Port forwarding is practical for filtering incoming and outgoing Internet connections to redirect traffic by port number. There are tons of advantages to forwarding ports on routers and VPN services, which we are exploring next.
In this article, we are looking under the hood of port forwarding to see what makes it tick. We are examining all types of this traffic redirection method and showing you how to enable VPN port forwarding. Before leaving this page, you will also find out how to use port mapping with BitTorrent clients and eMule.
Here are all topics sorted in an orderly fashion (click to jump):
- What is a port?
- How to check your device for open ports?
- What is port forwarding?
- How it works
- Types of port forwarding
- About port triggering
- What you can do with port forwarding
- Is port forwarding safe?
- How to enable port forwarding on VPN
- How to use VPN port forwarding for torrenting
- How to use VPN port forwarding with eMule
- In conclusion
What is a port?
A port is the last point of contact used by computers to communicate with each other. It identifies a particular computer process or type of network service at the software level. In the example of 220.127.116.11:80, 18.104.22.168 is the IP address, while 80 is the port number. If you launch this request, it means that you are trying to communicate with the computer found at 22.214.171.124 using port 80.
You can determine ports for each protocol (such as TCP and UDP), along with the port number (ranging from 0 to 65535). Because of this, there are no conflicts between protocols. For instance, sites use port 443 to transfer data over HTTPS (typically via TCP).
How to check your device for open ports?
To accept incoming connections on a particular port, that port must be opened (allowed) on your network. If connections are blocked there, it means that any communications using that port will fail.
Here are three uncomplicated methods to find out if your system has open ports:
Use an online service
Visit a site specialized in checking your device for open ports, like CanYouSeeMe, Port Checker and Open Port Checker. Write your IP address and a port number, then click a button to see if it is unlocked.
Launch CMD on Windows, macOS, Linux
It is not exactly challenging to scan your computer for open ports using CMD. But it means doing a bit of investigation. On the bright side, this method lists all open ports on your computer so that you do not have to verify them individually.
- Fire up CMD
- Windows: Press the Win key or click the Start button, type cmd, right-click Command Prompt, and select Run as administrator
- macOS: Open the Go menu, go to Utilities, and double-click to open Terminal
- Linux: Click Activities on the upper-left corner of the desktop, then click the Terminal icon.
- Type netstat -a and press Enter
- The console window displays a list of active connections. You can find out the port number and type (TCP or UDP), along with the status:
- If the status is set to LISTENING, it means that it is open but unused (the socket is waiting for a connection)
- Otherwise, if it is labeled as ESTABLISHED, the port is open and in use.
- To know about more statuses, take a look at this page.
Add Fing on Android and iOS
Android and iOS do not have built-in support for checking ports. But there are plenty of tools in the Google Play Store and App Store for the job. We suggest using Fing because it is free and does not take an aggressive approach towards ads. It has a collection of network utilities, including a port checker.
- Download and install Fing from the Google Play Store or App Store.
- Once you launch the app, go to Network and tap Find open ports.
- Type the domain name or IP address of the computer, then tap Find open ports.
- After completing the scan, Fing reveals all open ports and their role.
What is port forwarding?
Also known as port mapping, port forwarding is a procedure for redirecting network traffic between local and remote computers using ports. It comes in handy for reaching devices and services across the Internet.
Port forwarding is applicable in networking and VPN services. It is a process that silently runs in the background. Once you configure it correctly, it is no longer necessary to intervene to confirm actions.
How it works
Regardless of how many devices you have with Internet access capabilities, your ISP assigns only one IP address. It is public and represents your entire network: your router (default gateway). It is the only device that sits between the public Internet and your private network.
The router is the sole authority in charge of filtering incoming and outgoing connections. It makes sure to send messages to the correct recipients. At the same time, it receives and forwards data to the right devices in your network. When you visit a website to find out your IP address – that is the public IP of your gateway.
A private network with non-routable IP addresses
All devices with Internet access must have an IP address so that they can communicate with each other. That means that your desktop, laptop, printer, smartphone, and tablet must have an IP address, too. The problem is they are private, non-routable IP addresses. External computers cannot access your devices directly.
Here are the ranges of non-routable private IP addresses accepted on IPv4:
- 10.0.0.0 – 10.255.255.255
- 172.16.0.0 – 172.31.255.255
- 192.168.0.0 – 192.168.255.255
The networking device drops any messages sent by devices with non-routable IPs (for safety reasons). Even the router has a private IP address that it uses to communicate with the other devices (e.g., 192.168.0.1). To change router settings, you would have to gain access by private IP.
