you can configure network port forwarding In all Windows versions without using third-party tools. Using the port forwarding rule, you can redirect incoming TCP connections (IPv4 or IPv6) from a local TCP port to another port number, or even to a port on a remote computer. Windows port forwarding is commonly used to bypass firewalls or hide internal hosts or services from external networks (NAT/PAT).
In the Linux world, port forwarding is configured quite simply iptables or firewall rules. On Windows Server hosts, Routing and Remote Access Service (RRAS) is typically used to configure port redirection. However, there is an easier way to enable port forwarding
netsh portproxy Mode, which works on all versions of Windows from Win XP to current builds of Windows 11 and Windows Server 2022.
How to Enable Port Forwarding on Windows with Netsh Portproxy?
You Can Configure Port Forwarding in Windows portproxy mode of netsho command.
The command syntax is as follows:
netsh interface portproxy add v4tov4 listenaddress=localaddress listenport=localport connectaddress=destaddress connectport=destport
- listening address – Have a local IP address to listen for incoming connections (useful if you have multiple NICs in different subnets/VLANs or multiple IP addresses on a single interface);
- listenport – a local TCP port number to listen on (connection is on);
- connect address – is a local or remote IP address (or DNS name) to which you want to redirect incoming connections;
- connectport – is a TCP port to which the connection
listenportis forwarded to.
netsh interface portproxy add
v6tov6 Optionally, you can create port forwarding rules between IPv4 and IPv6 addresses.
Let’s say your task is to make the RDP service respond to a non-standard port, for example 3340 (of course, this port number can be changed in Windows settings, but we’re using RDP to make it easier to display port forwarding) are) technology). To do this, we need to redirect incoming traffic from TCP port 3340 to another local port 3389 (this is the default RDP port number).
netstat -na|find "3340"
Alternatively, you can check that the port is not listening locally using the PowerShell cmdlet Test-NetConnection:
Test-NetConnection -ComputerName localhost -Port 3340
To create a port forwarding rule on Windows, open Command Prompt as an administrator and run the following command:
netsh interface portproxy add v4tov4 listenport=3340 listenaddress=10.1.1.110 connectport=3389 connectaddress=10.1.1.110
where 10.10.1.110 – the current IP address of your computer on which port forwarding is configured.
Now, use the netstat tool to check that Windows is now listening on local port 3340:
netstat -ano | findstr :3340
Check Service Status in
services.msc Using console or powershell commands:
IPv6 support must be enabled on the network interface for which the port forwarding rule is being created.
These are the prerequisites for the correct operation of port forwarding in Windows. Without the IP Helper service and without IPv6 support enabled, port redirection will not work.
For port forwarding to work on Windows Server 2003/XP, you must additionally set ipenable router parameters to 1 under registry key HKEY_LOCAL_MACHINE\ System\CurrentControlSet\services\Tcpip\Parameter,
Set-ItemProperty -Path HKLM:\system\CurrentControlSet\services\Tcpip\Parameters -Name IpEnableRouter -Value 1
This option also allows you to enable routing between different subnets in Hyper-V.
You can identify the process that is listening on the specified port by its PID (in our example, the PID is 636):
tasklist | findstr 636
Now try to connect to the new port from a remote computer by using an RDP client. You need to specify 3340 as the RDP port number. It is specified after the colon followed by the RDP host address. For example,
In this example, port TCP/3340 must first be opened in Windows Defender Firewall (see the next section of the article).
The RDP connection should be established successfully.
PortProxy port forwarding rules are permanent and are not cleared when you restart Windows. These rules are stored in the registry. You can list netsh forwarding rules in the registry using PowerShell:
Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp
If you want to forward incoming TCP connections to a remote computer, use the following command:
netsh interface portproxy add v4tov4 listenport=3389 listenaddress=0.0.0.0 connectport=3389 connectaddress=192.168.100.101
This rule will redirect all incoming RDP traffic from this computer (from local TCP port 3389) to a remote host with IP address 192.168.1.100.
Note that portproxy mode in Windows does not support saving the source IP into a forwarded network packet. That is, if you forward port 443 from a Windows device to an internal web server, all incoming connections will be visible to the target server as coming from the same IP address (from your Windows host with netsh portproxy enabled). If you need to use source IP forwarding, you need to use NAT on an external firewall or Hyper-V (described below).
Configuring Firewall Rules for Port Forwarding Mode in Windows
Make sure your firewall (Microsoft Windows Defender or any third-party firewall, which is often part of anti-virus software) allows incoming connections from the new port. You can add a new permission rule to Windows Defender Firewall with the command:
netsh advfirewall firewall add rule name="forwarded_RDPport_3340" protocol=TCP dir=in localip=10.1.1.110 localport=3340 action=allow
Or using the New-NetFirewallRule PowerShell cmdlet:
New-NetFirewallRule -DisplayName "forwarder_RDP_3340" -Direction Inbound -Protocol TCP –LocalPort 3340 -Action Allow
When creating an inbound firewall rule for port TCP/3340 via the Windows Defender Firewall graphical interface, you do not need to associate a program or process with the rule. This port is only listened to by the network driver.
