Free Open Port Checker - Test Port Forwarding & Firewall

Complete Guide to TCP Port Checking and Firewall Testing

In computer networking, a port is a logical endpoint that identifies a specific process or service running on a host. The TCP/IP protocol suite supports 65,535 available TCP ports, divided into three ranges: well-known ports (0-1023) assigned by IANA to standard protocols like HTTP, SSH, and SMTP; registered ports (1024-49151) used by vendor-specific applications such as MySQL, PostgreSQL, and game servers; and dynamic or private ports (49152-65535) used for ephemeral client-side connections.

When our tool checks a port, it initiates a TCP three-way handshake. Your browser sends a SYN (synchronize) packet to the target host on the specified port. If the service is running, the host responds with a SYN-ACK (synchronize-acknowledge) packet, and our server completes the handshake with an ACK packet. A port is considered "open" when this handshake completes successfully, "closed" when the host responds with a RST (reset) packet indicating no service is listening, and "filtered" when no response is received because a firewall is silently dropping the packets.

Port checking is an essential practice for server administration, security hardening, and troubleshooting network connectivity. Whether you are deploying a web application, configuring a mail server, or setting up remote access to your home network, verifying that the correct ports are accessible from the public internet is the first step in confirming your infrastructure is working as intended.

When to Check Port Status

Setting Up Game Servers: Minecraft (25565), Valheim (2456-2458), and CS2 (27015) all require specific ports to be forwarded and accessible for players to connect.
Configuring NAS Remote Access: Synology, QNAP, and TrueNAS devices need ports like 5000, 5001, or custom HTTPS ports opened for access outside your LAN.
Testing Web Server Deployment: Verify that ports 80 and 443 are properly forwarded to your web server after configuring Apache, Nginx, or Caddy.
Verifying VPN Ports: OpenVPN uses UDP 1194 by default, WireGuard uses UDP 51820, and IKEv2 uses UDP 500 and 4500. Confirm they are reachable.
Email Server Configuration: SMTP (25, 587), IMAP (143, 993), and POP3 (110, 995) ports must all be accessible for a self-hosted mail server to function.
Database Remote Access: MySQL (3306), PostgreSQL (5432), and MongoDB (27017) require open ports when accessed from external applications or monitoring tools.

Troubleshooting Closed Ports

Check Router Port Forwarding: Log into your router admin panel and verify that the port forwarding rule points to the correct internal IP address and port number of your device.
Verify Local Firewall Settings: Windows Defender Firewall, macOS Application Firewall, and Linux iptables/nftables can all block incoming connections even when router forwarding is correct.
ISP CGNAT Blocking: If your public IP is in the 100.64.0.0/10 range, your ISP uses Carrier-Grade NAT and port forwarding from your router will not work. Contact your ISP to request a public IP.
Double NAT Issues: If you have two routers in series (ISP modem-router plus your own router), you need to either bridge the first device or forward ports on both.
Service Not Running: The port will appear closed if the application or daemon that should be listening on it has crashed, failed to start, or is bound to localhost only.
Wrong IP Address: Ensure you are testing your public IP address, not your local network address (192.168.x.x or 10.x.x.x). Use our What Is My IP tool to confirm.

Port Forwarding and NAT Explained

Network Address Translation (NAT) is the process your router uses to share a single public IP address among all the devices on your local network. When a device on your LAN sends a request to the internet, the router replaces the private source IP with its own public IP and keeps track of the mapping in a translation table. This works seamlessly for outgoing connections, but incoming connections from the internet have no way to reach a specific device behind NAT unless you configure port forwarding rules.

Port forwarding tells your router to direct all incoming traffic on a specific port to a designated device on your local network. For example, forwarding TCP port 25565 to your gaming PC at 192.168.1.50 allows external players to connect to your Minecraft server. UPnP (Universal Plug and Play) can automate this process by allowing applications to request port forwards dynamically, though it introduces security risks and is often disabled on enterprise networks. As a last resort, placing a device in the routers DMZ (Demilitarized Zone) forwards all ports to that device, but this exposes it to the entire internet without any port filtering.

It is important to understand the security implications of open ports. Every open port is a potential entry point for attackers. Only forward the ports that are absolutely necessary, keep the services behind them updated and patched, and use strong authentication. Port triggering is a more secure alternative that only opens an inbound port temporarily when an outbound connection is detected on a trigger port, reducing the attack window compared to static port forwarding.

Comprehensive Port Reference Guide

Not sure which port to test? Here are the standard ports for the most commonly used internet services and their security considerations:

Port	Protocol	Service	Security Notes
20-21	TCP	FTP (Data/Control)	Transmits credentials in plain text. Use SFTP (port 22) instead.
22	TCP	SSH / SFTP	Secure but frequently targeted by brute-force bots. Use key-based auth.
25	TCP	SMTP	Often blocked by ISPs to prevent spam. Use port 587 for submission.
53	TCP/UDP	DNS	Should only be open on DNS servers. Can be abused for amplification attacks.
80	TCP	HTTP	Unencrypted web traffic. Redirect to HTTPS (443) in production.
110	TCP	POP3	Legacy email retrieval. Use POP3S (995) with TLS encryption.
143	TCP	IMAP	Email access protocol. Use IMAPS (993) with TLS for security.
443	TCP	HTTPS	Encrypted web traffic via TLS. The standard for all modern websites.
3306	TCP	MySQL	Never expose directly to the internet. Use SSH tunnels or VPN access.
3389	TCP	RDP	High-value target for ransomware. Use VPN or change default port.
5432	TCP	PostgreSQL	Restrict to trusted IPs via pg_hba.conf. Never expose publicly.
8080	TCP	HTTP Alternate	Common for development servers, proxies, and application containers.
25565	TCP	Minecraft	Only open when actively hosting. Use whitelist to limit access.
27015	TCP/UDP	Source Engine (CS2, TF2)	Game traffic only. Consider using RCON password protection.

Frequently Asked Questions

Why is my port showing as closed even though port forwarding is set up?

The most common causes are: the service is not actually running on the target device, the port forwarding rule points to the wrong internal IP (which can change if DHCP assigns a new address), a local firewall on the device is blocking the port, or your ISP uses Carrier-Grade NAT which prevents inbound connections regardless of your router configuration.

Is it dangerous to have open ports?

An open port is only as dangerous as the service running behind it. A fully patched web server on port 443 is relatively safe. An outdated, unpatched service with known vulnerabilities is a significant risk. The best practice is to minimize your attack surface by only opening ports that are strictly necessary and keeping all exposed services updated.

What is the difference between TCP and UDP ports?

TCP (Transmission Control Protocol) provides reliable, ordered delivery with error checking and retransmission. It is used for web browsing, email, and file transfers. UDP (User Datagram Protocol) is faster but unreliable, with no guarantee of delivery or ordering. It is used for DNS queries, video streaming, VoIP, and online gaming where speed matters more than perfection.

How do I check ports on my own computer?

On Windows, open Command Prompt and run netstat -an to see all listening ports. On macOS or Linux, use ss -tlnp or netstat -tlnp. These commands show locally open ports. To check if a port is accessible from the internet, you must test from an external source like this tool.