Why Some Games Need Ports Opened to Host or Play
You set up a Minecraft server for you and your friends. It runs perfectly on your own machine. You can connect to it using localhost all day long. But the moment your friend tries to join using your IP address, they get "Connection timed out" and nothing works.
This is one of the most common networking headaches people run into, and it almost always comes down to one thing: ports that need to be opened. The frustrating part is that there isn't just one place to open them. Depending on your setup, a single connection might have to pass through three or four separate gatekeepers, and any one of them can silently block the whole thing.
This guide walks through why hosting needs open ports, why joining usually doesn't, and every single place a port might be getting blocked.
Why Joining a Game Works but Hosting Doesn't
Here's the part that confuses most people. You can join almost any online game without touching a single setting. So why does hosting your own server suddenly require all this configuration?
It comes down to the difference between outbound and inbound connections.
When you join someone else's game, you are the one starting the connection. Your computer reaches out to their server. This is an outbound connection, and your router and firewall are perfectly happy to let it through. They assume that if you started the conversation, you want to hear the reply, so the response traffic is allowed back in automatically. This is how almost all normal internet use works: you click a link, your browser asks for the page, the page comes back.
When you host a server, the situation flips. Now other people's computers are reaching out to you, unprompted. This is an inbound connection, and by default, your router and firewall block these. They have no idea whether that incoming connection is your friend trying to join Minecraft or a malicious bot scanning for vulnerable machines. So they block it to be safe. Opening a port is how you tell them "connections arriving here are expected, let them through."
What a Port Actually Is
If your IP address is like the street address of your house, a port is like a specific door or window. Your computer has 65,535 of these ports, and different services listen on different ones. Web traffic comes in on port 443, email uses others, and game servers each claim their own.
When your friend types your IP address into Minecraft, their game doesn't just knock on your front door. It knocks on a very specific door: port 25565, the default Minecraft port. If that door is locked at any point along the way, the connection fails. (For a deeper rundown of ports and other networking terms, see our network glossary.)
So when we talk about "opening a port," we mean unlocking that specific numbered door so that incoming traffic addressed to it can reach the program waiting behind it.
The Gatekeepers: Every Place a Port Can Be Blocked
This is the heart of the problem. A connection from your friend's computer to your game server has to pass through a series of checkpoints. Each one can block it independently. If you only fix one and the others are still blocking, it still won't work, which is why people spend hours troubleshooting and getting nowhere.
Here's the full path, in the order traffic travels, from the outside world to your game server:
- Your ISP's network (CGNAT, if present)
- Your router or modem (NAT and port forwarding)
- Your computer's firewall (Windows Defender Firewall, macOS firewall)
- Third-party antivirus or security software
- The game or server software itself
Let's go through each one.
Gatekeeper 1: Your Router
This is the big one, and the place most people need to make changes. Your router sits between your home network and the internet, and it uses something called NAT (Network Address Translation) to let all your devices share one public IP address.
The side effect of NAT is that when an inbound connection arrives at your public IP, the router has no idea which device it's meant for. You might have a laptop, a phone, a console, and a desktop all behind that one address. So unless you tell it otherwise, the router just drops the connection.
Port forwarding is the fix. You log into your router (usually by typing something like 192.168.1.1 into a browser) and create a rule that says: "any traffic arriving on port 25565 should be sent to the computer at this internal address." Now the router knows exactly where to deliver those Minecraft connections.
What you'll need to set up a port forward
- The port number and protocol (Minecraft uses 25565 over TCP)
- The internal IP address of the computer running the server (something like 192.168.1.42)
- Ideally, a static internal IP or DHCP reservation for that computer, so its address doesn't change and break your rule later
The exact menu location varies by router brand, but you're looking for a section called "Port Forwarding," "Virtual Servers," or sometimes "NAT Forwarding."
Gatekeeper 2: Your Computer's Firewall
Even after the router correctly forwards the traffic to your computer, your operating system has its own firewall that can block it. This trips up a lot of people: they get the router configured perfectly, the traffic arrives at the right machine, and then Windows silently refuses it.
Windows Defender Firewall
On Windows, the built-in firewall blocks unsolicited inbound connections by default. When you first launch a game server, Windows often pops up a dialog asking whether to allow it on private and/or public networks. If you click "Cancel" or miss that popup, the server is blocked.
To fix it manually, you create an inbound rule in Windows Defender Firewall with Advanced Security. You specify the port (25565), the protocol (TCP), and tell it to allow the connection. Make sure you allow it on the correct network profile: if your home network is set to "Public," a rule that only allows "Private" won't help.
macOS firewall
macOS has a simpler application-based firewall. It's off by default for most setups, but if it's enabled, you may need to explicitly allow the game server application to accept incoming connections under System Settings, Network, Firewall.
Gatekeeper 3: Antivirus and Security Software
If you run third-party security software (Norton, McAfee, Bitdefender, ESET, and others), it often includes its own firewall that operates separately from the Windows one. This is a sneaky source of blocked connections, because you can have the Windows firewall perfectly configured and still get blocked by the antivirus firewall layered on top.
If you've opened the port on your router and in Windows Firewall and it's still not working, your security suite is a prime suspect. Look in its settings for a firewall or network protection section and add an exception for your game server's port or application. Temporarily disabling the security software (briefly, to test) is a quick way to confirm whether it's the culprit.
Gatekeeper 4: The Game or Server Software
Finally, the server software itself has to actually be listening on the port you think it is. A few things commonly go wrong here:
- The server is bound to the wrong address. Some server software defaults to listening only on localhost (127.0.0.1), which means it only accepts connections from the same machine. You may need to configure it to listen on all interfaces (0.0.0.0).
- The port in the config doesn't match. If you changed the server's port in its configuration file (Minecraft's server.properties, for example) but forwarded a different port on your router, nothing lines up.
- The server isn't running. Obvious, but worth checking. A crashed server looks identical to a blocked port from the outside.
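The three failure modes above can be checked on the host itself. The following is an added example, not part of the server software or any tool named on this page. `server-ip` and `server-port` are the server.properties keys; the sample file contents, the forwarded port and internal IP passed in, and the function names are constructed for illustration.

```python
import socket

# Constructed sample config (not from the page): wrong bind address, wrong port.
SAMPLE_PROPERTIES = """\
#Minecraft server properties
server-ip=127.0.0.1
server-port=25566
"""

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def config_problems(text, forwarded_port, internal_ip):
    """List mismatches between the server config and the router's port forward."""
    props = parse_properties(text)
    bind_ip = props.get("server-ip", "")            # empty means all interfaces
    port = int(props.get("server-port") or 25565)   # 25565 is the default
    problems = []
    if bind_ip and bind_ip not in ("0.0.0.0", internal_ip):
        problems.append(f"bound to {bind_ip}, not reachable at {internal_ip}")
    if port != forwarded_port:
        problems.append(f"listening on {port}, router forwards {forwarded_port}")
    return problems

def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP connect attempt against your own server."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"      # a program accepted the connection
    except ConnectionRefusedError:
        return "refused"       # host answered, nothing listening on that port
    except (socket.timeout, TimeoutError):
        return "timeout"       # no answer at all: packets dropped on the way
    except OSError:
        return "unreachable"   # no route, bad address, or similar local error

if __name__ == "__main__":
    for problem in config_problems(SAMPLE_PROPERTIES, 25565, "192.168.1.42"):
        print("config:", problem)
    print("local probe:", probe_tcp("127.0.0.1", 25565, timeout=1.0))
```

A "refused" result from the host itself means the server is not running or is listening on a different port. An "open" result here only clears this gatekeeper, not the router or firewalls in front of it.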
The Hidden Gatekeeper: CGNAT
This one deserves special attention because it can make port forwarding impossible no matter what you do, and people waste enormous amounts of time before discovering it.
CGNAT (Carrier-Grade NAT) is when your ISP puts you behind their NAT, sharing a single public IP address among many customers. This is increasingly common, especially with mobile and some fiber providers, because of the global shortage of IPv4 addresses.
If you're behind CGNAT, you don't actually have your own public IP address. The address you'd forward to doesn't belong solely to you, so there's no way to set up port forwarding that reaches your machine. Your router's port forwarding settings will appear to work, but inbound connections never make it to you.
How to tell if you're behind CGNAT
Compare two things: the IP address shown in your router's status page (the "WAN" or "Internet" IP), and the public IP shown by an external service like our What's My IP tool. If they're different, you're almost certainly behind CGNAT. Another tell: your WAN IP falls in the 100.64.x.x to 100.127.x.x range, which is reserved specifically for carrier-grade NAT.
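The same comparison as a small script. This is an added example and not part of any tool mentioned on this page. It goes one step beyond the two checks above by also flagging a private (RFC 1918) WAN address, which means another NAT device sits in front of your router, and by refusing to compare an IPv4 WAN address with an IPv6 address from the lookup service. The function name, verdict labels and sample addresses are constructed.

```python
import ipaddress

CGNAT_RANGE = ipaddress.ip_network("100.64.0.0/10")   # 100.64.x.x to 100.127.x.x
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def cgnat_verdict(wan_ip, public_ip):
    """Compare the router's WAN IP with the IP an external service reports."""
    wan = ipaddress.ip_address(wan_ip)        # ValueError on malformed input
    public = ipaddress.ip_address(public_ip)
    if wan in CGNAT_RANGE:
        return "cgnat"           # address from the carrier-grade NAT range
    if any(wan in net for net in PRIVATE_RANGES):
        return "upstream-nat"    # another NAT device sits in front of the router
    if wan.version != public.version:
        return "inconclusive"    # IPv4 vs IPv6: the two cannot be compared
    if wan != public:
        return "likely-cgnat"    # the rule above: the two addresses differ
    return "direct"              # WAN IP is the public IP; forwarding can work

# Constructed sample pairs (documentation and reserved ranges, not real hosts).
SAMPLES = [
    ("203.0.113.7", "203.0.113.7"),
    ("100.72.14.9", "198.51.100.20"),
    ("192.168.0.2", "198.51.100.20"),
    ("203.0.113.7", "2001:db8::1"),
]

if __name__ == "__main__":
    for wan_ip, public_ip in SAMPLES:
        print(f"{wan_ip:>13} vs {public_ip:<14} -> {cgnat_verdict(wan_ip, public_ip)}")
```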
What to do about it
You generally can't fix CGNAT yourself. Your options are to call your ISP and ask for a dedicated public IP address (sometimes free, sometimes a small monthly fee), or to use a workaround like a VPN with port forwarding support, or a tunneling service that gives you a public endpoint without needing your own open port.
Common Game and Server Ports
Different games and server applications use different default ports. Here are some of the most common ones people need to forward:
| Game / Service | Port(s) | Protocol |
|---|---|---|
| Minecraft (Java) | 25565 | TCP |
| Minecraft (Bedrock) | 19132 | UDP |
| Terraria | 7777 | TCP |
| Valheim | 2456-2457 | UDP |
| ARK: Survival | 7777, 27015 | UDP |
| Counter-Strike 2 | 27015 | TCP/UDP |
| Rust | 28015 | UDP |
| Project Zomboid | 16261 | UDP |
Always double-check the current documentation for your specific game, since ports can change between versions and some games need several ports open at once. Note that some games use TCP, some use UDP, and some need both, so forwarding the wrong protocol is another easy mistake.
How to Check If Your Port Is Actually Open
After all this configuration, you need a way to verify whether the port is genuinely reachable from the outside. Checking from your own network doesn't count, because traffic from inside your house doesn't have to pass through the same gatekeepers as traffic from the internet.
The reliable way is to test from an external source. Our Port Checker tool does exactly this: it attempts to reach a given port on your public IP from our servers, which is the same path your friend's connection would take. If it reports the port as open, you know all the gatekeepers are letting traffic through. If it reports closed, at least one of them is still blocking, and you can work back through the list above.
This is genuinely the fastest way to troubleshoot, because it tells you whether the problem is on the network side at all. If the port checker says the port is open but your friend still can't connect, the issue is more likely in the game software or their setup, not your ports.
A Note on UPnP and Security
Many routers support UPnP (Universal Plug and Play), which lets applications open ports automatically without you configuring anything. Some game servers and consoles use it. It's convenient, and it's why your Xbox or PlayStation usually works online without any manual port forwarding.
The tradeoff is security. UPnP lets any device on your network open ports without asking you, which means malware on a compromised device could expose services you never intended to. For occasional hosting, manually forwarding a single specific port is more secure than leaving UPnP wide open.
Whichever method you use, keep two security principles in mind: only open the specific ports you actually need, and close them again when you're done hosting. An open port is an open door, and the fewer doors you leave unlocked, the smaller your exposure. If you're running a public-facing server long-term, make sure the server software is kept updated and consider putting it on an isolated part of your network.
Quick Troubleshooting Checklist
When a hosted game won't accept outside connections, work through this in order:
- Confirm the server is running and listening on the expected port.
- Check you're not behind CGNAT by comparing your router's WAN IP to your actual public IP. If they differ, port forwarding won't work until your ISP gives you a real public IP.
- Verify the port forward on your router points to the correct internal IP and uses the right protocol (TCP, UDP, or both).
- Add an inbound firewall rule in Windows Defender Firewall for the port, on the correct network profile.
- Check third-party antivirus firewalls for a separate block.
- Test from outside using our Port Checker to confirm the port is reachable.
Ninety percent of the time, the culprit is either a missing firewall rule on the host computer or CGNAT on the ISP side. Knowing all the gatekeepers exist is half the battle.