Set up Port Forwarding
Port forwarding enables external devices to access services running on your local network through the router's WAN interface. This is commonly used for remote access to IP cameras, NVRs, PLCs, SCADA systems, and servers at a remote site.
Prerequisites
Routable WAN IP address
Port forwarding requires a routable IP address on the router's WAN interface. Most standard mobile broadband SIMs use Carrier-Grade NAT (CGNAT), which places the router behind a shared carrier IP — inbound connections are not possible from these SIMs.
| SIM / WAN type | Works? | Notes |
|---|---|---|
| Standard mobile broadband SIM | No | CGNAT — router is behind carrier NAT with no inbound route |
| Fixed public IP SIM | Yes | Router has a public IP directly reachable from the internet |
| Fixed private IP SIM + VPN | Yes | Private IP accessible via a VPN tunnel to your network |
If you are unsure whether your SIM has a fixed public IP, contact your SIM provider or support@proroute.co.uk.
Fixed LAN IP on the target device
The device you are forwarding traffic to must have a stable LAN IP address. If the IP changes after a reboot, the port forward rule will stop working. Use one of the following approaches:
| Method | Detail |
|---|---|
| Static IP on the device | Configure the device itself with a fixed IP address, subnet mask, and gateway — typically 192.168.8.1 for the gateway |
| DHCP reservation on the router | Bind the device's MAC address to a fixed IP at Network > DHCP — the router will always issue the same IP to that device |
Security warning: Port forwarding exposes internal services directly to the internet. Ensure all forwarded devices use strong passwords and current firmware. For administrative interfaces or sensitive services, a VPN tunnel is significantly more secure than direct port forwarding.
How port forwarding works
When an inbound connection arrives at the router's WAN IP on a defined port, the router redirects the traffic to a designated LAN device and port.
| Traffic direction | Address |
|---|---|
| Inbound (from internet) | 203.0.113.50:8080 (router's WAN IP) |
| Forwarded to (LAN) | 192.168.8.100:80 (camera's LAN IP) |
Creating port forwarding rules
Location in WebUI: Network > Firewall > Port Forwards
- Log in to the WebUI at
http://192.168.8.1 - Navigate to Network > Firewall > Port Forwards
- Click Add
- Complete the rule fields (see reference table below)
- Click Add to append the rule to the list
- Repeat steps 3–5 for each additional rule
- Click Save and Apply to write all rules to the router configuration
| Network > Firewall > Port Forwards — New Rule | |
| Name | e.g. Camera-1 |
| Protocol | TCP ▼ |
| Source zone | wan ▼ |
| External port | e.g. 8080 |
| Destination zone | lan ▼ |
| Internal IP address | e.g. 192.168.8.100 |
| Internal port | e.g. 80 |
| Add Save and Apply | |
Field reference
| Field | Description | Example |
|---|---|---|
| Name | A descriptive label for the rule — used for identification only | Camera-1 |
| Protocol | TCP, UDP, or TCP+UDP. Check the target device's documentation for the correct protocol. | TCP |
| Source zone | Origin of the inbound traffic — wan for internet-facing connections |
wan |
| External port | Port on the router's WAN interface to listen on. Use a non-standard port (e.g. 8080) to reduce automated scanner exposure. | 8080 |
| Destination zone | Target network — lan for a local device |
lan |
| Internal IP address | Fixed LAN IP of the target device | 192.168.8.100 |
| Internal port | Port on which the target device's service is listening | 80 |
Port ranges
To forward a consecutive range of ports, enter the range in the format start:end in both the External port and Internal port fields (e.g. 5000:5010).
Common rule examples
| Use case | Protocol | External port | Internal IP | Internal port |
|---|---|---|---|---|
| IP camera — HTTP stream | TCP | 8080 |
192.168.8.50 |
80 |
| Remote Desktop (RDP) | TCP | 3389 |
192.168.8.10 |
3389 |
| Web server (HTTPS) | TCP | 443 |
192.168.8.20 |
443 |
| NVR remote viewing | TCP+UDP | 37777 |
192.168.8.60 |
37777 |
| SSH access to LAN device | TCP | 2222 |
192.168.8.30 |
22 |
Testing the port forward
- Find the router's public WAN IP at Status > Overview
- From an external network (e.g., a mobile phone on cellular data, not connected to the router), attempt to connect to
[WAN-IP]:[External-Port] - Alternatively, use an online port checker tool to verify the port is open from outside
Note: Testing from a device connected to the router's own LAN will not work — the test must be performed from an external network.
Security best practices
| Practice | Detail |
|---|---|
| Use non-standard external ports | Port 8080 instead of 80, or 2222 instead of 22, reduces exposure to automated internet scanners targeting well-known ports |
| Restrict by source IP | If the connecting device has a fixed public IP, use the Source IP field in the rule to whitelist it — all other sources will be blocked |
| Use IP whitelisting | For routers with a public WAN IP, enable the Remote Access IP Whitelist (Network > Firewall > Security) to restrict which IPs can reach forwarded ports |
| Prefer VPN for sensitive access | For administrative interfaces, RDP, or SCADA systems, a VPN tunnel provides encryption, authentication, and access control that port forwarding cannot |
| Keep devices updated | Ensure both the router and all LAN devices accessible via port forwards are running current firmware |
| Audit rules periodically | Remove any rules that are no longer required — every open port is an additional attack surface |
Troubleshooting
| Issue | Likely cause and resolution |
|---|---|
| Connection times out from external network | The SIM most likely uses CGNAT. Standard mobile broadband SIMs do not support inbound connections — a fixed public IP SIM is required. Check Status > Overview for the WAN IP; if it begins with 10.x, 100.64–100.127.x, or 172.16–31.x, the SIM is behind CGNAT. |
| Port shows as closed on port checker | Confirm the target device is powered on and its service is running on the expected port. Verify the internal IP and internal port in the rule are correct. |
| Connection refused at the LAN device | The service on the target device may not be listening on the expected port, or a local firewall on the device is blocking the connection. |
| Rule works intermittently | The LAN device's IP address is likely changing. Assign a static IP on the device or configure a DHCP reservation in the router. |
| Rule not visible or not working after saving | Ensure you clicked Save and Apply — clicking Add alone only adds the rule to the unsaved list. Refresh the Port Forwards page to confirm the rule is present. |