This guide goes well with these (in order):
- Understand Your Public IP
- TCP vs UDP
- How to Set Up Port Forwarding
Understand Your Public IP
You can configure your router perfectly and still fail to host anything - simply because your public IP situation makes it impossible.
Before you start opening ports, you need to understand three things:
- What your public IP address is
- Whether it is static or dynamic
- Whether you're behind Carrier-Grade NAT (CG-NAT)
If you skip this step, you might spend hours debugging something that can never work.
What Is a Public IP Address?
Your
public IP address is the address the internet sees when you connect to websites or services.
It is assigned by your ISP (Internet Service Provider).
This is
not the same as:
- 192.168.x.x
- 10.x.x.x
- 172.16-31.x.x
Those are
local/
private addresses used inside your home network.
How to Check Your Public IP
The simplest way:
Write that number down.
Example:
203.0.113.42
That is your public IP.
Step 1: Is Your IP Static or Dynamic?
Most residential ISPs today give you a
dynamic IP.
That means:
- Your Public IP can change
- It might change on router reboot
- It might change every few days or weeks
How to Check
There is no guaranteed instant test, but:
- Write down your public IP
- Reboot your router
- Check your IP again
If it changed - You have a
dynamic IP
If it stayed the same - It may still be dynamic, just sticky from your ISP. As they often assign the same IP to the same customer for long periods, called a "DHCP lease".
The only reliable way to know for sure is to:
- Check your ISP's website
- Look in your subscription details
- Contact their support
Is Dynamic IP a Problem?
No.
It just means you should use:
DDNS services map a domain name to your changing IP.
Instead of:
203.0.113.42
You use:
myserver.example.com
Your router or server updates the IP automatically.
Problem solved.
However...
Step 2: Are You Behind Carrier-Grade NAT (CG-NAT)?
This is where things break.
Many ISPs now place customers behind
Carrier-Grade NAT to save IPv4 addresses.
(There are a naturally limited number of IPv4 addresses, but CG-NAT is a common solution for ISPs to manage this.)
That means:
- You do NOT get your own public IP
- You share one with many customers
- Port forwarding will NOT work
- Your router is no longer the “edge” of the internet
How to Check If You're Behind CG-NAT
Method 1 — Router WAN IP Check:
- Log into your router
- Find the WAN / Internet IP
- Compare it with the IP from “What is my IP”
If they are DIFFERENT - You are behind CG-NAT
Method 2 — Look at the WAN IP range:
If your router's WAN IP is in one of these ranges (Not limited to):
- 100.64.0.0 - 100.127.255.255
- 10.x.x.x
- 192.168.x.x
You are behind CG-NAT.
And normal port forwarding will not work.
Why Port Forwarding Fails Under CG-NAT
When someone connects to your IP:
IP → ISP → CG-NAT → You
The ISP controls the outer NAT layer.
You cannot configure it.
Your router is no longer the “edge” of the internet.
Check out the simple drawing here to visualize it:
For fun, let's pretend you
could open a port on the CG-NAT layer, you would essentially open it for all customers under this same network. But where would the traffic go? customer #1? customer #2? customer #3? - Would never work.
What We Do Want
The visualization below, shows the ideal scenario for port forwarding:
- Our router forwards external port
27960 to the internal server at 192.168.1.2
- A single external port can only be forwarded to one internal IP address at a time
- You cannot forward port
27960 to multiple PCs simultaneously
However, you could do:
- External port
27960 to internal IP:port 192.168.1.2:27960
- External port
27961 to internal IP:port 192.168.1.3:27960
Simplified explanation of the visualization:
- Random client connecting to our example server's public IP:
198.51.100.23:27960
- The IP block is registered to our ISP and advertised globally via BGP (BGP )
- Internet routers route the traffic to that ISP
- The ISP routes the traffic to our router
- Our router forwards it to our internal server (using our port forwarding rules)
What Are Your Options If You're Behind CG-NAT?
You still have options.
Option 1: Ask Your ISP for a Public IPv4 (Best option)
Many ISPs offer:
- Static public IP (often paid)
- Dynamic public IP (free upon request)
Sometimes you just need to ask to be removed from CG-NAT.
My ISP put me behind CG-NAT overnight, without warning, and I woke up not being able to access my home server. I could not go back to Dynamic IP, from here on I had to pay a small fee each month for static IP.
This is the cleanest solution.
Option 2: Use IPv6 (But really, don't...)
If your ISP provides IPv6:
- You may have a globally routable IPv6
- No NAT is required
Downside:
- Not all clients use IPv6
- Some services still assume IPv4
- If you setup game server for older games, IPv6 may not be supported
Option 3: Use a VPS + Reverse Tunnel
This is merely to flag that it's an
option if you cannot get a public IP from your ISP.
You:
- Rent a small VPS (e.g. $5/month)
- Get a public IP on the VPS
- Create a reverse tunnel from your home server to the VPS
Examples:
- SSH reverse tunnel
- WireGuard tunnel
- Cloudflare Tunnel
- Tailscale Funnel
Traffic flow becomes:
Internet → VPS → Secure Tunnel → Your Server
No port forwarding required.
But if you get to this point, good luck - have fun.
Summary: Know Your Situation First
Before following any port forwarding guide, determine:
| Situation |
Port Forwarding? |
Solution |
| Static Public IP |
Yes |
Normal port forwarding |
| Dynamic Public IP |
Yes |
Port forwarding + DDNS |
| CG-NAT |
No |
Request public IP |
Next Step
If you have confirmed:
- You have a public IP
- You are NOT behind CG-NAT
Then you're ready to move on to the actual port forwarding steps.
Comments (0)
No comments yet. Be the first to comment!
Leave a Comment