Taking the key points from this article: http://woshub.com/port-forwarding-in-windows/
These are the prerequisites for the correct operation of port forwarding in Windows. Without the IP Helper service and without IPv6 support enabled, the port redirection won’t work.
Make sure that the iphlpsvc (IP Helper) service is running on your Windows device. Check the status of the service using services.msc, or run Get-Service iphlpsvc in PowerShell.
IPv6 support must be enabled on the network interface for which the port forwarding rule is being created.
The port must first be opened in Windows Defender Firewall (if applicable). Rules can be added and removed using the following cmdlets:
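# Add an inbound allow rule to Windows Defender Firewall
$port = 3340
$name = "forwarder_RDP_3340"
New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP -LocalPort $port -Action Allow
# Remove the rule from Windows Defender Firewall.
# The rule above was created with -DisplayName only, so match on -DisplayName
# (-Name is an auto-generated identifier when it is not set explicitly).
$ruleName = "forwarder_RDP_3340"
Remove-NetFirewallRule -DisplayName $ruleName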
To make port forwarding work on Windows Server 2003/XP, you must additionally set the IPEnableRouter parameter to 1 under the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\Tcpip\Parameters. This can be done using PowerShell:
Set-ItemProperty -Path HKLM:\system\CurrentControlSet\services\Tcpip\Parameters -Name IpEnableRouter -Value 1
To check that the forwarded port is listening, use the Test-NetConnection cmdlet in PowerShell:
# See the `TcpTestSucceeded` property of the returned object.
Test-NetConnection -ComputerName localhost -Port 3340
Alternatively, use netstat in cmd:
REM -a Displays all connections and listening ports
REM -n Displays addresses and port numbers in numerical form
REM -o Displays the owning process ID associated with each connection
netstat -na|find "3340"
REM or...
netstat -ano | findstr :3340
REM Then identify the process that is listening
tasklist | findstr <pid>
You can create any number of port forwarding rules in Windows. All netsh interface portproxy rules are persistent and remain after a Windows restart. Rules are stored in the registry. You can list the netsh forwarding rules in the registry using PowerShell or cmd:
Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp
To display a list of all enabled TCP port forwarding rules on Windows, run the command:
netsh interface portproxy show all
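The listing step above, extended as an added example (not from the original article): a hypothetical `Get-PortProxyRule` function reads all four portproxy registry subkeys (v4tov4, v4tov6, v6tov4, v6tov6) and returns one object per rule, which helps when auditing a host for forwarding rules nobody remembers creating. It assumes each rule is stored as a value named listenaddress/listenport with data connectaddress/connectport, and that an omitted listenaddress is stored as `*`.

```powershell
# Added example: audit netsh portproxy rules straight from the registry.
# Assumption: value name = "<listenaddress>/<listenport>",
#             value data = "<connectaddress>/<connectport>".
function Get-PortProxyRule {
    [CmdletBinding()]
    param(
        [string]$BasePath = 'HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy'
    )
    foreach ($mode in 'v4tov4', 'v4tov6', 'v6tov4', 'v6tov6') {
        $key = Join-Path -Path $BasePath -ChildPath "$mode\tcp"
        if (-not (Test-Path -Path $key)) { continue }   # no rules of this type
        $item = Get-Item -Path $key
        foreach ($valueName in $item.GetValueNames()) {
            $target = [string]$item.GetValue($valueName)
            # Split on the last '/' so the address part is kept whole.
            $li = $valueName.LastIndexOf('/')
            $ci = $target.LastIndexOf('/')
            if ($li -lt 1 -or $ci -lt 1) { continue }   # not in the assumed form
            $listenAddress = $valueName.Substring(0, $li)
            [pscustomobject]@{
                Mode           = $mode
                ListenAddress  = $listenAddress
                ListenPort     = $valueName.Substring($li + 1)
                ConnectAddress = $target.Substring(0, $ci)
                ConnectPort    = $target.Substring($ci + 1)
                # True when the listener is not bound to one specific address
                AllInterfaces  = ($listenAddress -in @('*', '0.0.0.0', '::'))
            }
        }
    }
}

# Prerequisite from the notes above: portproxy depends on the IP Helper service.
$svc = Get-Service -Name iphlpsvc
"IP Helper service status: $($svc.Status)"

# One row per forwarding rule; compare the result with 'netsh interface portproxy show all'.
Get-PortProxyRule | Sort-Object Mode, ListenPort | Format-Table -AutoSize
```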
Note that the portproxy mode in Windows doesn’t preserve the source IP address of a forwarded connection. If you forward port 443 from a Windows device to an internal web server, all incoming connections will appear on the target server as coming from the same IP address (that of the Windows host with netsh portproxy enabled). If you need the original source IP to reach the target, use NAT on an external firewall or on Hyper-V instead.
Several times I encountered cases when in Windows Server 2012 R2 the port forwarding rules were reset after the server was rebooted. In this case, you need to check whether there is a periodic disconnection on the network interface and whether the IP address changes when the OS boots (it is better to use a static IP instead of dynamic DHCP). As a workaround, I had to add a batch script with the netsh interface portproxy rules to the Windows Task Scheduler that runs at system startup.
Windows cannot forward a range of TCP ports. If you need to forward multiple ports, you will have to manually create multiple portproxy redirecting rules.
# https://learn.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh
$localAddress = "10.1.2.24"
$localPort = "5000"
$toAddress = "192.168.1.3"
$toPort = "5000"
# Add a port forwarding rule
netsh interface portproxy add v4tov4 listenaddress=$localAddress listenport=$localPort connectaddress=$toAddress connectport=$toPort
# Change a rule
netsh interface portproxy set v4tov4 listenport=3340 listenaddress=10.10.1.110 connectport=3300 connectaddress=10.10.1.110
# Delete a rule
netsh interface portproxy delete v4tov4 listenport=3340 listenaddress=10.1.1.110
# Delete all port forwarding rules
netsh interface portproxy reset