Port Forwarding: A Complete Guide
Port forwarding tells your router: "when someone from the internet asks for port X, send them to device Y on my network." Essential for game servers, self-hosting, remote desktop, etc.
!
Quick answer
Log into your router → find Port Forwarding (or NAT / Virtual Server) → add a rule with the external port, internal port, protocol (TCP/UDP), and your device's local IP. Save, reboot the router if asked, and verify with a port-checking tool.
Port forwarding tells your router: "when traffic arrives on port X from the internet, send it to this specific device on my local network." Without it, incoming connections are blocked by NAT. You need it to host a game server, run a private web server, allow remote desktop access, expose a security-camera feed, or use peer-to-peer apps that require open ports.
Before you start — collect this information
| You need | Where to find it |
|---|---|
| Your router's admin IP | Usually 192.168.1.1 or 192.168.0.1 — see our homepage for the full list |
| Router admin password | Sticker on the router, or whatever you set when you configured it |
| The local IP of your target device | On the device itself — see our How to find your router IP guide; the device's own IP is shown the same way |
| The port number(s) the app uses | The app's documentation. Minecraft = 25565 TCP, RDP = 3389 TCP, Plex = 32400 TCP, etc. |
| Protocol — TCP, UDP, or both | The app's documentation |
Pro tipReserve a static IP for the target device first. If the device's IP changes (DHCP renewal), your port forward will silently break. Set a DHCP reservation in the router for that device's MAC address — every router supports this.
Step-by-step
- Log into your router. Open a browser, go to your router's admin IP, sign in.
- Find the port forwarding section. The menu varies wildly:
- TP-Link: Advanced → NAT Forwarding → Virtual Servers
- Netgear: Advanced → Advanced Setup → Port Forwarding/Port Triggering
- ASUS: WAN → Virtual Server / Port Forwarding
- D-Link: Advanced → Port Forwarding
- Linksys: Security → Apps and Gaming → Single Port Forwarding
- Xfinity/Comcast gateway: Advanced → Port Forwarding
- Add a new rule with:
- Service / rule name: anything memorable ("Minecraft", "RDP-PC")
- External port: the port the internet sees
- Internal port: usually the same as external
- Protocol: TCP, UDP, or Both
- Internal IP: the LAN IP of your target device (e.g. 192.168.1.42)
- Save the rule. Some routers require a reboot.
- Test it from outside your network — use a phone on cellular data and connect to
YOUR_PUBLIC_IP:PORT, or use an online port-check service.
Common ports cheat-sheet
| Service | Port | Protocol |
|---|---|---|
| HTTP web server | 80 | TCP |
| HTTPS web server | 443 | TCP |
| SSH | 22 | TCP |
| RDP (Windows Remote Desktop) | 3389 | TCP |
| VNC | 5900 | TCP |
| Minecraft (Java) | 25565 | TCP |
| Minecraft (Bedrock) | 19132 | UDP |
| Plex Media Server | 32400 | TCP |
| FTP | 20, 21 | TCP |
| BitTorrent | 6881–6889 | TCP + UDP |
Security considerations
CriticalNever forward ports for services you don't actively use. Every open port is an attack surface. If you've finished hosting that LAN party, delete the rule.
Don't forward port 80, 443, 22, 3389 carelessly. They're constantly scanned by bots. If you must expose them, use strong passwords, fail2ban, key-based auth (for SSH), and consider changing the external port to a non-standard one (e.g. external 50022 → internal 22).
Better alternativeConsider a VPN or tunnel instead. Tools like Tailscale, WireGuard, or Cloudflare Tunnel let you reach your devices remotely without opening any inbound ports. Safer and easier to maintain.
Troubleshooting
Port-check tool says my port is closed even though I configured it. Likely causes, in order of frequency: (1) target device's firewall is blocking the port — open it in Windows Defender Firewall or
ufw; (2) you're behind Carrier-Grade NAT (CGNAT) and your ISP doesn't give you a real public IP — call your ISP; (3) you put the wrong internal IP in the rule.It works from inside my network but not from outside. That's normal — you're seeing the local service directly, not via NAT. Always test from a cellular network or a remote machine.
My ISP blocks port 25/80/443. Many residential ISPs do, to discourage spam and self-hosted servers. Workaround: use a non-standard external port and an inbound tunnel service.
Frequently asked questions
What's the difference between port forwarding and port triggering?
Port forwarding is permanent — the rule is always active. Port triggering opens a port only when outbound traffic from a specific local port is detected; it closes again afterward. Triggering is safer but rarely supported by modern apps.
Can I forward the same port to two devices?
No. One external port → one internal IP, by definition. For two devices, use two different external ports (e.g. 25565 → device A, 25566 → device B).
What is UPnP and should I use it?
UPnP lets apps automatically open ports without you configuring anything. Convenient but a security risk — malware can use it too. Enable only if you trust every device on your network; otherwise create forwards manually.
Will port forwarding slow down my internet?
No. It just changes how incoming traffic is routed. Your overall bandwidth and latency stay the same.
Do I need a static public IP from my ISP?
Not necessarily. If your ISP changes your public IP occasionally, use a free dynamic-DNS service (No-IP, DuckDNS, DynDNS) so a friendly hostname always points to your current IP.