Everything you need to know about port forwarding – and how to make it work for you
We explore this networking technique
Port forwarding is a networking technique that can seem a bit mysterious at first, but it's incredibly useful once you get the hang of it. Essentially, it allows external devices to connect to a specific device within your local network, bypassing the router's default security measures.
This can be especially handy for things like accessing your home server remotely, managing security cameras, or even hosting game servers. In this guide, I'll explain what port forwarding is, how to set it up, and discuss its safety and relation to VPNs. By the end, you'll have a clear understanding of how to make port forwarding work for you.
What is port forwarding?
When your router connects to the internet, it’s given an IP address. This is the unique identifier that allows other devices on the internet to communicate with you. However, think about how many devices are actually sitting on your router. Even if you’ve only got a desktop or laptop connected, you’ve almost certainly connected your phone too. If there are multiple devices sitting on the same router, how do devices sitting on the internet know which one they’re talking to?
Well, this is where port forwarding comes into play. In the same way that an IP address identifies a specific device on a network, a port identifies a specific network service on a single device. You can imagine that a single server might be hosting both a web service and an email service at the same time, so both of these services operate on different ports to avoid any confusion between the two.
However, you can use ports for more than just sending traffic to a specific service. You can also set up your router to direct data from one network port to another. Essentially, port forwarding tells your router to forward incoming traffic from the internet that accesses a specific port to a particular device within your local network. For example, if you want to access a server at home while you're away, port forwarding can make that server accessible from the internet.
Port forwarding isn’t necessary if you’re just browsing the internet, as your router can handle all of that by itself. On the other hand, if you want to run a service that you can access from outside of your local network, port forwarding is absolutely essential.
For example, if you want to set up a web server that you’re hosting from inside your network, you’ll need to make sure it’s accessible from the internet. With port forwarding, when other devices access your IP on port 80, all of those requests are forwarded by your router to the web server on your network.
There are a lot of different services that work this way, and not all are as niche. If you’ve got a home CCTV network, you’ll want to be able to access it from anywhere on the internet when you’re away from home. With port forwarding, you’ll be able to access your home IP from anywhere and log in.
It’s also useful if you’re trying to set up a gaming session with your friends. Most multiplayer games work off of a client-server model, where one participant hosts the session and the rest connect to their session. Without port forwarding, all of the incoming requests to join the session would drop.
You’ve also probably heard of port forwarding if you’ve ever tried to use torrenting software. Torrents work on a swarm model, where each client tries to connect to other clients in the network to upload and download files. If you can’t port forward, you’re cutting your ability to torrent in half as you’ll only be able to initiate connections to other clients who do have port forwarding enabled.
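The router behaviour described in this section, as an added example that is not from the original article: a toy model of how a router decides what to do with traffic arriving on its public IP. The class, the function names and all addresses (documentation ranges) are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Router:
    public_ip: str
    # Port forwarding rules: (protocol, external_port) -> (internal_ip, internal_port)
    forwards: dict = field(default_factory=dict)
    # Connections opened from inside: (protocol, public_port) -> (int_ip, int_port, remote_ip, remote_port)
    sessions: dict = field(default_factory=dict)
    next_port: int = 40000

    def add_forward(self, proto, ext_port, int_ip, int_port):
        self.forwards[(proto, ext_port)] = (int_ip, int_port)

    def outbound(self, proto, int_ip, int_port, remote_ip, remote_port):
        """A LAN device opens a connection; the router remembers it so replies can return."""
        public_port = self.next_port
        self.next_port += 1
        self.sessions[(proto, public_port)] = (int_ip, int_port, remote_ip, remote_port)
        return public_port

    def inbound(self, proto, remote_ip, remote_port, dst_port):
        """Decide the fate of a packet arriving on the public IP."""
        s = self.sessions.get((proto, dst_port))
        if s and (s[2], s[3]) == (remote_ip, remote_port):
            return ("reply", s[0], s[1])           # answer to something a LAN device started
        rule = self.forwards.get((proto, dst_port))
        if rule:
            return ("forwarded", rule[0], rule[1])  # unsolicited, but a rule matches
        return ("dropped", None, None)              # unsolicited and no rule: port is closed

def demo():
    r = Router("203.0.113.10")
    results = []
    # 1. Ordinary browsing: the laptop starts the connection, so the reply gets back in.
    p = r.outbound("tcp", "192.168.1.20", 51515, "198.51.100.7", 443)
    results.append(r.inbound("tcp", "198.51.100.7", 443, p))
    # 2. A stranger requests port 80 before any rule exists.
    results.append(r.inbound("tcp", "198.51.100.99", 40111, 80))
    # 3. Same request after forwarding TCP 80 to the internal web server.
    r.add_forward("tcp", 80, "192.168.1.50", 80)
    results.append(r.inbound("tcp", "198.51.100.99", 40111, 80))
    # 4. Rules are per protocol: UDP to port 80 is still dropped.
    results.append(r.inbound("udp", "198.51.100.99", 40111, 80))
    return results

if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```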
How to set up port forwarding
Setting up port forwarding really isn’t as complicated as it sounds. You just need to understand a few basic concepts about networking and what exactly you’re trying to achieve.
First, you need to identify the service you’re trying to port forward for. That service will have a specific port it’s listening on, which is the destination port that you’ll need to note down for later. Some services will have a specific port by default, such as a web server, while something like a torrent client will have a randomized port you’ll be able to change.
You’ll also need to find out the internal IP address of the device you’re trying to access. Most routers have DHCP enabled by default, which dynamically assigns IPs from a pool of addresses. To make sure your port forwarding settings work in the long term, you’ll have to assign a static IP to the device you’re trying to make accessible from the internet.
You can do this by going to your router’s settings through your web browser. You’ll have to type your router’s IP address into the address bar, which is usually something like 192.168.1.1 or 192.168.0.1. You may have to check in with your ISP or router manufacturer for this step, but once you’re inside your router’s configuration menu it’s smooth sailing.
You’ll then need to find your router’s DHCP menu and add the MAC address of the device you’re trying to keep static to the list. You’ll find the MAC address on the device itself, although it varies by OS so you’ll need to look this up. You’ll also need to choose a static IP, which you should also write down for the next step.
Once you’ve got a static IP assigned, you can move on to port forwarding. You’ll need to find the section labeled “Port Forwarding” in your router’s menu, and add a new port forwarding rule. The external port is the port your router listens on for traffic from the internet, whereas the internal port is the one your device on the internal network is listening on.
For example, if you were hosting a web server internally that you wanted to expose to the internet, your internal port would be port 80, corresponding with the web server. Your external port could be absolutely anything you wanted, but an internet user would have to know to check that port to access your website. Therefore, if you wanted to keep it simple, you’d also use port 80 as your external port.
All that’s left is choosing the internal IP address that’s receiving the traffic (this is the static IP you picked out earlier) and whether it’s the TCP or UDP protocol. That’s all there really is to it.
Is port forwarding the same as a VPN?
Port forwarding is conceptually similar to a VPN, but they’re fairly different things in practice. Port forwarding is about directing traffic from the internet to a specific device within your local network. The device you’re talking to will know the IP address for your internet gateway, but it won’t know the specific IP on your internal network, so port forwarding translates that for you.
A VPN, on the other hand, creates a secure tunnel for your data to travel through the internet, protecting it from eavesdropping and unauthorized access. It’s similar to port forwarding in that the VPN server acts as your internet gateway, so all of the devices you interact with on the internet send traffic to that VPN server which then sends that traffic back to you.
The main difference is that port forwarding only deals with routing specific types of traffic to internal devices, while a VPN encrypts and secures all data transmitted from your device to a server, which disguises your IP address.
Some VPNs actually offer full port-forwarding services which means you’re able to host services on your internal network and access them through your VPN IP address, which is especially useful if you’re also using a dedicated IP.
Is it safe to port forward?
Port forwarding does come with some security risks, but if you manage them properly it’s nothing to worry about. You need to understand that your firewall will reject most incoming traffic by default. On a home router, all of your ports are “closed”, which means that a hacker can’t send traffic and get a response. When you open a port for port forwarding, it allows anyone on the internet to send traffic to that port, which can potentially open up a pathway into your network.
Really, it all depends on which service you’ve set up. Running older network services with known vulnerabilities will leave you at risk, so you’ll need to ensure all the software on your system has been patched and your OS has all the up-to-date security patches it needs. If you’re hosting password-based systems, you’ll also need to make sure you have strong passwords and anti-brute-force measures like IPBan in place.
If not configured properly, port forwarding might expose sensitive data to external parties, including your ISP or malicious actors. This is especially true if your service doesn’t use encryption, as the data passing through open ports can be intercepted and monitored. Using a VPN can minimize this risk, as everything that passes through a VPN tunnel is encrypted. You should always use encrypted services, but if it’s not possible then a VPN will at least stop your traffic from being spied on.
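An added example, not part of the original article, that checks a set of forwarding rules against the setup steps (static IP reservation, external and internal port, TCP or UDP) and the encryption advice above. The rule and reservation formats, all sample values and the `audit` function are constructed; the cleartext port list uses well-known default ports as an assumption about what is running.

```python
import ipaddress

# Assumption: these well-known default ports carry unencrypted services.
CLEARTEXT = {21: "FTP", 23: "Telnet", 80: "HTTP"}

def audit(rules, reservations):
    """Return (external_port, protocol, finding) tuples for rules worth a second look.

    rules:        dicts with ext_port, int_ip, int_port, proto
    reservations: {mac_address: static_ip} as entered in the router's DHCP menu
    """
    reserved = set(reservations.values())
    seen, findings = {}, []
    for r in rules:
        key = (r["proto"], r["ext_port"])
        target = (r["int_ip"], r["int_port"])

        def flag(msg, r=r):
            findings.append((r["ext_port"], r["proto"], msg))

        if r["proto"] not in ("tcp", "udp"):
            flag("protocol must be tcp or udp")
        if not ipaddress.ip_address(r["int_ip"]).is_private:
            flag("internal IP is not a private address")
        elif r["int_ip"] not in reserved:
            flag("no static reservation: DHCP may hand this IP to another device")
        if key in seen and seen[key] != target:
            flag("external port already forwarded to a different device")
        seen.setdefault(key, target)
        if r["proto"] == "tcp" and r["int_port"] in CLEARTEXT:
            flag(f"{CLEARTEXT[r['int_port']]} is unencrypted by default")
    return findings

# Constructed sample configuration.
RESERVATIONS = {"aa:bb:cc:dd:ee:01": "192.168.1.50"}
RULES = [
    {"ext_port": 443,   "int_ip": "192.168.1.50", "int_port": 443,   "proto": "tcp"},
    {"ext_port": 8080,  "int_ip": "192.168.1.50", "int_port": 80,    "proto": "tcp"},
    {"ext_port": 51413, "int_ip": "192.168.1.77", "int_port": 51413, "proto": "udp"},
    {"ext_port": 443,   "int_ip": "192.168.1.60", "int_port": 443,   "proto": "tcp"},
]

if __name__ == "__main__":
    for ext_port, proto, finding in audit(RULES, RESERVATIONS):
        print(f"{proto}/{ext_port}: {finding}")
```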
Sam Dawson is a cybersecurity expert who has over four years of experience reviewing security-related software products. He focuses his writing on VPNs and security, previously writing for ProPrivacy before freelancing for Future PLC's brands, including TechRadar. Between running a penetration testing company and finishing a PhD focusing on speculative execution attacks at the University of Kent, he still somehow finds the time to keep an eye on how technology is impacting current affairs.
- Olivia Powell, Tech Software Commissioning Editor