The Windows 10 operating system (OS) features built-in port forwarding support, but this option is not available on the Settings interface. Basically, port forwarding allows you to access network resources remotely as if they were hosted locally on the machine you are currently using.
The technique is used to allow devices outside your private network access to devices and applications within the private network. This will come in handy when you are developing with web servers or are working on a Local Area Network (LAN).
By default, your router and Firewall on your network will automatically block any incoming connection from an external network. This is mainly done to secure your network. To allow a connection from an external device, you need to configure port forwarding, as explained throughout this guide.
Port forwarding—also known as port mapping—is essentially a Network Address Translation (NAT) application. It is meant to redirect a communication request(s) from one port number and address combination to another as the packets are traversing the network gateway (such as a firewall or router).
Normally, this is done through the router settings page. It is also possible to port forward without router access. In Windows, you can configure port forwarding using Netsh Portproxy, by allowing the traffic firewall access or configuring port forwarding settings on the Hyper-V Server.
Alternatively, you could also use a vast array of port forwarding tools available today to configure port forwarding without router access on Windows, Mac and Linux OS.
What is Network Address Translation?
Every device that is connected to a network is automatically assigned an IP address—a unique identifier that is used to identify and communicate with the device. When connecting to a network, the router is assigned an IP address (which is a public IP address) by the ISP. The devices connected to the router are also assigned IP addresses, but these are private IP addresses.
A private IP address is used to identify a device within the private network and cannot be used to communicate with devices outside the network. If you need such a device to communicate with the internet directly (i.e. with devices outside your home network), the IP addresses need to be changed. In this regard, the private IP address for the device will be replaced with the public IP address for outgoing traffic.
For incoming traffic, the public IP address will be replaced with a specific private IP address. This form of network mapping is referred to as Network Address Translation (NAT).
What is a Port?
When connected to a network through a router, a device—such as a laptop—will have multiple processes, and services running. Just as is the case with the router and the laptop, each of the processes running on the laptop needs a unique identifier for streamlined communication.
Whenever a service in your laptop needs to communicate, a port number is used to identify the appropriate source/destination on the device. The port number is also used to facilitate efficient data transfer. Just as an IP address is the address of a device in a network, the port is the address used to identify services and processes running on a device.
A combination of the IP address and port number facilitates efficient communication between the services, device, and the network. They are used to identify the source or destination of a specific service within a particular device. Most of the popular laptop services have a unique port used to identify them, including:
- Port 80 for HTTP
- Port 25 for SMTP
- Port 443 for HTTPS
- Port 20 for FTP
What is Port Forwarding?
This is a process that redirects communication addressed to a particular IP address/port combination to a different IP address/port combination. This makes it possible for you (or another person) to connect to a device that is connected to a private network from the internet.
For instance, you may have Gitstorage—an appliance used to store your code in the network—connected to your private home network. Port forwarding allows you to access the Gitstorage device and use it remotely using the private IP address.
Why Would You Need to Configure Port Forwarding?
Port forwarding is often used to allow for remote access to a specific device or service within a private local area network (LAN) from another computer over the internet. For instance, you may need to access and use the Gitstorage appliance mentioned above from a remote location, say from the Starbucks Wi-Fi.
This will only be possible if you already set up port forwarding on your private network. In such a case, port forwarding allows the router at home to redirect the incoming traffic at port 443—the standard TCP port for websites that use SSL—to Gitstorage device. With port forwarding configured, the Gitstorage device is available over the internet, allowing you to access it outside your home network.
In such a setup, all requests sent to the router with port 443 as the destination are automatically redirected to the Gitstorage device. This allows you to securely log into the devices and services on your home network remotely and continue your development. Port forwarding on Windows may also be used to bypass firewalls.
Note: For enhanced security, it is advisable to use a non-standard port for port forwarding. This has been proven to reduce public exposure for the devices on your private network.
How to Port Forward Without Router Access in Windows
As opposed to modems, connecting to the internet through a router conceals the address for the device behind the router’s IP address. While this allows for enhanced safety, it can also be a hindrance in some cases. For instance, some applications that require direct connection may stop working.
Normally, the Routing and Remote Access Service (RRAS) is used to configure port redirections on Windows Server systems. However, other methods may be used to configure port forwarding on almost any Windows version, without having to change router settings.
Discussed below are some of the methods you can use to configure and manage port forwarding on Windows without router access:
Method 1: Use Netsh Portproxy Commands to Configure Port Forwarding on Windows 10
This method aims at creating port forwarding rules to help redirect incoming TCP connections (either IPv4 or IPv6) from the default local TCP port to a different port. These rules may also be used to redirect such connections from the local TCP port to a port on a remote computer (outside the private network).
Port forwarding on Windows is mainly configured using the Portproxy mode of the Netsh command. ‘Proxying’ a port will come in handy if a process on your network binds to a particular interface, but you need to expose its endpoint to another network interface.
The command used to achieve this follows this syntax:
netsh interface portproxy add v4tov4 listenaddress=localaddress listenport=localport connectaddress=destaddress connectport=destport
The Parameters on this command are as follows:
- Listenaddress – this specifies the IPv4 address that should be listened to. The acceptable values for this parameter include IP address, computer DNS name, or the computer NetBIOS name. The parameter will come in handy when you have multiple IP addresses or NICs on a single interface.
- Connectaddress – this is a remote or local IP address/DNS name to which you need to redirect the incoming connection. The parameter specifies the IPv4 address to which to connect.
- Connectport – indicates the TCP port (specified by a service name or port number) to which the connection from listenport is redirected. If this parameter is not specified in the command, the default value of listenport within the local computer will be used.
Suppose you need to make the Remote Desktop Protocol (RDP) respond to a non-standard port, say port 3340. You may also change the port from the Remote Desktop service Settings. For the purpose of this guide, we will be using RDP to demonstrate port forwarding in Windows.
In this regard, you need to redirect the incoming traffic from the TCP port 3340 to another local port, say 3389—the default RDP port number. The following procedure will help you achieve this:
Step 1: Open a Command Prompt as Administrator
To configure port forwarding on your Windows computer, you will need to run a series of commands. In this regard, the first step would be to open a command prompt. For it to work, you need to execute the command as administrator.
To open a command prompt as administrator, click on the Start icon on your Desktop then click on the search box at the bottom of the Start menu. Next, type cmd into the search box and press the Enter key on the keyboard. On the search results, look for the Command Prompt option.
Hover the mouse pointer over the ‘Command Prompt’ option on the search results and then right-click on it. Select the ‘Run as administrator’ option from the context menu that pops up. This will open a command prompt window that you can run as the administrator.
Step 2: Check Whether the Port Number is in Use
Ensure that the port number you are going to use for the listenport parameter is not listed (used) by another process or service. To check whether the port number is already in use, you need to run this command on the command prompt:
netstat -na | find "3340"
Alternatively, you could also use PowerShell to check whether a TCP port is currently in use. In this case, you should run the following command:
Test-NetConnection -ComputerName localhost -Port 3340
You can change the 3340 value on this command to reflect whichever port you would like to check.
Step 3: Configure Port Forwarding
At this point, you can now run the command that forwards the desired port using the command prompt you opened in step 1 above. To do this, just type the following command into the command prompt and then press Enter to run it:
netsh interface portproxy add v4tov4 listenport=3340 listenaddress=IP_address connectport=3389 connectaddress=IP_address
Replace the IP_address with the actual IP address on your server. If you would rather forward the incoming TCP connection to a remote computer, you should run the following command instead:
netsh interface portproxy add v4tov4 listenport=3389 listenaddress=0.0.0.0 connectport=3389 connectaddress=192.168.100.101
In this case, we have assumed that 192.168.100.101 is the IP address for the remote computer. Just replace it accordingly to match yours. When executed, this command will configure the system to redirect all incoming RDP traffic from the local TCP port 3389 on the current computer to a remote host with the IP address 192.168.100.101.
You could also use the Windows SSH tunnel to forward a local port to a remote server host.
Step 4: Check Whether Windows is Listening on Port 3340
Now that you have configured port forwarding in step 3 above, you can use the netstat tool to check whether the process was successful. To see if Windows is currently listening on the local port 3340, you need to run this command on the command prompt as administrator:
netstat -ano | findstr :3340
If running the command returns nothing and the port forwarding through netsh portproxy does not seem to work, ensure that the iphlpsvc (IP Helper) service is running on your computer. Again, you need to ensure that IPv6 support is enabled on the network interface for which you will be creating the port forwarding rule.
If you are configuring port forwarding on Windows Server 2003/XP, you also need to set the IPEnableRouter parameter to 1. You can access this option from the registry key HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters.
You may also check which process is listening on the port using its PID. In the above example, the PID will be 636. To do this, just run this command:
tasklist | findstr 636
Step 5: Test Port Forwarding
You can now test whether your router is forwarding the port you just configured. To do this, try to connect to the port from a remote computer using any RDP client. For the above-discussed example, be sure to specify 3340 as the RDP port number.
This value should be specified just after the colon following the RDP server address. For instance, 10.10.1.110:3340.
Note: The above-described port forwarding method only works for TCP ports. As such, it is ineffective when used to forward UDP ports. Similarly, you cannot use the loopback interface 127.0.0.1 as the connectaddress in this method.
How to Configure Port Forwarding for UDP Traffic
To configure port forwarding for UDP ports, you should use a Windows Server that has RRAS and NAT role installed. In such a case, you can use the graphical snap-in (rrasmgmt.msc) to configure port forwarding between your server interfaces.
Alternatively, you could just run the following command on command prompt as administrator:
netsh routing ip nat add portmapping Ethernet1 udp 0.0.0.0 53 192.168.100.100 53
Note: It is not possible to forward a range of TCP ports on Windows. If you would like to forward multiple TCP ports, you just have to create multiple portproxy forwarding rules one-after-another. The best way to do this would be to generate a list of netsh interface portproxy add commands that have different port numbers in Notepad.
You may then copy and paste the commands into a command prompt and execute them.
Method 2: Allow Traffic Through the Firewall
After configuring port forwarding, you need to ensure that the firewall program on your computer allows incoming connections to the new port. Otherwise the port forwarding configuration would have been in vain.
To allow traffic through your firewall (whether the Windows Defender Firewall or a third-party firewall), add a new allow rule to the firewall. Besides the UI configuration settings, several other methods may be used to update firewall rules in Windows.
For instance, you can create a new allow rule by running the following command on a command prompt:
netsh advfirewall firewall add rule name="forwarded_RDPport_3340" protocol=TCP dir=in localip=10.1.1.110 localport=3340 action=allow
On modern computers, you can also create a new allow rule for the firewall using PowerShell commands. In this case, you should run the following command:
New-NetFirewallRule -DisplayName "forwarder_RDP_3340" -Direction Inbound -Protocol TCP -LocalPort 3340 -Action Allow
If you are creating the incoming firewall allow rule for the port 3340 using the Windows Defender Firewall graphical interface, first ensure that no program is associated with it. The port should be listened on only by the network driver.
Note: You may create multiple Windows port forwarding rules. All netsh interface portproxy rules are persistent and the system stores them, even after a Windows restart. However, there are cases where the port forwarding rules may be reset following a server reboot.
This is particularly an issue with the Windows Server 2012 R2. If this happens, check whether there was a periodic disconnection on your network interface. If the IP address changes when the OS boots, you may need to use a static IP address as opposed to dynamic DHCP.
As a workaround, you could add a batch script to your Windows Task Scheduler that contains the netsh interface portproxy rules that should run at Startup.
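The steps above (port check, portproxy rule, listener check, firewall rule) combined into one re-runnable script for several ports, suitable for the startup task just mentioned. This is an added example, not part of the original guide; port 3341, the rule names and `$AllowedSources` are constructed values, and the firewall rule is deliberately limited to the listen address and a source range.

```powershell
#Requires -RunAsAdministrator
# Added example. Addresses come from the guide; port 3341 and $AllowedSources
# are constructed values to replace with your own.
$ListenAddress  = '10.1.1.110'     # bind to one NIC address rather than 0.0.0.0
$AllowedSources = 'LocalSubnet'    # who may reach the forwarded ports
$Rules = @(
    @{ ListenPort = 3340; ConnectAddress = '10.1.1.110';      ConnectPort = 3389 }
    @{ ListenPort = 3341; ConnectAddress = '192.168.100.101'; ConnectPort = 3389 }
)

# Portproxy listeners are served by the IP Helper service.
if ((Get-Service -Name iphlpsvc).Status -ne 'Running') { Start-Service -Name iphlpsvc }

foreach ($r in $Rules) {
    $port = $r.ListenPort

    # Is this exact listener already in the portproxy table (script re-run)?
    $pattern  = '^\s*{0}\s+{1}\s' -f [regex]::Escape($ListenAddress), $port
    $existing = @(netsh interface portproxy show v4tov4) -match $pattern

    if (-not $existing) {
        # Step 2 of the guide: never take a port another process listens on.
        $busy = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
        if ($busy) {
            Write-Warning "Port $port is used by PID $($busy[0].OwningProcess); skipped."
            continue
        }
        netsh interface portproxy add v4tov4 listenport=$port listenaddress=$ListenAddress `
            connectport=$($r.ConnectPort) connectaddress=$($r.ConnectAddress) | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "netsh failed for port $port"; continue }
    }

    # One inbound allow rule per forwarded port, limited to the listen address
    # and to the permitted sources.
    $name = "forwarded_port_$port"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalAddress $ListenAddress -LocalPort $port `
            -RemoteAddress $AllowedSources -Action Allow | Out-Null
    }
}

# Step 4 of the guide: show the listeners that now exist.
$ports = $Rules | ForEach-Object { $_.ListenPort }
Get-NetTCPConnection -State Listen -LocalPort $ports -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```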
Method 3: Managing Port Rules in Windows
In addition to configuring port forwarding, you also need to manage your forwarding rules as you go. To view all the active TCP port rules on your Windows computer, run this command:
netsh interface portproxy show all
Alternatively, you could also run the following command to list all the active port forwarding settings in portproxy:
netsh interface portproxy dump
To remove a certain forwarding rule that you no longer need, run this command on the command prompt:
netsh interface portproxy delete v4tov4 listenport=3340 listenaddress=10.1.1.110
If you would rather delete all the current mapping rules and clear the port forwarding rules table entirely, run this command instead:
netsh interface portproxy reset
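Because portproxy rules persist across restarts, it is worth reviewing the table regularly. The following added example (not from the original guide) parses the `netsh interface portproxy show all` listing and reports rules that are unexpected, listen on every interface, or relay to an administrative port on another host; `$Sample` is constructed output, and `$Approved` and `$AdminPorts` are assumptions to adapt.

```powershell
# Added example. $Sample is constructed output in the layout printed by
# "netsh interface portproxy show all"; $Approved and $AdminPorts are assumptions.
$Sample = @'

Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
10.1.1.110      3340        10.1.1.110      3389
0.0.0.0         3389        192.168.100.101 3389

'@ -split "`r?`n"

$Approved   = @('10.1.1.110:3340')          # listeners you expect to exist
$AdminPorts = 22, 445, 3389, 5985, 5986     # SSH, SMB, RDP, WinRM

function ConvertFrom-PortProxyOutput {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Rule rows are: address, numeric port, address, numeric port.
        if ($line -match '^\s*(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s*$') {
            [pscustomobject]@{
                ListenAddress  = $Matches[1]; ListenPort  = [int]$Matches[2]
                ConnectAddress = $Matches[3]; ConnectPort = [int]$Matches[4]
            }
        }
    }
}

function Get-PortProxyFinding {
    param([Parameter(ValueFromPipeline)]$Rule)
    process {
        $why = @()
        $key = '{0}:{1}' -f $Rule.ListenAddress, $Rule.ListenPort
        if ($Approved -notcontains $key)            { $why += 'not in approved list' }
        if ($Rule.ListenAddress -in '0.0.0.0', '*') { $why += 'listens on every interface' }
        if ($Rule.ConnectPort -in $AdminPorts -and
            $Rule.ConnectAddress -ne $Rule.ListenAddress) {
            $why += 'relays to an admin port on another host'
        }
        if ($why) {
            [pscustomobject]@{ Listener = $key
                               Target   = '{0}:{1}' -f $Rule.ConnectAddress, $Rule.ConnectPort
                               Findings = $why -join '; ' }
        }
    }
}

# On a live host: $lines = netsh interface portproxy show all
$lines = $Sample
ConvertFrom-PortProxyOutput -Lines $lines | Get-PortProxyFinding | Format-Table -AutoSize -Wrap
```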
Method 4: Port Forwarding Without Router Access in Hyper-V Server
Port forwarding rules on Windows may also be used to redirect a port from an external IP address of a physical NIC to a virtual machine port on the same host. This can be accomplished by configuring port forwarding at the Virtual Switch level in Hyper-V.
The Hyper-V role may be installed on Windows Server, Windows 10, or as a free Hyper-V Server. In either case, you can configure port forwarding rules via PowerShell. Suppose you need to redirect all the incoming https traffic on your Hyper-V host to an IP address of a virtual machine running on the same host.
This can be configured by running a series of Hyper-V StaticMapping commands, as discussed below:
Step 1: Create a Virtual Switch with NAT
To create a virtual switch with NAT on your system, run this command:
New-VMSwitch -Name "HTTPS-NAT" -SwitchType NAT -NATSubnetAddress 192.168.100.0/24
Step 2: Connect the Appropriate VM to the VSwitch
Now you need to connect the right VM to the specified vswitch and then enable the address translation rule for all the virtual machines connecting via the Hyper-V virtual switch. To do this, you need to execute the following commands:
New-NetNat -Name HTTPS-NAT -InternalIPInterfaceAddressPrefix 192.168.100.0/24
Add-NetNatStaticMapping -ExternalIPAddress "0.0.0.0/24" -ExternalPort 443 -Protocol TCP -InternalIPAddress "192.168.100.77" -InternalPort 443 -NatName HTTPS-NAT
Having executed these PowerShell commands, all the incoming HTTPS traffic to the port 443 of the Hyper-V host will be redirected to the Virtual Machine’s private IP address.
How to Configure Port Forwarding without Router Access on Mac
It is possible to configure port forwarding without access to the router on macOS. To begin with, you need to enable the remote login service on the Mac computer. To do this, you need to navigate to System Preferences -> Sharing -> Remote Login. This operation will open the SSH server on your Mac.
You will be prompted to authenticate the login by entering your fingerprint and/or your local login password. You may also set the local SSH public/private key if you do not want it to prompt for a password.
Once you are logged in, open the OS X Terminal on your computer and run the following command:
ssh -L 200.234.XXX.XXX:10000:10.211.55.5:80 -N 127.0.0.1
Port forwarding allows external devices to connect to and use devices and services on your private network. You may also need to forward ports for the purpose of playing games and running similar applications. In Windows, you can configure port forwarding using the Portproxy mode of the Netsh command. You may also use different port forwarding tools, such as portmap.io and Server. Such tools may be used to configure port forwarding without router access on both Linux and Windows operating systems.