Configuring Port Forwarding in Windows | Ranjan.info

You can configure network port forwarding in all Windows versions without using third-party tools. Using a port forwarding rule, you can redirect incoming TCP connections (IPv4 or IPv6) from a local TCP port to another port number, or even to a port on a remote computer. Windows port forwarding is commonly used to bypass firewalls or hide internal hosts or services from external networks (NAT/PAT).

In the Linux world, port forwarding is configured quite simply using iptables or firewall rules. On Windows Server hosts, Routing and Remote Access Service (RRAS) is typically used to configure port redirection. However, there is an easier way to enable port forwarding: the netsh portproxy mode, which works on all versions of Windows from Win XP to current builds of Windows 11 and Windows Server 2022.

How to Enable Port Forwarding on Windows with Netsh Portproxy?

You can configure port forwarding in Windows using the portproxy mode of the netsh command.

The command syntax is as follows:

netsh interface portproxy add v4tov4 listenaddress=localaddress listenport=localport connectaddress=destaddress connectport=destport
where

  • listenaddress – is a local IP address to listen for incoming connections (useful if you have multiple NICs in different subnets/VLANs or multiple IP addresses on a single interface);
  • listenport – a local TCP port number to listen on (the connection is awaited on it);
  • connectaddress – is a local or remote IP address (or DNS name) to which you want to redirect incoming connections;
  • connectport – is a TCP port to which the connection from listenport is forwarded.

Using the netsh interface portproxy add v4tov6/v6tov4/v6tov6 options, you can create port forwarding rules between IPv4 and IPv6 addresses.

Let’s say your task is to make the RDP service respond on a non-standard port, for example 3340 (of course, this port number can be changed in Windows settings, but we’re using RDP to make it easier to demonstrate the port forwarding technique). To do this, we need to redirect incoming traffic from TCP port 3340 to another local port 3389 (this is the default RDP port number).

Please note that the local port number you specify in listenport must not be listened on (used) by any other service or process. Check that the port number is not used:

netstat -na|find "3340"

Alternatively, you can check that the port is not listening locally using the PowerShell cmdlet Test-NetConnection:

Test-NetConnection -ComputerName localhost -Port 3340

To create a port forwarding rule on Windows, open Command Prompt as an administrator and run the following command:

netsh interface portproxy add v4tov4 listenport=3340 listenaddress=10.1.1.110 connectport=3389 connectaddress=10.1.1.110

where 10.10.1.110 is the current IP address of your computer on which port forwarding is configured.

Now, use the netstat tool to check that Windows is listening on local port 3340:

netstat -ano | findstr :3340

Note. If this command returns nothing and port forwarding via netsh interface portproxy doesn’t work, make sure that the iphlpsvc (IP Helper) service is running on your Windows device.

Check the service status in the services.msc console or using the PowerShell command:

Get-Service iphlpsvc

IPv6 support must be enabled on the network interface for which the port forwarding rule is being created.

These are the prerequisites for the correct operation of port forwarding in Windows. Without the IP Helper service and without IPv6 support enabled, port redirection will not work.

For port forwarding to work on Windows Server 2003/XP, you must additionally set the IPEnableRouter parameter to 1 under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters:

Set-ItemProperty -Path HKLM:\system\CurrentControlSet\services\Tcpip\Parameters -Name IpEnableRouter -Value 1

This option also allows you to enable routing between different subnets in Hyper-V.

You can identify the process that is listening on the specified port by its PID (in our example, the PID is 636):

tasklist | findstr 636

Now try to connect to the new port from a remote computer by using an RDP client. You need to specify 3340 as the RDP port number. It is specified after a colon following the RDP host address. For example, 10.10.1.110:3340

In this example, port TCP/3340 must first be opened in Windows Defender Firewall (see the next section of the article).

The RDP connection should be established successfully.

PortProxy port forwarding rules are permanent and are not cleared when you restart Windows. These rules are stored in the registry. You can list netsh forwarding rules in the registry using PowerShell:

Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp
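
Because these rules survive reboots, a stale or unexpected rule is easy to miss. The following audit script is an added example, not part of the original article: the function name Get-PortProxyFinding and the sample values are constructed here, and it assumes each registry value is named listenaddress/listenport with connectaddress/connectport as its data.

```powershell
# Added example (not from the original article): audit portproxy rules.
# Assumed registry layout: value name "listenaddr/listenport",
# value data "connectaddr/connectport", under PortProxy\<family>\tcp.
function Get-PortProxyFinding {
    param(
        [string]$Family,
        [hashtable]$Values,       # value name -> value data
        [string[]]$LocalAddress   # IP addresses owned by this host
    )
    foreach ($name in $Values.Keys) {
        $lAddr, $lPort = $name -split '/', 2
        $cAddr, $cPort = ([string]$Values[$name]) -split '/', 2
        [pscustomobject]@{
            Family        = $Family
            Listen        = "${lAddr}:$lPort"
            Connect       = "${cAddr}:$cPort"
            # Listener reachable on every interface, not one chosen address
            AllInterfaces = $lAddr -in '0.0.0.0', '*', '::'
            # Traffic leaves this host (another IP or a DNS name)
            RemoteTarget  = $cAddr -notin $LocalAddress
        }
    }
}

# Constructed sample: the two v4tov4 rules created in this article.
$sample = @{
    '10.1.1.110/3340' = '10.1.1.110/3389'
    '0.0.0.0/3389'    = '192.168.100.101/3389'
}
Get-PortProxyFinding -Family v4tov4 -Values $sample -LocalAddress '10.1.1.110', '127.0.0.1'

# Live host: read every rule family from the registry.
$base  = 'HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy'
$local = @((Get-NetIPAddress).IPAddress)
foreach ($family in 'v4tov4', 'v4tov6', 'v6tov4', 'v6tov6') {
    $key = Get-Item -Path "$base\$family\tcp" -ErrorAction SilentlyContinue
    if (-not $key) { continue }   # no rules of this family
    $values = @{}
    foreach ($n in $key.GetValueNames()) { $values[$n] = $key.GetValue($n) }
    Get-PortProxyFinding -Family $family -Values $values -LocalAddress $local
}
```

Rules flagged AllInterfaces or RemoteTarget are the ones to check against an approved change, and to pair with a narrowly scoped firewall rule or remove.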

If you want to forward incoming TCP connections to a remote computer, use the following command:

netsh interface portproxy add v4tov4 listenport=3389 listenaddress=0.0.0.0 connectport=3389 connectaddress=192.168.100.101

This rule will redirect all incoming RDP traffic from this computer (from local TCP port 3389) to a remote host with IP address 192.168.1.100.

Note that portproxy mode in Windows does not support saving the source IP into a forwarded network packet. That is, if you forward port 443 from a Windows device to an internal web server, all incoming connections will be visible to the target server as coming from the same IP address (from your Windows host with netsh portproxy enabled). If you need to use source IP forwarding, you need to use NAT on an external firewall or Hyper-V (described below).

In addition, you can use SSH tunnels in Windows to forward local ports to remote servers.

Configuring Firewall Rules for Port Forwarding Mode in Windows

Make sure your firewall (Microsoft Windows Defender or any third-party firewall, which is often part of anti-virus software) allows incoming connections on the new port. You can add a new allow rule to Windows Defender Firewall with the command:

netsh advfirewall firewall add rule name="forwarded_RDPport_3340" protocol=TCP dir=in localip=10.1.1.110  localport=3340 action=allow

Or using the New-NetFirewallRule PowerShell cmdlet:

New-NetFirewallRule -DisplayName "forwarder_RDP_3340" -Direction Inbound -Protocol TCP -LocalPort 3340 -Action Allow

When creating an inbound firewall rule for port TCP/3340 via the Windows Defender Firewall graphical interface, you do not need to associate a program or process with the rule. This port is only listened to by the network driver.

If you disable the PortProxy rule, be sure to remove the remaining firewall rule as follows:

netsh advfirewall firewall del rule name="forwarded_RDPport_3340"

Or remove firewall rules with PowerShell:

Remove-NetFirewallRule -DisplayName "forwarder_RDP_3340"

Managing Netsh Port Forwarding Rules in Windows

You can create any number of port forwarding rules in Windows. All netsh interface portproxy rules are persistent and persist even after Windows restarts.

Many times I have encountered cases when port forwarding rules were reset in Windows Server 2012 R2 after the server was rebooted. In this case, you need to check whether there is periodic disconnection on the network interface and whether the IP address changes when the OS boots (it is better to use static IP instead of dynamic DHCP). As a workaround, I had to add a batch script with netsh interface portproxy rules to the Windows Task Scheduler that runs at system startup.

To display a list of all enabled TCP port forwarding rules on Windows, run the command:

netsh interface portproxy show all

In our case, there is only one forwarding rule from local port 3340 to 3389:

Listen on ipv4:             Connect to ipv4:
Address         Port        Address         Port
--------------- ----------  --------------- ----------
10.1.1.110     3340        10.1.1.110     3389

Tip. You can list all port forwarding rules in portproxy as follows:

netsh interface portproxy dump

#========================
# Port Proxy configuration
#========================
pushd interface portproxy
reset
add v4tov4 listenport=3340 connectaddress=10.1.1.110 connectport=3389
popd
# End of Port Proxy configuration

If you need to change the setting of an existing portproxy rule, use the following command:

netsh interface portproxy set v4tov4 listenport=3340 listenaddress=10.10.1.110 connectport=3300 connectaddress=10.10.1.110

In this example, we have changed the portproxy target port number to 3300.

To remove a specific port forwarding rule:

netsh interface portproxy delete v4tov4 listenport=3340 listenaddress=10.1.1.110

To delete all existing port mapping rules and completely clear the port forwarding rules table:

netsh interface portproxy reset

Important. This port forwarding scheme works only for TCP ports. You will not be able to forward UDP ports this way. Also, you cannot use the loopback interface 127.0.0.1 (localhost) as the connectaddress.

You can use Windows Server with the RRAS (Routing and Remote Access Service and NAT) role installed to enable port forwarding for UDP traffic. You can configure port forwarding between server network interfaces using the graphical snap-in (rrasmgmt.msc) or with the command:

netsh routing ip nat add portmapping Ethernet1 udp 0.0.0.0 53 192.168.100.100 53

The list of NAT port forwarding rules in Windows Server can be listed as follows:

netsh routing ip nat show interface

If you have WSL (Windows Subsystem for Linux) installed on your computer, you can create a simple PowerShell script to create a port forwarding rule for a WSL 2 virtual machine (a WSL2 VM has its own virtual Ethernet adapter with a unique IP address):

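# Stop all WSL 2 instances; the next wsl call starts the VM again
wsl --shutdown;
# Caution: reset removes ALL existing portproxy rules on this host
netsh interface portproxy reset;
# hostname -I output ends with a space; trim it before use
$wsl_ipaddr = (wsl -d Ubuntu-20.04 hostname -I).Trim();
# listenaddress=0.0.0.0 listens on every interface of the Windows host
netsh interface portproxy add v4tov4 listenport=443 listenaddress=0.0.0.0 connectport=443 connectaddress=$wsl_ipaddr;
netsh interface portproxy show all;
exit;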

Another built-in feature of PortProxy is the ability to make any remote network service look like it’s running locally. For example, you want to forward connections from local port 9090 to a remote HTTPS server (google.com:443):

netsh interface portproxy add v4tov4 listenport=9090 connectport=443 connectaddress=google.com protocol=tcp

Now, the Google Search page will open if you go to In your browser (you need to ignore SSL_ERROR_BAD_CERT_DOMAIN errors). So even though the browser is accessing the local computer address, it opens a page from an external web server.

Windows cannot forward a range of TCP ports. If you need to forward multiple ports, you must manually create multiple portproxy redirection rules.

Port forwarding rules can also be used to redirect ports from the external IP address of a physical NIC to a port on a virtual machine running on the same host. In Hyper-V, you can configure port forwarding at the virtual switch level (see below).

Port Forwarding with NAT Rules on Hyper-V Virtual Switch

When using the Hyper-V role on your computer (it can be installed on both Windows 10/11 and Windows Server, or a free Hyper-V server), you can configure DNAT port forwarding rules using PowerShell. Let’s say you want to redirect all HTTPS traffic your Hyper-V host receives to the IP address of the virtual machine running on the host. To do this, use the Hyper-V static mapping commands.

Create Hyper-V Virtual Switch:

New-VMSwitch -SwitchName NAT_Switch -SwitchType Internal

To set the IP address for the new virtual switch:

New-NetIPAddress -IPAddress 192.168.100.1 -PrefixLength 24  -InterfaceAlias "vEthernet (NAT_Switch)"

Enable NAT for this network:

New-NetNat -Name NATNetwork -InternalIPInterfaceAddressPrefix 192.168.100.0/24

Connect the VM to your NAT_Switch and assign it a static IP address (for example, 192.168.10.80). Set the Hyper-V Virtual Switch IP address (192.168.100.1 in this case) as the default gateway for the virtual machine’s network connection.

You can now enable port forwarding from the Hyper-V host to the virtual machine:

Add-NetNatStaticMapping -NatName NATNetwork -Protocol TCP -ExternalIPAddress 0.0.0.0/24 -ExternalPort 443 -InternalIPAddress 192.168.10.80 -InternalPort 443

After executing these PowerShell commands, all incoming HTTPS traffic on the Hyper-V host’s TCP/443 port will be forwarded to the virtual machine’s private IP address.

If you want to create a port forwarding rule for a non-standard port, be sure to open it in Windows Firewall:

New-NetFirewallRule -DisplayName "HyperV_Nat_444" -Direction Inbound -LocalPort 444 -Protocol TCP -Action Allow -Enabled True

You can display a full list of NAT/PAT port forwarding rules on a Hyper-V host like this:

Get-NetNat
