Port Forwarding Is Broken. Here Is What Actually Works.
You followed every guide. You opened the port on your router, disabled the firewall, double-checked the IP. The port scanner still says it is closed. You are not doing it wrong. For a large and growing portion of home internet connections, port forwarding simply cannot work anymore, and the reason has nothing to do with your router. This article explains why, how to confirm it, and what actually solves the problem.
How Port Forwarding Is Supposed to Work
Your home router sits between your devices and the internet. It uses NAT (Network Address Translation) to let multiple devices share a single public IP address. Outbound connections work fine: your laptop makes a request, the router records which device sent it, and routes the response back to the right machine.
Inbound connections are the problem. When a request arrives at your router from the internet,
the router has no idea which device on your network it is meant for. Port forwarding solves this
by giving the router an explicit rule: any traffic arriving on port 25565 goes to 192.168.1.50.
The router follows the rule and sends the traffic to the right machine.
This works well when your router has a real public IP address. The world can reach that IP directly, your router receives the traffic, and the forwarding rule sends it where you want. The problem is that a real public IP is something many home connections no longer have.
Why Port Forwarding Fails Even When You Do Everything Right
If you have checked everything on your router and the port still appears closed from the internet, there are a handful of likely causes. The most common one is something you have no control over at all.
❌ Your ISP uses CGNAT
This is the most common reason port forwarding fails silently. Your router has a public-looking IP on its WAN side, but it is not actually on the public internet. Your ISP has placed another NAT layer above you. See the next section for a full explanation.
❌ Your ISP-provided modem is also a router (double NAT)
If your ISP gives you a modem/router combo and you plug your own router into it, you have two NAT layers. Traffic arrives at the ISP device, which forwards it to your router, which then forwards it to your device. You need to configure port forwarding on both devices, or put the ISP device into bridge mode so it passes traffic straight to your router.
❌ Your firewall is blocking the port on the server side
Even if the router forwards the port correctly, the operating system on the destination machine may block it. Windows Firewall, ufw on Linux, and macOS's application firewall all filter inbound connections. Check that the service is actually listening on the correct port and that the OS firewall allows it.
❌ The service is not listening on all interfaces
Some applications bind only to 127.0.0.1 by default, meaning they accept connections
from the local machine only. A forwarded port cannot reach a service that is bound to loopback only.
Check the service configuration and make sure it listens on 0.0.0.0 or the specific local IP
of the machine.
❌ You are testing from the same network
Many routers do not support hairpin NAT, that is, reaching your own external IP from inside your own network. If you test your port forwarding from the same Wi-Fi the router is on, you will get a false result. Always test from a different network: a phone on mobile data, or an online port scanner.
What Is CGNAT and Why It Makes Port Forwarding Impossible
IPv4 addresses are a finite resource and the world ran out of them years ago. To deal with this, ISPs started using Carrier-Grade NAT (CGNAT): the same NAT concept your home router uses, but applied at the ISP level to share one public IP address across dozens or hundreds of customers simultaneously.
In a normal setup, your router has a public IP and the internet can reach it directly. With CGNAT, your router gets a private IP from your ISP. Your ISP's equipment holds the actual public IP. When you browse the web, your traffic goes: your device → your router's NAT → your ISP's CGNAT → internet. That is two NAT layers, which is why it is also called double NAT.
Port forwarding on your router only controls the first NAT layer, the one you own. The second layer at the ISP level is completely outside your control. When traffic from the internet arrives at the ISP's CGNAT device, it has no rule telling it which of the hundreds of customers sharing that IP should receive it. The traffic never reaches your router at all. No amount of router configuration changes this.
ISPs known to use CGNAT by default
CGNAT is increasingly common, particularly on mobile broadband and newer ISPs:
How to Check if You Are Behind CGNAT
The test is simple. Compare the WAN IP your router reports to the actual public IP the internet sees for you. If they are different, you are behind CGNAT.
Find your router's WAN IP
Log in to your router's admin panel, usually at 192.168.1.1 or 192.168.0.1.
Find the WAN or internet connection status and note the IP address shown there.
Find your actual public IP
From any device on your network, visit whatismyip.com or run:
curl ifconfig.me
Compare the two IP addresses
If the two addresses match, your router has a real public IP and port forwarding should work. If they are different, you are behind CGNAT and port forwarding cannot work.
CGNAT IP ranges to look for
If your router's WAN IP falls in any of these ranges, you are definitely behind CGNAT or double NAT:
| IP Range | Type | Meaning |
|---|---|---|
| 100.64.0.0/10 | RFC 6598 | Dedicated CGNAT shared address space |
| 10.0.0.0/8 | RFC 1918 | Private, ISP-level NAT likely |
| 172.16.0.0/12 | RFC 1918 | Private, ISP-level NAT likely |
| 192.168.0.0/16 | RFC 1918 | Private, double NAT likely |
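The comparison and the range check above can be combined into one function. This is an added example, not code from the original article; the function name and the verdict strings are assumptions chosen for illustration, and the addresses in the usage section are constructed from documentation ranges.

```python
import ipaddress

# Ranges from the table above. A WAN address inside any of them is not
# publicly routable, so another NAT layer sits upstream of the router.
NON_PUBLIC_WAN = [
    (ipaddress.ip_network("100.64.0.0/10"), "cgnat-shared-space"),
    (ipaddress.ip_network("10.0.0.0/8"), "private-upstream-nat"),
    (ipaddress.ip_network("172.16.0.0/12"), "private-upstream-nat"),
    (ipaddress.ip_network("192.168.0.0/16"), "private-double-nat"),
]


def classify_wan(router_wan_ip: str, observed_public_ip: str) -> str:
    """Return a verdict for the router's WAN address.

    router_wan_ip: value copied from the router's status page.
    observed_public_ip: value reported by an external lookup such as
    `curl ifconfig.me`.
    """
    wan = ipaddress.ip_address(router_wan_ip.strip())
    public = ipaddress.ip_address(observed_public_ip.strip())
    # The lookup can answer over IPv6 on dual-stack hosts; comparing that
    # with an IPv4 WAN address would always report a false mismatch.
    if wan.version != 4 or public.version != 4:
        raise ValueError("this check compares IPv4 addresses only")

    # Range check first: it is conclusive even without the external lookup.
    for network, verdict in NON_PUBLIC_WAN:
        if wan in network:
            return verdict

    # A public-looking WAN address still has to match what the internet sees.
    if wan != public:
        return "mismatch-upstream-nat"
    return "public-ip-forwarding-possible"


if __name__ == "__main__":
    # Constructed sample values, not taken from a real connection.
    for wan_ip, seen_ip in [
        ("100.72.14.9", "203.0.113.20"),
        ("198.51.100.7", "203.0.113.20"),
        ("203.0.113.20", "203.0.113.20"),
    ]:
        print(wan_ip, seen_ip, classify_wan(wan_ip, seen_ip))
```
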
Full Troubleshooting Checklist
If you have a real public IP but port forwarding still does not work, go through this list:
Run netstat -tlnp | grep PORT (Linux) or netstat -ano | findstr PORT (Windows) to verify the process is actually listening.
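The netstat check and the loopback-binding cause described earlier can be read off the same output. The following is an added example, not part of the original article: it parses Linux `netstat -tln` text and reports whether a forwarding rule aimed at a given LAN address can reach the service. The function names, verdict strings and sample output are constructed for illustration.

```python
import ipaddress

# Constructed sample of Linux `netstat -tln` output (not from a real host).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:25565         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.50:8443       0.0.0.0:*               LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN
tcp6       0      0 :::8080                 :::*                    LISTEN
"""


def listen_addresses(netstat_text: str, port: int) -> list:
    """Collect the local addresses that have a TCP listener on `port`."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue
        # rpartition splits on the last colon, so "::1:631" gives "::1" and "631".
        host, _, port_text = fields[3].rpartition(":")
        if port_text == str(port):
            found.append(ipaddress.ip_address(host))
    return found


def forward_verdict(netstat_text: str, port: int, lan_ip: str) -> str:
    """Say whether a router rule pointing at lan_ip:port can reach the service."""
    target = ipaddress.ip_address(lan_ip)
    addrs = listen_addresses(netstat_text, port)
    if not addrs:
        return "not-listening"
    v4 = [a for a in addrs if a.version == 4]
    if any(a.is_unspecified or a == target for a in v4):
        return "reachable"
    # Whether a "::" socket also accepts IPv4 depends on the host's dual-stack
    # setting, which netstat does not show, so it gets its own verdict.
    if any(a.is_unspecified for a in addrs):
        return "ipv6-wildcard-only"
    if all(a.is_loopback for a in addrs):
        return "loopback-only"
    return "bound-to-other-address"


if __name__ == "__main__":
    for p in (25565, 22, 8443, 8080, 9999):
        print(p, forward_verdict(SAMPLE_NETSTAT, p, "192.168.1.50"))
```
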
What Actually Works Instead of Port Forwarding
If you are behind CGNAT or have exhausted the troubleshooting checklist without success, these are the practical alternatives, each working in a different way.
🚇 Tunnel service (fastest to set up)
A tunnel service like Localtonet works by having your machine make an outbound connection to a relay server. Outbound connections work from anywhere, including behind CGNAT. The relay holds a public address and forwards incoming traffic back through the tunnel to your machine. You never need an inbound connection, so CGNAT never blocks anything. This is the fastest path from zero to a working public address for a local service.
Create an HTTP tunnel with Localtonet
Install Localtonet, authenticate with your token, then go to the HTTP tunnel page and create a tunnel for your service's port. For TCP services use the TCP/UDP tunnel page. Your service gets a public address in under a minute with no router or ISP changes.
localtonet --authtoken <YOUR_TOKEN>
📞 Ask your ISP for a public IP (if available)
Some ISPs will provide a dedicated public IPv4 address on request, sometimes for a small monthly fee. This removes CGNAT entirely and makes port forwarding work as expected. Call your ISP, explain that you need to host services from home, and ask if a public IP is available. Not all ISPs offer this, and some charge a significant premium, but it is worth asking.
🌐 Use IPv6 if your ISP supports it
IPv6 does not use NAT by default. Every device gets a globally routable public IPv6 address. If your ISP provides native IPv6 and the service you want to expose supports IPv6, you can open a port in your OS firewall and the device is directly reachable from the internet. The catch is that many ISPs still have inconsistent IPv6 support and not all client devices support IPv6 connections.
🖥️ Rent a VPS as a relay
A small VPS (€3–5/month from Hetzner, DigitalOcean, or Vultr) has a public IP by default. You can set up WireGuard between the VPS and your home machine and use the VPS as a relay, forwarding traffic from its public IP to your local services. This gives you full control and a static IP, but requires more setup than a tunnel service.
| Approach | Works behind CGNAT | Setup time | Cost |
|---|---|---|---|
| Localtonet tunnel | ✓ | Under 1 minute | Free tier available |
| ISP public IP | ✓ | Hours to days | Free to ~€10/month |
| IPv6 direct access | ✓ | 30 minutes | Free if ISP supports it |
| VPS relay | ✓ | 1–2 hours | €3–5/month |
| Port forwarding alone | ✗ | Minutes | Free |
Frequently Asked Questions
My router shows a public IP but port forwarding still does not work. What else could it be?
The most common causes after CGNAT are: (1) testing from inside your own network, which most routers block (test with your phone on mobile data instead); (2) the OS firewall on the destination machine blocking the port even though the router forwards it; (3) the service binding only to 127.0.0.1 rather than 0.0.0.0; or (4) DHCP reassigning a different IP to the machine, making the forwarding rule point at the wrong device. Work through the checklist above systematically.
Can I ask my ISP to remove me from CGNAT?
Yes, and it is worth trying. Some ISPs will give you a dedicated public IPv4 on request, sometimes free and sometimes for a small monthly fee. Call their support line and say you need a public IP for self-hosting. Residential ISPs are increasingly moving to CGNAT by default to save on IPv4 costs, but many still offer a static IP as a paid add-on.
Does a Localtonet tunnel work on Starlink or T-Mobile Home Internet?
Yes. Both Starlink and T-Mobile Home Internet use CGNAT by default, which means port forwarding does not work on either. Localtonet tunnels work because they use outbound connections, which CGNAT never blocks. Your machine connects out to the relay and stays connected, making the tunnel work regardless of what your ISP does with inbound traffic.
Is there a security risk to using a tunnel instead of port forwarding?
Tunnels and port forwarding expose the same service to the internet, so the risk is the same: a publicly reachable endpoint that someone can attempt to connect to. Tunnels are arguably slightly safer than port forwarding because the relay address is not tied to your actual IP, making it harder for someone who finds the endpoint to directly target your home network. Good security practice (strong passwords, keeping software updated, not exposing services unnecessarily) applies to both approaches.
Will port forwarding ever work again on my connection?
If you are on CGNAT, not without either getting a public IP from your ISP or switching to an ISP that provides one. IPv6 adoption may eventually make the question irrelevant: when every device has a globally routable IPv6 address, port forwarding becomes unnecessary. But full IPv6 deployment is still years away for many regions. In the meantime, tunnels are the practical solution.
I have a dynamic IP that changes every few days. Does that affect any of this?
If you have a real public IP (not CGNAT), a dynamic IP means your port forwarding still works but the address changes. Dynamic DNS (DDNS) services solve this by automatically updating a domain name to point at your current IP. Most modern routers have DDNS built in. If you use a Localtonet tunnel, the relay address stays stable regardless of your home IP: the tunnel reconnects automatically when your IP changes.
Stop Fighting Your Router. Get a Public Address in Under a Minute.
Create a free Localtonet account, install the client, and open a tunnel for your service. It works behind CGNAT, double NAT, and every other network configuration your ISP can throw at you.