Quick Links

Key Takeaways

To forward a port on your router, log into your router, find the "Port Forwarding" section, and then create a rule applying to the device you're using to host. You should also assign a static IP address to the host computer.

Although modern Wi-Fi routers handle most functions automatically, some applications will require you to manually forward a port in your router's settings. Fortunately, it's very simple to forward ports on a router if you know where to look

What Is Port Forwarding?

Port Forwarding (or port mapping) allows external traffic from the internet to connect to a device, like a computer, on a private network.

Say you want to host a Minecraft server for your friends on your computer. When they try to connect, their traffic has to be sent to the correct computer on your network, and their connection must be permitted by your router. Your router uses port forwarding rules to sort out which computer should be sent the traffic relating to the Minecraft server. Of course, it isn't just game servers --- if it involves internet traffic, ports are involved.

Let's look at the details of how it happens.

How Your Router Handles Requests and Uses Ports

Here's a map of a simple home network. The cloud icon represents the greater internet and your public, or forward-facing, Internet Protocol (IP) address. This IP address represents your entire household from the outside world --- like a street address, in a way.

The red address 192.1.168.1 is the router address within your network. The additional addresses all belong to the computers seen at the bottom of the image. If your public IP address is like a street address, think of the internal IP addresses like apartment numbers for that street address.

A LAN network diagram.

The diagram raises an interesting question which you may not have thought about before. How does all the information from the internet get to the right device inside the network? If you visit howtogeek.com on your laptop how does it end up on your laptop and not your son's desktop if the public-facing IP address is the same for all devices?

This is thanks to a wonderful bit of routing magic known as a Network Address Translation (NAT). This function occurs at the router level where the NAT acts like a traffic cop, directing the flow of network traffic through the router so that a single public IP address can be shared among all the devices behind the router. Because of the NAT, everyone in your household can request web sites and other internet content simultaneously and it will all be delivered to the right device.

So where do ports come into this process? Ports are an old but useful holdover from the early days of network computing. Back in the day, when computers could only run one application at a time, all you had to do was point one computer at another computer on the network to connect them as they would be running the same application. Once computers became sophisticated to run multiple applications, early computer scientists had to wrestle with the issue of ensuring applications connected to the right applications. Thus, ports were born.

Some ports have specific applications which are standards throughout the computing industry. When you fetch a web page, for example, it uses port 80. The receiving computer's software knows that port 80 is used for serving http documents, so it listens there and responds accordingly. If you send an http request over a different port --- say, 143 --- the web server won't recognize it because it's not listening there (although something else might be, like an IMAP email server which traditionally uses that port).

Other ports don't have pre-assigned uses, and you can use them for whatever you want. To avoid interfering with other standard-abiding applications, it's best to use larger numbers for these alternate configurations. Plex Media Server uses port 32400, for example, and Minecraft servers use 25565 --- both numbers that fall into this "fair game" territory.

Each port can be used via either TCP or UDP. TCP, or Transmission Control Protocol, is what's used most commonly. UDP, or User Datagram Protocol, is less widely used in home applications with one major exception: BitTorrent. Depending on what is listening, it'll be expecting requests to be made in either one or the other of these protocols.

Why You Need to Forward Ports

So why exactly would you need to forward ports? While some applications take advantage of NAT to set their own ports and handle all the configuration for you, there are still plenty of applications that do not, and you'll need to give your router a helping hand when it comes to connecting services and applications.

In the diagram below we're starting with a simple premise. You're on your laptop somewhere in the world (with an IP address of 987.76.54.123), and you want to connect to your home network to access some files. If you simply plug your home IP address (123.45.67.891) into whatever tool you're using (an FTP client or remote desktop application, for example), and that tool doesn't take advantage of those advanced router features we just mentioned, you're out of luck. It won't know where to send your request, and nothing will happen.

An external request without port forwarding may be blocked.

This, by the way, is a great security feature. If somebody connects to your home network and they aren't connected to a valid port, you want the connection to get rejected. That's the firewall element of your router doing its job: rejecting unwelcome requests. If the person knocking on your virtual door, however, is you, then the rejection isn't so welcome and we need to do a little tweaking.

