Whether you’re making a Minecraft game accessible to your friends or hosting a small website, port forwarding is a useful way to access software running on your computer remotely.
Essentially, port forwarding maps an external “port” on your Internet-facing IP address to a particular computer on your local network. This allows you (or someone else) to access something on your computer from the internet.
Port forwarding solves all kinds of problems, but it can also be dangerous. If you fail to secure a remote desktop connection, for example, someone could log into your computer from afar.
In this article, we’ll extensively explore the topic of port forwarding.
What is port forwarding used for?
From the sound of it, port forwarding might seem like it’s in the purview of IT professionals and programmers. While those kinds of people are certainly heavy users of port forwarding, it’s useful for a far wider range of the computer-using population.
Here are some of the most common uses for port forwarding:
- Hosting game servers for multiplayer gaming accessible from outside your home network.
- Running remote desktop protocols for accessing your computer remotely.
- Permitting file transfers from your computer to the outside world.
- Running a publicly-accessible website from your home computer.
- Using torrent applications to quickly download files.
- Hosting your own VPN server that allows you to access your home network from afar.
While many of these tasks can be accomplished without the help of port forwarding, it’s often the easiest solution.
Is port forwarding safe?
Port forwarding inherently gives people outside of your network more access to your computer. Network access translation (NAT), the technology that allows multiple devices to share one IP address (covered in more detail in the “How Does Port Forwarding Work?” section), normally also protects your devices from external attacks.
When you selectively disable NAT with port forwarding, you open your chosen device up to direct connections from the wider Internet. If you port forward a remote desktop connection to the Internet, anyone from anywhere in the world can connect to your computer if they know the password or exploit a bug. This can be bad.
Can you get hacked through port forwarding? Yes. If you take security precautions, is it likely? Not really.
More than anything, responsibly using port forwarding requires care and diligence. The following general tips will make sure that you stay safe:
- Use strong passwords. If you’re running a remote access connection, your computer is only as secure as the password you set. Hackers try multiple passwords every second on every machine connected directly to the Internet. If possible, eliminate this weakness altogether by using key-based authentication (supported by some protocols like SSH).
- Update your devices quickly. Vulnerabilities are constantly discovered and fixed in operating systems and other software. If you put off updating your computer, there might be a bug that a hacker can use to defeat your security and gain access to your computer.
- Don’t expose more than you need. Once you learn how to use port forwarding, you might want to use it with all sorts of devices and services. This is a bad idea. As you expose more surface, the odds of a successful cyberattack against your computer increase.
Dangers of port forwarding
Let’s look at some more specific hypothetical scenarios where port forwarding can be risky.
- You port forward access to a video game. For convenience, you don’t set a password, thinking that hackers will never guess your IP address. Your friends can join your game with ease, but so can bad actors.
- Just like how hackers test passwords to Internet-accessible services multiple times per second, they also automatically attack open protocols like games on every internet-connected device.
- Set a strong password and keep your device updated to prevent this issue.
- You secure your game with a password, but don’t update the game or device. A security issue is discovered in the game, allowing anyone who exploits the bug to hack your computer.
- Apply security updates in a timely manner to avoid this problem.
- You forward a port to use a torrenting application. Even though you think you’re using an anonymizing solution like a VPN, data is accidentally uploaded through your real IP address. If you’re downloading copyrighted material, you could be in trouble.
- Always verify that your software is configured correctly. Don’t assume that your traffic is anonymous just because you use a VPN or Tor.
How does port forwarding work?
Before we dive into the technicalities of port forwarding, let’s back up to the mid-1990s. Households were getting connected to the Internet left and right. It quickly became evident that the world would soon run out of Internet Protocol (IP) addresses.
The IPv4 address space only made room for about 4.3 billion unique addressable devices. With every computer assigned a unique address, we would quickly run out. There are far more desktops, servers, and smartphones than there are IP addresses today.
Network access translation (NAT) is the stopgap solution to this problem. It allows one Internet-facing IP address to correspond to an entire private network instead of just one device.
Ports are how computers distinguish between multiple services listening on one computer.
Think of them like doors to a house: your computer is at 1234 Daisy Lane and it has about 65,000 doors. If port 22, used for the SSH remote access protocol, is listening, imagine that door 22 on 1234 Daisy Lane is unlocked.
The trouble with NAT is that it provides different addresses internally and externally. To continue the house analogy, imagine that the outside world could only send visitors to Daisy Lane, not specific houses within the neighborhood. If a visitor asks for door 22 on Daisy Lane, the gatekeeper (representing NAT on the router) won’t know which house to send them to.
This is where port forwarding comes in. When you set a few router settings, it will be able to send inbound connections to the right computer within the network.
How to open ports on a router
Because port forwarding involves changing settings on your router, the exact process will depend on your router model. However, the process usually takes the same form regardless of who made your router.
In this guide, I’ll use screenshots from a common Comcast modem/router combination.
Step 1: Find your router’s configuration page
Every router makes its settings accessible through some kind of a configuration interface. Apple AirPort routers are somewhat unique in that they require special software (AirPort Utility) to change their settings. For most routers, you can change settings with a website accessed through a special IP address.
Internal networks use IP addresses that follow the form of 10.X.X.X or 192.168.X.X. The 172.16.X.X subnet is less common but also possible.
Your router’s configuration page will likely be at the first IP address in its range. To figure out what this address is, first look in your computer’s networking settings to figure out what IP prefix you use.
Depending on your computer’s operating system, this setting will be in a different place.