Here is an example of a private network:
- Router: 192.168.0.1
- Desktop: 192.168.0.107
- Smartphone: 192.168.0.198
- Tablet: 192.168.0.101
- Smart TV: 192.168.0.105
- Smart Refrigerator: 192.168.0.103
As you can see, all devices share the first three octets: 192.168.0. The last octet (emphasized with bold) represents the unique identifier of each machine. Your gateway uses this unique ID to find out where to establish a connection when sending and receiving messages from the public Internet.
The role of NAT and its routing table
The router knows to which device it must forward messages from the web, thanks to a feature called NAT (Network Address Translation). NAT has a routing table with the non-routable addresses of all devices connected via DHCP.
When a device (such as a smartphone) wants to reach a remote server, it sends a request to the default gateway. Before broadcasting the message remotely, the router modifies the packet header. It replaces the non-routable IP address of the smartphone with the public IP address of the gateway itself.
At the same time, it writes down the non-routable IP of the smartphone in its NAT table to remember where to forward replies received from the remote server. Messages are safely exchanged this way, without the remote server ever knowing the non-routable IP address of the smartphone.
Where port forwarding comes in
A port accompanies all network connection requests. Its number lets the router know what type of packet is being transferred. For example, port 80 corresponds to HTTP, port 21 to FTP, and port 443 to HTTPS traffic.
If port forwarding is enabled, the router performs an additional verification. While analyzing the packet header, it cross-checks the port with the list of port forwarding rules that you previously defined. It is possible to forward any number or range of ports.
Let us assume that you configured the router to redirect all HTTP traffic to a laptop via port 80. All remote computers trying to establish a connection with your smartphone, desktop and all other devices via port 80 will be automatically forwarded to your laptop. However, keep in mind that no other gadgets aside from your laptop will know that connections were ever attempted.
Types of port forwarding
There are several kinds of port mapping that you should know about:
Local port forwarding
Known as the most typical method, you can configure local port mapping to pass on messages from the local machine to another server within a secure environment. It is possible to forward data from an SSH client using an SSH server. The SSH server redirects packets from any port (local to the host computer that runs the SSH client) to any other device and port.
The method helps bypass firewalls, receive emails, access intranet resources across firewalls, and connect to sites through an SSH tunnel (e.g., from home to work).
A key feature is the ability to add network security to old (legacy) applications that do not have native encryption support. The procedure is also known as SSH tunneling or SSH port forwarding. Examples of tools specialized in local port forwarding are PuTTY, MobaXterm and mRemoteNG.
Remote port forwarding
Remote port forwarding is the reverse operation of local port forwarding: applications from the server can access services on the client. It can be SSH or another type of server. This approach is useful for providing a remote access on an intranet to an outsider. For example, a corporation may facilitate remote access to work-at-home employees or those traveling abroad.
Caution is advisable because it also means exposing the private web application to the public Internet. Hackers may infiltrate internal networks to steal or destroy data. Remote port mapping can also be used for opening remote desktop sessions and for allowing remote access to web applications hosted on your server.
Router port forwarding
It is what we call when forwarding ports at the router level. You should access the configuration page of the default gateway, find a port forwarding feature, then edit port settings: ports or range of ports, protocol, status, and IP address. Some software programs or video games specify the exact ports you should open to get them working properly.
Furthermore, you should assign a static IP address to the router. This way, you do not have to configure port settings every time your router receives a new IP. Check out this site to find out how to open and forward ports on any router.
Once router port forwarding is enabled, the gateway remembers what type of Internet traffic to redirect to which IP address. It will keep following your rules and passing on data traffic until you reaccess the router to modify the configuration.
VPN port forwarding
It is a port forwarding feature that few virtual private network services offer. If the VPN provider uses a NAT firewall to protect users from suspicious connections, it can cause trouble. In most cases, NAT firewalls cannot tell apart safe connections from dangerous ones.
Let us assume you are hosting a server for gaming via VPN. Your friends might not be able to connect to your computer. It happens due to firewall restrictions inadvertently set by your VPN provider.
The NAT firewall of the VPN service can also interfere when you are seeding torrents. It prevents other users from downloading torrents from your computer. But the problem is solved with VPN port forwarding, which can reroute incoming connections and help others get past your firewall.
Static port forwarding
A few VPN services let you enable static port forwarding. You are associated with a constant port whose number does not change. It saves you the hassle of changing port forwarding settings every time you launch the VPN client to establish a secure Internet connection. On the downside, the VPN provider might still reset your assigned port. Static port forwarding is less common than the dynamic mode.
Dynamic port forwarding
As the name suggests, it is the opposite of static mode. A VPN client that features dynamic port forwarding will assign a new port to your computer on every session (every time you connect to the VPN). It typically uses UPnP. Although dynamic, some VPN providers will retain the same port for an extended time. Dynamic port forwarding is more frequent than the static mode.
