Set up Port Forwarding (Windows)



Port forwarding is a technique that allows remote computers, usually systems on the Internet, to connect to a specific system or service within a private local-area network (LAN), that is, an internal network.

This kind of configuration, in a typical home network, requires Internet access through a DSL or cable modem connected to a router or similar device.

Internal network clients, on the private network (LAN), can be connected to an Ethernet switch (by using typical Ethernet cables) or communicate via a wireless LAN (Wi-Fi). The NAT device's external interface (usually on a router) is configured with a public IP address. The computers behind the router, on the other hand, are invisible to hosts on the Internet because each of them communicates with the router using only a private IP address, so only the router can be "viewed" and reached by remote systems.

When configuring port forwarding, the network administrator sets aside one port number on the gateway/router for the exclusive use of communicating with a service in the private network, located on a specific host (the internal client).

External (Internet) hosts must know this port number and the address of the gateway to communicate with the network-internal service. Often, the port numbers of well-known Internet services, such as port number 80 for web services (HTTP) or 443 for HTTPS, are used in port forwarding, so that common Internet services may be implemented on hosts within private networks.

Port Forwarding on Windows

Most users have at least one Windows system available at home or at work; especially at home it can be useful, usually for gaming or for setting up remote control of an internal video camera, to be able to reach a system from a remote location or to let another system reach us from the Internet. For this purpose, Windows has included, since Windows XP and then in Windows 7, 8, 8.1 and 10, a command-line utility called netsh (not used only for this purpose) that gives expert users the ability to redirect any incoming TCP connection (not UDP; IPv4 or IPv6) arriving on a local port to another local port, or even to a port open on a remote computer. The local system does not need to have a service listening on this local port.

As a quick reference, even on Linux, port forwarding can be configured quite simply by using a command line utility called iptables. On Windows Server systems port forwarding is managed using the Routing and Remote Access Service (RRAS) role. However, in this article we will see an easier way to configure the port forwarding, and this will work on any version of Windows.

Port forwarding in Windows can be enabled and configured by using the netsh context in portproxy mode. The syntax of this mode is as follows:

netsh interface portproxy add v4tov4 listenaddress=localaddress listenport=localport connectaddress=destaddress connectport=destport

Where the options specified above are:

  • listenaddress : this is the local IP address waiting for a connection (usually this address is the LAN address of the system).
  • listenport : this parameter represents the local listening TCP port (the port on which the connection is awaited).
  • connectaddress : this is a local or remote IP address (a DNS name can also be used) to which the incoming connection will be redirected.
  • connectport : this is the TCP port to which the connection from listenport is forwarded.

As an example, we will consider the need to make the local RDP service respond on a non-standard port, for example 3340 (usually this port can be changed in the settings of the service, but we will use this protocol and service to demonstrate this port forwarding method). To do this, we will need to redirect incoming traffic from TCP port 3340 to another local port, 3389 (the standard Remote Desktop protocol port).

Start the command prompt as an administrator and perform the following command:

netsh interface portproxy add v4tov4 listenport=3340 listenaddress=172.16.50.5 connectport=3389 connectaddress=172.16.50.5

Where 172.16.50.5 is the current IP address of this example computer. To check whether the portproxy has been enabled, we will use the netstat utility to make sure that something is now listening on port 3340:

netstat -ano | findstr :3340

If this command outputs a line with your IP address followed by the specified port, in this case 3340, we are good to go.

Note. If this command does not return anything and port forwarding via netsh interface portproxy does not work, make sure that the iphlpsvc (IP Helper) service is running on your system. You can check this by opening the services.msc administrative console or by opening Services in Administrative Tools.

IPv6 protocol support must also be enabled on the network interface for which the port forwarding rule is created.

The prerequisites for correct port forwarding are the following: the iphlpsvc (IP Helper) service and IPv6 protocol support linked to the network interface on which we are working.

Now that we have configured the portproxy on port 3340, we can try to connect to this computer from another system/client by using the Remote Desktop utility or any other RDP client. Port 3340 should be specified as the RDP port, and it can be specified using a colon after the RDP server address, as in the following example (172.16.50.5:3340):

The connection should be established successfully.

IMPORTANT NOTE: make sure that your installed and enabled firewall (for example Windows Firewall, which is enabled by default on modern Windows OSes, or a third-party one, often included in antivirus software) allows incoming connections to the newly specified port. If necessary, you can add a new Windows Firewall rule using this command:

netsh advfirewall firewall add rule name="forwarded_RDPport_3340" protocol=TCP dir=in localip=172.16.50.5 localport=3340 action=allow

When creating an incoming firewall rule for port 3340 via the Windows Firewall graphical interface, no program needs to be associated with it. Only the network driver listens on this port.

Windows allows you to create any number of port forwarding rules. All netsh interface portproxy rules are persistent and are stored in the system after a Windows restart.

To display the list of forwarding rules currently present in the system, we will use the following command:

netsh interface portproxy show all

This command will show two sections, side by side. The left one shows the listening address and related port (in this case 172.16.50.5 and port 3340), while the right one, the "Connect to IPv4" section, shows the destination address and port to which traffic will be forwarded (in our case 172.16.50.5 and port 3389).

Another way to check if on the system there are portproxy rules enabled is to use the following command:

netsh interface portproxy dump

Now let's see how to remove a specific port forwarding rule, after we have added it:

netsh interface portproxy delete v4tov4 listenport=3340 listenaddress=172.16.50.5

Another quicker way to clear all current port forwarding rules is to use the following command, always in netsh context:

netsh interface portproxy reset

NOTE: as already said at the beginning of this article, this forwarding method works only for TCP ports. So if you are thinking of using this method to forward UDP ports, like the one used by the DNS service, it will not work. Note also that you cannot use the loopback address 127.0.0.1 as the connect address, only the actual static or DHCP-assigned IP addresses of your network interface (NIC).

Let's continue by seeing how to forward an incoming TCP connection to another computer, with the following command:

netsh interface portproxy add v4tov4 listenport=3389 listenaddress=0.0.0.0 connectport=3389 connectaddress=10.12.10.21

As you can see, we have defined an IPv4 forwarding rule that will redirect all incoming RDP requests (requested to TCP port 3389) from this computer to another computer with an IP address 10.12.10.21.
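
A rule like this one, listening on 0.0.0.0 and handing connections to another host, is the kind worth reviewing when you audit a system. The following is an added example, not part of the original article: a PowerShell function that parses the output of netsh interface portproxy show all and flags such rules. The function name, property names and the sample output are constructed for illustration.

```powershell
# Added example (not from the original article). Function name, property
# names and the sample text below are constructed for illustration.
function Get-PortProxyRule {
    param(
        [string[]] $Lines,               # "show all" output, one line per element
        [string[]] $LocalAddress = @()   # IPv4 addresses owned by this host
    )
    foreach ($line in $Lines) {
        # Data rows have four columns: listen address, listen port,
        # connect address, connect port. Headers and rulers do not match.
        if ($line -match '^\s*(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s*$') {
            $listenAddr  = $Matches[1]; $listenPort  = $Matches[2]
            $connectAddr = $Matches[3]; $connectPort = $Matches[4]
            $findings = @()
            if ($listenAddr -in '0.0.0.0', '*') {
                $findings += 'listens on all interfaces'
            }
            # Only evaluated when a list of local addresses was supplied.
            if ($LocalAddress -and $connectAddr -notin $LocalAddress) {
                $findings += 'forwards to an address or name not in the local list'
            }
            [pscustomobject]@{
                Listen   = '{0}:{1}' -f $listenAddr, $listenPort
                Connect  = '{0}:{1}' -f $connectAddr, $connectPort
                Findings = $findings -join '; '
            }
        }
    }
}

# Constructed sample of "netsh interface portproxy show all" output,
# built from the three rules used in this article.
$sample = @'
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
172.16.50.5     3340        172.16.50.5     3389
0.0.0.0         3389        10.12.10.21     3389
*               3000        2.17.204.204    443
'@ -split '\r?\n'

Get-PortProxyRule -Lines $sample -LocalAddress '172.16.50.5' | Format-Table -AutoSize

# Live use: -Lines (netsh interface portproxy show all)
#           -LocalAddress (Get-NetIPAddress -AddressFamily IPv4).IPAddress
```

With the sample input, the first rule has no findings and the other two are flagged. A flagged rule should also be checked against the inbound firewall rules that expose its listen port.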

Another portproxy feature is the ability to make any remote network service appear as if it were operating locally (by forwarding the proper public port). In the following example (note that this method will not work with every service or website) we will forward the connection from the local port 3000 to the remote HTTPS address 2.17.204.204 (National Geographic website):

netsh interface portproxy add v4tov4 listenport=3000 connectport=443 connectaddress=2.17.204.204 protocol=tcp

Now if you go to http://localhost:3000/ in your browser, the National Geographic website should open with a warning regarding the SSL certificate (in this case the forwarding is working properly, but the SSL/TLS certificate associated with the National Geographic website is bound to a specific DNS name, so an error/warning will be displayed when opening the website). However, with this method you will be able to open a remote website using a local address.

Finally, note that on some Windows editions portproxy port forwarding rules may work only until the system is rebooted, and are reset after a restart. If this is your case, check whether there is a periodic disconnection on the network interface and also whether the network interface is configured with a static IP instead of a DHCP one when the system is booting.

As a general workaround, to be sure the netsh interface portproxy rules are always enabled on system startup, you could create a simple script (in .bat or .cmd) and use it to create a startup scheduled task in Windows.
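
One way to build this workaround, as an added example that is not part of the original article: a PowerShell script that writes the .cmd file and registers it as a startup task. The folder, file name and task name are assumptions; the rule is the 3340 to 3389 one used earlier. Because the task runs as SYSTEM, the script also restricts write access to the folder holding the batch file.

```powershell
# Added example (not from the original article). The folder, file name and
# task name are assumptions; the rule is the 3340 -> 3389 one used above.
# Run from an elevated PowerShell prompt.
$dir       = 'C:\Scripts\portproxy'      # dedicated folder (assumption)
$batchPath = Join-Path $dir 'portproxy-startup.cmd'
$taskName  = 'Reapply portproxy rules'

# Batch file executed at boot. portproxy needs the IP Helper service, so
# it is set to start automatically and started before the rule is added.
$batch = @'
@echo off
sc config iphlpsvc start= auto
net start iphlpsvc
netsh interface portproxy add v4tov4 listenport=3340 listenaddress=172.16.50.5 connectport=3389 connectaddress=172.16.50.5
'@

New-Item -ItemType Directory -Path $dir -Force | Out-Null
Set-Content -Path $batchPath -Value $batch -Encoding Ascii

# The task runs as SYSTEM, so only SYSTEM and Administrators may modify the
# folder (well-known SIDs are used to stay independent of the OS language).
icacls $dir /inheritance:r /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' | Out-Null

$action    = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument "/c `"$batchPath`""
$trigger   = New-ScheduledTaskTrigger -AtStartup
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Force | Out-Null

# Confirm the task exists and show its state.
Get-ScheduledTask -TaskName $taskName | Select-Object TaskName, State
```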

Router Mode on Windows XP

As a final note, if you are using older Windows Server 2003 / XP systems, you have to set the IPEnableRouter parameter to 1 in the registry key HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters to use the "router mode" feature in these operating systems.

This key is actually not related to port forwarding, but to a router mode that enables a Windows XP/2003 system to act as an internal router in the LAN.

To do this we will need at least 3 network cards (NICs) with different IP addressing, like the following scheme:

Network Card A (connect to network A):
IP: 10.10.10.1
Netmask: 255.255.255.0
Gateway (GW): [leave it blank]

Network Card B (connect to network B):
IP: 192.168.20.1
Netmask: 255.255.255.0
Gateway (GW): [leave it blank]

Network Card C (connect to Internet):
This information will be based on the Internet connection service to which you have subscribed and on the router to which the "XP router" will be connected.
IP: 192.168.1.1
Netmask: 255.255.255.0
Gateway (GW): 192.168.1.1

The last step will be to enable the Router Mode on Windows XP by locating the following key and finally restarting the Windows system:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value Name: IPEnableRouter
Value type: REG_DWORD
Value Data: 1

Once the key has been configured, and after a system restart, the Windows XP/2003 system will act as an internal router and the 2 subnets will be able to communicate with each other and reach the Internet without issues.
