Port forwarding can be a powerful tool to unlock new functions on your router, but it can also open serious security vulnerabilities in your home network. What is it, how can you use it to your advantage, and how can you stay safe?
Your router does many things for you. Right now, you can think of it as a mix between a security guard and a mail sorter. Your NAT firewall (read more about it here), which lives on your router, passes incoming data only to the device that requested it, and by extension blocks incoming data that nobody asked for.
This is great from a security standpoint, but what if you want to form a direct connection between one of your home devices and a remote device far away (say, a web server or your smartphone when you’re out of the house)?
That’s what port forwarding is for.
If you think of your router as a bouncer, then port forwarding is like “putting someone on the VIP list”. Your router has 65,532 ports that it can dedicate to specific purposes or connections. About the first 1,000 are ordinarily dedicated to standard specific functions (you can find a list here), but many of the remaining ports can be assigned to any device you want.
You start by opening a port on your router. After choosing a specific port, give it a specific device to send its connections to. That can be a home PC, a web server, a security camera, an IoT-enabled home appliance, or anything else connected to your network.
Now, if a device sends a connection request to your router and specifies the port you’ve designated, your router will automatically forward the connection on to that device, creating a direct connection.
The specific instructions for port forwarding can be different for each router or brand, so here’s a general overview of what the process might look like:
1. After logging in to your router, open the port forwarding settings panel. There, you should see a list of empty port configurations.
2. Choose one configuration and enter internal and external port numbers (your best bet is to go over 1,000 and under 65,000). In most cases, the external and internal ports don’t actually have to match each other, as long as the external and internal devices know which ones to use.
3. Once the ports are set, enter the local IP address of the device on your network that you want the port to connect to. The local address is different from your router's public IP address, because another one of your router's jobs is to hide your devices' individual IPs behind the single public IP assigned to the router.
4. Now that the router port has this information, it can redirect any request sent to that port straight to your device without revealing its private IP address. But what does that request look like?
Say your router’s IP address is 123.456.789. If the port you set to connect to your home security camera is 3579, then a request to your router to connect directly to the camera via port forwarding would be sent to this address: 123.456.789:3579. It’s just like dialing a phone number with an extension!
In general, port forwarding is useful whenever you need to make a direct connection between a device in your home network and a remote device. The possibilities are virtually endless, limited only by the devices involved and the software they use during the connection:
There are many other legitimate uses for port forwarding, but many of them are advanced and beyond the scope of this introductory article.
Imagine that your router has 65,532 doors, and most of them are locked. If none of your ports are open, information from the internet can still get in – it just has to be checked and allowed in by the router. When one of those doors is unlocked, anyone who knows which door is unlocked can open it and walk right inside whenever they want.
In one sense, it’s not as bad as it sounds – that opened port (or unlocked door) only leads to whichever device it was pointed at when it was set up. A security camera without strong password protection would allow an intruder to see what the camera sees or even to control it. A port opened directly to your PC, on the other hand, could be used to infect your computer or to unlock the rest of your network using your admin privileges.
Even something as simple as a webcam should be secured with a strong password. So should a home PC ready to receive remote connections. You may not want a web server hosting your website to be completely password protected, as some pages will have to be public, but you’ll need to make sure that you can secure the pages and data that need to remain private.
Another issue is that manually configured ports remain open until you manually close them. They can be used and abused while you sleep or while you travel. It’s usually impossible to use a port that’s already occupied, but hackers will have a much easier time trying to connect to a port that is open and not in use.
Hold on – you’ve probably used a service that might use port forwarding (like some videogames or VoIP programs) without actually manually configuring any port forwarding. What gives?
Most modern services that require port forwarding use something called UPnP, or Universal Plug and Play. This protocol solves some of the security issues raised by port forwarding, as it allows apps on your devices to open ports when needed and to close them when they’re done. It’s also way more convenient since it saves you the trouble of having to manually forward your ports.
However, UPnP adds its own potential security issues. First of all, UPnP assumes that every device on your local network is trustworthy. If you happen to get infected by malware and that malware asks the router to open a port so a remote hacker can connect straight to your device, your UPnP router will allow it without question. Such a connection would be much more difficult to open with UPnP disabled.
Outdated routers or ones with poor UPnP implementations can be vulnerable to a number of UPnP exploits, some of which can open all of the ports on your router or use UPnP to change your DNS server (you can read about DNS spoofing and other common hack attacks here).
If you rarely use any of the functions that port forwarding is used for, disabling UPnP might be a good idea. You would then have to configure open ports manually for certain services, but that might be a small price to pay for increased security if you rarely use them. However, instructions for how to do this will vary from device to device (if it's even possible on your router).
Port triggering is much like port forwarding, but with a few key differences. Some of these help shore up some of its security vulnerabilities, but they also limit the cases where port triggering can be useful.
First of all, when you set up port triggering, the port you choose remains closed. It will only open in the event that it is triggered by outbound communication. When the outbound communication that triggered the port opening ends, the port will close after a specified period of time.
This makes the connection more secure because it puts the local device in control of opening the connection and because it otherwise keeps the port shut. As we know, one of the biggest security risks with port forwarding is when the port is kept open for a long time when we’re not using it.
Secondly, port triggering doesn't require you to configure a specific device IP address when creating the trigger in your router's admin interface. This means that any device on your network can initiate the connection, though only one can use it at a time. In port forwarding, you have to define the specific device using the connection. Depending on your router and your devices, this can make port triggering either a more or less secure choice than forwarding.
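As an added illustration (not NordVPN's code or any real router's firmware), here is a small Python model of the router-side logic behind both the forwarding procedure described earlier and port triggering: a manual forward for a camera on port 3579 always passes traffic through, a triggered port opens only after a LAN device sends outbound traffic and shuts again after an assumed 60-second timeout, and anything with no rule is blocked by the NAT firewall. All addresses, port numbers and the timeout are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed model of a home router's inbound decision logic (not NordVPN's code).
# A forwarding rule (the page's "VIP list") maps an external port to a LAN device and
# internal port and is always open. A triggering rule opens its external port only
# after a LAN device sends traffic to the trigger port, and shuts it again TIMEOUT
# seconds after that outbound activity.

TIMEOUT = 60  # assumed hold-open time for a triggered port, in seconds


@dataclass
class Router:
    forwards: dict = field(default_factory=dict)    # ext_port -> (lan_ip, int_port)
    triggers: dict = field(default_factory=dict)    # remote trigger_port -> ext_port
    opened: dict = field(default_factory=dict)      # ext_port -> (lan_ip, expiry)

    def outbound(self, lan_ip, remote_port, now):
        """A LAN device talks out; if remote_port is a trigger, open the paired port."""
        ext = self.triggers.get(remote_port)
        if ext is not None:
            self.opened[ext] = (lan_ip, now + TIMEOUT)

    def inbound(self, ext_port, now):
        """Where an unsolicited packet to router:ext_port goes, or None if dropped."""
        if ext_port in self.forwards:               # manual rule: always forwarded
            return self.forwards[ext_port]
        hit = self.opened.get(ext_port)             # triggered rule: forwarded for a while
        if hit is not None and now < hit[1]:
            return (hit[0], ext_port)
        return None                                 # no rule: NAT firewall blocks it


def demo():
    r = Router()
    r.forwards[3579] = ("192.168.1.20", 8080)       # camera; ext/int ports need not match
    r.triggers[6881] = 6889                         # outbound to 6881 opens inbound 6889
    out = {}
    out["camera"] = r.inbound(3579, now=0)          # reachable with no prior traffic
    out["closed"] = r.inbound(6889, now=0)          # triggered port is shut until used
    r.outbound("192.168.1.30", 6881, now=10)
    out["triggered"] = r.inbound(6889, now=20)      # open, only for the device that triggered it
    out["expired"] = r.inbound(6889, now=10 + TIMEOUT)  # closed again after the timeout
    out["unknown"] = r.inbound(4444, now=20)        # nothing configured: dropped
    return out
```

The "camera" entry is the standing exposure the article warns about: it answers at any time, whether or not the camera is in use, while the triggered port is unreachable again once its activity window passes.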
Port forwarding and triggering could work with a VPN protocol in general, but not with NordVPN. Our apps block almost all port communication from within your device except for the ones most commonly used by popular applications. This was a tough decision that may inconvenience some users, but we’d like to explain why we did this.
Browsing the internet with open ports opens you up to a number of security risks. Blocking access to all ports except those that are essential for our VPN to operate and for you to enjoy the internet is part of how NordVPN keeps you secure. We wouldn’t be able to maintain our excellent security track record otherwise.