
August 28, 2020 | Windows 10, Windows Server 2012 R2, Windows Server 2016

Configuring Port Forwarding on Windows

You can configure network port forwarding in all Windows versions without using third-party tools. Using a port forwarding rule, you can redirect an incoming TCP connection (IPv4 or IPv6) from a local TCP port to any other port number, or even to a port on a remote computer. Moreover, Windows does not need to have a service of its own listening on the TCP port being forwarded. Windows port forwarding is most commonly used to bypass firewalls or to hide an internal host or service from the external network (NAT/PAT).

In the Linux world, port forwarding is configured quite simply using iptables or firewalld. On Windows Server systems, the Routing and Remote Access Service (RRAS) is typically used to configure port redirections. However, there is an easier way to configure port forwarding that works well in any Windows version.

Contents:
  • How to Configure Port Forwarding on Windows 10 using Netsh Portproxy?
  • Managing Port Forwarding Rules in Windows
  • Port Forwarding in Hyper-V Server

How to Configure Port Forwarding on Windows 10 using Netsh Portproxy?

You can configure port forwarding in Windows using the portproxy mode of the netsh command. The command syntax is as follows:

netsh interface portproxy add v4tov4 listenaddress=localaddress listenport=localport connectaddress=destaddress connectport=destport

where

  • listenaddress – the local IP address on which to listen for incoming connections (useful if you have multiple NICs or multiple IP addresses on one interface);
  • listenport – the local TCP port number on which to listen for incoming connections;
  • connectaddress – the local or remote IP address (or DNS name) to which incoming connections are redirected;
  • connectport – the TCP port to which the connection from listenport is forwarded.

Using the netsh interface portproxy add v4tov6/v6tov4/v6tov6 options, you can create port forwarding rules between IPv4 and IPv6 addresses.

Let’s suppose our task is to make the RDP service respond on a non-standard port, for example 3340 (the port can be changed in the settings of the Remote Desktop service, but we are using RDP here simply because it makes port forwarding easy to demonstrate). To do this, we need to redirect incoming traffic from TCP port 3340 to another local port, 3389 (the default RDP port number).

Please note that the local port number you specify in listenport must not already be in use (listened on) by another service or process. Check that the port number is not in use:

netstat -na|find "3340"

Alternatively, you can check that the port is not listening locally using the PowerShell cmdlet Test-NetConnection:

Test-NetConnection -ComputerName localhost -Port 3340


To create a port forwarding rule on Windows 10, open a command prompt as an administrator and run the following command:

netsh interface portproxy add v4tov4 listenport=3340 listenaddress=10.1.1.110 connectport=3389 connectaddress=10.1.1.110


where 10.1.1.110 is the current IP address of this computer.

Now, use the netstat tool to check that Windows is now listening on local port 3340:

netstat -ano | findstr :3340


Note. If this command returns nothing and port forwarding through netsh interface portproxy doesn’t work, make sure that the iphlpsvc (IP Helper) service is running on your computer.


IPv6 support must be enabled on the network interface for which the port forwarding rule is created.


These are the prerequisites for the correct operation of port forwarding. Without the IP Helper service and without IPv6 support enabled, the port redirection won’t work.

To make port forwarding work on Windows Server 2003/XP, you must additionally set the IPEnableRouter parameter to 1 in the registry key HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters.

You can find out what process is listening on the specified port using its PID (in our example, the PID is 636):

tasklist | findstr 636

Let’s try to connect to this port from a remote computer using any RDP client. Port 3340 should be specified as the RDP port number, after the colon following the RDP server address, for example 10.1.1.110:3340.


The RDP connection should be established successfully.

If you want to forward an incoming TCP connection to a remote computer, use the following command:

netsh interface portproxy add v4tov4 listenport=3389 listenaddress=0.0.0.0 connectport=3389 connectaddress=192.168.100.101

This rule will redirect all incoming RDP traffic (arriving on local TCP port 3389) from this computer to the remote host with IP address 192.168.100.101.

Also, you can use the Windows SSH tunnel to forward the local port to a remote server.

Managing Port Forwarding Rules in Windows

Important. Make sure that your firewall (Microsoft Windows Defender Firewall or a third-party firewall, which is often included in antivirus software) allows incoming connections to the new port. You can add a new allow rule to Windows Defender Firewall with the command:

netsh advfirewall firewall add rule name="forwarded_RDPport_3340" protocol=TCP dir=in localip=10.1.1.110 localport=3340 action=allow

Or using the New-NetFirewallRule PowerShell cmdlet:

New-NetFirewallRule -DisplayName "forwarder_RDP_3340" -Direction Inbound -Protocol TCP -LocalPort 3340 -Action Allow

When creating an inbound firewall rule for port 3340 in the Windows Defender Firewall graphical interface, no program needs to be associated with it; the port is listened on only by the network driver.

You can create any number of Windows port forwarding rules. All netsh interface portproxy rules are persistent and remain in the system after a Windows restart.

That said, there have been cases in Windows Server 2012 R2 where the port forwarding rules were reset after a server reboot. In this case, check whether the network interface is periodically disconnecting and whether the IP address changes when the OS boots (it is better to use a static IP instead of a dynamic DHCP address). As a workaround, I had to add a batch script with the netsh interface portproxy rules to the Windows Task Scheduler and run it at system startup.

To display a list of all active TCP port forwarding rules on Windows, run the command:

netsh interface portproxy show all

In our case there is only one forwarding rule, from local port 3340 to 3389:

Listen on ipv4:             Connect to ipv4:
Address         Port        Address         Port
--------------- ----------  --------------- ----------
10.1.1.110     3340        10.1.1.110     3389
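The rules listed by `netsh interface portproxy show all` can be turned into objects and checked against the prerequisites described earlier (a LISTEN socket on the listen address/port and a running IP Helper service). The following script is an added example, not code from the original article; it parses the table format shown above and assumes only the built-in netsh, Get-Service and Get-NetTCPConnection tools.

```powershell
# Added example (not from the original article): parse "netsh interface portproxy
# show all" into objects and verify each rule is actually in effect. This is useful
# both when a rule "does nothing" and when auditing a host for forwarding rules
# that nobody remembers creating.
function Get-PortProxyRule {
    [CmdletBinding()]
    param(
        # Accepts saved output for offline review; defaults to the live netsh table.
        [string[]]$Output = (netsh interface portproxy show all)
    )
    $section = $null
    foreach ($line in $Output) {
        # Section headers look like "Listen on ipv4:             Connect to ipv4:"
        if ($line -match '^Listen on (ipv[46]):\s+Connect to (ipv[46]):') {
            $section = "$($Matches[1])to$($Matches[2])"   # e.g. ipv4toipv4
            continue
        }
        # Data rows: listen address, listen port, connect address, connect port.
        # The "Address Port" header and the dashed separator do not match this.
        if ($section -and $line -match '^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s*$') {
            [pscustomobject]@{
                Type           = $section
                ListenAddress  = $Matches[1]
                ListenPort     = [int]$Matches[2]
                ConnectAddress = $Matches[3]
                ConnectPort    = [int]$Matches[4]
            }
        }
    }
}

function Test-PortProxyRule {
    # Without IP Helper (iphlpsvc) no portproxy rule works, as the article notes.
    $helper = Get-Service -Name iphlpsvc -ErrorAction SilentlyContinue
    if (-not $helper -or $helper.Status -ne 'Running') {
        Write-Warning 'IP Helper (iphlpsvc) is not running; portproxy rules will not work'
    }
    foreach ($rule in Get-PortProxyRule) {
        # netsh prints "*" when no listenaddress was given; the socket then binds
        # to the wildcard address of the respective IP version.
        $want = if ($rule.ListenAddress -eq '*') { '0.0.0.0', '::' } else { @($rule.ListenAddress) }
        $listener = Get-NetTCPConnection -LocalPort $rule.ListenPort -State Listen -ErrorAction SilentlyContinue |
            Where-Object { $_.LocalAddress -in $want }
        # Listening = $false means the rule exists but nothing accepts connections for it.
        $rule | Add-Member -NotePropertyName Listening -NotePropertyValue ([bool]$listener) -PassThru
    }
}

Test-PortProxyRule | Format-Table -AutoSize
```

Any rule reported with Listening set to False, or any rule you did not create yourself, is worth investigating before trusting the host's forwarding configuration.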


Tip. You can also list the portproxy settings as follows:

netsh interface portproxy dump

#========================
# Port Proxy configuration
#========================
pushd interface portproxy
reset
add v4tov4 listenport=3340 connectaddress=10.1.1.110 connectport=3389
popd
# End of Port Proxy configuration


To remove a specific port forwarding rule:

netsh interface portproxy delete v4tov4 listenport=3340 listenaddress=10.1.1.110

To remove all existing mapping rules and completely clear the port forwarding rules table:

netsh interface portproxy reset

Important. This forwarding scheme works only for TCP ports; you won’t be able to forward UDP ports this way. Also, you can’t use the loopback interface 127.0.0.1 as the connectaddress.

You can use Windows Server with the RRAS and NAT role installed to configure port forwarding for UDP traffic. You can configure port forwarding between server interfaces using the graphical snap-in (rrasmgmt.msc) or with the command:

netsh routing ip nat add portmapping Ethernet1 udp 0.0.0.0 53 192.168.100.100 53

Another portproxy feature is that it can make any remote network service appear to be running locally.

For example, let’s redirect the connection from the local port 5555 to a remote HTTP server with IP address 157.166.226.25 (CNN website):

netsh interface portproxy add v4tov4 listenport=5555 connectport=80 connectaddress=157.166.226.25 protocol=tcp

Now if you go to http://localhost:5555/ in your browser, the CNN start page will open. So although the browser is accessing the local computer, it opens a page from an external web server.


Port forwarding rules can also be used to forward a port from the external IP address of a physical NIC to a port of a virtual machine running on the same host. In Hyper-V, you can configure port forwarding on a Virtual Switch level (see below).

Windows cannot forward a range of TCP ports. If you need to forward multiple ports, you will have to create multiple portproxy forwarding rules manually. The easiest way is to generate a list of netsh interface portproxy add commands with different port numbers in Notepad and then paste them into the command prompt for execution.
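Instead of pasting generated commands, the same loop can be scripted so that each listen port is checked for an existing listener first and the matching inbound firewall rule is created in one pass. The function below is an added example, not code from the original article; the function name and the addresses and ports in the usage line are placeholders.

```powershell
# Added example (not from the original article): create portproxy rules for a
# range of TCP ports on one listen address, each forwarded to the same port
# number on a destination host, and open the firewall for every new listener.
# Function name and the sample addresses/ports are placeholders.
# Run from an elevated PowerShell session.
function Add-PortProxyRange {
    param(
        [Parameter(Mandatory)][ipaddress]$ListenAddress,
        [Parameter(Mandatory)][ipaddress]$ConnectAddress,
        [Parameter(Mandatory)][int]$FirstPort,
        [Parameter(Mandatory)][int]$LastPort,
        [string]$RulePrefix = 'portproxy_'
    )

    # Ports that already have a listener: a portproxy rule on one of them
    # would never receive the connection (the article's netstat check).
    $busy = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty LocalPort -Unique

    foreach ($port in $FirstPort..$LastPort) {
        if ($busy -contains $port) {
            Write-Warning "TCP $port is already in use locally; skipping"
            continue
        }

        # portproxy forwards TCP only; v4tov4 is the IPv4-to-IPv4 variant.
        $out = netsh interface portproxy add v4tov4 `
            listenaddress=$ListenAddress listenport=$port `
            connectaddress=$ConnectAddress connectport=$port
        if ($LASTEXITCODE -ne 0) {
            Write-Error "portproxy add failed for port ${port}: $out"
            continue
        }

        # Defender Firewall still needs an inbound allow rule for the new
        # listener; scope it to this listen address and port only.
        New-NetFirewallRule -DisplayName "$RulePrefix$port" -Direction Inbound `
            -Protocol TCP -LocalAddress $ListenAddress.IPAddressToString `
            -LocalPort $port -Action Allow | Out-Null

        [pscustomobject]@{
            ListenAddress  = $ListenAddress.IPAddressToString
            ListenPort     = $port
            ConnectAddress = $ConnectAddress.IPAddressToString
            ConnectPort    = $port
        }
    }
}

# Placeholder usage: forward TCP 8080-8085 on 10.1.1.110 to the same ports on 192.168.100.101.
Add-PortProxyRange -ListenAddress 10.1.1.110 -ConnectAddress 192.168.100.101 -FirstPort 8080 -LastPort 8085
```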

Port Forwarding in Hyper-V Server

When the Hyper-V role is installed on your computer (it can be installed on both Windows 10 and Windows Server, or as the free Hyper-V Server), you can configure DNAT port forwarding rules using PowerShell. Suppose you want to redirect all HTTPS traffic that your Hyper-V host receives to the IP address of a virtual machine running on the host. To do this, use the Hyper-V StaticMapping commands.

First you need to create a Virtual Switch with NAT:

New-VMSwitch -Name "HTTPS-NAT" -SwitchType NAT -NATSubnetAddress 192.168.100.0/24

Then connect the required VM to this vswitch and enable the address translation rule for all virtual machines connected through this Hyper-V virtual switch:

New-NetNat -Name HTTPS-NAT -InternalIPInterfaceAddressPrefix 192.168.100.0/24
Add-NetNatStaticMapping -ExternalIPAddress "0.0.0.0/24" -ExternalPort 443 -Protocol TCP -InternalIPAddress "192.168.100.77" -InternalPort 443 -NatName HTTPS-NAT

After executing these PowerShell commands, all HTTPS traffic that comes to port 443 of the Hyper-V host will be forwarded to the private IP address of the virtual machine.

 

25 comments

Port Forwarding in Windows | Windows OS Hub | W... March 13, 2015 - 1:15 pm

[…] In Microsoft Windows, starting from Windows XP, there is a built-in ability to set up network ports forwarding (port forwarding). Due to it, any connection […]

Dagg July 1, 2020 - 10:58 am

Man, you saved my life! I have spent literally weeks on several sites that we host, trying everything. Looks like Windows Server 2016 isn’t best suited for hosting files outside the .asp file domain (Node.js for example).

George May 13, 2015 - 2:18 am

Hi, this is a good article.
I would like to ask if there is any mechanism to not only forward but also copy data? For example, my server listens on TCP port 8845 and does something when data comes in. I want to keep the original structure but, in addition, copy all incoming data and then forward it to another server via TCP port 8844. I know writing some code can do it, but is there any built-in function in Windows Server 2012 that can perform this?
Thank you.
George
Max May 13, 2015 - 10:10 am

Do you mean that some application on the server processes the incoming network data in some way and sends it over the network to another host, or that the modified data is stored locally?

George May 14, 2015 - 12:29 am

My scenario is: I have a server A that listens on TCP port 8845. There is a program installed on server A to process data when it detects data coming in. What I want to do is to keep the structure on server A, but make a copy of the original incoming data and then send it to server B on TCP port 8844 from server A.
I know we can just write a program to do it, but I want to know if there are any built-in functions in Windows Server 2012 that can fulfill my needs.
Thanks.

Micah Hoover April 7, 2016 - 3:51 pm

You have to use rewrites. The easiest way I could do this was to set up an IIS server, download and install ARR, then configure ARR and “URL Rewrite” in the IIS Manager. Took about a day for a software engineer (sysadmin novice) to do it and get everything straightened out.

Matt November 18, 2015 - 1:31 am

Great write-up!!! Do you know if connections going through the forwarded ports count towards the Windows 7 client connection limit of 20 concurrent connections? I’m looking to forward some traffic on my network so I can easily run scripts to redirect it if downtime occurs, but I need to know if I’m going to hit an upper limit of concurrent connections. THANKS!

jt November 25, 2015 - 12:40 am

Thank you so so so so so much, you just saved me 8 hours of driving back to a computer I forgot.

MV January 19, 2016 - 4:45 pm

Excellent article.
I would like to isolate all incoming traffic destined for port 80 to, say, port 8080, but leave all locally originated traffic for port 80 as it is. Could you please let me know how this is possible (if at all) in Windows Server?
admin February 3, 2016 - 6:33 am

Try to use the following command:

netsh interface portproxy add v4tov4 listenport=80 listenaddress=127.0.0.1 connectport=8080 connectaddress=127.0.0.1

zeyad February 4, 2016 - 5:01 pm

Hi,
I don’t understand how to forward the port (80 for example) to any IP and port.

admin February 5, 2016 - 4:39 am

Use the following syntax:

netsh interface portproxy add v4tov4 listenaddress=[your_local_ip_address] listenport=80 connectaddress=[any_ip_address] connectport=[any_tcp_port]

For example,

netsh interface portproxy add v4tov4 listenaddress=192.168.1.100 listenport=80 connectaddress=192.168.120.120 connectport=8080

jb March 11, 2016 - 8:48 pm

Thanks for this write-up! Been trying to figure out a particularly problematic issue with a legacy application and hoping maybe this can help.
Can this be used to redirect traffic originating on the local machine and directed to a particular IP address to instead send it to a different IP? For example, I have an application that is hard-coded to seek data in an archive at IP x.x.x.10, but the data has been moved and now resides at x.x.x.20 (and I can’t just re-IP the new archive location to make it x.x.x.10). Any thoughts on how to get the application’s requests, even though they come out of the application addressed to x.x.x.10, to instead be redirected and sent to x.x.x.20? Hope this makes sense…
ILGUIZ July 15, 2016 - 9:55 pm

Thanks for the quick and nice article. The double quotes in the firewall command appear to be Unicode, not ASCII. My command line shell accepts both but makes the two names different.

Sean Vreeland August 1, 2016 - 12:49 am

THIS IS A GREAT WRITEUP!
However, a question:
1) Does this work with IPv6?
2) When I’m connected to my VPN (with IPv6 enabled), all the ports that I have opened at my router and in Windows Firewall are now closed, even though it says “listening on 0.0.0.0”. So, do I need to forward the ports from 0.0.0.0 to the local LAN adapter, or from the IP address of the VPN adapter to the local LAN adapter? Kinda confused about this.
Thanks!

Tony September 16, 2016 - 1:18 pm

Is there any effective way to adjust Windows Firewall to whitelist IP addresses to the ports created with portproxy? My WF rules seem to have no effect.

nomadewolf September 20, 2016 - 3:49 pm

I want to redirect traffic that goes from a local app to a specific remote address and force it to go to a specific port.
I tried something like:
netsh interface portproxy add v4tov4 listenaddress=[remote_address] connectport=[port_i_want_to_forward_to] connectaddress=[remote_address]
Can I do something like this?

ted October 19, 2016 - 7:56 am

Very good post!! Thank you.
Carlos February 16, 2017 - 6:25 pm

Hi
Could I redirect 80 or 53 to another server?
Ex. My official site is hosted on a Linux server with the same DNS name as the AD server.
If I use the primary DNS from the AD server on the workstations, I can’t open my site and applications through the DNS hosted on the second server.

Thanks

admin February 22, 2017 - 7:28 am

Hi
I did not understand, do you want to forward HTTP connections for internal clients from the AD server to Linux?

PS. You can forward only TCP connections this way (DNS works over the UDP protocol).

Jason April 11, 2017 - 10:06 am

You are a legend. Thanks for the great article, worked like a charm!

Can I configure the Windows hosts file to use IP address plus port? – Blog SatoHost July 7, 2018 - 4:25 pm

[…] Windows Port Forwarding Example […]

pavan June 12, 2019 - 8:35 pm

Thanks. This is very useful.

It worked for me.

Jasper November 2, 2019 - 7:01 am

Excellent article on the topic. We have static IP addresses in the Netherlands, so DNS is not necessary. But with some routers here (KPN Experia box) you need to port forward in 2 different places within the router, and that can be a real challenge.

Johny September 1, 2020 - 10:27 pm

Hello, I can’t enter the PC remotely with any domain account; when I try, it shows the error “Logon attempt failed, or incorrect user and password”, but the username and password are correct.
