
DrayTek Port Forwarding: Complete Step-by-Step Guide (2026)






If you run a home server, a CCTV system, a NAS device, a game server, or need to access your office PC remotely via RDP, port forwarding is how you make that happen. Your DrayTek router sits between the internet and your local network, and by default it blocks all unsolicited inbound connections — which is exactly what you want for security. Port forwarding creates a deliberate exception: when a connection arrives on a specific port, the router passes it through to the device on your LAN that is listening on that port.

DrayTek’s Vigor routers — including the widely-used Vigor 2865 and Vigor 2866 series — handle port forwarding cleanly through their NAT settings. The interface is consistent across the Vigor range, so whether you are on a Vigor 2865ac, 2866ac, or any recent Vigor 2900/3900 model, the steps in this guide will apply with minimal differences.

This guide covers everything from initial prerequisites through to testing, troubleshooting, and the security considerations you should not skip.

Prerequisites Before You Start

Know Your WAN IP Address

Port forwarding only makes sense when something on the internet can actually reach your router. That means you need a public IP address — specifically one that is routable and not hidden behind your ISP’s own NAT layer (more on CGNAT later).

Log in to your DrayTek router at 192.168.1.1 (or whichever LAN IP it is assigned) and check Online Status from the dashboard. Your WAN IP is shown there. If that IP begins with 10., 100.64–100.127, or 172.16–172.31, your ISP is using Carrier-Grade NAT (CGNAT) and you cannot port forward without first asking your ISP for a public IP — often available on a business account or for a small monthly fee.

If your public IP changes frequently (residential broadband), you should set up Dynamic DNS (DDNS) so that a hostname like yourname.draytos.net always resolves to your current IP. DrayTek routers have a built-in DDNS client under Applications → Dynamic DNS that supports providers including DrayDDNS, DynDNS, No-IP, and Cloudflare. Configure this before relying on remote access, otherwise your port forward will silently break whenever your IP changes.

If you have a static IP from your ISP, you can skip DDNS — the IP will not change.

Know the LAN IP of the Device You Are Forwarding To

Port forwarding directs inbound traffic to a specific device on your local network. You need to know the LAN IP address of that device — for example 192.168.1.50 for a NAS, or 192.168.1.100 for a PC you want to reach via RDP.

You can find this in the router’s DHCP table under Applications → DHCP Table, or on the device itself through its network settings.

Set a DHCP Reservation First

This step is important and often skipped. If the target device gets its IP address via DHCP, that IP can change the next time the device reconnects to the network. Your port forwarding rule will then point at the wrong device — or nowhere at all.

To prevent this, assign a DHCP reservation (also called a static DHCP binding) so the device always receives the same IP. In your DrayTek router go to LAN → DHCP Server Configuration and scroll down to the IP Bind List section. Enter the device’s MAC address and the IP address you want to reserve for it, then click Add and OK. From that point on, the device will always be given that IP when it connects.

Only once the target device has a stable LAN IP should you proceed to set up the port forwarding rule.

How Port Forwarding Works

Your DrayTek router uses Network Address Translation (NAT) to allow multiple devices on your LAN to share a single public IP. Outbound connections work automatically — when your laptop makes a request to a website, the router records which internal device made the request and routes the response back correctly.

Inbound connections are different. When a packet arrives from the internet destined for your public IP on a given port, the router does not know which internal device should receive it — unless you have told it explicitly. A port forwarding rule is that instruction. It says: when traffic arrives on public port X, send it to private IP Y on private port Z.

The router rewrites the destination address in real time (this is the NAT translation) and forwards the packet on. From the perspective of the device on your LAN, the connection appears to come directly to it. The external client never sees your internal IP address.

Setting Up Port Forwarding on a DrayTek Vigor Router

Step 1: Log In to the Router

Open a browser and navigate to your router’s LAN IP — typically http://192.168.1.1. Enter your admin credentials. If you have never changed them, check the label on the router or the DrayTek documentation for the default username and password. You should change these from the defaults if you have not already done so.

Step 2: Navigate to NAT → Port Redirection

From the main menu on the left, expand NAT and click Port Redirection. You will see a list of up to 20 port redirection rules (on most Vigor models). Each row can be enabled or disabled independently. Click on an empty rule number to open it for editing.

Step 3: Enable the Rule and Set the Mode

At the top of the rule configuration page you will find an Enable checkbox — tick this to activate the rule. Below that is a Mode dropdown. The options are:

  • Single — forward one specific port
  • Range — forward a consecutive range of ports to a device

For most use cases such as RDP, HTTPS, or a game server, select Single. For passive FTP or VoIP applications that need a range of ports, select Range (covered in more detail later).

Step 4: Set the Protocol

The Protocol dropdown offers TCP, UDP, or TCP/UDP. Choose the correct protocol for the service you are forwarding:

  • RDP uses TCP only
  • Minecraft uses TCP (and sometimes UDP for certain features)
  • DNS uses UDP (port 53)
  • If in doubt, select TCP/UDP — this catches both but is slightly less precise

Step 5: Set the WAN Interface

The WAN Interface dropdown lets you select which WAN connection the rule applies to. On a Vigor 2865 or 2866 this will typically be WAN1 if you have a single broadband connection. If you have a load-balanced or failover setup with multiple WAN connections, select the appropriate one. In most home and small business installations, WAN1 is correct.

Step 6: Enter the Public Port (External Port)

This is the port number that external clients will connect to — i.e. the port on your public IP address. For standard services this is usually the well-known port number for that service. For example, if you are hosting a web server, the public port is 443 for HTTPS. If you are setting up RDP, you might choose a non-standard port such as 50000 here (and then map it to port 3389 internally — see security notes below).

In Single mode, enter one port number in the Public Port field. In Range mode, enter the start and end ports.

Step 7: Enter the Private IP Address

In the Private IP field, enter the LAN IP address of the device you want traffic forwarded to — for example 192.168.1.50. This must match the DHCP reservation you set up earlier. Do not enter a hostname here; DrayTek port redirection rules require an IP address.

Step 8: Enter the Private Port

The Private Port is the port that the service is actually listening on inside your LAN. In most cases this is the same as the public port — for example, a web server on port 443, or Plex on port 32400. However, if you changed the public port for security reasons (e.g. exposing RDP on public port 50000), the private port would still be 3389 because that is what the Windows PC listens on.

Step 9: Save the Rule

Click OK to save the individual rule, and then click OK again on the Port Redirection list page to commit the changes. DrayTek routers apply changes immediately without requiring a reboot — the rule is active as soon as you save it.

Common Port Forwarding Rules Reference

| Service | Protocol | Default Port | Security Notes |
| --- | --- | --- | --- |
| RDP (Remote Desktop) | TCP | 3389 | Never expose on port 3389 publicly — use a non-standard port or, better, a VPN. RDP on 3389 is actively scanned and brute-forced. |
| HTTPS (web server) | TCP | 443 | Ensure your web server has a valid TLS certificate. Consider rate limiting and a WAF if serving publicly. |
| SSH | TCP | 22 | Disable password authentication and use key-based auth only. Consider a non-standard port to reduce automated scanning noise. |
| Plex Media Server | TCP | 32400 | Plex can work via relay without port forwarding. Direct connections are faster. Restrict access using Plex’s own authentication. |
| Minecraft Java Edition | TCP | 25565 | Consider a whitelist on the server to prevent strangers joining. DDoS attacks targeting game servers are common. |
| CCTV / NVR | TCP/UDP | Varies (e.g. 80, 8080, 37777) | Change default NVR credentials immediately. Dahua and Hikvision devices on default credentials are routinely compromised. Use a VPN where possible. |

Forwarding a Range of Ports

Some services require not a single port but a range of consecutive ports. Common examples include passive FTP (which negotiates a data channel on a random port within a configured range, often 49152–65535), VoIP systems using RTP for audio streams, and some older CCTV systems.

To forward a port range on a DrayTek router, open a port redirection rule as described above and set the Mode to Range. You will then be able to enter a Start Port and an End Port for both the public side and the private side. The range must be the same size on both sides — for example, public ports 10000–10100 forwarding to private ports 10000–10100 on a device at 192.168.1.60.

Be conservative with port ranges. Opening a large range of ports unnecessarily increases your attack surface. If your FTP server allows you to configure the passive port range, narrow it down to a small window — 100 or 200 ports — rather than leaving it open across thousands of ports.

Testing Your Port Forward

Once the rule is saved, you need to verify it is working. There are two important caveats to keep in mind first.

First, you cannot test a port forward from inside your own LAN by connecting to your public IP address. Most routers — including DrayTek — do not support NAT loopback (hairpin NAT) by default, which means a connection from your LAN to your own public IP will not be forwarded correctly. To test properly, you need a connection from outside your network.

Second, the service on the target device must actually be running and listening on the port in question. A port forward to a device that is offline or where the service is not started will appear to fail even if the router rule is configured correctly.

Testing Methods

  • Online port check tools: Visit a site such as portchecker.co or canyouseeme.org from a device on your LAN (these tools check from their own servers, which are outside your network). Enter your public IP and port number and run the check.
  • From a mobile device on 4G/5G: Turn off Wi-Fi on your phone and connect to the service using your public IP or DDNS hostname. This is the most realistic test.
  • From a remote location: Ask someone on a different network to attempt the connection, or use a cloud shell/VPS.

If the port check returns open, your rule is working. If it returns closed or filtered, work through the troubleshooting section below.

Security Considerations

Port forwarding punches a hole in your router’s default deny-all inbound policy. Used carelessly, it can expose services to the entire internet and create serious security risks. Here is what you should consider for every rule you create.

Never Forward RDP on Port 3389 Publicly

Port 3389 is relentlessly scanned by automated bots. Within minutes of opening it to the internet you will see brute-force login attempts in your Event Viewer. There are two better approaches:

  1. Use a VPN instead. DrayTek routers have excellent built-in VPN support — SSL VPN, L2TP/IPsec, IKEv2 — which lets you connect to your LAN as if you were on it locally, then use RDP without exposing the port at all. This is the recommended approach for business use.
  2. Use a non-standard public port. If you must expose RDP directly, map a high-numbered public port (e.g. 54321) to private port 3389. This will not stop a determined attacker but dramatically reduces automated scanning noise.
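
Added example, not part of the original guide and not DrayTek code: a small Python audit that applies this guide's advice on RDP exposure, range width, matching range sizes, protocol choice and DHCP reservations to a hand-written list of port redirection rules. The Rule structure, the finding names and the sample rules are assumptions of this example; the 200-port limit comes from the range advice earlier in the guide.

```python
from dataclasses import dataclass

MAX_RANGE = 200                              # guide: keep ranges to 100 or 200 ports
TCP_ONLY = {3389, 443, 22, 32400, 25565}     # listed as TCP in the guide's table


@dataclass
class Rule:                    # hypothetical structure, not a DrayTek export format
    name: str
    protocol: str              # "TCP", "UDP" or "TCP/UDP"
    public: tuple              # (start, end); start == end in Single mode
    private_ip: str
    private: tuple             # (start, end)


def audit(rule: Rule, reserved_ips: set) -> list:
    """Return the findings for one port redirection rule."""
    findings = []
    pub_size = rule.public[1] - rule.public[0] + 1
    priv_size = rule.private[1] - rule.private[0] + 1
    if pub_size != priv_size:
        findings.append("range-size-mismatch")
    if pub_size > MAX_RANGE:
        findings.append("range-too-wide")
    if rule.public[0] <= 3389 <= rule.public[1]:
        findings.append("rdp-on-public-3389")
    elif rule.private[0] <= 3389 <= rule.private[1]:
        findings.append("rdp-exposed-prefer-vpn")
    if rule.protocol == "TCP/UDP" and pub_size == 1 and rule.private[0] in TCP_ONLY:
        findings.append("protocol-wider-than-needed")
    if rule.private_ip not in reserved_ips:
        findings.append("target-ip-not-reserved")
    return findings


# Constructed sample data: IPs present in the router's IP Bind List, and four rules.
RESERVED = {"192.168.1.50", "192.168.1.100"}
RULES = [
    Rule("rdp-direct", "TCP/UDP", (3389, 3389), "192.168.1.100", (3389, 3389)),
    Rule("rdp-alt", "TCP", (50000, 50000), "192.168.1.100", (3389, 3389)),
    Rule("ftp-passive", "TCP", (49152, 65535), "192.168.1.60", (49152, 65535)),
    Rule("nas-https", "TCP", (443, 443), "192.168.1.50", (443, 443)),
]

if __name__ == "__main__":
    for r in RULES:
        print(f"{r.name}: {', '.join(audit(r, RESERVED)) or 'ok'}")
```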

Restrict Source IPs Where Possible

DrayTek routers allow you to add firewall filter rules that restrict inbound traffic by source IP. If you only ever need to reach your RDP or SSH server from a known IP address (e.g. your office), create a firewall rule under Firewall → Filter Setup that blocks connections to that port from all IPs except your known address. This transforms an open port into one that is effectively invisible to everyone else.

Keep Services Updated and Use Strong Credentials

A port forward is only as secure as the service behind it. Ensure the device and service accepting connections are kept up to date with security patches, use strong and unique passwords, and where possible enforce multi-factor authentication.

Troubleshooting Port Forwarding Issues

Rule Appears Correct But Port Shows as Closed

Work through these checks in order:

  1. Is the service running? Confirm the application is running on the target device and that it is listening on the correct port. On Windows you can run netstat -an | findstr :3389 in a command prompt to verify RDP is listening.
  2. Is the Windows/Linux firewall blocking the connection? The local firewall on the target device may be blocking inbound connections on that port even though the router rule is correct. Check Windows Defender Firewall or your Linux iptables/ufw rules.
  3. Is the private IP in the rule correct? Verify the LAN IP of the device matches what is in the rule. Check the router’s DHCP table to confirm.
  4. Is the rule enabled? Open the rule and confirm the Enable checkbox is ticked.
  5. Is there an IP Object or Filter Rule overriding NAT? DrayTek routers process firewall filter rules before NAT in some configurations. Check Firewall → Filter Setup for any rules that might be blocking inbound traffic on that port.

ISP Blocking Ports

Some ISPs block well-known inbound ports — particularly port 25 (SMTP), port 80 (HTTP), and sometimes port 443 on residential connections. If an online port checker shows the port as filtered rather than closed (filtered suggests a firewall upstream), this may be your ISP. Contact your ISP to confirm which ports are blocked, or switch to a non-standard port on the public side of your forwarding rule.
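
Added example, not part of the original guide: a Python check to run from outside your network (a VPS or a tethered laptop) that separates the open, closed and filtered results discussed in the testing section and in the ISP note above. The function names and the grouping of next steps per result are this example's assumptions.

```python
import errno
import socket
import sys


def check_tcp_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Try one TCP connection and return 'open', 'closed' or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"          # handshake completed: the forward works
    except ConnectionRefusedError:
        return "closed"            # a reset came back: reachable, nothing accepted it
    except socket.timeout:
        return "filtered"          # no reply at all within the timeout
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"      # an upstream device reported the path unreachable
        raise


# Suggested next checks per result, drawn from the guide's troubleshooting
# section; the grouping is an assumption of this example.
NEXT_STEP = {
    "open": "rule is working",
    "closed": "check the service is running, the host firewall, the private IP "
              "and the Enable checkbox",
    "filtered": "check Firewall > Filter Setup, ISP port blocking, double NAT or CGNAT",
}


def triage(host: str, port: int, timeout: float = 3.0) -> tuple:
    """Return (state, next_step) for one forwarded port."""
    state = check_tcp_port(host, port, timeout)
    return state, NEXT_STEP[state]


if __name__ == "__main__":
    # Usage: python3 check_forward.py <public-ip-or-ddns-name> <public-port>
    print(*triage(sys.argv[1], int(sys.argv[2])), sep=": ")
```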

Double-NAT and CGNAT

If your router is connected to another router — for example a modem-router in bridge mode that is not actually in bridge mode, or an ISP-supplied router in front of your DrayTek — you may be dealing with double-NAT. In this case you would need to set up port forwarding on the outer device as well, pointing to your DrayTek’s WAN IP.

If your WAN IP is in the CGNAT range (100.64.0.0–100.127.255.255), you are behind your ISP’s own NAT and port forwarding will not work at all until you obtain a dedicated public IP. This is increasingly common on 4G/5G broadband and some fibre residential services.
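
Added example, not part of the original guide: a Python check that classifies the WAN IP shown in Online Status (the prerequisite described earlier) and compares it with the address an outside service reports, which separates the double-NAT and CGNAT cases above. The function names are this example's own, and the sample addresses are constructed documentation addresses.

```python
import ipaddress

CGNAT = ipaddress.ip_network("100.64.0.0/10")    # 100.64.0.0 to 100.127.255.255
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan_ip(wan_ip: str) -> str:
    """Return 'cgnat', 'private' or 'public' for the router's WAN IP."""
    addr = ipaddress.ip_address(wan_ip)
    if addr in CGNAT:
        return "cgnat"
    if any(addr in net for net in PRIVATE):
        return "private"
    return "public"


def diagnose(wan_ip: str, seen_from_internet: str) -> str:
    """Compare the WAN IP with the address an external 'what is my IP' page shows."""
    kind = classify_wan_ip(wan_ip)
    if kind == "cgnat":
        return "CGNAT: ask the ISP for a dedicated public IP"
    if kind == "private":
        return "behind another NAT: forward on the upstream device too, or ask the ISP"
    if ipaddress.ip_address(wan_ip) != ipaddress.ip_address(seen_from_internet):
        return "WAN IP differs from the externally seen IP: upstream NAT likely"
    return "public and directly reachable: port forwarding can work"


if __name__ == "__main__":
    # Constructed sample pairs: (WAN IP from Online Status, IP seen from outside).
    samples = [
        ("100.72.14.9", "198.51.100.4"),
        ("192.168.0.2", "198.51.100.4"),
        ("203.0.113.7", "203.0.113.7"),
    ]
    for wan, outside in samples:
        print(f"{wan:15} -> {diagnose(wan, outside)}")
```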

Rule Works Intermittently

If the port forward works sometimes but not reliably, check whether the target device’s IP is changing. Verify your DHCP reservation is in place and that the device is actually receiving the reserved IP (check the device’s network settings). Also check whether the service on the target device is crashing and restarting.

Using DMZ as an Alternative

DrayTek routers also offer a DMZ setting under NAT → DMZ Host. When you assign a device as the DMZ host, all inbound traffic on any port that does not match an existing port redirection rule is forwarded to that device. It effectively gives the device a direct connection to the internet with no NAT protection from the router.

DMZ has legitimate uses — for example, placing a dedicated firewall appliance or a gaming console in the DMZ — but in most cases you should not use it. A device in the DMZ is exposed on every port, meaning any service running on it (including ones you may not be aware of) is reachable from the internet. The targeted port redirection approach covered in this guide is almost always the right choice because it exposes only the specific ports you intend to expose.

If you do use DMZ, ensure the device in the DMZ has its own firewall configured correctly and is not running any unnecessary services.

Summary

Port forwarding on a DrayTek Vigor router is straightforward once you understand the three essentials: a reachable public IP (or DDNS hostname), a stable LAN IP for the target device (DHCP reservation), and a correctly configured NAT → Port Redirection rule with the right protocol, public port, private IP, and private port.

The configuration path is: NAT → Port Redirection → select a rule slot → enable, set mode, protocol, WAN interface, public port, private IP, private port → OK.

Always test from outside your network, consider the security implications of every port you expose, and where possible use DrayTek’s built-in VPN functionality rather than forwarding sensitive ports like RDP directly to the internet. DrayTek routers are well-suited to both purposes — the same device that handles your port forwarding can also terminate VPN connections for staff working remotely, giving you the best of both approaches.

