it lets a service on your computer be visible to the internet even though you’re using NAT.

most internal networks use addresses starting with 10. or 192.168.: these addresses can’t be routed over the internet. so if your computer has an ip of 192.168.0.7 I’ll never be able to connect to it from my network, because my computer would be trying to connect to a computer with that address on *my* network, not yours.

this is done because public ip addresses are in limited supply, we only have 4 billion or so and they all got allocated to various entities years ago. so your house gets 1 single public ip to share between all the devices on your network. your router takes care of this, sending packets out the network by replacing your internal ip address with the public ip so that the other computer knows where to send the reply. (remember if it tried to send it to your internal ip address, the other computer would end up trying to send the reply to a computer on its own network).

you can see your public ip if you type “what’s my ip” into google. you can see your internal ip if you open a cmd terminal and type ipconfig (on windows).

but what if you wanted to host a game, how could i connect to your computer? well, you can tell me your public ip, and that’s fine, but all i can connect to is your router, it’s your router that has that ip address, not your computer.

so you can set up port forwarding, say you make your game listen on port 3000 on your computer, and your computer has the internal ip 192.168.0.7, you can say to the router: “hey, if anyone tries to connect to you on port 3000, connect to my computer on port 3000 and forward any data you receive to the other end of the connection”.

your router does this, you tell your friend your public ip and that you’re on port 3000, they connect to port 3000 and your router forwards all that traffic to port 3000 on your computer. it’s just like your friend had connected directly to your machine.

now there’s no reason for the 2 ports to be the same, you could ask the router to listen on port 4000 and send everything to port 2000, it’s really just arbitrary.

games don’t like making people set this stuff up so they tend to use another feature called hole-punching (or upnp) this works differently using a different internet protocol. this only works when services are actively looking for each other with a 3rd party public server somewhere. if you wanted to set up, say a web server on your machine that everyone can see, you’d need to do port forwarding.