Open Port Checker: check if a port is open from anywhere on the internet.
Run an online port check from an external server: this port scanner tests whether any TCP port is open on an IPv4 address, IPv6 address or hostname in under 2 seconds. A fast, free alternative to an nmap scan - no install and no sign-up, so you see exactly what the rest of the internet sees.
How to check an open port in three steps.
To scan a port, each probe is sent from our external server in eu-west-1, never from your browser or local machine. As a result, the port check shows genuine internet reachability - revealing how firewalls, ISP blocks, and NAT rules appear from beyond your network.
Point it at a target
An IPv4 address, IPv6 address or hostname, along with a port between 1 and 65535. The common ones are one click away.
TCP SYN from eu-west-1
Dispatched from our external server - never from your local network. To the target, it looks like a genuine internet client.
Three possible outcomes
SYN-ACK signals open. RST signals closed. No reply signals filtered.
Common Ports Reference
IANA-assigned ports for standard protocols - the ones you encounter most frequently in firewall configs, deployment checklists, and security audits.
| Port | Name | Description |
|---|---|---|
| 80 | HTTP | The main port for unencrypted web browsing. Web servers generally rely on it for standard HTTP connections, and any site loaded without encryption travels over this port. |
| 443 | HTTPS | Encrypted web traffic secured with TLS/SSL. Essential for safe e-commerce, login pages, and any site that handles sensitive information. |
| 22 | SSH | An encrypted protocol for secure remote server access. It lets administrators sign in and run commands on remote systems safely. |
| 21 | FTP | An older protocol for transferring files between systems. Because it has no encryption, it is insecure - use SFTP (port 22) or FTPS (port 990) for safe transfers instead. |
| 25 | SMTP | The standard port for sending email between mail servers. ISPs often block it to curb spam, and modern email setups favor ports 587 or 465. |
| 53 | DNS | Translates human-readable domain names into numeric IP addresses - a core internet service. It generally uses UDP for ordinary queries and TCP for larger data transfers. |
| 110 | POP3 | An email retrieval protocol that pulls messages onto your device and removes them from the server. For an encrypted connection, use POP3S on port 995. |
| 143 | IMAP | An email protocol that keeps messages on the server so you can reach them from several devices. For encrypted connections, use IMAPS on port 993. |
| 993 | IMAPS | An encrypted version of IMAP protected by SSL/TLS. It is the recommended way to access IMAP email in today's email clients. |
| 3389 | RDP | Microsoft's protocol for remotely controlling the desktop of Windows machines. It needs strong password protection and, ideally, VPN access to stay secure. |
| 3306 | MySQL | The default TCP port for MySQL connections. Bind it only to localhost or a private interface - an open port 3306 on a public IP is a critical server misconfiguration. |
| 5432 | PostgreSQL | PostgreSQL's default port. Proper production deployments never expose port 5432 to the public internet, so if it appears open, investigate right away. |
| 6379 | Redis | The default port for the Redis in-memory database, widely used for caching and session management. It should require authentication and stay private rather than being publicly exposed. |
| 27017 | MongoDB | MongoDB's default TCP port. It should never be reachable from the public internet - MongoDB instances left open on port 27017 are a common cause of data breaches on misconfigured servers. |
Made for people who practically live in a terminal.
Whether it's gamers debugging port forwarding, sysadmins auditing firewall rules, or developers verifying a deployment is reachable - port checking is one of those tools everyone in tech ends up needing sooner or later.
Gamers
Confirm game server accessibility by checking key multiplayer ports such as 25565 for Minecraft or 27015 for Counter-Strike. Port checking makes it easier to track down connection issues and set up port forwarding on routers.
Network Administrators
Audit open and closed ports to uncover security risks, verify firewall rules, and keep enterprise networks tightly secured. Routine checks also help confirm segmentation policies and quickly flag unexpected exposed services.
Web Developers
Confirm website and API accessibility by checking HTTP port 80 and HTTPS port 443 from outside networks. Port checking proves services are reachable during deployment and verifies firewall configurations for web applications.
System Administrators
Check port availability for remote access tools such as SSH on port 22, RDP on port 3389, or FTP on port 21. Port checking makes sure remote management protocols are set up correctly and confirms security policies are properly enforced.
Home Users
Find out whether internet service providers are blocking ports needed to host personal websites, VoIP systems, or email servers. Port checking reveals ISP restrictions and guides router configuration for home network services.
IT Support Teams
Diagnose client connectivity issues by checking remote server ports in real time. Port checking shows whether the trouble comes from port blocking, firewall misconfigurations, or service outages, enabling faster problem resolution.
What makes this open port checker different.
No account and nothing to install. Type in any IPv4 address, IPv6 address or hostname plus a port number, and this online port tester runs the scan from an external server and delivers a real TCP result in under 2 seconds. Free, with no rate limits.
Lightning Fast
TCP probes fire off the instant you click. Our eu-west-1 prober returns results in under 2 seconds - no queues, no polling delays.
Highly Reliable
Each port check is run from a dedicated external server rather than your browser. The result mirrors true internet reachability - the very same SYN-ACK or RST that any real client would get.
Completely Free
Use every feature without registration, subscriptions, or hidden fees. Our port checker is free, with no cap on how many checks you can run.
Batch Port Checking
Test as many as 10 ports simultaneously. Batch checking is a real time-saver when probing several services or running thorough network audits.