To solve that problem, you want to tell your router "hey: when I access you with this program, you'll need to send it to this device at this port". With those instructions in place, your router will make sure you can access the right computer and application on your home network.

Port forwarding can be used to direct external requests correctly.

So in this example, when you're out and about and using your laptop, you use different ports to make your requests. When you access your home network's IP address using port 22, your router at home knows that this should go to 192.168.1.100 inside the network. Then, the SSH daemon on your Linux installation will respond. At the same time, you can make a request over port 80, which your router will send to the webserver you're running at 192.168.1.150. Or, you can try to remotely control your sister's laptop with VNC, and your router will connect you to your laptop at 192.168.1.200. In this way, you can easily connect to all the devices you've set up a port forward rule for.

The usefulness of port forwarding doesn't end there though! You can even use port forwarding to change existing services' port numbers for clarity and convenience. For example, let's say you have two web servers running on your home network and you want one to be readily and obviously accessible (e.g. it's a weather server you want people to be able to easily find) and the other web server is for a personal project.

External Ports can be forwarded to different internal ports.

When you access your home network from the public-facing port 80, you can tell your router to send it to port 80 on the weather server at 192.168.1.150, where it will be listening at port 80. But, you can tell your router that when you access it via port 10,000, that it should go to port 80 on your personal server, 192.168.1.250. This way, the second computer doesn't have to be reconfigured to use a different port, but you can still manage traffic effectively --- and at the same time by leaving the first web server linked to port 80 you make it easier for people accessing your aforementioned weather server project.

Now that we know what port forwarding is and why we might want to use it, lets' take a look at some small considerations regarding port forwarding before diving into actually configuring it.

Considerations Before Configuring Your Router

There are a few things to keep in mind before sitting down to configure your router and running through them in advance is guaranteed to cut down on frustration.

Set Static IP Address for Your Devices

First and foremost, all your port forwarding rules will fall apart if you're assigning them to devices with dynamic IP addresses assigned by your router's DHCP service. We dig into the details of what DHCP is in this article on DHCP vs. static IP address assignments, but we'll give you the quick summary here.

Related: How to Set Up Static DHCP So Your Computer's IP Address Doesn't Change

Your router has a pool of addresses that it reserves just for handing out to devices as they join and leave the network. Think of it like getting a number at a diner when you arrive --- your laptop joins, boom, it gets IP address 192.168.1.98. Your iPhone joins, boom, it gets address 192.168.1.99. If you take those devices offline for a period of time or the router is rebooted, then the whole IP address lottery happens all over again.

Under normal circumstances this is more than fine. Your iPhone doesn't care which internal IP address it has. But if you've created a port forwarding rule that says your game server is at a certain IP address and then the router gives it a new one, that rule won't work, and nobody will be able to connect to your game server. In order to avoid that, you need to assign a static IP address to each network device you're assigning a port forwarding rule to. The best way to do that is through your router.

Know Your IP Address (and Set a Dynamic DNS Address)

In addition to using static IP assignments for the relevant devices inside your network, you also want to be aware of your external IP address --- you can find it by visiting whatismyip.com while on your home network. Although its possible you might have the same public IP address for months or even over a year, your public IP address can change (unless your internet service provider has explicitly given you a static public-facing IP address). In other words, you can't rely on typing in your numeric IP address into whatever remote tool you're using (and you can't rely on giving that IP address to a friend).

Related: What Is Dynamic DNS (DDNS), and How Do You Set It Up?

Now, while you could go through the hassle of manually checking that IP address each time you leave the house and intend to work away from home (or every time your friend is going to connect to your Minecraft server or the like), that's a big headache. Instead, we highly recommend you set up a Dynamic DNS service which will allow you to link your (changing) home IP address to a memorable address like mysuperawesomeshomeserver.dynu.net.

Pay Attention to Local Firewalls

Once you set up the port forwarding on the router level, there is a possibility that you may need to tweak firewall rules on your computer too. For example, we've gotten a lot of emails over the years from frustrated parents setting up port forwarding so their kids can play Minecraft with their friends. In almost every case, the problem is that despite setting up the port forwarding rules on the router correctly, somebody ignored the Windows firewall request asking if it it was OK if the Java platform (that runs Minecraft) could access the greater internet.

