Port Forwarding

Why we recommend against port forwarding, when Client VPN is the right alternative, and how to lock down a port forward if you absolutely have to use one.

Critical security warning

Uplevel strongly advises against using port forwarding. Keep your ports closed and reach internal services through a Client VPN tunnel instead.

The recommended pattern: Client VPN

A Client VPN gives authenticated, encrypted access to the LAN without exposing any service directly to the public Internet. Services stay protected behind the firewall where they belong, and remain reachable for users and admins who need them.

Why port forwarding is a bad default

Exposure is immediate. Within hours of opening a port, the exposed public-IP:port combination is indexed by Internet-wide scanners such as Shodan and added to attacker target lists. From that point on, the gateway’s firewall isn’t protecting that service — the service’s own application code is.

Real-world risk

  • The gateway’s Threat Analysis catches some HTTP and HTTPS threats, but it cannot cover every protocol or every new exploit.
  • A zero-day in the exposed service can be weaponised against you the moment it becomes public.
  • The safety of your network now depends on the vendor of that service keeping their software patched ahead of attackers — a bet you don’t want to be making.

If you absolutely have to use port forwarding

If a Client VPN isn’t an option and a port forward is genuinely required, treat it as a managed risk and apply every layer of defense available:

Required protections

  1. In Portal › Firewall › Port Forwarding, set the rule to Accept traffic exclusively from certain sources.
  2. Add only the specific public IPs that genuinely need access.
  3. Review and prune that allow-list regularly.
  4. Watch system logs for suspicious activity.
  5. Apply software updates to the exposed service immediately on release.
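As an added example (not part of the original article), the following Python sketches steps 2 to 4 as a periodic review pass over gateway logs for one forwarded port: it flags sources repeatedly hitting the port, allow-list entries that no longer see any traffic (prune candidates), and accepted connections from outside the allow-list (the rule is not restricted as intended). The log line format, IP addresses and allow-list are constructed placeholders; the real gateway's log format will differ.

```python
import ipaddress
from collections import Counter

# Constructed allow-list as it would be entered on the port-forward rule
# (hypothetical values, not taken from the article or the gateway).
ALLOW_LIST = ["203.0.113.10", "198.51.100.0/29", "192.0.2.200"]

# Constructed sample log lines in a hypothetical key=value format.
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z fwd src=203.0.113.10 dst=10.0.0.5 dport=443 action=accept
2024-05-01T10:00:04Z fwd src=192.0.2.77 dst=10.0.0.5 dport=443 action=drop
2024-05-01T10:00:05Z fwd src=192.0.2.77 dst=10.0.0.5 dport=443 action=drop
2024-05-01T10:00:09Z fwd src=192.0.2.77 dst=10.0.0.5 dport=443 action=drop
2024-05-01T10:01:00Z fwd src=198.51.100.3 dst=10.0.0.5 dport=443 action=accept
2024-05-01T10:02:00Z fwd src=192.0.2.99 dst=10.0.0.5 dport=443 action=accept
"""


def parse_line(line):
    """Split one constructed log line into its key=value fields."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def review_port_forward(log_text, allow_list, dport, drop_threshold=3):
    """Review traffic to one forwarded port against its source allow-list."""
    nets = [ipaddress.ip_network(a, strict=False) for a in allow_list]
    seen_allowed = set()      # allow-list entries that actually carried traffic
    drops = Counter()         # dropped attempts per source IP
    unexpected_accepts = []   # accepted sources not covered by the allow-list
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("dport") != str(dport):
            continue  # only the forwarded port under review
        src = ipaddress.ip_address(f["src"])
        matched = [n for n in nets if src in n]
        if f["action"] == "accept":
            if matched:
                seen_allowed.update(str(n) for n in matched)
            else:
                unexpected_accepts.append(str(src))
        else:
            drops[str(src)] += 1
    return {
        "repeated_drops": {ip: c for ip, c in drops.items() if c >= drop_threshold},
        "unused_allow_entries": [str(n) for n in nets if str(n) not in seen_allowed],
        "unexpected_accepts": unexpected_accepts,
    }


if __name__ == "__main__":
    print(review_port_forward(SAMPLE_LOGS, ALLOW_LIST, 443))
```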

Limits to be aware of

  • Source-IP restrictions don’t help if one of the allowed source systems is itself compromised.
  • Threat Analysis offers only basic HTTP-level protection — it isn’t a substitute for keeping the exposed service patched.
  • Any flaw in the exposed software is a direct entry point into the network behind the firewall.

The bottom line

Once a port is open, it will be attacked — continuously, by automated tooling. No matter how careful the configuration, a vulnerability will eventually surface and be exploited.

A Client VPN removes that exposure entirely. Services stay hidden from the Internet while remaining fully accessible to the team over an authenticated, encrypted tunnel.