Port forwarding can be a powerful tool to unlock new functions on your router, but it can also open serious security vulnerabilities. What is it and how can you use it to your advantage while staying safe?
To understand port forwarding you first need to understand what your router does. You can think of it as a mix between a security guard and a mail sorter. Your NAT firewall, which lives on your router, sends incoming connections to the devices that requested them, by extension also blocking unwanted incoming data. It does this automatically, but if you want your home devices to connect to a remote device, you need to set up port forwarding.
Your router has over 60,000 ports. About the first 1,000 are ordinarily dedicated to standard specific functions. The remaining can be assigned to any device or program you want. You can do so by opening a port on your router and assigning it to a specific device. Now, when a device sends a connection request to your router, it will automatically create a direct connection. Here's more about how to find your port number.
Port forwarding is useful whenever you need to make a direct connection between a device in your home network and a remote device. For example:
There are many other legitimate uses for port forwarding, but many of them are advanced and beyond the scope of this introductory article.
The specific instructions for port forwarding can be different for each router or brand, so here’s a general overview of what the process might look like:
Say your router’s IP address is 123.456.789. If the port you set to connect to your home security camera is 3579, then a request to your router to connect directly to the camera via port forwarding would be sent to this address: 123.456.789:3579. It’s just like dialing a phone number with an extension!
Imagine that your router’s ports are doors, and most of them are locked. The information from the internet can still get in – it just has to be checked and allowed in by the router. But when one of those doors are unlocked, anyone who tries that door can open it and walk right in.
In one sense, it’s not as bad as it sounds – that opened port (or unlocked door) only leads to whichever device it was pointed at. But if, for example, your security camera has a weak password (or no password), an intruder could see what the camera sees or even control it. A port opened directly to your PC could be used to infect your computer or to unlock the rest of your network. Therefore it’s essential to protect your devices with strong passwords (see what makes a strong password here).
On the other hand, there are exceptions. You may not want a web server hosting your website to be completely password protected, as some pages will have to be public, but you’ll need to make sure that you can secure those pages and any data that needs to remain private.
Another issue is that manually configured ports remain open until you manually close them. They can be used and abused while you sleep or while you travel. It’s usually impossible to use a port that’s already occupied, but hackers will have a much easier time trying to connect to a port that is open and not in use.
You might have previously used port forwarding without actually manually configuring the ports or even being aware of it. How? Your device used Universal Plug and Play (UPnP), which allows apps on your device to open ports on your router when needed and to close them when they’re done.
UPnP might be convenient but it adds its own potential security issues. It assumes that every device on your local network is trustworthy. So if you happen to get infected by malware that wants to initiate a direct connection with a remote hacker, your UPnP router will allow it without question. Such a connection would be much more difficult to open with UPnP disabled.
Outdated routers or ones with poor UPnP implementations can be vulnerable to a number of UPnP exploits. Some of these can open all of the ports on your router or use UPnP to change your DNS server (you can read about DNS spoofing and other common hack attacks here).
Port triggering is much like port forwarding, but with a few key differences. Some of these help shore up some of its security vulnerabilities, but they also limit the cases where port triggering can be useful.
First, when you set up port triggering, the port you choose remains closed. It will only open in the event that it’s triggered by outbound communication. When the outbound communication that triggered the port opening ends, the port will close after a specified period of time. This makes the connection more secure because it puts the local device in control of opening the connection. However, it also means these connections are difficult or almost impossible to initiate from outside.
Secondly, port triggering doesn’t require you to configure a specific device IP address when creating the trigger. This means that any device on your network can initiate the connection, though only one can use it at a time. In port forwarding, you have to define the specific device using the connection. Depending on your router and your devices, this can make port triggering either a more or less secure choice than forwarding.
Port forwarding and triggering could work with a VPN protocol in general, but not with NordVPN. Our apps block almost all port communication from within your device except for the ones most commonly used by popular applications. This was a tough decision that may inconvenience some users, but we’d like to explain why we did this.
Browsing the internet with open ports opens you up to a number of security risks. Blocking access to all ports except those that are essential for our VPN to operate and for you to enjoy the internet is part of how NordVPN keeps you secure. Otherwise, we wouldn’t be able to ensure your security online.
Protect yourself online with NordVPN. Try it now with a risk-free 30 days money-back guarantee!