Be aware that on computers running local firewall and/or anti-virus software that includes firewall protection, you'll likely need to confirm the connection you've set up is okay.

How to Set Up Port Forwarding on Your Router

You can configure port forwarding on your router. Now that you know the basics, it's pretty simple.

As much as we'd love to provide exact instructions for the precise model of router you own, the reality is that every router manufacturer has their own software, and how that software looks can even vary between router models.

In general, you're going to be looking for something called --- you guessed it ---"Port Forwarding". You may have to look through the different categories to find it, but if your router is any good, it should be there. Most routers also offer apps, in addition to any desktop software or interfaces they have.

Step One: Locate the Port Forwarding Rules on Your Router

Rather than attempt to capture every variation, we'll highlight a few to give you an idea what the menu looks like and encourage you to look up the manual or online help files for your particular router to find the specifics.

For comparison, here's what the port forwarding menu looks like for the xFi Gateway in the Xfinity app:

xFi Router port forwarding image.

And here's what the port forwarding menu looks like on a D-Link DIR-890L running the popular third-party DD-WRT firmware:

The dd-wrt port forwarding control panel.

As you can see, the complexity between the two views varies greatly. In addition, the location is completely different within the menus. As such it's most useful if you look up the exact instructions for your device using the manual or a search query.

Once you've located the menu it's time to set up the actual rule.

Step Two: Create a Port Forwarding Rule

After learning all about port forwarding, setting up a dynamic DNS for your home IP address, and all the other work that went into this, the important step --- creating the actual rule --- is pretty much a walk in the park. In the port forwarding menu on our router, we're going to create two new port forwarding rules: one for the Subsonic music server and one for a new Minecraft server we just set up.

Minecraft and Subsonic port forwarding examples.

Despite the differences in location on different router software, the general input is the same. Almost universally, you'll name the port forwarding rule. It's best to simply name it what the server or service is and then append it if need be for clarity (e.g. "Webserver" or "Webserver-Weather" if there is more than one). Remember the TCP/UDP protocol we talked about at the beginning? You'll also need to specify TCP, UDP, or Both. Some people are very militant about finding out exactly what protocol every application and service uses and matching things up perfectly for security purposes. We'll be the first to admit that we're lazy in this regard and we almost always just pick "Both" to save time.

Some router firmware, including the more advanced DD-WRT we're using in the screenshot above, will allow you to specify a "Source" value which is list of IP addresses you're restricting the port forward to for security purposes. You can use this feature if you wish, but be forewarned it introduces a whole new host of headaches as it presumes that remote users (including you when you're away from home and friends who are connecting in) have static IP addresses.

Next you'll need to put in the external port. This is the port that will be open on the router and facing the internet. You can use any number you want here between 1 and 65353, but practically most of the lower numbers are taken up by standard services (like email and web servers) and many of the higher numbers are assigned to fairly common applications. With that in mind, we'd recommend picking a number above 5,000 and, to be extra safe, using Ctrl+F to search this long list of TCP/UDP port numbers to make sure you're not selecting a port that conflicts with an existing service you're already using.

Finally, put in the internal IP address of the device, the port you on that device, and (if applicable) toggle the rule on. Don't forget to save the settings.

Step Three: Test Your Port Forwarding Rule

The most obvious way to check if your port forward worked is to connect using the routine intended for the port (e.g. have your friend connect their Minecraft client to your home server), but that's not always an immediately available solution if you're not away from home.

Thankfully, there's a handy little port checker available online at YouGetSignal.com. We can test to see if our Minecraft server port forward took simply by having the port tester try to connect to it. Plug in your IP address and the port number and click "Check".

A port forwarding test utility.

You should receive a message, as seen above, like "Port X is open on [Your IP]". If the port is reported as closed, double check both the settings in the port forwarding menu on your router and your IP and port data in the tester.

Xfinity Port Forwarding With an xFi Gateway

Unfortunately, you can't do everything in one place anymore if you've got an xFi Gateway. Xfinity has moved port forwarding rules to the Xfinity app, but you must use the web interface to assign a static IP address.

