---
title: "Vast.ai Port Forwarding Not Working? Symptoms, Tests, and Fixes | NeedPorts"
description: "Diagnose why Vast.ai port forwarding fails: CGNAT, firewall rules, wrong bind address, blocked inbound traffic, SSH issues, and unreachable services."
image: "https://needports.com/og-image.svg"
canonical: "https://needports.com/vast-ai-port-forwarding-not-working.html"
html: "https://needports.com/vast-ai-port-forwarding-not-working.html"
---
# Vast.ai port forwarding not working?


Diagnose why Vast.ai port forwarding fails: CGNAT, firewall rules, wrong bind address, blocked inbound traffic, SSH issues, and unreachable services.


## Quick diagnosis checklist


1. Confirm the service is listening locally.
2. Confirm the service responds from the host itself.
3. Check host firewall rules before changing router rules.
4. Compare the host/router WAN address with the public IP seen by the internet.
5. Test from a different network, not from the same LAN.
6. If inbound traffic still times out, use a public forwarded endpoint instead of relying on upstream NAT.


## Commands to run first


```
# What public IPv4 does the internet see?
curl -4 ifconfig.me

# What is listening locally? (with sudo, the owning process is shown for sockets you do not own)
ss -tulpen
sudo ss -tulpen

# Test a local web/API service
curl -v http://127.0.0.1:8080
curl -v http://127.0.0.1:8000/health

# Check common Linux firewalls
sudo ufw status verbose
sudo iptables -S
sudo nft list ruleset
```

## Most likely causes


### Wrong local port


The app listens on 8000 but the public mapping points somewhere else.


### Service not started


Docker or systemd says the process exists, but nothing is listening.


### Firewall drop


UFW, iptables, nftables, cloud firewall, or provider filtering drops inbound packets.


### CGNAT


The host can connect outbound, but the public internet cannot initiate inbound sessions.
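
Checklist step 4 as a script, added here as an illustration and not part of NeedPorts or Vast.ai tooling: it classifies the WAN address your router or host reports and compares it with the public IPv4 the internet sees. The function names, verdict labels and sample addresses are constructed for this example.

```shell
#!/bin/sh
# Added example (not from NeedPorts or Vast.ai): classify a WAN address.
# Prints: cgnat | private | loopback | link-local | public | invalid
classify_ipv4() {
    old_ifs=$IFS; IFS=.; set -f
    set -- $1                       # split the dotted quad into $1..$4
    set +f; IFS=$old_ifs
    [ "$#" -eq 4 ] || { echo invalid; return 0; }
    for o in "$@"; do
        case $o in ''|*[!0-9]*|????*) echo invalid; return 0 ;; esac
        [ "$o" -le 255 ] || { echo invalid; return 0; }
    done
    a=$1; b=$2
    if   [ "$a" -eq 100 ] && [ "$b" -ge 64 ] && [ "$b" -le 127 ]; then
        echo cgnat                  # 100.64.0.0/10, RFC 6598 shared address space
    elif [ "$a" -eq 10 ] || { [ "$a" -eq 192 ] && [ "$b" -eq 168 ]; } ||
         { [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ]; }; then
        echo private                # RFC 1918
    elif [ "$a" -eq 127 ]; then echo loopback
    elif [ "$a" -eq 169 ] && [ "$b" -eq 254 ]; then echo link-local
    else echo public
    fi
}

# nat_verdict WAN_IP PUBLIC_IP
# WAN_IP: address shown on the router/host WAN interface (assumed input).
# PUBLIC_IP: what `curl -4 ifconfig.me` returned.
nat_verdict() {
    case $(classify_ipv4 "$1") in
        invalid) echo unknown ;;
        cgnat) echo cgnat ;;        # carrier NAT: router port forwards never see inbound
        private|loopback|link-local) echo double-nat ;;  # another NAT sits upstream
        public)
            if [ "$1" = "$2" ]; then echo direct  # forwards can work; check firewall/bind
            else echo upstream-nat                # translated or proxied beyond the WAN
            fi ;;
    esac
}

# Constructed sample addresses (documentation and shared ranges), no network access.
for wan in 100.72.14.9 192.168.1.2 203.0.113.7 198.51.100.4; do
    printf '%-14s -> %s\n' "$wan" "$(nat_verdict "$wan" 203.0.113.7)"
done
```

Only the `direct` verdict means a router or host port forward can receive unsolicited inbound traffic; with the other verdicts, firewall changes on the host alone will not open the path.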


## Before and after


```
# Before: local service works, public port times out
curl http://127.0.0.1:8080
nc -vz public-ip-or-host 8080

# After: assigned public NeedPorts port reaches the local service
sudo needports expose custom --public-port 30001 --local-port 8080 --name "Dashboard" --confirm --restart
curl http://your-needports-endpoint:30001
```

## FAQ


**Why is my Vast.ai host online but not reachable?**


The host may be able to make outbound connections while inbound traffic is blocked by CGNAT, upstream firewalling, Docker bind settings, or a local firewall.


**Does Vast.ai always provide public inbound ports?**


Not always. Your machine, ISP, datacenter, or rented network path may still prevent unsolicited inbound connections.


**Can NeedPorts expose SSH for a Vast.ai host?**


Yes. Map an assigned public port to local SSH, then connect with `ssh -p`. Use SSH keys and avoid exposing root login with password authentication.


**Can I expose Docker services or APIs?**


Yes. Expose the host port that Docker publishes locally, then test the public NeedPorts endpoint from outside.


**Do I need router access?**


No. NeedPorts uses an outbound tunnel, so it can work when router access or ISP port forwarding is unavailable.


## Deep troubleshooting examples


### Example 1: SSH works locally but public SSH times out


This usually means the SSH daemon is healthy but the public network path is blocked. Confirm the daemon first, then test the public path from outside the host.


```
# On the host
sudo ss -tulpen | grep ':22'
systemctl status ssh || systemctl status sshd

# From another machine, not the same LAN
nc -vz your-public-host.example 22
ssh -vvv user@your-public-host.example
```

If local SSH is listening but the outside test times out, changing SSH keys will not fix the network path. Use a public forwarded port or fix the upstream firewall/NAT.


### Example 2: Docker publishes a port but renters cannot reach it


Docker port publishing creates a host listener; it does not guarantee public internet reachability. Check the published host port, then map that host port to an assigned NeedPorts public port.


```
docker ps --format 'table {{.Names}}\t{{.Ports}}'
ss -tulpen | grep 8080
curl -v http://127.0.0.1:8080
sudo needports expose custom --public-port 30001 --local-port 8080 --name "Docker Web UI" --confirm --restart
curl -v http://your-needports-endpoint:30001
```

### Example 3: API binds to 127.0.0.1


Binding to localhost is not always a problem if the NeedPorts client runs on the same host and forwards to 127.0.0.1. It is a problem if Docker, the tunnel client, or another network namespace cannot reach the service.


```
# Local process bind check
ss -tulpen | grep 8000
curl -v http://127.0.0.1:8000/health
curl -v http://$(hostname -I | awk '{print $1}'):8000/health
```

If only localhost works, expose from the same host or adjust the service bind address intentionally. Do not bind sensitive admin panels publicly unless they have strong authentication.
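
The bind check above as a reusable function, added here as an illustration and not part of NeedPorts or Vast.ai tooling: it reads `ss` listener lines and reports whether a TCP port is bound to loopback only, to one specific address, or to every interface. The function names, verdict labels and the sample `ss` lines are constructed for this example.

```shell
#!/bin/sh
# Added example (not from NeedPorts or Vast.ai): report how a TCP port is bound.
# bind_scope PORT  reads `ss -tln` or `ss -tulpen` style lines on stdin and prints
# all-interfaces | specific-address | loopback-only | not-listening
bind_scope() {
    awk -v port="$1" '
        {
            i = ($1 == "tcp") ? 2 : 1          # -u adds a leading Netid column
            if ($i != "LISTEN") next
            la = $(i + 3)                      # Local Address:Port column
            n = match(la, /:[0-9]+$/)          # trailing ":port"
            if (n == 0 || (substr(la, n + 1) "") != (port "")) next
            addr = substr(la, 1, n - 1)
            sub(/%.*$/, "", addr)              # drop "%iface" scope suffix
            gsub(/\[|\]/, "", addr)            # drop IPv6 brackets
            if (addr == "0.0.0.0" || addr == "*" || addr == "::") wild = 1
            else if (addr ~ /^127\./ || addr == "::1") loop = 1
            else other = 1
        }
        END {
            if (wild) print "all-interfaces"       # reachable on every interface
            else if (other) print "specific-address"
            else if (loop) print "loopback-only"   # same host and namespace only
            else print "not-listening"
        }'
}

# Constructed sample output, mixing `ss -tln` and `ss -tuln` line shapes.
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 4096 127.0.0.1:8000 0.0.0.0:* users:(("uvicorn",pid=4242,fd=6))
LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
LISTEN 0 511 192.168.1.50:9000 0.0.0.0:*
EOF
}

for p in 8000 8080 22 53 9000 3000; do
    printf '%-5s %s\n' "$p" "$(sample_ss_output | bind_scope "$p")"
done
```

On a live host, feed it real data with `ss -Htln | bind_scope 8000`. An `all-interfaces` result on an admin panel is the case the paragraph above warns about.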


## Before/after connection examples


### Before NeedPorts


```
$ nc -vz public-ip 8000
nc: connect to public-ip port 8000 (tcp) failed: timed out

$ curl http://127.0.0.1:8000/health
ok
```

### After public forwarding


```
$ nc -vz your-needports-endpoint 30001
Connection to your-needports-endpoint 30001 port [tcp/*] succeeded!

$ curl http://your-needports-endpoint:30001/health
ok
```

## When NeedPorts is not the right fix


- The app is not running locally.
- The app has no authentication and should not be public.
- You only need private admin access between your own devices; a private mesh may be better.
- You need CDN/WAF features for a public website; use a web/CDN platform.

