Ports, Firewalls & Connectivity Explained
A plain-English guide to understanding network ports, protocols, firewalls, and how to diagnose connectivity problems.
1. What is a Network Port?
A network port is a virtual communication endpoint, a 16-bit number from 0 to 65535, that operating systems use to direct incoming and outgoing network traffic to the right application. Think of an IP address as a building's street address and a port number as the specific apartment inside that building. The postman (the network) delivers packets to the building (IP address), and the apartment number (port) determines which resident (application) receives it. A port is always paired with a transport protocol: TCP port 53 and UDP port 53 are two separate doors, and a service may be listening on one of them without the other.
When you open a website, your browser connects to the web server's IP address on port 80 (HTTP) or port 443 (HTTPS). When you SSH into a server, your SSH client connects to port 22. Each service listens on a specific port, and knowing which port a service uses is fundamental to networking, server administration, and troubleshooting.
Ports are divided into three ranges:
- Well-known ports (0–1023) — reserved for standard system services like HTTP (80), HTTPS (443), SSH (22), FTP (21), and DNS (53). On Linux and macOS a program needs root (or, on Linux, the CAP_NET_BIND_SERVICE capability) to listen on one of these; Windows does not enforce this restriction.
- Registered ports (1024–49151) — registered with IANA for specific applications like MySQL (3306), PostgreSQL (5432), Minecraft (25565), and RDP (3389). Any user can listen on these; the registration is a convention, not something the OS enforces, so a port number alone never proves which program is behind it.
- Dynamic/ephemeral ports (49152–65535) — the IANA range the OS hands out temporarily as the source port of outgoing connections. Your browser uses one of these as the source port when connecting to a web server. The real range varies by OS (Linux defaults to 32768–60999), so do not assume a high source port came from any particular range.
2. TCP vs UDP — What's the Difference?
TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) are the two most fundamental transport protocols used on the internet. They both carry data between computers, but they do so in very different ways with different trade-offs.
TCP — Reliable, Connection-Oriented
TCP establishes a connection before any data is exchanged, using a process called the three-way handshake (SYN → SYN-ACK → ACK). Once connected, TCP delivers a byte stream in order: every segment carries a sequence number and a checksum, the receiver acknowledges what it has received, and anything lost or corrupted in transit is retransmitted automatically.
This reliability comes at a cost: slightly more overhead and latency compared to UDP. TCP is ideal for applications where data integrity matters more than speed, including web browsing, email, file transfers, SSH, database connections, and most server applications.
UDP — Fast, Connectionless
UDP fires packets at the destination without establishing a connection first and without waiting for acknowledgment. There's no guarantee that packets arrive, that they arrive in order, or that they aren't duplicated. What UDP sacrifices in reliability it gains in speed and simplicity. The missing handshake has a security side effect too: nothing checks that the source address on a UDP packet is genuine, so a UDP service will answer a forged sender, which is why UDP services (DNS, NTP, game servers) get abused as reflectors in amplification attacks.
UDP is used where low latency matters more than perfect delivery — online gaming, video streaming, VoIP calls, DNS lookups, and VPN protocols like WireGuard. A dropped frame in a video call is better tolerated than the delay caused by retransmitting it.
Because an open UDP port usually stays silent, the TCP-style connect test used by online port testers cannot check UDP: silence might mean a listening service that ignored the probe or a firewall that dropped it, and only an ICMP "port unreachable" reply proves the port is closed. To probe a UDP port properly, use a scanner that sends protocol-specific payloads and interprets those ICMP replies, for example nmap -sU -p <port> <host> from your local machine.
3. Well-Known Port Numbers
Here are the most commonly used ports across different categories. You can test any of these directly from the Port Tester or browse the full Port Library.
Web & HTTP
Remote Access
Gaming
Home Servers & Media
4. How Firewalls Work
A firewall is a security system that monitors and controls incoming and outgoing network traffic based on predefined rules. It acts as a barrier between trusted internal networks and untrusted external networks, deciding which packets to allow through and which to block.
There are several types of firewalls relevant to home and small business users:
- Router/NAT firewall — built into your home router. By default, blocks all unsolicited incoming connections from the internet while allowing outbound connections. This is why you need port forwarding to run a server at home.
- Host-based firewall — software running on your computer or server (Windows Defender Firewall, iptables, ufw on Linux). Controls which applications can accept connections on which ports.
- ISP-level firewall — some ISPs block certain ports on residential connections, particularly ports 25 (SMTP), 80, and 443, to prevent customers from running servers. This is outside your control.
- Cloud/VPS firewall — platforms like Vultr, AWS, and DigitalOcean have their own network-level firewall panels separate from the OS firewall. These rules are applied before a packet ever reaches your VM, so traffic they block never shows up in the OS firewall's logs or in a packet capture on the server.
When a port test returns "filtered" or "timeout," something in the path dropped the packets without answering: usually a firewall, but the same result appears when the host is switched off or there is no route to it. When it returns "closed," a TCP RST came back, so the packets reached a host that answered them: nothing in the path is dropping them, and no service is listening on that port. One caveat: a firewall rule written to reject rather than drop (iptables REJECT with --reject-with tcp-reset, for example) also answers with an RST, so "closed" can occasionally still be a firewall.
5. Port Forwarding Explained
Port forwarding tells your router to redirect incoming connections on a specific port to a specific device on your local network. Without it, your router's NAT (Network Address Translation) simply drops all unsolicited incoming connections — it doesn't know which device to send them to.
For example: if you want to run a Minecraft server on a PC with the local IP 192.168.1.50, you would create a port forwarding rule in your router that says "when a connection comes in on port 25565, forward it to 192.168.1.50:25565." Friends can then connect using your public IP address on that port. So can everyone else on the internet, since the rule does not know who your friends are: forward only the ports you need, and keep the service behind them patched and password-protected.
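To make the firewall behaviour from section 4 and the forwarding rule above concrete, here is a small Python model of what a home router does with each packet: it lets anything out, remembers the flow so the reply can come back in, drops unsolicited inbound traffic, and rewrites the destination of anything that matches a forwarding rule. This is an added illustration written for this guide, not code from any router or from this site. The addresses are documentation examples (203.0.113.10 as the public IP, 192.168.1.50 for the Minecraft PC, 198.51.100.7 for a friend, 192.0.2.80 for a website), and source NAT is left out to keep the model short.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # "ip:port" of the sender
    dst: str     # "ip:port" of the receiver


class HomeRouter:
    """Toy stateful NAT firewall. Each method returns (verdict, delivered_to):
    ("ALLOW", "lan_ip:port") or ("DROP", None). Source NAT is omitted."""

    def __init__(self, wan_ip):
        self.wan_ip = wan_ip
        self.forwards = {}   # (proto, wan_port) -> "lan_ip:port"
        self.flows = {}      # (proto, remote "ip:port") -> LAN "ip:port" that opened it

    def add_forward(self, proto, wan_port, lan_endpoint):
        """The port forwarding rule: external port -> internal IP:port."""
        self.forwards[(proto, wan_port)] = lan_endpoint

    def outbound(self, pkt):
        """LAN -> internet: always allowed; the flow is recorded so replies get back."""
        self.flows[(pkt.proto, pkt.dst)] = pkt.src
        return ("ALLOW", pkt.dst)

    def inbound(self, pkt):
        """internet -> router: reply to a known flow, a forwarded port, or dropped."""
        dst_ip, dst_port = pkt.dst.rsplit(":", 1)
        if dst_ip != self.wan_ip:
            return ("DROP", None)                 # not addressed to our public IP
        lan_ep = self.flows.get((pkt.proto, pkt.src))
        if lan_ep is not None:
            return ("ALLOW", lan_ep)              # reply to a connection we opened
        rule = self.forwards.get((pkt.proto, int(dst_port)))
        if rule is not None:
            return ("ALLOW", rule)                # DNAT: rewrite to the LAN host
        return ("DROP", None)                     # unsolicited: silently dropped


def demo():
    """Returns (before_rule, after_rule, reply) for the Minecraft example."""
    router = HomeRouter(wan_ip="203.0.113.10")
    friend = Packet("tcp", "198.51.100.7:51000", "203.0.113.10:25565")
    before = router.inbound(friend)               # dropped: a port test says 'filtered'
    router.add_forward("tcp", 25565, "192.168.1.50:25565")
    after = router.inbound(friend)                # delivered to the Minecraft PC
    # A browser on the LAN opens a connection; its reply is let back in with no rule at all.
    router.outbound(Packet("tcp", "192.168.1.20:50001", "192.0.2.80:443"))
    reply = router.inbound(Packet("tcp", "192.0.2.80:443", "203.0.113.10:50001"))
    return before, after, reply


if __name__ == "__main__":
    for label, result in zip(("before rule", "after rule", "web reply"), demo()):
        print(f"{label:12s} {result}")
```

The first inbound packet is what a friend's connection attempt looks like before you add the rule: the router has no flow entry and no forwarding rule for TCP 25565, so it drops the packet, and a port test from outside reports "filtered". The web reply shows why you never need a rule for outbound traffic: the flow table created by the outbound packet is what lets the answer through.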
How to Set Up Port Forwarding
- Find your router's admin panel, usually at 192.168.1.1 or 192.168.0.1 in your browser. Use the LAN → Gateway Auto-Detect feature on this site to find it automatically.
- Log in with your router's admin credentials (check the label on the bottom of your router). If you are still using the printed default password, change it first: anyone on your Wi-Fi could otherwise add forwarding rules of their own.
- Find the Port Forwarding section (sometimes called Virtual Servers, NAT, or Applications & Gaming).
- Create a new rule specifying the external port, internal IP address, internal port, and protocol (TCP/UDP/Both).
- Make sure the application or service is actually running on the destination device.
- Test the port using the WAN Port Tester to confirm it's open from the internet.
6. Open, Closed, and Filtered Ports
When you run a port test, the result will be one of three states. Understanding what each means is essential for diagnosing network problems.
Open
An open port means a service is actively listening and accepting connections on that port. The TCP handshake completed successfully — a SYN packet was sent and a SYN-ACK was received in return. This is the expected result when a server is running correctly and the firewall allows the connection.
Closed
A closed port means the host received the connection attempt but rejected it with a TCP RST (reset) packet. The port is reachable, so nothing in the path is dropping the traffic, but no application is currently listening on that port. This typically means the service isn't running, is running on a different port, is bound only to localhost, or has crashed. The one exception is a firewall configured to reject rather than drop, which answers with the same RST; on the host itself, checking what is actually listening settles it.
Filtered / Timeout
A filtered port produces no response at all: the connection attempt times out. A firewall or network device is silently dropping the packets before they reach the destination, or there is no host at that address to answer. Unlike a closed port, which actively replies with a rejection, a filtered port gives no indication that the packets were received. This is the most common state when port forwarding is misconfigured, an ISP blocks the port, or a cloud firewall rule is missing. It is also the deliberate default of most firewalls, because a silent drop tells a scanner less than a rejection does.
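The three results above, and the UDP caveat from section 2, can be reproduced on your own machine. The script below is an added example written for this guide, not the site's port tester: it maps the outcome of a plain TCP connect() onto open, closed and filtered, and shows why a UDP probe can only ever say "closed" or "open|filtered". It creates each situation on loopback so it runs offline, and assumes a Linux-like host where a datagram sent to a closed UDP port comes back as an ICMP port-unreachable error on the sending socket.

```python
import socket


def classify_error(exc):
    """Map the exception from a failed TCP connect() to the page's three states."""
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "filtered"        # neither SYN-ACK nor RST came back: the SYN was dropped
    if isinstance(exc, ConnectionRefusedError):
        return "closed"          # the host answered with RST: reachable, nothing listening
    return "unreachable"         # e.g. no route to host: not a port-level answer at all


def tcp_port_state(host, port, timeout=2.0):
    """'open' when the three-way handshake completes, otherwise the classified failure."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))      # SYN out, SYN-ACK back, ACK out
        return "open"
    except OSError as exc:
        return classify_error(exc)
    finally:
        sock.close()


def udp_port_state(host, port, timeout=1.0):
    """UDP has no handshake. Only an ICMP 'port unreachable' (surfaced by the kernel as
    ConnectionRefusedError on a connected UDP socket) proves 'closed'; silence means
    either a listening service that ignored the probe or a firewall that dropped it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        sock.send(b"")                  # empty probe; real scanners send protocol payloads
        sock.recv(1)
        return "open"                   # a service actually answered
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "open|filtered"
    finally:
        sock.close()


# Helpers that create each situation locally so the script runs offline.
def start_tcp_listener():
    """A listening socket on a free loopback port: the 'open' case."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def start_udp_sink():
    """A bound UDP socket that never replies: open on the host, silence to the prober."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    return srv, srv.getsockname()[1]


def unused_port():
    """Bind and immediately release a port so nothing listens on it: the 'closed' case."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    srv, port = start_tcp_listener()
    print("tcp listener      ->", tcp_port_state("127.0.0.1", port))
    srv.close()
    print("tcp nothing there ->", tcp_port_state("127.0.0.1", unused_port()))
    sink, uport = start_udp_sink()
    print("udp silent sink   ->", udp_port_state("127.0.0.1", uport, 0.5))
    sink.close()
    print("udp nothing there ->", udp_port_state("127.0.0.1", unused_port(), 0.5))
```

Point tcp_port_state at a real host and port and you get the same verdict the online tester gives, with one difference worth knowing: the "unreachable" branch covers errors such as "no route to host" that a remote tester usually folds into "timeout". The UDP sink is the important lesson: a service that is genuinely listening looks identical to a firewall drop unless it happens to answer the probe.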
7. SSL/TLS Certificates
SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are cryptographic protocols that provide encrypted, authenticated communication over a network. When you see HTTPS in a browser's address bar, it means the connection is secured with TLS. The padlock icon means the browser validated the certificate chain and that the certificate matches the hostname; it says nothing about whether the site itself is trustworthy, since anyone who controls a domain can get a certificate for it.
What is an SSL Certificate?
An SSL/TLS certificate is a digital document that binds a public cryptographic key to one or more domain names (and, for the OV/EV certificate types, to a verified organization as well). It's issued by a trusted Certificate Authority (CA) — such as Let's Encrypt, DigiCert, or Sectigo — after verifying that the applicant controls the domain. The certificate allows browsers to verify they're talking to the legitimate server and not an impersonator, and enables encryption of all data in transit.
Certificate Expiry
SSL certificates have an expiry date: typically 90 days for Let's Encrypt certificates and up to about 13 months (the 398-day maximum browsers accept) for commercial certificates; the 1–2 year certificates of the past are no longer issued by public CAs. When a certificate expires, browsers show a full-page warning; users can sometimes click through it, but not on sites that send an HSTS header, and API clients and mobile apps simply fail. Monitoring certificate expiry is critical for any web service, and with 90-day certificates the renewal must be automated. Use the SSL Cert checker on this site to view the exact expiry date and days remaining for any domain.
Common Certificate Fields
- Common Name (CN) — the primary domain the certificate is issued for (e.g. ipporttest.com). Modern browsers ignore the CN when matching the hostname and look only at the SANs, so a certificate with the right CN but the wrong SANs is still rejected
- Subject Alternative Names (SANs) — the domains or subdomains the certificate actually covers; the hostname you connected to must appear here
- Issuer — the Certificate Authority that signed the certificate
- Valid From / Valid To — the certificate's active date range
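The expiry check and the fields listed above can be pulled out with Python's standard ssl module. The script below is an added example for this guide (not the site's SSL Cert checker): fetch_cert does a TLS handshake with SNI and full browser-style verification, summarize_cert reads the CN, SANs, issuer and validity dates out of the dictionary that getpeercert() returns, and check_site shows the caveat that an expired or untrusted certificate fails the handshake before any fields can be read. SAMPLE_CERT is a constructed dictionary in that same shape, with a documentation hostname and a fictional CA, so the script runs offline.

```python
import json
import socket
import ssl
import sys
import time


def parse_cert_time(value):
    """Seconds since the epoch for a date in getpeercert() format, e.g. 'Jun  1 12:00:00 2025 GMT'."""
    return ssl.cert_time_to_seconds(value)


def days_remaining(not_after, now=None):
    """Days until notAfter; negative once the certificate has expired."""
    now = time.time() if now is None else now
    return (parse_cert_time(not_after) - now) / 86400


def summarize_cert(cert, now=None):
    """Extract the fields listed above from the dict that getpeercert() returns."""
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    sans = [name for kind, name in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {
        "common_name": subject.get("commonName"),
        "sans": sans,
        "issuer": issuer.get("organizationName") or issuer.get("commonName"),
        "not_before": cert.get("notBefore"),
        "not_after": cert.get("notAfter"),
        "days_remaining": days_remaining(cert["notAfter"], now),
    }


def fetch_cert(host, port=443, timeout=5.0):
    """TLS handshake with SNI and full verification, returning the peer certificate."""
    ctx = ssl.create_default_context()   # verifies chain, validity dates and hostname
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def check_site(host, port=443, warn_days=14):
    """Report the certificate's fields, or why browser-style verification failed."""
    try:
        cert = fetch_cert(host, port)
    except ssl.SSLCertVerificationError as exc:
        # An expired or untrusted certificate fails the handshake before getpeercert()
        # can return anything; verify_message is e.g. 'certificate has expired'.
        return {"host": host, "ok": False, "error": exc.verify_message}
    info = summarize_cert(cert)
    info.update(host=host, ok=info["days_remaining"] > warn_days)
    return info


# Constructed sample in the shape getpeercert() returns. The values are made up for this
# example (documentation hostname, fictional CA) and are not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example CA R1"),)),
    "subjectAltName": (("DNS", "example.test"), ("DNS", "www.example.test")),
    "notBefore": "Mar  1 00:00:00 2025 GMT",
    "notAfter": "May 30 00:00:00 2025 GMT",   # a 90-day certificate, Let's Encrypt style
}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(json.dumps(check_site(sys.argv[1]), indent=2))   # live check of a real host
    else:
        start = parse_cert_time(SAMPLE_CERT["notBefore"])
        print(json.dumps(summarize_cert(SAMPLE_CERT, now=start), indent=2))
```

Run it with a hostname as the first argument to check a live site. Note that the live check deliberately uses the default verifying context: if you want to inspect a certificate that has already expired, the handshake will refuse it, and you need a tool such as openssl s_client that shows the certificate regardless of validity.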
8. Troubleshooting Connectivity Problems
When a service isn't reachable, there's a logical order to diagnose the problem. Work from the outside in — start with the most external point and work toward the application itself.
Step 1 — Is the host online?
Use the Ping test to check if the host is reachable at all. If the host doesn't respond to ping, it may be offline, the IP may be wrong, or ICMP may be blocked. If ping succeeds, the host is online and the problem is port-specific.
Step 2 — Is the port open?
Use the TCP Port test to check reachability. Open = service is running and accessible. Closed = the host answered, but the service isn't running, is on a different port, or is bound only to localhost. Filtered/timeout = a firewall is dropping the traffic, or nothing is answering at that address at all.
Step 3 — If filtered, which firewall?
Test from multiple locations if possible. If the port is filtered from the internet but open on LAN (using the LAN scanner), the problem is in your router's port forwarding rules or your ISP. If it's filtered even on LAN, the problem is the host's own firewall (Windows Firewall, iptables, ufw). On a VPS there is no LAN to test from; there, check the provider's cloud firewall panel as well as the OS firewall, since a missing rule in either one produces the same filtered result.
Step 4 — If the service is running but connections fail
Check that the service is bound to the right interface. Many applications default to binding only to 127.0.0.1 (localhost), which means they only accept connections from the same machine; from any other address the port tests as closed even though the process is running. To accept external connections, configure the service to bind to 0.0.0.0 (or to :: for IPv6), or better, to the specific LAN address you want it reachable on. Remember that 0.0.0.0 means every interface, including a public one on a VPS, so combine it with a firewall rule if the service is not meant for the whole internet.
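Here is the bind-address problem reproduced locally, as an added Python example for this guide (not from any of the applications mentioned). It starts a throwaway listener on a chosen address and then tries to connect to it through two different addresses of the same machine. It assumes a Linux host, where the whole 127.0.0.0/8 block is loopback, so 127.0.0.2 can stand in for the LAN address; on macOS that second address is not configured by default.

```python
import socket


def listen_on(bind_addr):
    """Start a throwaway TCP listener bound to bind_addr on a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((bind_addr, 0))
    srv.listen(1)
    return srv


def reachable_via(addr, port):
    """True if a TCP connection to addr:port completes (what a port test calls 'open')."""
    try:
        with socket.create_connection((addr, port), timeout=1.0):
            return True
    except ConnectionRefusedError:
        return False    # RST came back: 'closed' when approached through this address


def bind_report(bind_addr, probe_addrs=("127.0.0.1", "127.0.0.2")):
    """Bind a service to bind_addr and report which addresses can reach it."""
    srv = listen_on(bind_addr)
    port = srv.getsockname()[1]      # same port number whichever address we bound
    try:
        return {addr: reachable_via(addr, port) for addr in probe_addrs}
    finally:
        srv.close()


if __name__ == "__main__":
    # 127.0.0.2 plays the role of the LAN address here (assumption: Linux loopback /8).
    print("bound to 127.0.0.1:", bind_report("127.0.0.1"))   # only 127.0.0.1 works
    print("bound to 0.0.0.0  :", bind_report("0.0.0.0"))     # both addresses work
```

The process is running and the port number is identical in both runs; the only thing that changes is the address it was bound to, and that alone turns "open" into "closed" for every address except the one in the bind call. This is exactly the situation behind "port shows closed but the service is running" below.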
9. Common Port Issues and Fixes
Port shows open on LAN but filtered from WAN
This is almost always a port forwarding issue. Check your router's port forwarding rules: verify the internal IP is correct (use a static DHCP reservation so it cannot change), verify the port matches, verify the protocol (TCP/UDP/Both), and make sure your ISP isn't blocking the port on residential connections. Ports 25, 80, and 443 are commonly blocked by ISPs. Also compare the WAN IP shown in your router with the public IP this site reports: if they differ, or the router's WAN address is in 100.64.0.0/10, your ISP is using carrier-grade NAT (or you are behind a second router), and no forwarding rule on your router can make the port reachable from the internet.
Port shows closed but the service is running
The service may be listening on a different port, bound only to localhost, or the service may have started but crashed. Check the application logs, then list what's actually listening and on which address: ss -tlnp (or the older netstat -tlnp) on Linux, netstat -ano on Windows. A local address of 127.0.0.1:port or [::1]:port in that output means the service accepts connections only from the machine itself; you want 0.0.0.0:port, [::]:port, or the LAN address.
SSL certificate shows expired but I just renewed it
Your web server may still be serving the old certificate, since the files on disk are only read at startup or reload. Reload or restart Apache (sudo systemctl reload apache2) or Nginx (sudo systemctl reload nginx), and verify the new certificate is correctly referenced in your virtual host configuration. If a CDN, load balancer, or reverse proxy sits in front of the server, it has its own copy of the certificate that must be updated too. You can confirm what is actually being served with openssl s_client -connect yourdomain:443 -servername yourdomain, which prints the certificate even when it is expired.
HTTP check returns 301 or 302
This is a redirect — normal and expected for sites that redirect HTTP to HTTPS, or non-www to www. Check the "Redirect" field in the HTTP check result to see where you're being redirected. If the redirect target is correct, everything is working as intended.
Home Assistant / Plex / Jellyfin not accessible from outside
These applications require port forwarding from your router. First confirm the service is accessible on your LAN using the LAN scanner, then set up port forwarding on your router, and finally verify it's open using the WAN port tester with your public IP. Also check whether the application has its own built-in firewall or requires a specific network configuration. Bear in mind that forwarding the port puts the application's login page in front of the entire internet; a VPN such as WireGuard, or a reverse proxy that terminates TLS in front of the application, is a safer way to reach a home server from outside.
Ready to test your network? Use the free port tester →