Operator notes
Port forwarding for game servers: the practical version
Port forwarding is conceptually trivial and operationally annoying. Most "how to port forward" guides skip the parts that actually break: NAT loopback, CGNAT, IPv6, and what to do when your router's UI lies to you. Here is the operator's version.
What you are actually doing
Your home router sits between the public internet and your local network. By default it lets your devices reach out (player → game server on the internet) but blocks anything coming in (other players → your home server). Port forwarding tells the router: "when traffic arrives on port X from the internet, send it to this specific machine on my LAN." That is the whole concept.
What ports to forward, by game
Common defaults. Always verify against the game's current docs because patches change them.
| Game | Port(s) | Protocol |
|---|---|---|
| Minecraft Java | 25565 | TCP |
| Minecraft Bedrock | 19132 (IPv4), 19133 (IPv6) | UDP |
| Valheim | 2456-2458 | UDP |
| Palworld | 8211 | UDP |
| 7 Days to Die | 26900-26902 (game), 8081 (web) | both |
| Project Zomboid | 16261-16262 | UDP |
| Vintage Story | 42420 | TCP/UDP |
| Conan Exiles Enhanced | 7777, 7778, 27015 | UDP |
| ARK Survival Ascended | 7777, 7778, 27015 | UDP |
| Rust | 28015 (game), 28016 (RCON) | UDP / TCP |
| V Rising | 9876-9877 | UDP |
| Soulmask | 8777, 27015 | UDP |
| Counter-Strike 2 | 27015 (game), 27020 (SourceTV) | both |
Forward the ports above to the LAN IP of the machine running the server. That is usually a 192.168.x.x or 10.x.x.x address.
How to actually do it
Every router brand calls this menu something different. Common paths:
- ASUS / TP-Link / Netgear: Advanced → NAT Forwarding → Port Forwarding (or "Virtual Server")
- OpenWrt: Network → Firewall → Port Forwards
- UniFi: Settings → Routing & Firewall → Port Forwarding
- Most ISP-supplied routers: usually called "Port Forwarding" or "Custom Services" under an Advanced or Firewall menu
For each rule you typically specify: external port, internal port (usually the same), internal IP (your server's LAN address), and protocol (TCP, UDP, or both).
Critical tip: set a static DHCP reservation for your server's LAN IP first. Routers reassign DHCP leases periodically. The day yours rotates, your port forward suddenly points at the family laptop instead of your game server. Set the reservation in the router's DHCP settings before you set up the forward.
NAT loopback (why your friends can connect but you cannot)
Common scenario: you set up port forwarding correctly. Friends can join. You cannot, because connecting to your own public IP from inside the LAN does not loop back to the internal server on most routers.
Fixes, in order of preference:
- Connect to the LAN IP from inside the network. Use 192.168.x.x:port instead of your public IP from your own machine.
- Enable NAT loopback (sometimes called "NAT reflection" or "hairpin NAT") in your router. Many newer routers support it; older ISP routers do not.
- Add a hosts-file entry on your machine so your.dyndns.example.com resolves to the LAN IP locally.
Dynamic DNS for non-static IPs
Most home internet has a dynamic public IP that rotates every few days or when the router reboots. Telling players to update the IP every time is impractical.
Solutions:
- Free dynamic DNS: DuckDNS, No-IP, FreeDNS. Run a small client on your router or server that updates the DNS record when your IP changes.
- Paid static IP: some ISPs offer it for $5-15/month. Cleanest but costs.
- Tailscale or WireGuard mesh: bypasses port forwarding entirely. Players connect to the server through a peer-to-peer overlay network. Works through any NAT including CGNAT. Trade-off: every player needs the client installed.
The CGNAT trap
If your router's "WAN IP" starts with 100.64-100.127, you are behind Carrier-Grade NAT (CGNAT). Your ISP is sharing one public IP across many subscribers. Port forwarding does nothing because your router is not the edge; the ISP's CGNAT is. Common with mobile internet, some rural fiber, and entry-tier service plans.
Options when you are behind CGNAT:
- Ask your ISP for a public IPv4. Often free on request, sometimes a small monthly fee. Best long-term solution.
- Use a tunneling service. Tailscale, ZeroTier, Cloudflare Tunnel, or a VPS with a small reverse-proxy setup. Tailscale is the simplest for game servers because it works peer-to-peer without your players going through a third-party relay.
- Move to managed hosting. If neither of the above is feasible, the wall is permanent for self-hosting from this connection.
IPv6 (the side door that mostly works)
If your ISP gives you an IPv6 prefix, your server already has a public IPv6 address with no NAT. Players who also have IPv6 can connect directly without any forwarding. Older games (UDP-only with no IPv6 support in their netcode) cannot use this; newer games (Minecraft Bedrock, modern Unity titles) often can.
Worth checking if your router exposes the server's IPv6 address. Sometimes the path of least resistance.
Verifying it works
Before posting the connection details to your friends, test from outside your LAN. Three quick options:
- Use a port-check website. canyouseeme.org and similar tools probe a port from the internet side.
- Tether your phone to mobile data and connect. If it works, your forwarding is correct.
- Run
nmap -sU -p PORT public.ip.addressfrom a friend's machine if they are technical enough.
If the port check fails, the typical culprits in order: software firewall on the server (Windows Defender, ufw on Linux), router firewall above the port-forward rule, ISP-side blocking, or you are behind CGNAT and did not realise.