This tool asks our server to open a TCP connection to the public IP address your browser used to load the page, on whichever port you pick. That mirrors what any host on the internet sees when it probes your router, not what localhost scans show inside your LAN. I built the copy around a real weekend: Plex Remote Access stayed red because my Pakistani ISP put me behind CGNAT, so forwarding TCP 32400 on the router never reached my NAS even though the service listened fine locally. Below I cover what the three statuses mean, which ports matter, and how to verify forwarding without guessing.
What this tool does (and cannot do)
JavaScript in the browser cannot initiate arbitrary TCP connections to your public IP for security reasons. Our /api/open-ports route reads your address from CF-Connecting-IP (or X-Forwarded-For) and runs a three-second outbound connect from our infrastructure. Results are open (handshake completed), closed (immediate RST: nothing listening), or filtered (timeout: firewall or NAT dropped the SYN).
Limits you should internalize: TCP only (no UDP game ports), one port per request, only your current public IP (no scanning third parties), and blind spots when you are on VPN (we hit the VPN exit, not your home router) or CGNAT (no inbound mapping at all). Disconnect VPN before testing home forwarding.
Common ports and IANA ranges
Ports are 16-bit numbers (1 through 65535). RFC 6335 divides them into well-known (0 through 1023, privileged on Unix), registered (1024 through 49151), and dynamic/ephemeral (49152 through 65535) for short-lived client sides of connections.
When you browse the web, your OS picks a high ephemeral port locally and talks to remote port 443. Inbound checks like this page reverse the direction: the internet knocks on your public IP's door number.
Default ports for common services
| Service | Port | Protocol | Typical block reason |
|---|---|---|---|
| HTTP | 80 | TCP | ISP inbound filter; residential ToS |
| HTTPS | 443 | TCP | Same; often allowed on business lines |
| SSH | 22 | TCP | Brute-force risk; some ISPs block inbound |
| FTP | 21 | TCP | Legacy cleartext; NAT issues with passive mode |
| SMTP | 25 | TCP | Anti-spam: blocked on most residential IPs |
| MySQL | 3306 | TCP | Should never be public; firewall by default |
| PostgreSQL | 5432 | TCP | Same as databases above |
| RDP | 3389 | TCP | Constant scanner target; use VPN instead |
| Minecraft Java | 25565 | TCP | Needs forwarding + Java edition firewall rule |
| Plex | 32400 | TCP | CGNAT breaks manual forward; use relay or IPv6 |
Why a port looks closed or filtered when you opened it
- ISP filtering: inbound SMTP (25) is blocked almost everywhere on residential service. Some ISPs also block 80 for hosting.
- CGNAT: your router shares a public address with neighbors; there is no unique inbound mapping unless you pay for a static IP or use a tunnel service.
- Application bind address: a service listening only on
127.0.0.1is invisible externally even if the firewall allows the port. - Host firewall: Windows Defender,
ufw, oriptablesmay drop SYN packets before they reach the daemon. - Double NAT: ISP modem plus your own router without bridge mode forwards to the wrong hop.
Port forwarding in plain language
Your router translates between one public IP and many private LAN addresses. A forward rule says "when SYN arrives on public port 32400, send it to 192.168.1.50:32400." Dynamic DNS helps when your public IP changes nightly. IPv6 with a global address per device can remove NAT entirely, but you must firewall each host because addresses are routable from the internet by default.
Testing from the command line
Local checks prove the daemon listens; external checks prove the path through NAT. Use both.
# Quick TCP probe (GNU netcat)
nc -zv 192.168.1.50 32400
# Listen test on the server
nc -l 8080
# nmap: only scan networks you own or have written permission to test
nmap -Pn -p 22,80,443,32400 YOUR_PUBLIC_IPLegacy telnet host port still works on some systems but is often uninstalled. Replace with nc or curl -v telnet://host:port where available.
Security: what open ports reveal
Open ports answer two attacker questions: is something listening, and which software fingerprint responds on connect. Running SSH on the default port 22 is not automatically unsafe if keys-only auth and fail2ban are configured, but it attracts noise. Exposing databases without VPN is never acceptable. Move admin panels behind Tailscale, WireGuard, or at minimum IP allowlists.
Frequently asked questions
Why is port 25 blocked by my ISP?
Outbound and inbound SMTP on residential networks is restricted to stop botnet spam. Use your provider's authenticated relay on submission port 587 or a transactional email API instead of running a home mail server on port 25.
How do I open a port on my router?
Log into the router admin UI, find Virtual Server / Port Forwarding, map external TCP port to the LAN IP and internal port of your machine, and assign that machine a DHCP reservation so the IP does not drift. Then verify from outside with this tool, not only from the LAN.
Is having open ports dangerous?
Intentional services (HTTPS on 443) are normal. Unexpected open database or RDP ports are high risk. Filtered is the safest default for home users; it means the internet cannot reach your host even if malware later tries to listen.
What is the difference between TCP and UDP ports?
They are separate namespaces. TCP provides reliable byte streams (HTTP, SSH, RDP). UDP is datagram-based (DNS, QUIC, many games). This tool tests TCP only; a game showing UDP open in its client is unrelated to these results.
Why does this tool say my port is closed when I opened it?
Common causes: forwarding to the wrong LAN IP, service bound to localhost, double NAT, CGNAT with no public address, host firewall, or testing while connected to VPN so we scan the VPN server instead of your home. Fix one layer at a time: local listen, LAN connect, then this external check.
Related tools
Public address: What Is My IP. Network owner: What Is My ISP. Path quality: What Is My Latency.
Sources cited above
- RFC 6335: Internet Assigned Numbers Authority port procedures
- IANA service name and port registry
- RFC 6598: Shared Address Space (CGNAT)