Can I port forward behind CGNAT?

Not with normal router forwarding alone. You need the ISP to provide a public IP, or you need an outbound tunnel/public endpoint service.

No. DDNS only names an IP address; it does not create an inbound route through upstream CGNAT.

How do I know if I am behind CGNAT?

Compare the router WAN IP with curl -4 ifconfig.me. Addresses in 100.64.0.0/10 or private ranges are strong CGNAT signals.

Do I need router access for NeedPorts?

No. NeedPorts uses an outbound connection from your machine to a public tunnel endpoint.

Can I expose Docker, SSH, APIs, or game servers?

Yes, if the local service is listening and the NeedPorts plan/port supports the needed protocol.

API exposure

Expose an API behind CGNAT

Publish a local API behind CGNAT with health checks, firewall validation, NeedPorts port mapping, and production security notes.

Quick diagnosis checklist

Confirm the service is listening locally.
Confirm the service responds from the host itself.
Check host firewall rules before changing router rules.
Compare the host/router WAN address with the public IP seen by the internet.
Test from a different network, not from the same LAN.
If inbound traffic still times out, use a public forwarded endpoint instead of relying on upstream NAT.

Commands to run first

# What public IPv4 does the internet see?
curl -4 ifconfig.me

# What is listening locally?
ss -tulpen
sudo ss -tulpen

# Test a local web/API service
curl -v http://127.0.0.1:8080
curl -v http://127.0.0.1:8000/health

# Check common Linux firewalls
sudo ufw status verbose
sudo iptables -S
sudo nft list ruleset

Setup example

YOUR_SETUP_TOKEN is shown after signup/trial checkout and binds the client to your assigned endpoint.

curl -fsSL https://api.needports.com/install | sudo bash -s YOUR_SETUP_TOKEN --accept-tos
sudo needports setup --dry-run
sudo needports expose custom --public-port 30000 --local-port 8080 --name "Service" --confirm --restart
curl -v http://your-needports-endpoint:30000

Security notes

Expose only services you intend to make public.
Use SSH keys, HTTPS/TLS, app authentication, or IP restrictions where appropriate.
Never expose the Docker daemon socket or unauthenticated admin panels.
Keep a private fallback access method for critical systems.

FAQ

Can I port forward behind CGNAT?: Not with normal router forwarding alone. You need the ISP to provide a public IP, or you need an outbound tunnel/public endpoint service.
Does DDNS fix CGNAT?: No. DDNS only names an IP address; it does not create an inbound route through upstream CGNAT.
How do I know if I am behind CGNAT?: Compare the router WAN IP with curl -4 ifconfig.me. Addresses in 100.64.0.0/10 or private ranges are strong CGNAT signals.
Do I need router access for NeedPorts?: No. NeedPorts uses an outbound connection from your machine to a public tunnel endpoint.
Can I expose Docker, SSH, APIs, or game servers?: Yes, if the local service is listening and the NeedPorts plan/port supports the needed protocol.

Ready for a stable public endpoint?

Start with a NeedPorts trial, map one service, and test the public port from another network before depending on it for production traffic.

Start a trial Read more guides