On my Mac, it helpfully displays both my computer’s internal IP address and the router’s IP address. You can see that the prefix used on my network is 10.X.X.X and that the router is at the very first possible IP address. Most routers use the first IP address in their prefix, regardless of which prefix your network uses.
Next, go to your router’s IP address in a web browser. On the Xfinity (Comcast) router used in these examples, you’ll be greeted by a login page that looks like this:
If you see something similar, congratulations! You successfully found your configuration page.
Step 2: Log in
Now that you’re at the login page, you might not remember your username and password. If you don’t remember setting one in the first place, it’s probably still set to the default. The helpful site RouterPasswords.com offers a database of default passwords that you can try.
Step 3: Find the port forwarding option
On my router, this feature is hidden in the Advanced menu. If you can’t find it, continue looking through the menus.
In the case of this router, it appears that we cannot change port forwarding settings directly from the router’s configuration page. Let’s follow its instructions and visit the other settings website.
After logging into Comcast’s website, we can go to See Network:
Afterwards, click on Advanced Settings:
Now we’ve found it!
Step 4: Add the port forward
Now that we’ve found the option, it’s time to add the port forward.
This screen appears similar on nearly every router. First, we select a device or IP address to use as the destination. This is the device that runs the software we want to forward.
Next, choose a common service to forward or manually input a port. If you choose a premade option, your service should work out of the box. Otherwise, you might need to experiment to find the correct port to forward.
If you want to forward an entire range of ports or add multiple ports to the forwarding list, you can do this here.
Step 5: Test out your program
To adequately test whether your port forwarding was successful, you’ll need to use a device outside your local network. Follow the instructions listed later in this article to test out your port forward.
We’ll look at common problems and solutions in more detail later on.
How to open ports on a VPN
If you’re unwilling or unable to open ports on your actual network, many VPN services allow you to open ports on the other end of the tunnel. Instead of remotely connecting to your computer’s actual IP address, you connect to the VPN’s endpoint IP address.
Compared to forwarding ports on a hardware router, doing the same on a VPN is relatively simple. However, not every provider supports port forwarding. Since the process differs for every VPN provider, look for specific instructions on their website.
Common problems with port forwarding
While port forwarding works most of the time, it can fail on occasion. Whether the root issue is user error or something with the software, port forwarding issues can be difficult to diagnose.
Here are a few of the most common issues that can occur with port forwarding:
- “Connection refused” errors as if you are not using port forwarding at all.
- Slow remote connections that make games and remote desktop unusable.
- Constant invalid password warnings from remote desktop software.
How to test port forwarding
Before you can figure out the cause of any issues, it’s important to have a reliable testing process. To effectively test a port forwarding setup from the comfort of your home, you’ll need the following hardware and software:
- A desktop or laptop computer used to host the application being port-forwarded.
- An additional computer to use as a client.
- This computer must have the client software installed for the application you’re testing.
- A smartphone with tethering or a secondary Internet connection.
Using Minecraft as an example, here’s how to test that your port forwarding worked:
- From the server machine, start the Minecraft server and verify that it is running on the port you selected.
- Connect the client machine to your smartphone or secondary internet connection. This connection must have a different external IP address.
- Open the Minecraft game on your client machine and connect to the first computer’s external IP and port.
- Verify that the connection works and the game loads. Don’t worry about speed; if you’re using cellular Internet on the client, it won’t be fast even if you did everything correctly.
Troubleshooting connection refused errors
If you continue to see connection refusals, here are some troubleshooting ideas:
- Make sure that you’re connecting to the right IP address. Find your external IP address from the device you want to connect to and use that.
- Try forwarding a different port. Some services, like VNC, use entire ranges of ports, so you might need to forward multiple.
- Change your firewall settings. If the computer you’re using as a server has a firewall, you might need to allow external connections to the port in question.
Understanding slowness: does port forwarding slow down your internet?
Connection slowness can be more challenging to fix. That said, it’s important to note that port forwarding itself has nothing to do with your Internet speed.
If you’re running a high-bandwidth game using port forwarding, it might slow down your connection. However, this isn’t the fault of the port forwarding setup.
Fixing invalid password warnings
Many kinds of remote desktop software will warn you if someone attempts to log in with an invalid password. Since anything connected to the public Internet will receive dozens of hack attempts per minute, you might see a lot of these.
One easy, effective way to decrease the number of invalid login attempts on your computer is to move to a non-standard port. While this approach doesn’t actually increase your security, it does provide some basic obscurity.
From your router’s control panel, change the external port to a high number (below 65,535). If the port is not commonly used for other applications, you should see fewer connection attempts.
Don’t rely on this approach to make up for a bad password, but certainly use it if you suffer from excessive invalid connection attempts.
Port triggering vs. port forwarding: What’s the difference?
Port triggering serves many of the same functions as port forwarding, but it works in a different way. Instead of always forwarding a particular port to a certain machine, port triggering works dynamically.
Here’s effectively how port triggering works:
- A computer on the internal network connects to an external server on a certain port.
- The router sees this connection and triggers a port forwarding rule to the internal computer.
- Afterwards, traffic that matches the forwarding rule is forwarded to the internal computer for a period of time.
If two machines on the local network need to use the same external-facing port, port triggering can be a great solution. However, most of the time, it’s more clunky and difficult to use.
Port forwarding allows you to open up a specific service on your computer to receive inboard traffic from the Internet. From video games to remote desktop, it’s a very useful tool. Port forwarding comes with some security considerations, but they can generally be overcome.