🦁 IP Animals
🧰 How-To & Troubleshooting

Port Forwarding Explained (and How to Set It Up)

What port forwarding is, when you need it, and how to set it up safely on your router — with the security caveats you should know before you open anything.

Port forwarding is a router setting that lets a device inside your home network accept connections from the wider internet. Normally your router blocks unsolicited inbound traffic, which is exactly what keeps your devices safe. Port forwarding deliberately pokes a hole in that protection so a specific service — a game server, a self-hosted app, a security camera — becomes reachable from outside. It is genuinely useful, but because it removes a layer of defence, you should understand the trade-offs before you set it up.

Why your router blocks inbound connections in the first place

Your home almost certainly has one public IP address shared by every device, thanks to NAT. When your laptop requests a web page, the router remembers that conversation and lets the reply back in. But if some random computer on the internet tries to start a new connection to you, the router has no matching record and drops it — it does not know which internal device the traffic was meant for, and defaulting to "block" is the safe choice.

Port forwarding is how you give the router an answer in advance: "any connection arriving on this port should go to this device." A network port is simply a numbered channel, like 25565 for a Minecraft server or 443 for HTTPS, that identifies which service the traffic is for.

Tip

Before creating any rule, give the target device a fixed local address. If it gets its IP from DHCP, that address can change on reboot and your forwarding rule will silently point at nothing. Follow our guide to setting a static IP (a router DHCP reservation is ideal) so the rule always finds the right machine.

When you actually need port forwarding

Most people never need it — outbound connections (browsing, streaming, most apps) work fine without it. You need port forwarding only when something outside your network must initiate a connection to a device inside it. Common cases include:

For remote access specifically, a VPN back into your home network is usually safer than forwarding ports, because it exposes nothing to the open internet. Keep that in mind as an alternative.

Security caveats: read this before you forward anything

This is the important part. A forwarded port is an open door to the internet, and the internet is relentlessly scanned by automated bots looking for exactly these doors. To do it responsibly:

How to set up port forwarding on your router

Every router's interface looks a little different, but the steps and the fields you fill in are essentially the same everywhere.

  1. Find and note the target device's local IP (e.g. 192.168.1.50) and make it static, as above.
  2. Open your router's admin page. In a browser, go to the default gateway — commonly 192.168.1.1 or 192.168.0.1. Not sure of the address? Our guide on finding your IP shows how to read the gateway.
  3. Log in. Credentials are often on a sticker on the router. If you have never changed the default password, change it now.
  4. Open the port-forwarding section. Look for Port Forwarding, Virtual Server, NAT, or Applications & Gaming, usually under Advanced settings.
  5. Create a new rule and fill in the fields:
    • Name — a label like Minecraft.
    • External / WAN port — the port the internet connects to (e.g. 25565).
    • Internal / LAN port — the port on your device (often the same number).
    • Protocol — TCP, UDP, or both, depending on the service. If unsure whether to pick TCP or UDP, our explainer on TCP vs UDP helps.
    • Internal IP — the target device's local address (192.168.1.50).
  6. Save and apply. Some routers require a reboot for the rule to take effect.

Common port examples

ServiceTypical portProtocol
HTTP (web)80TCP
HTTPS (secure web)443TCP
SSH (remote shell)22TCP
Minecraft (Java)25565TCP
WireGuard VPN51820UDP

Testing your rule and troubleshooting

Make sure the service is actually running on the device, then test the port from outside your network — for instance using mobile data instead of home Wi-Fi, or an online port-checking tool. Testing from inside your own network often fails even when the rule is correct, because of how NAT loopback works, so an external test is the reliable one.

If it still will not connect, work through these in order:

  1. The device's local IP changed. Re-check it matches the rule; a static IP prevents this.
  2. A software firewall is blocking the port. Windows Defender Firewall, macOS firewall or Linux ufw may need an allow rule for that port.
  3. You're behind carrier-grade NAT (CGNAT). Some ISPs share one public IP across many customers, so you have no unique public address to forward to. Compare the WAN IP on your router with what IP Animals reports — if they differ, or the WAN IP is in the 100.64.0.0/10 range, you are likely behind CGNAT and will need to ask your ISP for a public IP.

What about a changing public IP?

Even with a working rule, your public IP may be dynamic and change over time, breaking any bookmark that used the number. The standard fix is dynamic DNS, which keeps a memorable hostname pointed at your current address automatically. Many routers include a dynamic DNS client built in. With a static local IP, a tight forwarding rule and dynamic DNS in place, your service will stay reliably reachable — just remember to keep it patched and locked down, because that open port is facing the whole internet.

Frequently asked questions

Is port forwarding safe?

Port forwarding is safe when done carefully, but it does deliberately expose a device and service to the entire internet, bypassing your router's default protection. Only forward ports you truly need, keep the target software fully patched, use strong credentials, and close the rule when you no longer need it.

Why isn't my port forwarding working?

The most common causes are the target device's local IP changing, so the rule points nowhere, a software firewall on the device blocking the port, or your ISP using carrier-grade NAT so you have no unique public IP to forward to. Set a static local IP first, then check the firewall, then confirm you have a real public address.

Do I need a static IP for port forwarding?

You need a static local IP for the target device, or a DHCP reservation, so the forwarding rule always points at the right machine. You do not strictly need a static public IP, but if your public IP changes you will need dynamic DNS to keep reaching your service by name.

What is the difference between port forwarding and a DMZ?

Port forwarding opens only specific ports to a device, keeping everything else protected. Placing a device in the DMZ forwards all inbound ports to it, exposing it far more widely. Port forwarding is almost always the safer choice; a DMZ should be avoided unless you fully understand the risk.

Is UPnP a good alternative to manual port forwarding?

UPnP lets apps open ports automatically, which is convenient, but it also means software can expose your network without your explicit approval. For a service you control, a deliberate manual rule is safer and more predictable than leaving UPnP enabled.

Curious what your own IP is? Visit the IP zoo →