---
title: "How NeedPorts Works - Public Ports Behind CGNAT"
description: "How NeedPorts gives machines behind CGNAT or restrictive networks a stable public endpoint and dedicated forwarded ports using an outbound tunnel."
image: "https://needports.com/og-image.svg"
canonical: "https://needports.com/how-it-works.html"
html: "https://needports.com/how-it-works.html"
---
# Public ports for machines that cannot receive public inbound traffic directly.


NeedPorts helps when your service works locally, your machine can reach the internet, but the public internet cannot reach your machine because of CGNAT, blocked inbound ports, or provider network restrictions.


## The short version


Instead of relying on your ISP, router, or hosting provider to accept inbound connections, your machine opens an outbound tunnel to NeedPorts. NeedPorts gives you a stable public endpoint and an assigned range of forwarded ports. Public traffic arrives at NeedPorts first, then travels through the outbound tunnel to your local service.


## Connection flow

**1. Your service runs locally.**

Examples: SSH, an inference API, a dashboard, Home Assistant, a game server, or a web app.

**2. The NeedPorts client connects outbound.**

Outbound connections usually work even when inbound port forwarding is blocked by CGNAT or provider policy.

**3. NeedPorts receives public traffic.**

Users connect to your assigned public endpoint and dedicated forwarded ports.

**4. Traffic is forwarded through the tunnel.**

The traffic reaches your machine without requiring router port forwarding, a residential public IPv4 address, or manual inbound firewall exposure at the edge.


## When this is the right tool


- Your app works locally but times out from outside.
- Your router WAN IP is private or does not match your external public IP.
- Your Vast/GPU host needs stable inbound ports for workloads, dashboards, SSH, or APIs.
- Your ISP or provider blocks normal inbound port forwarding.
- You want a stable public endpoint without upgrading to a static/public IPv4 plan.


## What to check first


- Confirm the service is running and listening on the expected local port.
- Confirm it is not bound only to `127.0.0.1` unless that is intentional.
- Confirm the local firewall allows traffic to the service.
- Confirm the machine can make outbound internet connections.


## Related guides

[

### Vast/GPU hosts


Need stable inbound ports for Vast.ai or remote GPU workloads.

](/vast-ai-port-forwarding.html)[

### CGNAT port forwarding


Why normal router rules fail behind carrier-grade NAT.

](/cgnat-port-forwarding.html)[

### Port forwarding not working


A practical troubleshooting checklist before choosing a fix.

](/port-forwarding-not-working.html)[

### Self-hosting behind CGNAT


Expose home servers, APIs, and dashboards from networks without public inbound reachability.

](/self-hosting-behind-cgnat.html)

## Ready to get a public endpoint?


Choose a plan, install the client on the machine that needs inbound reachability, and use your assigned endpoint and ports for the service you control.

[GPU host setup](/?usecase=vast#order)[Self-hosted setup](/?usecase=selfhost#order)

```json
{
  "@context": "https://schema.org",
  "@graph": [
    {
      "@type": "Organization",
      "name": "NeedPorts",
      "url": "https://needports.com/",
      "@id": "https://needports.com/#organization"
    },
    {
      "@type": "Service",
      "name": "NeedPorts",
      "serviceType": "Public endpoint and dedicated port forwarding for CGNAT",
      "url": "https://needports.com/",
      "description": "NeedPorts provides static public endpoints and dedicated forwarded ports for machines behind CGNAT or restrictive networks.",
      "provider": {
        "@type": "Organization",
        "name": "NeedPorts",
        "url": "https://needports.com/",
        "@id": "https://needports.com/#organization"
      }
    },
    {
      "@type": "Article",
      "headline": "How NeedPorts works",
      "description": "How NeedPorts creates public inbound reachability for machines behind CGNAT using outbound tunnels and assigned forwarded ports.",
      "url": "https://needports.com/how-it-works.html",
      "mainEntityOfPage": "https://needports.com/how-it-works.html"
    },
    {
      "@type": "BreadcrumbList",
      "itemListElement": [
        {
          "@type": "ListItem",
          "position": 1,
          "name": "Home",
          "item": "https://needports.com/"
        },
        {
          "@type": "ListItem",
          "position": 2,
          "name": "How it works",
          "item": "https://needports.com/how-it-works.html"
        }
      ]
    }
  ]
}
```