UPnP port forwarding
UPnP (Universal Plug and Play) is a series of networking protocols that allows UPnP-compatible devices to discover each other in LAN, without any configuration on your behalf. Such devices are security cameras, game consoles, printers, personal computers, or mobiles. Once they spot each other, they can create services over the network to share data.
About port triggering
Port triggering is similar to port forwarding to some degree. It can be configured on routers with NAT features to control the flow of traffic between internal and external computers (inside and outside a private network).
Just like port mapping, you can set up port triggering to redirect inbound connections to any host in the local network. However, the forwarded port does not remain open permanently. Instead, it keeps the port closed until it is specifically requested otherwise. The port closes automatically after a certain amount of time.
Further, the new internal host that receives the forwarded data is selected dynamically. The goal of port triggering is to protect your system from hackers that might exploit the vulnerabilities of open ports.
What you can do with port forwarding
There are numerous advantages to enabling port forwarding on your router or VPN application, such as:
- Fix issues when downloading/uploading torrents and using other peer-to-peer applications via VPN.
- Access your home desktop, notebook, or server from anywhere in the world.
- Share access with other users to a web server, FTP, or anything else you are hosting.
- Stay in touch with your home security system when you are away.
- Optimize multiplayer games and host game rooms.
- Set up TeamViewer to provide remote desktop access when you need to get files from your personal or work computer quickly.
- Access the resources of your office’s intranet when you are home or traveling.
- Fix gaming issues on Xbox and PlayStation consoles by implementing NAT Type Open (on Xbox) or NAT Type 2 (PlayStation), such as joining lobbies or repairing voice chat.
- Test ports on your network to see which are vulnerable to hacker attacks.
- Add an extra layer of security against DDoS attacks.
- Get access to services on Plex or Synology NAS.
Is port forwarding safe?
Yes, if you configure it appropriately.
Open ports are susceptible to hacker attacks
Generally, it is not wise to keep ports open. Hackers could snoop around and redirect traffic to their computer or infect you with malware. At the same time, you should practice common decency and not test port forwarding by redirecting traffic from all ports.
It is perfectly safe to enable port forwarding for Xbox or PlayStation, as well as for consumer devices like security cams. If the devices are password protected, you minimize hacking risks.
The dangers of UPnP
Many routers turn on UPnP by default. Unfortunately, it uses multicast through the UDP protocol and does not benefit from encryption or authentication features. Therefore, UPnP is considered a dangerous port forwarding method. But it also depends on how it was implemented on the router.
Anyone who manages to infiltrate your network may set up port mapping and infect your IoT devices with malware. In 2008, it was discovered that a Flash applet could send a UPnP request to the router for port forwarding. In 2015, the FBI recommended computer users to disable UPnP at the router level due to high-security risks.
What about the “Port fail” security warning?
In 2015, the company behind the Perfect Privacy VPN service uncovered a vulnerability that affected nine (unnamed) VPN providers. As it turned out, hackers could easily expose the home IP address of anyone using five of those VPN services with port forwarding.
What made matters worse, it was not necessary to have port forwarding enabled to fall victim to this IP leak. The cybercriminal only needed an account to the same VPN service used by the victim, along with the victim’s IP address while connected to a VPN server (any server location).
Then, the hacker had to enable port forwarding. That was it. The home IP address was exposed even if port mapping was disabled on the victim’s end. This vulnerability affected all VPN protocols, even OpenVPN and IPSec. Some VPN providers fixed the issue, like Private Internet Access, Ovpn.to, and nVPN. But it was unclear for others because the remaining VPN companies did not step out from the shadows.
How to enable port forwarding on VPN
It can be challenging to activate VPN port forwarding, so here are four steps you should take:
- Step 1: Find out if your go-to VPN service supports port mapping
You might be surprised by the lack of support among popular VPN services like ExpressVPN, NordVPN or CyberGhost VPN. Therefore, you should run a Google search to see if your VPN app allows port forwarding. To be extra sure, you can contact customer support and ask them a straightforward question about this.
- Step 2: Locate the port mapping feature
Because port forwarding is not as common as other VPN settings, it might not pop out. Some VPN applications keep the port forwarding feature grouped with the rest of the configuration options within the graphical interface.
However, as you will see in our examples below, other VPN providers let you enable port mapping only from the web interface. After logging in with your account details, you can find and activate the option from the dashboard.
- Step 3: Check the conditions of using port mapping
Not all VPN services provide you with the same circumstances for utilizing port forwarding mode. For instance, they might charge you extra for this feature. Some let you use only one port while others put up to five simultaneous ports at your disposal.
Whatever the case, there is more to port forwarding than meets the eye, so it is recommended to get all the facts straight before activating this feature.