If you disable the PortProxy rule, be sure to remove the rest of the firewall rule as follows:
netsh advfirewall firewall del rule name="RDP_3340"
Or remove firewall rules with PowerShell:
Remove-NetFirewallRule -Name RDP_3340
Managing Netsh Port Forwarding Rules in Windows
You can create any number of port forwarding rules in Windows. All netsh interface portproxy rules are persistent and persist even after Windows restarts.
To display a list of all enabled TCP port forwarding rules on Windows, run the command:
netsh interface portproxy show all
In our case, there is only one forwarding rule from local port 3340 to 3389:
Listen on ipv4: Connect to ipv4: Address Port Address Port --------------- ---------- --------------- ---------- 10.1.1.110 3340 10.1.1.110 3389
netsh interface portproxy dump
#======================== # Port Proxy configuration #======================== pushd interface portproxy reset add v4tov4 listenport=3340 connectaddress=10.1.1.110 connectport=3389 popd # End of Port Proxy configuration
If you need to change the setting of an existing portproxy rule, use the following command:
netsh interface portproxy set v4tov4 listenport=3340 listenaddress=10.10.1.110 connectport=3300 connectaddress=10.10.1.110
In this example, we have changed the portproxy target port number to 3300.
To remove a specific port forwarding rule:
netsh interface portproxy delete v4tov4 listenport=3340 listenaddress=10.1.1.110
To delete all existing port mapping rules and completely clear the port forwarding rules table:
netsh interface portproxy reset
You can use Windows Server with the RRAS (Routing and Remote Access Service and NAT) role installed to enable port forwarding for UDP traffic. You can configure port forwarding between server network interfaces using the graphical snap-in (
rrasmgmt.msc) or with the command:
netsh routing ip nat add portmapping Ethernet1 udp 0.0.0.0 53 192.168.100.100 53
The list of NAT port forwarding rules in Windows Server can be listed as follows:
netsh routing ip nat show interface
If you have WSL (Windows Subsystem for Linux) installed on your computer, you can create a simple PowerShell script to create a port forwarding rule for a WSL 2 virtual machine (a WSL2 VM has its own virtual Ethernet adapter with a unique IP address). happens with) :
netsh interface portproxy reset;
$wsl_ipaddr = wsl -d Ubuntu-20.04 hostname -I;
netsh interface portproxy add v4tov4 listenport=443 listenaddress=0.0.0.0 connectport=443 connectaddress=$wsl_ipaddr ;
netsh interface portproxy show all;
Another built-in feature of PortProxy is the ability to make any remote network service look like it’s running locally. For example, you want to forward connections from local port 9090 to a remote HTTPS server (
netsh interface portproxy add v4tov4 listenport=9090 connectport=443 connectaddress=google.com protocol=tcp
Now, the Google Search page will open if you go to In your browser (you need to ignore SSL_ERROR_BAD_CERT_DOMAIN errors). So even though the browser is accessing the local computer address, it opens a page from an external web server.
Windows cannot forward a range of TCP ports. If you need to forward multiple ports, you must manually create multiple portproxy redirection rules.
Port forwarding rules can also be used to redirect ports from the external IP address of a physical NIC to a port on a virtual machine running on the same host. In Hyper-V, you can configure port forwarding at the virtual switch level (see below).
Port Forwarding with NAT Rules on Hyper-V Virtual Switch
When using the Hyper-V role on your computer (it can be installed on both Windows 10/11 and Windows Server, or a free Hyper-V server), you can configure DNAT port forwarding rules using PowerShell Huh. Let’s say you want to redirect all HTTPS traffic your Hyper-V host receives to the IP address of the virtual machine running on the host. To do this, Hyper-V . use static mapping Order.
Create Hyper-V Virtual Switch:
New-VMSwitch -SwitchName NAT_Switch -SwitchType Internal
To set the IP address for the new virtual switch:
New-NetIPAddress -IPAddress 192.168.100.1 -PrefixLength 24 -InterfaceAlias "vEthernet (NAT_Switch)"
Enable NAT for this network:
New-NetNat -Name NATNetwork -InternalIPInterfaceAddressPrefix 192.168.100.0/24
Connect the VM to your NAT_Switch and assign it a static IP address (for example, 192.168.10.80). Set the Hyper-V Virtual Switch IP address (192.168.100.1 in this case) as the default gateway for the virtual machine’s network connection.
You can now enable port forwarding from the Hyper-V host to the virtual machine:
Add-NetNatStaticMapping -NatName NATNetwork443 -Protocol TCP -ExternalIPAddress 0.0.0.0/24 -ExternalPort 443 -InternalIPAddress 192.168.10.80 -InternalPort 443
After executing these PowerShell commands, all incoming HTTPS traffic on the Hyper-V host’s TCP/443 port will be forwarded to the virtual machine’s private IP address.
If you want to create a port forwarding rule for a non-standard port, be sure to open it in Windows Firewall:
New-NetFirewallRule -DisplayName "HyperV_Nat_444" -Direction Inbound -LocalPort 444 -Protocol TCP -Action Allow -Enabled True
You can display a full list of NAT/PAT port forwarding rules on a Hyper-V host like this: