Port forwarding

By default, Keenetic routers do not allow incoming connections from the Internet to computers or network devices on your home network. Suppose you have a webcam running at home and connected to the Internet via Keenetic. Computers on your home network will be able to connect to it, but you won't be able to connect to your webcam from the Internet without port forwarding. In this case, sometimes it is said 'you need to open the port on the router'. The term 'port forwarding' is sometimes replaced by the same term 'port mapping'.
Port forwarding is a part of the NAT (Network Address Translation) mechanism. The goal of port forwarding is to provide access from the Internet to your network services using an open port.

Using the UPnP service, home network devices can allow their own connections. UPnP allows you to forward ports programmatically. Now torrent clients, messengers, game consoles, media servers and others use UPnP. Enable the UPnP service on your home network device or application. In order for Keenetic to accept UPnP settings, all you need to do is make sure that the UPnP service component is installed, which will allow you to automatically configure the necessary NAT and firewall rules. You can do this on the General system settings page in the 'Updates and components options' section by clicking on 'Component options'.

In some cases, you may need to open certain ports manually. For example, to provide access from the Internet to a network storage (NAS) or a server (WWW, FTP, etc.) on a local network; to provide remote access from the Internet to a computer on a home network using special services for remote connection of desktops (Remote Desktop from Windows, or via Radmin, VNC, etc.); to perform a port mapping to another port.

NOTE: Important! Port forwarding will only work if the router uses a public IP address to access the Internet. You will find more information in the article 'What is the difference between a public and private IP address?'.

TIP: Tip: Before setting up port forwarding, find out which protocol and port number is used in the application, network device or server. Usually, this information can be found in the settings menu or in the documentation. If you do not know which port number is being used, go to http://www.portforward.com/cports.htm. for information. There you will find a list of the most popular applications, protocols and their port numbers. 

Below is an example of port forwarding configuration in the Keenetic router.
Suppose you want to provide access to your home computer from the Internet using the Windows Remote Desktop (RDP) application (server).
In the Keenetic settings, you will need to open a specific TCP/UDP port that is used for incoming connections. In this example, RDP uses TCP port number 3389 by default.

Register the connected device on the home network to which the ports will be redirected. When registering, you must enable the 'Static IP' option so that the computer on the home network always receives the same IP address. You can find more information in the article 'Connected device registration'.

1. Port forwarding


In the 'Port forwarding rule' window that appears, configure the rule.


Select an interface or set a subnet for incoming traffic, protocol and port to be passed to the local network. Select the connected device or interface to which the appropriate traffic is forwarded.

You need to correctly specify the value of the 'Input' field. In this field, select the connection or interface through which Keenetic accesses the Internet. In most cases, you should select the 'Provider' interface. If you have an Internet connection via PPPoE, PPTP or L2TP, you should select the appropriate connection. When connecting to the Internet via 3G/4G USB modem, you should specify this connection, and when connecting via WISP, select the connection with the name of the network to which Keenetic is connected.

In the 'Output' field, select the device, connection or interface to which the appropriate traffic will be forwarded (in our example it is a PC registered in the home network). In the 'Output' field you can select 'Other device' and specify the IP address. If you select 'This Keenetic', the destination address will be Keenetic itself.

In the 'Protocol' field, you can specify a protocol from the list of pre-installed ones, which will be used when redirecting the port. If you choose 'TCP' or 'UDP', you can manually specify the port number or port range (in our example, the 'TCP' protocol is used and in the 'Open the port' field the application port 3389 is specified).

In the 'Work schedule' field you can add the schedule, according to which this rule will function.


NOTE: Important! In order to check the port forwarding performance, you need to access the router's WAN interface from the Internet. Port forwarding will not work when accessing from the local network.

Now, to connect to the desktop from the Internet, you will need to use an address in the form of Keenetic_WAN_IP-address:port_number.
For instance:

NOTE: Important! There is no need to make additional settings of the firewall, because when you use the forwarding rule, the router opens access to the specified port by itself.

2. Port forwarding with port number changing (port mapping)

Sometimes there is a situation when you need to change one port number X to another Y. Port mapping can be used in case of blocked common port numbers on the ISP side or when the required port numbers are already occupied.

2.1 Let's take an example of an RDP server running on TCP port number 3389 and being accessed from the Internet using the new port number 4389. In this case, the connection to port 4389 will be forwarded to the specific local IP address and port 3389.


In the 'Open the port' field, specify a new destination port (for Internet access), and in the 'Destination port' field, enter the real port number used on the server in the local network.

NOTE: Important! When creating a port forwarding rule, port mapping will only work from the WAN to the LAN (Internet to home network). Port forwarding will not work when accessing from the home network.


Now, to connect to the desktop from the Internet, you will need to use an address in the form of Keenetic_WAN_IP-address:new_port_number
For example:

2.2 Let's consider an example when two identical IP-cameras (with IP-addresses and are placed in the local network of the Keenetic router and their web-interfaces are available on port 80. It is necessary to configure remote access to IP-cameras from the Internet.
In this case, we use port mapping to make the web interface of the first camera available when accessing from the Internet on port 10101, and the second camera on port 10102.




Now, to connect to IP cameras from the Internet, you will need to use a Keenetic_WAN_IP-address:new_port_number
For example: to access the first camera and to access the second camera.

TIP: Tips:

If port forwarding does not work for some reason, see the article 'What to do if port forwarding doesn't work'.

Sometimes there is a task to organize a DMZ-host in the local network of the Keenetic router (it can be a web-server, a network video recorder, IP-camera or other device), which has all the ports open and thus provide full access to it from the Internet: 'Forwarding all ports to the local host (DMZ host)'.

Read 'In what cases should I Use Port Forwarding and Firewall Rules?'.

Additional information for connecting game consoles: 'Using Xbox and PS4 when connecting via Keenetic'.

If there is a public IP address for Internet access, with the help of the port forwarding setting, you can organize remote access to the device of the local network: 'Access from the Internet to an IP-camera connected to the Keenetic'.


Have more questions? Submit a request



Please sign in to leave a comment.