Once you clarify all aspects surrounding port mapping, there is nothing left to do but turn it on. Usually, you have to click a button and then “Save,” “OK” or something just as ordinary for committing modifications.
To paint you a more precise picture of how it works, here are three popular VPN clients with clear-cut instructions of how to enable VPN port forwarding:
- Log into your Mullvad account page
- Scroll down the page until you spot Manage your forwarded ports
- Click Add port to enable port forwarding
- It is not possible to choose the port number (you get a random port)
- You can use up to five ports at the same time
- Make sure you are disconnected from the VPN server
- Right-click the PIA tray icon to open a menu and select Settings
- Go to the Network tab, then select Request Port Forwarding and exit the settings area
- Not all VPN servers are available when port forwarding is enabled
- The application does not mention what port it uses to forward network traffic
- Sign into your Ivacy account page
- Go to Port Forwarding
- Scroll down until you reach Your Settings
- It is possible to Open All Ports, but we do not recommend it because it comes with high risks.
- Instead, you can select Block all ports but enable following, and then choose the ports that you want to forward
- Up to fifteen ports can be open at once
- Click Apply Settings after finishing modifications
How to use VPN port forwarding for torrenting
The steps necessary for enabling VPN port forwarding for torrenting are almost the same for all torrent clients. But minor differences may exist, depending on how the torrent client keeps its settings organized.
- Step 1: Activate port forwarding in your VPN service
- Step 2: Change the listening port in your torrent client
- Step 3: Deactivate UPnP and NAT-PMP in your torrent client
- Step 4: Check if your port was forwarded successfully
uTorrent & BitTorrent
- Enter the Options menu and go to Preferences (or press Ctrl+P)
- In Preferences, go to Connection and locate the Listening Port section
- Edit the Port used for incoming connections and write the new port number assigned by your VPN service when you enabled port forwarding
- Clear the boxes of Enable UPnP port mapping and Enable NAT-PMP port mapping to make sure these features are disabled
- Click Apply and return to the main application window
- Click the Tools menu and go to Options (or press Ctrl+,)
- In Options, go to Connection and locate the Incoming TCP/UDP listen port section
- Set the port number given by your VPN provider when you activated port forwarding
- Go to Plugins -> UPnP and clear the box of Enable UPnP to deactivate this feature. NAT-PMP is automatically disabled when UPnP is switched off
- Click Save and go back to the Vuze main window
- Open the Edit menu and go to Preferences
- In Preferences, go to Network and find the Incoming Peers area
- At Port for incoming connections, change the port number to the one given by your VPN service when you enabled port mapping
- In the same area, clear the box of Use UPnP or NAT-PMP port forwarding from my router to turn off this feature
- Click Close to return to the Transmission main window
How to use VPN port forwarding with eMule
eMule uses two ports for incoming and outgoing Internet connections, on both TCP and UDP. If you close these ports, the P2P client switches to “Low ID” using the eMule servers. This feature blocks your uploading connections but allows downloading, although hindered.
To get a “High ID,” you can enable VPN port forwarding. However, getting eMule up and running with port forwarding is trickier than configuring torrent settings. It uses UPnP to bypass your firewall. Thus, if you disable UPnP, eMule will not be able to evade firewall restrictions anymore. It means that you have to turn off the system firewall and keep it like this while using eMule with port forwarding enabled. There is no other known solution.
- Step 1: Enable port forwarding in your VPN application
- Step 2: Change the client port in eMule
- Step 3: Disable UPnP in the P2P client
- Step 4: Turn off your system firewall
- Step 5: Test the new ports in eMule
- Click Options from the main application window
- In Options, go to Connection and locate the Client Port area
- At Client Port, change the TCP and/or UDP port to the port number supplied by your VPN service when you switched on port forwarding
- Below Client Port is a feature called Use UPnP to Setup Ports. Make sure its box is cleared to disable the setting (it should be deactivated by default)
- Click Apply to confirm modifications
- Press Win on your keyboard or click the Start button, type firewall, and select Check firewall status
- In the Windows Defender Firewall panel, click Turn Windows Defender Firewall on and off (requires admin rights)
- Check the option to Turn off Windows Defender Firewall at both Private network settings and Public network settings
- Click OK to confirm
- Click Options from the main window of eMule
- In Options, visit Connection and find the Client Port section again
- Click Test Ports
- It opens a page in your default web browser. The P2P client performs a connection test and lets you know if network traffic is possible on the new TCP and UDP ports
- If you get past the test, you have configured VPN forwarding with eMule successfully
Port forwarding is a useful feature that brings tons of perks. Although you can configure it at the router level, it is easier to opt for a VPN service with port mapping support. You can set it up with torrenting clients and eMule to eliminate errors related to NAT firewall.