Log in to your xFi gateway by entering the Gateway's address into your web browser. Typically, the address will be 10.0.0.1 or 192.168.0.1, but that isn't guaranteed. You can always find your modem or router's IP address manually if one of those two addresses don't work.

Once you log in, head to Connected Devices, look for your server on the list, then click "Edit."

Devices detected by the xFi gateway on the network.

Tick "Reserved IP," then click "Save."

If you find it easier to remember, you can set a custom IP address, but you're limited to changing the last three digits to a number between 2 and 255.

Tick "Reserved IP" then click "Save."

We've now ensured that the rule will remain applied to the correct device. Next, download the Xfinity app from the Google Play Store or the Apple Store. It is the only way to port forward using an Xfinity xFi Gateway.

Open the app, sign in if prompted, then navigate to Connect > (Your Wi-Fi Network Name) > Advanced Settings > Port Forwarding, and tap, "Add Port Forward."

Click "Add Port Forward."

Select the device or local IP you'd like to make a rule for, then pick a port and select between TCP, UDP, or TCP/UDP. Then tap "Next" to finalize the port forwarding rule.

xFi Router port forwarding image.

That's it --- you're done. Your service should be on the internet. Just make sure that the firewall on the server itself allows for connections on that port.

Common Applications for Port Forwarding

There are as many applications for port forwarding as there are ports, but most of the time you'll use it for setting up remote access, a game server, or a media server. Many people need to port forward for a Minecraft server, or to set up SSH port forwarding. Here is a quick reference chart for some of the most popular applications in those categories.

Application

Ports

Protocol

Minecraft (Java)

25565

TCP/UDP

Minecraft (Bedrock)

19132-19133

TCP/UDP

Project Zomboid (PZ)

16261-16262

TCP/UDP

VNC

5900

TCP

SSH

22

TCP

Plex Media Server

32400

TCP

It is important to note that SSH uses port 22, and that port is specifically reserved for that use. Other applications (like Minecraft) have staked out such a strong claim they have functionally reserved their ports, though there isn't anything officially requiring it. You may occasionally find that you have multiple things trying to use the same port. Remember, there are literally tens of thousands of different ports freely available to use, so just pick another one and use that instead.

But before you go opening up all sorts of ports, hosting every single service you can imagine, take some time to review your security practices. Most are fairly simple to get started with, and they can save you a huge headache later.

Security Precautions for Port Forwarding

If you're port forwarding, you obviously intend for something to be accessible from the Internet. Any time you open up a port you increase your "attack surface." It is always best to take some preventative measures to mitigate your risk. This isn't an exhaustive list of things you can do to protect yourself --- for that we'd need to write multiple novels --- but it is a place to start.

Don't Run Servers As Admin or Root

It doesn't matter if you're hosting a server on Windows, Linux, or any other operating system. Do not use the administrator or root account to host things that are exposed to the Internet. The administrative or root accounts have few (if any) restrictions placed on them. They can perform any operation on your system.

If there is some problem with the service you're running --- like a misconfiguration, bug, or an exploit --- administrative or root access dramatically increases the amount of damage that can be done by a malicious attacker. It may even allow someone to compromise other devices attached to your network.

If you use a regular account you're much less vulnerable --- any attacker that gains access to your system will probably also need some kind of privilege escalation exploit to really cause harm.

Disable Root Login Over SSH

If you're hosting on Linux, you should completely disable root login over SSH. The root user has unlimited access to everything on the system, which makes it a tempting target for would-be evildoers.

Additionally, there is really nothing to be gained by using it, since sudo allows users to execute commands as if they were the root user. Sudo permissions can even be modified on a user-by-user basis, so if you wanted to create a more restricted sudo account to perform basic server administration you could.

You Can Change Your Ports, But Don't Rely On It

You'll sometimes encounter the suggestion that you shouldn't use the default ports for anything you're hosting. The idea behind this is simple: If someone is scanning IP blocks for specific open ports they want to target, changing the port might reduce the chances that someone will attempt to access your server.

