Appearance
How to check if a port is open on your public IP
One command tests it from the real internet: curl ipconfig.io/port/443 attempts a TCP connection back to your public IP on that port and tells you whether anything answered. No scan configuration, no "open/filtered" ambiguity — a plain reachable-or-not verdict from outside your network, which is the only vantage point that matters when you're debugging why your server, camera, or game session can't be reached. This guide covers reading the result and, more usefully, diagnosing the no.
Maintained by the ipconfig.io team · Reviewed 1 July 2026
Run the check
bash
curl ipconfig.io/port/443json
{
"ip": "203.0.113.42",
"port": 443,
"reachable": false
}The service dials ip:port — your public address — over TCP and reports whether the connection succeeded. Swap in any port: /port/22 for SSH, /port/25565 for a Minecraft server, /port/8080 for that reverse proxy you're setting up.
Two honest limits: it tests TCP only (game servers and VoIP on UDP need a different probe), and it tests this moment — a router mid-reboot answers differently than one settled down.
For most home connections, reachable: false on everything is the correct, healthy result. Your router's NAT and firewall are doing their job: nothing answers unsolicited connections. The check earns its keep when you want a port reachable and need to know whether the whole chain is working.
Why is my port closed even though I forwarded it?
reachable: false means the connection died somewhere in this chain. Walk it in order:
| Link | What breaks here | How to check |
|---|---|---|
| 1. Service | Not running, or listening on 127.0.0.1 only | ss -ltn on the machine — the local address must be 0.0.0.0:port or [::]:port, not 127.0.0.1:port |
| 2. Device firewall | Drops inbound before the service sees it | Test from another machine on the LAN: curl lan-ip:port |
| 3. Router forwarding | Rule missing, wrong LAN IP (DHCP moved the machine), wrong protocol | Router admin page; consider a DHCP reservation for the target machine |
| 4. ISP / CGNAT | Inbound blocked upstream, or the public IP isn't exclusively yours | See below — this one has a definitive test |
The LAN-vs-internet split localizes the fault fast: if curl lan-ip:port works from another device but curl ipconfig.io/port/<port> says unreachable, the problem is link 3 or 4 — router or ISP — not your service.
The CGNAT case: when forwarding can't work
If your ISP uses carrier-grade NAT, the "public" IP you see is shared by many subscribers, and the address the internet sees isn't routed exclusively to your router — so port forwarding is structurally impossible, no matter how correct your rules are. The tell: your router's WAN address differs from what curl ipconfig.io reports. The CGNAT guide shows the exact comparison and your options (an outbound tunnel like Cloudflare Tunnel, Tailscale or a VPS relay — or paying the ISP for a real public IP, see static vs dynamic).
Is an open port dangerous?
The port is a doorway; the risk is whatever answers the knock. reachable: true on a patched web server you meant to expose is the goal. reachable: true on a remote-desktop port, a database, or a router admin panel is an invitation — automated scanners sweep the entire IPv4 space continuously and will find it within hours, then try credentials (your IP is not a secret; obscurity is not a control).
The working rules: expose only services designed for hostile networks, patch them, and reach everything else over a tunnel or VPN instead of a raw open port. Then re-run the check to confirm the doors you meant to close actually are.
Frequently asked questions
How do I check if a port is open?curl ipconfig.io/port/<number> — a real TCP connection attempt to your public IP from outside, returning reachable: true or false.
Why is my port closed despite port forwarding? In order: service bound to localhost, device firewall, wrong forwarding target, or CGNAT — where inbound forwarding can't work at all.
Is an open port dangerous? Only as dangerous as the software behind it. Deliberately exposed and patched: fine. Forgotten RDP/database/admin ports: the actual attack surface.
Listening vs open? Listening is your program accepting connections locally; open means the internet can reach it through firewall, router and ISP combined.
Next steps
- What is CGNAT? — the definitive test for the case where forwarding can never work.
- Static vs dynamic IP addresses — keeping a reachable service reachable when your address changes.
- Monitor your public IP for changes — the cron watcher that tells you when it does.