Definition
Port forwarding is a router configuration that tells your network to deliver unsolicited inbound traffic arriving on a particular port to a specific device on your local network. It is the standard way to make a self-hosted service — such as a Bitcoin node accepting peer connections on port 8333 — reachable from the wider internet despite the barrier that network address translation normally imposes. Without a forwarding rule, your router has no idea which internal machine an incoming connection is meant for and simply drops it; the rule is you telling it.
How a forwarding rule works
You create a rule in the router's admin interface that maps an external port to an internal IP address and port. When a packet arrives from the internet on that external port, the router rewrites its destination and hands it to the chosen internal device instead of discarding it. Because the rule is tied to a fixed internal address, the target device needs a static local IP or a DHCP reservation, so the rule does not silently break the next time addresses shuffle after a reboot. The external and internal ports do not have to match — you can expose an unusual outside port that forwards to a standard inside one, a mild obscurity measure that deters only the laziest scanners but keeps logs quieter.
Common uses for node runners
Operators of Bitcoin Core nodes forward port 8333 so other peers can connect inbound. An unreachable node still works — it makes outbound connections and validates everything — but a reachable one strengthens the network by serving blocks to syncing peers and improves its own connection diversity. Others forward ports for a Lightning node, a personal VPN endpoint, a Nostr relay, or a self-hosted dashboard. The chief pitfall is exposure: any forwarded port is a door the whole internet will knock on within minutes of opening — automated scanners guarantee it — so each exposed service should be hardened, updated, and ideally placed behind authentication, a reverse proxy, or a VPN tunnel. Forward the minimum, and audit the rule list occasionally; forgotten rules pointing at long-retired devices are a classic quiet risk.
When forwarding is not possible
If your ISP uses carrier-grade NAT — increasingly common as IPv4 addresses run short — you cannot forward ports at all, because the public-facing router belongs to the ISP, not to you. In that case, reachability comes from the inside out: an outbound tunnel to a machine you control, or an onion service via Tor, which requires no inbound ports whatsoever and is the path many node runners choose anyway for privacy.
The UPnP trap
Many routers ship with UPnP (Universal Plug and Play) enabled, which lets any application on the LAN open forwarding rules automatically, with no admin approval. It is convenient for game consoles and disastrous as a security posture: malware on any device in the house can silently punch holes to itself, and years of router UPnP implementations have shipped with bugs of their own. The sovereign default is to disable UPnP and create the few rules you need by hand — a node port, perhaps a VPN endpoint — so the router's forwarding table is a short list you wrote yourself and can audit at a glance. If an application "requires" UPnP, that is an invitation to understand exactly what it needs opened and to open precisely that, nothing more.
Port forwarding directly addresses the inbound limitation described under Network Address Translation (NAT); pair every rule you create with a scoped firewall policy so the door you opened stays the only one.
In Simple Terms
Port forwarding is a router configuration that tells your network to deliver unsolicited inbound traffic arriving on a particular port to a specific device on…