For example, you could change the SSH port from 22 to something like 7281.

Is that effective? Only sorta --- it'll certainly reduce the number of automated hits you take from script kiddies (amateur would-be hackers that use prebuilt software or scripts), and there will subsequently be fewer things in your logs to review. However, it won't do anything to deter a serious targeted attack by someone knowledgeable.

Security through obscurity isn't a guarantee, and you should never rely on it to keep your system safe.

Install Fail2Ban on Linux Servers

Fail2Ban is software designed to help secure your server against brute-force attacks. Fail2Ban can be configured to automatically reject connection attempts from any IP address that has tried and failed to log in to your server a certain number of times. Attackers can't attempt to guess passwords more than a few times without being banned.

Fail2Ban can be set up with more complex behaviors too, so it is well worth learning if you plan on hosting on Linux.

Use Security Keys For SSH Whenever Possible

You should always pick a strong password for your administrative or root account, and any other account that you'll log in to remotely. Fail2Ban and any other security measures you might enact will try to stop brute-force attacks, but they could fail. Use the strongest password possible.

If you're using SSH, consider using SSH keys instead of a password. SSH keys are an example of public key cryptography --- keys are generated in pairs, one public, and one private. The public key is placed on the computer that you'll be remotely connecting to. You keep the other member of the pair, the private key, on your computer. When you try to connect, your private key is checked against the key on the server to provide authorization.

Windows, Linux, and MacOS all support SSH keys, so there isn't much reason not to use them. SSH keys are more secure, and --- once setup --- every bit as convenient as a password.

Only Allow Connections from Whitelisted Addresses

You can also improve your security by limiting the connections that are allowed to your server. There are two basic ways to do this: a whitelist and a blacklist. A blacklist prohibits connections from specific people or applications. For example, if you know a hacker was attacking your Minecraft server, you might add their IP to a blacklist so it is always rejected. Alternatively, you can use a whitelist, which works the opposite way. Whitelists only allow pre-approved connections, and they can often be restricted to only allow access to a specific application or a specific port.

On Linux, use Universal Firewall (UFW) or FirewallD to create an OS-level whitelist. You can use whichever you prefer, though Debian distros (like Ubuntu) typically come with UFW, and RHEL distros (like Fedora) typically come with FirewallD. On Windows, open Windows Firewall and go to the "Inbound Traffic" tab to create a whitelist.

Individual applications you might host also often come with built-in whitelist functionality, as well. For example, you can add an IP to a Minecraft Server's whitelist by modifying whitelist.json in the main server directory. The process varies significantly between applications though, and you'll need to check your application's documentation for the details.

Related: The Best Linux Distributions for Beginners

Consider Separating Your Local Area Network With a VLANs

Your home local area network (LAN) is typically a bit of a free-for-all. There is much less security between devices on a LAN than between a device on the Internet and a device on the LAN. The general assumption is that devices attached to your LAN are trusted devices, and that they don't pose much of a security risk.

If you're hosting an internet-facing service, however, that is not a safe assumption. If there is a fault in the service you're hosting, or your other security practices, it is possible that an attacker can compromise your server and through it gain access to other devices on your local area network. It is potentially a huge security breach.

One solution is a Virtual LAN, or VLAN. A VLAN is a separate virtual local area network that is isolated --- through software --- from the "real" LAN that all of your other devices are on. You can limit exactly what kind of traffic is allowed to pass between the VLAN containing your internet-facing server and the VLAN that all of your normal devices are on. This creates a pretty effective barrier between your server and your other devices should a malicious attacker compromise your server. Setting up a VLAN can be a bit complicated, and the details will vary depending on your hardware. Not all consumer routers support VLANs either, so if you don't see it, it probably isn't there.

If your router doesn't support VLANs, you have a few options. You can buy a new router that does support them, or you can add a managed network switch. Managed network switches start at about $30, so they're probably the least expensive way to set up a VLAN at home if your current hardware doesn't support it.

It's a wee bit of a hassle to set up port forwarding, but as long as you assign a static IP address to the target device and set up a dynamic DNS server for your home IP address, it's a task you only need to visit once to enjoy hassle free access to your network in the future.