Port forwarding is the practice of configuring a router to redirect incoming traffic on a specific port to a specific internal machine. It is the oldest, most fragile, and most widely practiced method of making a service behind NAT reachable from the outside world. It is also the method that Tailscale made obsolete in the time it takes to run one command.
How It Works
Your home router has one public IP address. Behind it, your machines have private IPs — 192.168.x.x, the addresses that mean “I exist, but only locally.” When you want to SSH into your home server from a café, you configure the router to forward port 22 on the public IP to port 22 on the internal machine.
This works. It works the way leaving your front door unlocked works — effectively, until it doesn’t.
The Problems
Dynamic IPs. Most residential ISPs assign dynamic public IPs. Your IP changes. Your port forwarding rule now points at nobody. You discover this at the café, when SSH times out, and you have no way to fix it because fixing it requires accessing the router, which requires being home, which defeats the purpose.
The fix is dynamic DNS — a service that maps a hostname to your changing IP. The fix for the fix is remembering to install the dynamic DNS update client. The fix for the fix for the fix is noticing when the client stops working. Each fix adds a layer. Each layer can fail independently.
Security. A forwarded port is a door. An open door on the public internet is an invitation. Every port scanner on earth — and there are many, and they are tireless — will find your port within hours. Your SSH daemon will receive login attempts from IP addresses in countries you have never visited. Your logs will fill with Failed password for root from 185.x.x.x. Your security posture is now “hope they don’t guess the password.”
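What those log lines look like once you actually read them, as an added example that is not part of the original page: a small Python tally of sshd "Failed password" lines per source address and per username tried, plus a check of whether sshd_config still accepts passwords at all, which is the setting the mesh approach later on the page makes moot. The log lines, hostname and addresses are constructed (the addresses are RFC 5737 documentation ranges, not real attackers); the sshd_config check ignores Match blocks and the threshold of five attempts is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of /var/log/auth.log lines. Addresses are documentation
# ranges (203.0.113.0/24, 198.51.100.0/24), not real sources.
SAMPLE_AUTH_LOG = """\
Mar  3 02:14:07 homeserver sshd[2213]: Failed password for root from 203.0.113.42 port 51022 ssh2
Mar  3 02:14:09 homeserver sshd[2213]: Failed password for root from 203.0.113.42 port 51023 ssh2
Mar  3 02:14:12 homeserver sshd[2219]: Failed password for invalid user admin from 203.0.113.42 port 51030 ssh2
Mar  3 02:14:15 homeserver sshd[2219]: Failed password for invalid user admin from 203.0.113.42 port 51031 ssh2
Mar  3 02:14:20 homeserver sshd[2222]: Failed password for root from 203.0.113.42 port 51040 ssh2
Mar  3 02:15:01 homeserver sshd[2230]: Failed password for pi from 198.51.100.7 port 40001 ssh2
Mar  3 02:16:44 homeserver sshd[2240]: Accepted publickey for alice from 192.168.1.20 port 50122 ssh2
"""

# sshd writes "invalid user" before names that do not exist on the box.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def failed_logins_by_ip(log_text):
    """Count failed password attempts per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def users_tried_by_ip(log_text):
    """Which usernames each source guessed; a spread of names is the
    signature of a credential-stuffing pass rather than a typo."""
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            users[m.group("ip")].add(m.group("user"))
    return {ip: sorted(names) for ip, names in users.items()}


def brute_force_sources(log_text, threshold=5):
    """Sources at or above `threshold` failures (assumed value), i.e. the
    condition under which a fail2ban-style tool would ban the address."""
    return sorted(ip for ip, n in failed_logins_by_ip(log_text).items() if n >= threshold)


def password_auth_enabled(sshd_config_text):
    """True if sshd would accept passwords. Keywords are case-insensitive,
    the first occurrence wins, and the compiled-in default is 'yes', so a
    commented-out line leaves passwords enabled. Match blocks are ignored."""
    for raw in sshd_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ").split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "passwordauthentication":
            return parts[1].strip().lower() == "yes"
    return True


if __name__ == "__main__":
    for ip, n in failed_logins_by_ip(SAMPLE_AUTH_LOG).most_common():
        print(f"{ip:>16}  {n} failures  users={users_tried_by_ip(SAMPLE_AUTH_LOG)[ip]}")
    print("ban candidates:", brute_force_sources(SAMPLE_AUTH_LOG))
    print("passwords accepted with default config:", password_auth_enabled("# PasswordAuthentication no\n"))
```

The last check is the one worth running on any box that ever had a forwarded port 22: a commented-out `PasswordAuthentication no` is the default `yes` in disguise.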
ISP blocking. Some ISPs block common ports. Port 22 (SSH), port 80 (HTTP), port 443 (HTTPS). They do this to prevent customers from running servers, which is a policy that makes sense from the ISP’s perspective and makes no sense from the developer’s perspective and is not negotiable from either perspective.
UDP. Mosh needs UDP ports 60000-61000. Forwarding a range of UDP ports through a consumer router is an exercise in discovering which parts of your router’s admin interface were never tested. Some routers support port ranges. Some require individual rules. Some accept the configuration and then don’t forward anything because the firmware was written by someone who tested TCP and assumed UDP was the same.
[Graphic: PORT FORWARDING IS GIVING YOUR ADDRESS TO EVERYONE SO THAT ONE PERSON CAN VISIT. A MESH VPN IS A PRIVATE HALLWAY.]
The socat Era
Before Tailscale, the middle ground between “port forwarding” and “proper VPN” was socat — a Swiss army knife for network plumbing. Need to forward UDP from your Mac to an OrbStack VM? socat. Need to relay TCP through an intermediate host? socat. Need to feel like a 1990s sysadmin who solves every problem with a pipe and a prayer? socat.
socat UDP4-LISTEN:60010,fork,reuseaddr UDP4:192.168.139.66:60001
This works. It works the way duct tape works — impressively, temporarily, and with the quiet understanding that a real solution would not involve duct tape.
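What that socat line is actually doing, rebuilt as an added Python example that is not part of the original page: a UDP relay that listens on one address, opens one upstream socket per client address (roughly what socat's `fork` buys you for UDP) and routes each reply back to the client it belongs to. The `relay_roundtrip` helper stands up a constructed echo backend on loopback so the relay can be exercised offline; the loopback addresses and port 0 (let the OS pick) are stand-ins for the 192.168.139.66:60001 target in the socat command.

```python
import selectors
import socket
import threading


class UdpRelay:
    """Forward datagrams arriving on listen_addr to target_addr and send the
    target's replies back to whichever client triggered them."""

    def __init__(self, listen_addr, target_addr):
        self.target_addr = target_addr
        self.listen_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        # socat's `reuseaddr`: let the relay rebind right after a restart
        self.listen_sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listen_sock.bind(listen_addr)
        self.listen_addr = self.listen_sock.getsockname()  # resolves port 0
        self.sel = selectors.DefaultSelector()
        self.sel.register(self.listen_sock, selectors.EVENT_READ, data=None)
        self.upstreams = {}   # client addr -> upstream socket (socat's `fork`)
        self.forwarded = 0    # datagrams relayed toward the target
        self._stop = threading.Event()

    def _upstream_for(self, client):
        up = self.upstreams.get(client)
        if up is None:
            up = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            self.upstreams[client] = up
            # the client address rides along as selector data for the reply path
            self.sel.register(up, selectors.EVENT_READ, data=client)
        return up

    def serve_forever(self):
        """Pump datagrams until stop() is called, then release every socket."""
        while not self._stop.is_set():
            for key, _ in self.sel.select(timeout=0.1):
                if key.fileobj is self.listen_sock:
                    data, client = self.listen_sock.recvfrom(65535)
                    self._upstream_for(client).sendto(data, self.target_addr)
                    self.forwarded += 1
                else:
                    # a reply from the target: hand it to the owning client
                    reply, _ = key.fileobj.recvfrom(65535)
                    self.listen_sock.sendto(reply, key.data)
        self.sel.close()
        self.listen_sock.close()
        for up in self.upstreams.values():
            up.close()

    def stop(self):
        self._stop.set()


def relay_roundtrip(payload=b"hello"):
    """Constructed end-to-end run on loopback: client -> relay -> echo backend
    and back. Returns (bytes the client got, datagrams the relay forwarded)."""
    backend = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    backend.bind(("127.0.0.1", 0))          # stand-in for 192.168.139.66:60001
    backend.settimeout(2)

    relay = UdpRelay(("127.0.0.1", 0), backend.getsockname())
    worker = threading.Thread(target=relay.serve_forever, daemon=True)
    worker.start()

    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(2)
    try:
        client.sendto(payload, relay.listen_addr)
        data, relay_src = backend.recvfrom(65535)   # backend sees the relay, not the client
        backend.sendto(b"echo:" + data, relay_src)
        reply, _ = client.recvfrom(65535)
    finally:
        relay.stop()
        worker.join()
        client.close()
        backend.close()
    return reply, relay.forwarded


if __name__ == "__main__":
    print(relay_roundtrip(b"hello"))
```

Note what the backend sees: the relay's address, not the client's. That is the same loss of source information a router's port forward imposes, and it is why the logs on the far side of any relay are only as useful as the relay's own records.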
The Extinction Event
Tailscale replaced port forwarding the way electricity replaced candles — not by being slightly better, but by making the previous approach feel archaeological.
# Before: port forwarding + dynamic DNS + socat + firewall rules + hope
# After:
sudo tailscale up --ssh
Four OrbStack VMs became reachable from an iPhone with zero port forwarding rules. Zero router configuration. Zero public exposure. The router doesn’t know. The ISP doesn’t know. The port scanners don’t know. The only entities that know are the devices on the Tailscale mesh, and they authenticated with cryptographic keys, not with “hope they don’t guess the password.”
Measured Characteristics
Port forwarding rules replaced by Tailscale: all
Router admin pages visited since Tailscale: 0
Dynamic DNS services needed since Tailscale: 0
socat instances running since Tailscale: 0
Port scans received since Tailscale: 0
(the ports aren't open, so there's nothing to scan)
Time spent debugging "why isn't the port forwarding working" since Tailscale: 0
Time previously spent on same: hours per incident
Number of incidents: enough
See Also
- Tailscale — The extinction event
- Mosh — The reason UDP forwarding was attempted and the reason Tailscale was adopted
- SSH Config — Where port forwarding often lives alongside ProxyJump hacks
- UDP — The protocol that makes port forwarding particularly miserable
