
Port forwarding: letting the outside reach one inside machine

Port forwarding is a router rule that sends inbound internet traffic arriving on a chosen port to a specific device and port inside your network. It is how you make a service running at home reachable from outside, by punching a deliberate hole through the router that would otherwise drop unsolicited inbound connections.

At a glance

What it is: A router rule sending an inbound port to one internal device
What it is for: Making a home-hosted service reachable from the internet
The catch: It exposes that device's port to the whole internet
When it fails: It cannot help if your provider puts you behind shared CGNAT
Flow: inbound traffic finding the right machine

An outside request hits the router's public address on a port. The forwarding rule sends it to the one internal device you chose. The last step is the service finally receiving the request.

1. Inbound request from the internet: arrives at the public address on a port
2. Router forwarding rule: you mapped that port to one device
3. Internal service receives it: the request reaches the machine you chose

What does port forwarding actually do?

By default a home router drops unsolicited inbound traffic, because Network Address Translation (NAT) means an arriving request has no idea which internal device it was meant for. Port forwarding is how you answer that question in advance: you tell the router that anything hitting its public address on, say, port 443 should go to one specific machine and port inside the network. From then on the outside world can reach that one service.

It is the oldest trick for hosting from home, and it works. You map a port, you point traffic at a device, and the service is live on the public internet.

What are you signing up for?

A forwarded port is a deliberate hole in the wall, and the whole internet can see it. The moment it is open, automated scanners will find it and start trying the door, so anything behind it has to be something you are willing to defend: patched, authenticated, watched. That is the real cost, not the setup but the standing exposure.

There is also a failure that no amount of configuration fixes. If your provider puts you behind Carrier-Grade Network Address Translation (CGNAT), you do not hold a public address of your own to forward from, and the rule has nothing to bind to. That is when people reach for an overlay network or a tunnel instead, where the home machine reaches out to a meeting point and never waits to be reached. No open port, nothing for a scanner to find.

Check it yourself

ss -tlnp

Lists the ports your machine is actually listening on. A forwarding rule is pointless unless something here is bound to the port you are forwarding.
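The two checks above (is anything actually listening on the port you plan to forward, and do you hold an address a forwarding rule can bind to) as an added shell example that is not part of the original page. The `ss -tlnp` output below is a constructed sample standing in for the real command, and the WAN addresses passed to `wan_address_class` are made up; the CGNAT test uses the 100.64.0.0/10 shared address range (RFC 6598) and the private ranges from RFC 1918. A listener bound only to 127.0.0.1 is flagged separately, because the router can forward to the machine all day and the service will still never answer a request from the LAN side.

```shell
#!/bin/sh
# Added example, not code from the page. Checks the two things that make a
# port-forwarding rule pointless before you open the port.

# Constructed sample of `ss -tlnp` output. Replace with: SAMPLE_SS=$(ss -tlnp)
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       4096    127.0.0.1:8080       0.0.0.0:*          users:(("app",pid=1234,fd=5))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=900,fd=6))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=700,fd=3))'

# listener_state PORT -> prints one of:
#   ok        a listener is bound to a non-loopback address on PORT
#   loopback  something listens on PORT, but only on 127.0.0.1 / [::1]
#   none      nothing listens on PORT at all
listener_state() {
  port="$1"
  printf '%s\n' "$SAMPLE_SS" | awk -v p="$port" '
    $1 == "LISTEN" {
      # Column 4 is "address:port"; the port is the text after the last colon,
      # which also handles bracketed IPv6 addresses such as [::]:22.
      n = split($4, a, ":"); lp = a[n]
      addr = substr($4, 1, length($4) - length(lp) - 1)
      if (lp == p) {
        if (addr == "127.0.0.1" || addr == "[::1]") lo = 1; else ok = 1
      }
    }
    END { if (ok) print "ok"; else if (lo) print "loopback"; else print "none" }'
}

# wan_address_class A.B.C.D -> prints "public", "cgnat" or "private".
# "cgnat" means the router's WAN address is in 100.64.0.0/10, so there is no
# public address of your own for a forwarding rule to bind to.
wan_address_class() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  a=$1; b=$2
  if [ "$a" -eq 10 ]; then echo private
  elif [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ]; then echo private
  elif [ "$a" -eq 192 ] && [ "$b" -eq 168 ]; then echo private
  elif [ "$a" -eq 100 ] && [ "$b" -ge 64 ] && [ "$b" -le 127 ]; then echo cgnat
  else echo public
  fi
}

# Demonstration on the constructed data.
for port in 443 8080 3000; do
  printf 'port %s: %s\n' "$port" "$(listener_state "$port")"
done
# Use the WAN address shown on your router's status page in place of these.
for wan in 100.72.3.9 203.0.113.7 192.168.0.1; do
  printf 'WAN %s: %s\n' "$wan" "$(wan_address_class "$wan")"
done
```

A "private" result for the WAN address usually means a second router sits in front of this one, so the rule has to be added on the outer device as well; a "cgnat" result is the failure the page describes, where no rule on your side can help.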

Port forwarding is good for

  • Making one home service reachable from the internet
  • A direct path with no third party in the middle
  • Simple, well-understood setup on most home routers
  • Self-hosting when you hold a real public address

Port forwarding costs you

  • A port exposed to the entire internet, scanners included
  • A standing surface you now have to secure and watch
  • Nothing at all when you sit behind shared CGNAT
  • Fragility if your public address changes underneath you

Reviewed: June 2026