Is there a difference between port forwarding and tunneling?



I was a bit confused whether there is a difference between port forwarding and tunneling. What I have concluded is that a port forwarder forwards application data to another port, perhaps potentially on a remote host. A tunnel, on the other hand, doesn't carry application data directly, but rather carries the PDUs of another IP protocol. So can it be said that a tunnel is a special type of forwarder wherein, unlike a normal forwarder where the mediator server makes a direct connection to the ultimate destination and forwards the data to the destination, a tunnel rather injects the protocol data into its operating system networking stack to be routed to the ultimate destination?

But this doesn't always appear to hold true. For example, SSH tunnels are often referred to as secured tunnels. But are they really tunnels? The data that is being carried in these secure channels is application data and not IP protocol data.

Maybe I am over-analyzing this and they both refer to the same thing.

So for the following scenario where I have an Application A, B, C. A is a client application that connects to B. B simply forwards the data to Application C. Would B be considered to be port forwarding because there is no additional "value" being added to the data stream? If so, what about the same scenario but assume that the connection between A and B is unencrypted and the connection between B and C is encrypted. Would B now be tunneling data in this case as opposed to port forwarding since there is now a "value add" of encryption?

Ashaman Kingpin

Posted 2014-05-05T13:10:52.363

Reputation: 153

The main difference (and they are very different in manifestation) is that port forwarding generally happens inside a single device (a NAT wall of some kind), so it's essentially just routing, with some TCP redirection and session state mapping. On a packet level, tunneling is like putting armor around your packet (the packet is placed inside another packet that is its tunnel). On a stream level, it's like the tube your data is in is itself inside another tube (the tunnel). – Frank Thomas – 2014-05-05T14:34:38.227

It may help to have a concrete example. Let's say I have an L4 tunnel over SSH, and I want to connect to a remote server at port 80 through the tunnel. My system will create an IP packet for the remote tunnel endpoint, with an SSH segment at TCP/22. I also create an IP packet for the webserver, with an HTTP (TCP/80) segment. I then put the packet containing the HTTP segment INSIDE the SSH segment, and send it into the tunnel. The remote endpoint receives the SSH packet, and pulls the inner packet out of it. Then it sends the HTTP packet on to the webserver, which will respond back the same way. – Frank Thomas – 2014-05-05T14:39:20.267



Port forwarding does not wrap the PDUs of one protocol in another, so it is not synonymous with tunneling. Port forwarding is typically part of a NAT facility that accepts traffic from an allowed port, then modifies the destination address to the configured mapped IP address, and notes this so it can route outgoing traffic back correctly.

Generally the only reason why you want to encapsulate the PDUs of one protocol into another is to hide it or protect it, typically for security reasons. (PPP is a possible notable exception to this.) So the great majority, if not all, of real-world tunneling scenarios will involve the user tunneling to a server that can then forward traffic elsewhere, if nothing else to localhost on that system to reach another type of server (HTTP, etc.). Typically what is doing this is some sort of tunneling or access server, i.e. an SSH server, VPN server, etc.


Posted 2014-05-05T13:10:52.363

Reputation: 63 487


Tunneling allows you to do a few different things by encapsulating data inside of another form of data:

  • Security - you can use an encrypted tunnel to securely transport data over an untrusted network, such as unencrypted wifi networks or the public internet
  • Obscurity - you can use a tunnel on one port to transfer data that would normally be transmitted on another port, bypassing network security while being transparent to both the client and server
  • Versatility - you can use a tunnel to link two devices or networks, using something other than the transport network's native protocol. You can run TCP/IP over MPLS, for example

Port forwarding is much simpler: it just forwards and possibly routes connections on the network.


Posted 2014-05-05T13:10:52.363

Reputation: 1 476

So for the following scenario where I have an Application A, B, C. A is a client application that connects to B. B simply forwards the data to Application C. Would B be considered to be port forwarding because there is no additional "value" being added to the data stream?

If so, what about the same scenario but assume that the connection between A and B is unencrypted and the connection between B and C is encrypted. Would B now be tunneling data in this case as opposed to port forwarding since there is now a "value add" of encryption? – Ashaman Kingpin – 2014-05-05T19:59:23.473


@Bert has given a good answer (+1), but I think the two biggest differences between the two are that:

  1. port forwarding can be performed using only the data available in the network packet envelope. Tunneling requires inspection of the data inside the packet (at least to establish the tunnel).
  2. port forwarding is 'stateless' in the sense that all data matching the rules is forwarded. Tunnels are stateful, and are controlled from outside the network protocol, and data from one packet is related to/dependent on data in another.

As a result, port forwarding can be performed by low-spec network gear: all it does is inspect the incoming port/host combination, rewrite the envelope, and redirect the packet somewhere else. Tunneling requires adding logic into the stream, which implies a heavier load and a beefier system to implement it on.


Posted 2014-05-05T13:10:52.363

Reputation: 771
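The two mechanisms contrasted in the answers above, the envelope-only rewrite of port forwarding versus the packet-inside-a-packet encapsulation of tunneling that Frank Thomas's SSH comment walks through, as an added Python example that is not part of this thread. It uses plain IP-in-IP as the tunnel rather than SSH, and the addresses, ports and HTTP request are constructed for illustration.

```python
import socket
import struct

IPPROTO_TCP, IPPROTO_IPIP = 6, 4  # IP-in-IP: the simplest packet-inside-a-packet tunnel

def checksum(data: bytes) -> int:
    """Ones'-complement checksum as used in the IPv4 header."""
    data += b"\0" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def build_tcp(sport: int, dport: int, data: bytes) -> bytes:
    """Minimal TCP header; checksum left zero, only the ports matter here."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 0xFFFF, 0, 0) + data

def parse_dst(packet: bytes) -> tuple:
    """Destination IP and TCP port, read from the envelope (headers) only."""
    return socket.inet_ntoa(packet[16:20]), struct.unpack("!H", packet[22:24])[0]

def sample_packet() -> bytes:
    """Constructed client packet: 10.0.0.5 -> 203.0.113.1:80 carrying an HTTP request."""
    return build_ipv4("10.0.0.5", "203.0.113.1", IPPROTO_TCP,
                      build_tcp(40000, 80, b"GET / HTTP/1.0\r\n\r\n"))

def port_forward(packet: bytes, rules: dict, state: dict) -> bytes:
    """NAT-style forwarding: match on the envelope only, rewrite the destination
    IP/port and record the mapping for replies. The payload is never inspected."""
    new_ip, new_port = rules[parse_dst(packet)]
    state[(new_ip, new_port)] = parse_dst(packet)
    tcp = packet[20:22] + struct.pack("!H", new_port) + packet[24:]
    return build_ipv4(socket.inet_ntoa(packet[12:16]), new_ip, IPPROTO_TCP, tcp)

def tunnel_encapsulate(inner: bytes, tun_src: str, tun_dst: str) -> bytes:
    """Tunneling: the whole inner packet, headers included, becomes the payload
    of an outer packet addressed to the tunnel endpoint, not to the real server."""
    return build_ipv4(tun_src, tun_dst, IPPROTO_IPIP, inner)

def tunnel_decapsulate(outer: bytes) -> bytes:
    """Tunnel endpoint strips the outer header; the inner packet is routed on unchanged."""
    if outer[9] != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP tunnel packet")
    return outer[20:]
```

Forwarding changes the packet's own destination and leaves the payload alone, while tunneling leaves the inner packet byte-for-byte intact and only adds an outer envelope, which is why a tunnel endpoint needs per-tunnel state and a forwarder does not.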