We may earn affiliate commissions for the recommended products. Learn more.

What is port forwarding and how safe is it?


Port forwarding, or port mapping, allows remote servers and devices on the internet to access the devices that are within your private local-area network (LAN) and vice versa. Without port forwarding, only devices that are part of the internal network can access each other, and with port forwarding, anyone can.

Whether you’re making a Minecraft game accessible to your friends or hosting a small website, port forwarding is a useful way to access software running on your computer remotely.

Essentially, port forwarding maps an external “port” on your internet-facing IP address to a particular computer on your local private network. This allows you (or someone else) to access something on your computer from the internet.

Port forwarding solves all kinds of problems, but it can also be dangerous. If you fail to secure a remote desktop connection, for example, someone could log into your computer from afar.

In this article, we’ll extensively explore the topic of port forwarding - how does it work, what it is used for and how to solve any port forwarding problems that might arise.

How to use port forwarding safely

Port forwarding

How does port forwarding work?

Ports are how computers distinguish between multiple services listening on one computer.

Using ports lets a device run a myriad of different processes and services. Each service has its own port - for example, email servers usually use port 587 while websites use port 80.

In total, there are more than 65,000 different ports, but only about 1,000 are used regularly. The others can be assigned to the devices or applications of your choice, and this process is called port forwarding.

how port forwarding works

To fully understand it, you should also know that, thanks to NAT (Network access translation), all the internal devices share the same external IP address.

So, let’s use a little allegory to explain how port forwarding works.

You can think of ports like doors to a house: your computer is at 1234 Daisy Lane and it has about 65,000 doors. If port 22, used for the SSH remote access protocol, is listening, imagine that door 22 on 1234 Daisy Lane is unlocked.

The trouble with NAT is that it provides different addresses internally and externally. To continue the house analogy, imagine that the outside world could only send visitors to Daisy Lane, not specific houses within the neighborhood. If a visitor asks for door 22 on Daisy Lane, the gatekeeper (representing NAT on the router) won’t know which house to send them to.

This is where port forwarding comes in. When you set a few router (or other default gateway) settings, it will be able to send inbound connections to the right computer within the network.

Types of port forwarding

There are several types of port forwarding, with each of them serving different purposes. Local and remote port forwarding uses the TCP port 22, or SSH Tunneling.

  • Local port forwarding. This type of port forwarding is used when you want to use your LAN device to get data from a destination that you don’t have access to, but a device in the middle, or an intermediate, has. This allows for data to be pulled from the remote destination to your local device.
  • Remote port forwarding. This type of port forwarding allows your device to be visible to other remote devices or on the internet. In this case, data is being pushed from your device to the remote destination server, and then back to the source port and to your device. With remote forwarding, anyone on the internet or remote device can get access to your device.
  • Dynamic port forwarding. Dynamic port forwarding is virtually an extension of the local port forwarding. The difference is that any program from your LAN device can use the SSH tunnel and access any remote destination port by using only one port on your side. Dynamic port forwarding works by creating a proxy of sorts.

What is port forwarding used for?

From the sound of it, port forwarding might seem like it’s in the purview of IT professionals and programmers. While those kinds of people are certainly heavy users of port forwarding, it’s useful for a far wider range of the computer-using population.

Here are some of the most common uses for port forwarding:

  • Hosting game servers for multiplayer gaming accessible from outside your home network.
  • Running remote desktop protocols for accessing your computer remotely.
  • Permitting file transfers from your computer to the outside world, or external networks.
  • Running a publicly-accessible website from your home computer.
  • Using torrent applications to quickly download files.
  • Hosting your own VPN server that allows you to access your home network from afar.

While many of these tasks can be accomplished without the help of port forwarding, it’s often the easiest solution.

Is port forwarding safe?

Port forwarding inherently gives people outside of your network more access to your computer. Giving access or accessing unsafe ports can be risky, as threat actors and other people with malicious intents can then easily get full control of your device.

Port forwarding requires disabling Network access translation (NAT), the technology that allows multiple devices to share one IP address. NAT also protects your devices from external attacks.

When you selectively disable NAT with port forwarding, you open your chosen device up to direct connections from the wider Internet. If you port forward a remote desktop connection to the Internet, anyone from anywhere in the world can connect to your computer if they know the password or exploit a bug. This can be bad.

Can you get hacked through port forwarding? Yes. If you take security precautions, such as using a firewall or a VPN for the port forwarding process, is it likely? Not really.

More than anything, responsibly using port forwarding requires care and diligence. The following general tips will make sure that you stay safe:

  • Use strong passwords. If you’re running a remote access connection, your computer is only as secure as the password you set. Hackers try multiple passwords every second on every machine connected directly to the Internet. If possible, eliminate this weakness altogether by using key-based authentication (supported by some protocols like SSH tunnels).
  • Update your devices quickly. Vulnerabilities are constantly discovered and fixed in operating systems and other software. If you put off updating your computer, there might be a bug that a hacker can use to defeat your security and gain access to your computer.
  • Don’t expose more than you need. Once you learn how to use port forwarding, you might want to use it with all sorts of devices and services. This is a bad idea. As you expose more surface, the odds of a successful cyberattack against your computer increase.

