What is port forwarding

What is port forwarding and what is it used for?

The basics

To really explain port forwarding, you first need to learn a little more about how your router works. Your Internet service provider instructs your Internet connection a IP address too. All computers on the internet need a unique IP address, but you have multiple computers in your home and only one address. How does this work?

When you know what it is and just want to know how to do it : http://portforward.com/ has screenshots for literally hundreds of different routers. The documentation is hidden there behind an advertising page for their automatic portconfig tool. (Just click around a little and you will find it.)

NAT - what is it? Why do we use it?

A function called Network Address Translation (NAT) is built into your home router. Computers on your network have addresses like All addresses in the range 192.168. * (Or in the range 10. *) are "private" or "reserved" Addresses. These addresses are officially assigned by IANA for use in private networks. Your router will automatically assign such an address to every computer connected via DHCP. The computers in your network use these addresses to communicate with the router and with each other.

Your router has a separate network interface that connects it to the Internet. This interface has a completely different address assigned by your ISP. This is the one address I mentioned earlier, and your router uses it to communicate with other computers on the internet. Computers on your network not routable private IP addresses, ie if you send packets directly to the Internet, the packets are automatically discarded (packets with private addresses are not allowed to pass through the Internet for reasons of stability). However, your router has one routable Address. As the name indicates, translates the Network address translation between these two types of addresses so that the multiple computers on your network appear on the Internet as one computer with one address.

The details

While this may sound complicated, how your router does it is actually pretty simple. Every time a computer on your network tries to connect to a computer on the internet, it sends the connection request to the router (it knows it is sending it to the router, be there Standard gateway Parameter is set to the address of the router). The router then takes this connection request (a "SYN request" in TCP / IP) and changes the source address (the "reply address" or the return address) and changes it from the private IP of the computer to the public IP of the routers so that the Response is sent to the router. Then in a database (as NAT table called ) noted that the connection was initiated so that she will remember it later.

When the reply comes back from the remote computer (a "SYN-ACK"), the router looks in its NAT table that a connection to this host on this port was previously initiated by a private computer on your network and changes the destination address to the private address of the computer and forwards it within your network. That way, packets can still travel back and forth between networks, with the router transparently changing addresses to make this work. When the connection is terminated, the router simply removes it from the NAT table.

Or do you think about it like that

A metaphor may help illustrate this. Let's say you are a US freight forwarder who works with Chinese customers. You have to send packages to many customers in the US, but it's easier to only send packages to one location for customs / paper reasons. So you receive a package from one of your customers in China (in this example the private network) with an actual destination somewhere in the USA (on the internet). You change the address label on the box to the US (public) address and the return address to your own public address (as it cannot be returned directly to China without charging the customer) and hand it over to the postal service. When the customer returns the product, it comes to you. You can check your documents to find out which company in China it came from,

This works fine, but there is a small problem. What if a customer needs to send something to the company, let's say a money order for something? Suppose a computer on the Internet initiates a connection to the router (a SYN request), for example to a web server on the network. The letter / package only contains the router's public address, so the router doesn't know where to send it! It can be for every computer on the private network, or for none of them. You may have encountered this problem when calling someone at home - if they call you it won't be a problem, but when you call them they may not know who they are calling for, so the wrong person may be answering.

While this is easy enough for humans to sort out, it is much more difficult for computers because not every computer on your network knows all of the other computers.

And finally we come to port forwarding

We can use port forwarding to fix this problem: this is a way of telling your router which computer on the network it should forward incoming connections to. We have three different ways of doing this:

  • Faux DMZ : Many routers have a feature called DMZ. This stands for Demilitarized Zone, a type of network security configuration. The DMZ on home routers is often referred to as a faux DMZ because it lacks the features of an actual DMZ. This is the simplest way of handling incoming connections: all incoming connection requests are sent to an address specified on your network. It's very simple: you enter an IP address in the configuration of your router and all incoming connections are directed to it. However, this doesn't always work because multiple computers may have to accept incoming connections. For this we have ...
  • Port forwarding : All network connection requests contain a "port". The port is just a number, and it's part of how a computer knows what the packet is. IANA has indicated that port 80 will be used for HTTP. This means that an incoming packet with port number 80 must be a request for a web server. Port forwarding on your router allows you to enter a port number (or possibly a range or combination of numbers, depending on your router) and an IP address. All incoming connections with a matching port number are forwarded to the internal computer with this address.
  • UPnP Port forwarding: UPnP forwarding works the same as port forwarding, but instead of setting it up, the software on a computer on the network automatically sets the router to forward traffic to it through a specific port.

An example

Let's look at an application example. Many multiplayer video games (such as Counter Strike) allow you to run a game server on your computer that other people can connect to and play with you. Your computer doesn't know everyone who wants to play and so can't connect to them. Instead, they have to send new connection requests to your computer from the Internet.

If you hadn't set up anything on the router, it would receive these connection requests but would not know which computer on the network the game server is installed on, so it simply ignores them (or more precisely, sends them back a packet indicating that no connection can be established). Fortunately, you know the port number that is displayed when requesting a connection to the game server. Set a port on the router for forwarding with the port number expected by the game server (e.g. 27015) and the IP address of the computer with the game server (e.g.
The router can forward the incoming connection requests to on the network, and computers outside can connect.

Another example would be a local network with two computers, the second with the IP hosting a website with Apache. Therefore, the router should forward incoming requests from port 80 to this computer. When using port forwarding, both computers can be running on the same network at the same time.

Video games are perhaps the most common place users encounter port forwarding in everyday life, although most modern games use UPnP so you don't have to do it manually (instead, it's fully automatic). You need to do this whenever you want to be able to connect directly to something on your network (rather than through an intermediary on the internet). This could include running your own web server or connecting to one of your computers using Remote Desktop Protocol.

A note on safety

The beauty of NAT is that it offers effortless, built-in security. Many people search the internet for vulnerable computers and try to connect to different ports. Since these are incoming connections, these are disconnected from the router, as explained above. This means that in a NAT configuration only the router itself is susceptible to attacks with incoming connections. This is a good thing as the router is much simpler (and therefore less vulnerable) than a computer running a full operating system with a lot of software. So be aware that by DMZing a computer on your network (setting a DMZ destination), you lose that level of security for that computer: it is now completely open to incoming connections from the Internet. So you need to secure it as if it was directly connected. Of course, when you forward a port, the receiving end computer becomes vulnerable to that particular port. So make sure you are running up-to-date software that is well configured.