Your IP: Unknown · Your Status: Unprotected Protected

Blog In Depth

Port forwarding: what it is and how to set it up

Aug 21, 2019 · 5 min read

Port forwarding: what it is and how to set it up

Port forwarding can be a powerful tool to unlock new functions on your router, but it can also open serious security vulnerabilities. What is it and how can you use it to your advantage while staying safe?

What is port forwarding?

To understand port forwarding you first need to understand what your router does. You can think of it as a mix between a security guard and a mail sorter. Your NAT firewall, which lives on your router, sends incoming connections to the devices that requested them, by extension also blocking unwanted incoming data. It does this automatically, but if you want your home devices to connect to a remote device, you need to set up port forwarding.

Your router has over 60,000 ports. About the first 1,000 are ordinarily dedicated to standard specific functions. The remaining can be assigned to any device or program you want. You can do so by opening a port on your router and assigning it to a specific device. Now, when a device sends a connection request to your router, it will automatically create a direct connection.

What is port forwarding used for?

What is port forwarding?

Port forwarding is useful whenever you need to make a direct connection between a device in your home network and a remote device. For example:

  • Watch a security camera or baby monitor when away from home;
  • Connect to your home server remotely;
  • Use remote desktop software to access your home computer;
  • Allow other users to connect to your public web server;
  • Connect to an IoT device on your home network;
  • Form a direct connection to a gaming server;
  • Maintain uninterrupted and direct access to a VoIP call server.

There are many other legitimate uses for port forwarding, but many of them are advanced and beyond the scope of this introductory article.

How to set up port forwarding

The specific instructions for port forwarding can be different for each router or brand, so here’s a general overview of what the process might look like:

  1. Log into your router. You can do so by entering your router’s IP (or in other words, default gateway) into the address bar.
  2. Open the port forwarding settings panel. There, you should see a list of empty port configurations.
  3. Choose one configuration and enter internal and external port numbers (your best bet is to go over 1,000 and under 65,000). In most cases, the external and internal ports don’t actually have to match each other, as long as the external and internal devices know which ones to use.
  4. Once the ports are set, enter the local IP address of the device you want the port to connect to on your network (the local address will be different from your router’s IP address, since another one of your router’s jobs is to hide your devices’ individual IPs under the router’s public IP).
  5. Now the router can redirect any request sent to that specific port straight to your device without revealing its private IP address. But what does that request look like?

Say your router’s IP address is 123.456.789. If the port you set to connect to your home security camera is 3579, then a request to your router to connect directly to the camera via port forwarding would be sent to this address: 123.456.789:3579. It’s just like dialing a phone number with an extension!

Is port forwarding safe?

Imagine that your router’s ports are doors, and most of them are locked. The information from the internet can still get in – it just has to be checked and allowed in by the router. But when one of those doors are unlocked, anyone who tries that door can open it and walk right in.

In one sense, it’s not as bad as it sounds – that opened port (or unlocked door) only leads to whichever device it was pointed at. But if, for example, your security camera has a weak password (or no password), an intruder could see what the camera sees or even control it. A port opened directly to your PC could be used to infect your computer or to unlock the rest of your network. Therefore it’s essential to protect your devices with strong passwords (see what makes a strong password here).

On the other hand, there are exceptions. You may not want a web server hosting your website to be completely password protected, as some pages will have to be public, but you’ll need to make sure that you can secure those pages and any data that needs to remain private.

Another issue is that manually configured ports remain open until you manually close them. They can be used and abused while you sleep or while you travel. It’s usually impossible to use a port that’s already occupied, but hackers will have a much easier time trying to connect to a port that is open and not in use.

What is UPnP?

What is UPnP

You might have previously used port forwarding without actually manually configuring the ports or even being aware of it. How? Your device used Universal Plug and Play (UPnP), which allows apps on your device to open ports on your router when needed and to close them when they’re done.

UPnP might be convenient but it adds its own potential security issues. It assumes that every device on your local network is trustworthy. So if you happen to get infected by malware that wants to initiate a direct connection with a remote hacker, your UPnP router will allow it without question. Such a connection would be much more difficult to open with UPnP disabled.

Outdated routers or ones with poor UPnP implementations can be vulnerable to a number of UPnP exploits. Some of these can open all of the ports on your router or use UPnP to change your DNS server (you can read about DNS spoofing and other common hack attacks here).

Port forwarding vs. port triggering

What is port triggering?

Port triggering is much like port forwarding, but with a few key differences. Some of these help shore up some of its security vulnerabilities, but they also limit the cases where port triggering can be useful.

First, when you set up port triggering, the port you choose remains closed. It will only open in the event that it’s triggered by outbound communication. When the outbound communication that triggered the port opening ends, the port will close after a specified period of time. This makes the connection more secure because it puts the local device in control of opening the connection. However, it also means these connections are difficult or almost impossible to initiate from outside.

Secondly, port triggering doesn’t require you to configure a specific device IP address when creating the trigger. This means that any device on your network can initiate the connection, though only one can use it at a time. In port forwarding, you have to define the specific device using the connection. Depending on your router and your devices, this can make port triggering either a more or less secure choice than forwarding.

Does port forwarding work with a VPN?

Port forwarding and triggering could work with a VPN protocol in general, but not with NordVPN. Our apps block almost all port communication from within your device except for the ones most commonly used by popular applications. This was a tough decision that may inconvenience some users, but we’d like to explain why we did this.

Browsing the internet with open ports opens you up to a number of security risks. Blocking access to all ports except those that are essential for our VPN to operate and for you to enjoy the internet is part of how NordVPN keeps you secure. Otherwise, we wouldn’t be able to ensure your security online.

Protect yourself online with NordVPN. Try it now with a risk-free 30 days money-back guarantee!


Emily Green
Emily Green successVerified author

Emily Green is a content writer who loves to investigate the latest internet privacy and security news. She thrives on looking for solutions to problems and sharing her knowledge with NordVPN readers and customers.


Subscribe to NordVPN blog