Dangers of port forwarding

Even though using port forwarding with a VPN greatly reduces the risk of getting hacked, you should still be aware of the possible dangers. Let’s look at some more specific hypothetical scenarios where port forwarding can be risky.

1. You port forward access to a video game. For convenience, you don’t set a password, thinking that hackers will never guess your IP address. Your friends can join your game with ease, but so can bad actors.

  • Just like how hackers test passwords to Internet-accessible services multiple times per second, they also automatically attack open protocols like games on every internet-connected device.
  • Set a strong password and keep your device updated to prevent this issue.

2. You secure your game with a password, but don’t update the game or device. A security issue is discovered in the game, allowing anyone who exploits the bug to hack your computer.

  • Apply security updates in a timely manner to avoid this problem.

3. You forward a port to use a torrenting application. Even though you think you’re using an anonymizing solution like a VPN, data is accidentally uploaded through your real IP address. If you’re downloading copyrighted material, you could be in trouble.

  • Always verify that your software is configured correctly. Don’t assume that your traffic is anonymous just because you use a VPN or Tor.

How to open ports on a router

Because port forwarding involves changing settings on your router, the exact process will depend on your router model. However, the process usually takes the same form regardless of who made your router.

In this guide, I’ll use screenshots from a common Comcast modem/router combination.

Step 1: Find your router’s configuration page

Every router makes its settings accessible through some kind of a configuration interface. Apple AirPort routers are somewhat unique in that they require special software (AirPort Utility) to change their settings. For most routers, you can change settings with a website accessed through a special IP address.

Internal networks use IP addresses that follow the form of 10.X.X.X or 192.168.X.X. The 172.16.X.X subnet is less common but also possible.

Your router’s configuration page will likely be at the first IP address in its range. To figure out what this address is, first look in your computer’s networking settings to figure out what IP prefix you use.

Interface of Mac network settings that show router IP address

Depending on your computer’s operating system, this setting will be in a different place.

On my Mac, it helpfully displays both my computer’s internal IP address and the router’s IP address. You can see that the prefix used on my network is 10.X.X.X and that the router is at the very first possible IP address. Most routers use the first IP address in their prefix, regardless of which prefix your network uses.

Next, go to your router’s IP address in a web browser. On the Xfinity (Comcast) router used in these examples, you’ll be greeted by a login page that looks like this:

Xfinity (Comcast) router login page

If you see something similar, congratulations! You successfully found your configuration page.

Step 2: Log in

Now that you’re at the login page, you might not remember your username and password. If you don’t remember setting one in the first place, it’s probably still set to the default. The helpful site RouterPasswords.com offers a database of default passwords that you can try.

Step 3: Find the port forwarding option

Port forwarding option under the Advanced menu on Xfinity (Comcast) router configuration page

On my router, this feature is hidden in the Advanced menu. If you can’t find it, continue looking through the menus.

Interface of Port Forwarding section on Xfinity (Comcast) router configuration page

In the case of this router, it appears that we cannot change port forwarding settings directly from the router’s configuration page. Let’s follow its instructions and visit the other settings website.

After logging into Comcast’s website, we can go to See Network:

See Network option after logging in to Comcast website

Afterwards, click on Advanced Settings:

Option to select Advanced Settings on Comcast website

Now we’ve found it!

Advanced Settings on Comcast website

Step 4: Add the port forward

Now that we’ve found the option, it’s time to add the port forward.

Option to add Port Forward on Comcast website

This screen appears similar on nearly every router. First, we select a device or IP address to use as the destination. This is the device that runs the software we want to forward.

Next, choose a common service to forward or manually input a port. If you choose a premade option, your service should work out of the box. Otherwise, you might need to experiment to find the correct port to forward.

If you want to forward an entire range of ports or add multiple ports to the forwarding list, you can do this here.

Step 5: Test out your program

To adequately test whether your port forwarding was successful, you’ll need to use a device outside your local network. Follow the instructions listed later in this article to test out your port forward.

We’ll look at common problems and solutions in more detail later on.

How to open ports on a VPN

Many VPN services allow you to open ports on the other end of the tunnel. Instead of remotely connecting to your computer’s actual IP address, you connect to the VPN’s endpoint IP address. That way, no one has access to your actual device, and any data sent through the secure tunnels is encrypted.

Using a VPN to forward ports is a way to deal with the risks that forwarding ports on a router puts your devices and data in, such as hacks, data corruption and/or theft, and malware infections.

