the port was forwarded is to check the performance of whatever app requires the port to be forwarded. However, another method is to use a website like you get signal.

On this page, enter in the port you wish to check, and then click the "Check" button. You will then see a response that the port is either "closed" or "open".

Problems

There are a few common problems that people run into when trying to forward ports.

Double NAT

First is what is called a "Double NAT". This means that the PC that the traffic needs to get to is behind two routers. This usually happens when the ISP provides a Modem/Router combo, and then another router is added after.

If this is something that you have, it can be overcome by putting the ISP Modem/Router into what is called "passthrough" mode or "bridge mode". How to do this is outside the scope of this wiki, but typically googling your ISP router's model number + "passthrough" is enough to find some instructions.

Dynamic IP

If your PC's internal IP is dynamic (typically it is by default) then it may change when you reboot your PC or router. This will make the port forward rule you set fail, as the traffic is being forwarded to an IP where the PC is no longer located.

To fix this, it is best to set up static IPs for any PC that has traffic forwarded to it. This is typically done in the router, and instructions can usually be found by googling the router's model number + static IP.

Protocol

Some apps require UDP and TCP to be forwarded. Selecting the wrong one can cause issues. It is a good idea to research what protocol needs to be forwarded (or select BOTH).

CGNAT

Some ISPs, especially mobile and rural ISPs, use Carrier-Grade NAT (CGNAT), which shares public IPs among multiple customers. This causes issues for the same reason a Double NAT does. In a traditional setup, your router performs NAT, translating private IP addresses (e.g., 192.168.x.x) to a unique public IP. But in CGNAT, both your router and the ISP's system are performing NAT. The ISP's NAT layer doesn't know where to route incoming connections to your specific device.

Contact the ISP to request a public IP address. In some cases, they may offer a static IP option for an additional fee. Alternatively, consider using a VPN with port forwarding capabilities.
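
The Double NAT and CGNAT sections above both come down to the same question: does your router actually hold the public IP? The following is an added example, not part of the original guide, that answers it by comparing the WAN address from your router's status page with the address an external "what is my IP" site reports. The function name `diagnose`, the verdict labels and the sample addresses are all constructed for illustration.

```python
import ipaddress

# RFC 1918 private ranges: a WAN address here means another router is upstream.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# RFC 6598 shared address space, reserved for carrier-grade NAT.
CGNAT = ipaddress.ip_network("100.64.0.0/10")

ADVICE = {
    "cgnat": "ISP is doing CGNAT; ask the ISP for a public IP",
    "double_nat": "second router upstream; use bridge/passthrough mode",
    "upstream_nat": "addresses differ; another NAT, VPN or proxy is in the path",
    "direct": "router holds the public IP; a forward rule can work",
}


def diagnose(router_wan_ip, observed_public_ip):
    """Classify the NAT situation from two IPv4 addresses.

    router_wan_ip: WAN address shown on your own router's status page.
    observed_public_ip: address an external "what is my IP" site reports.
    Raises ValueError if either string is not a valid IPv4 address.
    """
    wan = ipaddress.IPv4Address(router_wan_ip)
    seen = ipaddress.IPv4Address(observed_public_ip)
    if wan in CGNAT:
        return "cgnat"
    if any(wan in net for net in RFC1918):
        return "double_nat"
    if wan != seen:
        return "upstream_nat"
    return "direct"


if __name__ == "__main__":
    # Constructed sample pairs (documentation address ranges), not real hosts.
    samples = [
        ("192.168.1.2", "203.0.113.10"),
        ("100.72.5.9", "198.51.100.7"),
        ("203.0.113.10", "198.51.100.7"),
        ("203.0.113.10", "203.0.113.10"),
    ]
    for wan, seen in samples:
        verdict = diagnose(wan, seen)
        print(f"WAN {wan:<15} seen {seen:<15} -> {verdict}: {ADVICE[verdict]}")
```

Only the "direct" verdict means a forward rule on your own router is enough; an "open" result from a port checker is still the final confirmation.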