Compared to forwarding ports on a hardware router, doing the same on a VPN is relatively simple. However, not every provider supports port forwarding, so do your research before purchasing a VPN. Also, since the process of forwarding ports differs for every VPN provider, look for specific instructions on their website.

Common problems with port forwarding

While port forwarding works most of the time, it can fail on occasion. Whether the root issue is user error or something with the software, port forwarding issues can be difficult to diagnose.

Here are a few of the most common issues that can occur with port forwarding:

  • “Connection refused” errors as if you are not using port forwarding at all.
  • Slow remote connections that make games and remote desktop unusable.
  • Constant invalid password warnings from remote desktop software.

How to test port forwarding

Before you can figure out the cause of any issues, it’s important to have a reliable testing process. To effectively test a port forwarding setup from the comfort of your home, you’ll need the following hardware and software:

  • A desktop or laptop computer used to host the application being port-forwarded.
  • An additional computer to use as a client.
    • This computer must have the client software installed for the application you’re testing.
  • A smartphone with tethering or a secondary Internet connection.

Using Minecraft as an example, here’s how to test that your port forwarding worked:

  1. From the server machine, start the Minecraft server and verify that it is running on the port you selected.
  2. Connect the client machine to your smartphone or secondary internet connection. This connection must have a different external IP address.
  3. Open the Minecraft game on your client machine and connect to the first computer’s external IP and port.
  4. Verify that the connection works and the game loads. Don’t worry about speed; if you’re using cellular Internet on the client, it won’t be fast even if you did everything correctly.

You can also check your port by using this online open port testing tool.

Troubleshooting connection refused errors

If you continue to see connection refusals, here are some troubleshooting ideas:

  • Make sure that you’re connecting to the right IP address. Find your external IP address from the device you want to connect to and use that.
  • Try forwarding a different port. Some services, like VNC, use entire ranges of ports, so you might need to forward multiple.
  • Change your firewall settings. If the computer you’re using as a server has a firewall, you might need to allow external connections to the port in question.

Does port forwarding slow down the internet?

Connection slowness can be more challenging to fix. That said, it’s important to note that port forwarding itself has nothing to do with your Internet speed.

If you’re running a high-bandwidth game using port forwarding, it might slow down your connection. However, this isn’t the fault of the port forwarding setup.

Fixing invalid password warnings

Many kinds of remote desktop software will warn you if someone attempts to log in with an invalid password. Since anything connected to the public Internet will receive dozens of hack attempts per minute, you might see a lot of these.

One easy, effective way to decrease the number of invalid login attempts on your computer is to move to a non-standard port. While this approach doesn’t actually increase your security, it does provide some basic obscurity.

From your router’s control panel, change the external port to a high number (below 65,535). If the port is not commonly used for other applications, you should see fewer connection attempts.

Don’t rely on this approach to make up for a bad password, but certainly use it if you suffer from excessive invalid connection attempts.

Port triggering vs. port forwarding: What’s the difference?

Port triggering serves many of the same functions as port forwarding, but it works in a different way. Instead of always forwarding a particular port to a certain machine, port triggering works dynamically.

Here’s effectively how port triggering works:

  • A computer on the internal network connects to an external server on a certain port.
  • The router sees this connection and triggers a port forwarding rule to the internal computer.
  • Afterwards, traffic that matches the forwarding rule is forwarded to the internal computer for a period of time.

If two machines on the local network need to use the same external-facing port, port triggering can be a great solution. However, most of the time, it’s more clunky and difficult to use.

Example of port forwarding

It is one thing to know how things work in theory, and another it is to have a real life example. So, let’s say you want to set up a public Minecraft server for you and your friends.

Setting up the server itself requires a bit of coding, but we don’t need to focus on that here. The most important thing to know is that this Minecraft server is local. This means that it can only be accessed from devices that are connected to your LAN, or sharing the same external IP address. If you want to play on your server with your friends, they won’t be able to access it unless they come to your home and connect to your internet.

You need to open your server to incoming connections from remote devices, and this is where port forwarding comes into place. In your router configuration, you need to enter the standard Minecraft server port number, which is 25565. That way, your router will know to forward incoming connections from your friends’ devices to your Minecraft server.

If you want to try setting up a Minecraft server yourself, check out this guide.

Bottom line

Port forwarding allows you to open up a specific service on your computer to receive inboard traffic from the Internet. From video games to remote desktop, it’s a very useful tool. Port forwarding comes with some security considerations, but they can generally be overcome.


Thinking of trying out a VPN service? Read one of our VPN guides or reviews


FAQ

Comments

Netgear extender setup
prefix 4 months ago
Thanks for sharing the information with us!
Brad
prefix 3 years ago
Hello Jack,
I appreciate the simplification of this useful networking topic. Thank you for additionally showing step-by-step instructions on how one might accomplish their port-forwarding goals by accessing their router admin interface.
Leave a Reply

Your email address will not be published. Required fields are markedmarked