Quick Port Selection
Enjoy one-click access to common ports such as HTTP, HTTPS, SSH, FTP, and database ports. Quick selection cuts out manual entry mistakes.
IPv4 and IPv6 Support
Check ports on both IPv4 and IPv6 addresses, along with domain names. Complete protocol support means you can verify connectivity for any network configuration.
Common questions.
Start by confirming the service listens on every network interface, not only localhost (127.0.0.1). Next, make sure your host firewall permits inbound traffic on that port, and set up NAT port forwarding on your router if you sit behind one. Use our Port Checker to probe from an external network. A closed result indicates the host is actively turning connections away, which usually means a missing firewall rule or a service that is not running. A filtered result means a firewall is quietly discarding packets before they ever reach the host.
Type in a domain name or IP address along with a port number between 1 and 65535, then click Check Port. The tool tries to open a TCP connection from our server to your target, checking reachability from beyond your own network. Open means the port accepts external connections. Closed means the host actively refused the connection with a TCP RST packet. Filtered means no reply arrived within the timeout window, which usually signals a firewall quietly dropping packets.
A port checker dispatches a TCP SYN packet to a given host and port, then reads the response. When the port is open, the host answers with TCP SYN-ACK, the second step of the connection handshake. When closed, the host sends back a TCP RST packet, actively refusing the connection. When filtered, no answer comes and the request times out, a sign that a firewall is quietly dropping packets.
Port knocking conceals a service port (usually SSH on port 22) by leaving it firewalled until a client knocks on a predefined sequence of ports in the right order, for instance 7000, 8000, 9000. The firewall recognizes that sequence and briefly opens the target port for that particular IP address. Port knocking lowers exposure to automated scanners and brute-force attacks, though it is no replacement for strong authentication.
A port becomes a concern when it sits in a state you did not expect. An unexpectedly open port can point to a misconfigured service, a rogue process, or a compromised host. An unexpectedly closed or filtered port on a service you need means traffic is being blocked. The crucial difference is between closed and filtered: a closed port returns a TCP RST response, so the host is reachable but the service is not running. A filtered port returns nothing at all, so a firewall is blocking access before the host can reply.
TCP (Transmission Control Protocol) is connection-oriented and ensures reliable, ordered delivery via a three-way handshake (SYN, SYN-ACK, ACK). Typical TCP ports include 22 (SSH), 25 (SMTP), 80 (HTTP), 443 (HTTPS), and 3306 (MySQL). UDP (User Datagram Protocol) is connectionless and fires off packets without confirming they arrive, which trims latency. Typical UDP ports include 53 (DNS queries), 67 and 68 (DHCP), 123 (NTP), and game server ports like 27015 (Counter-Strike). Most port checkers, ours included, test TCP connectivity.
IANA splits network ports into three ranges. Well-known ports (0 to 1023) are reserved for standard protocols and cover HTTP (80), HTTPS (443), SSH (22), FTP (21), SMTP (25), and DNS (53). Registered ports (1024 to 49151) belong to applications that registered with IANA, such as MySQL (3306), PostgreSQL (5432), Redis (6379), and MongoDB (27017). Ephemeral or dynamic ports (49152 to 65535) are handed out temporarily by the operating system for outbound connections.
Most home ISPs block inbound connections on port 25 (SMTP), port 80 (HTTP), port 443 (HTTPS), and port 8080 to keep customers from running public-facing servers on consumer lines. Port 25 is blocked on nearly all residential IPs to limit spam at its source. A few ISPs also block port 22 (SSH) inbound. Business-grade or static IP plans usually permit these ports.
Port forwarding is a NAT (Network Address Translation) rule set on a router that steers inbound traffic arriving on a particular external port toward a private IP address and port inside the local network. When a packet reaches your router's public IP on the forwarded port, the router rewrites the destination address and passes the packet along to the internal device. Without it, all unsolicited inbound traffic is dropped at the router, since the router has no mapping telling it where to send the packet. To confirm a port forward works, run an external port checker once the rule is in place - if the port shows as open, the router is forwarding correctly to the internal service.
TCP port checking works by starting a connection handshake (SYN) and reading the reply: SYN-ACK means open, RST means closed, and no reply means filtered. UDP has no handshake at all - it sends a datagram and gets no acknowledgment when the port is open. An open UDP port just accepts the packet silently. The only signal of a closed UDP port is an ICMP port-unreachable message from the host, but many hosts suppress those messages, leaving UDP open and UDP filtered indistinguishable to a remote prober. That unreliability makes external UDP port checking impractical for most situations.
The port checker verifies that the TCP port accepts connections at the network level, yet application-layer problems can still stop your software from working. Frequent causes: the service expects TLS but your client connects without it (or the reverse); the service needs a specific hostname through SNI or virtual hosting that differs from the IP being tested; the application uses IP allowlisting that blocks your client's IP while letting the prober's through; or the service accepts the connection and then immediately closes it because authentication failed. A port shown as open means the TCP handshake finished - it is no guarantee that the service behind it will accept your particular request.
No. An external port checker fires its probes from a server on the public internet and cannot reach private IP address ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or the loopback address (127.0.0.1). Those addresses are not routable on the public internet, so packets aimed at them are dropped at the first router. To check ports on a local machine or private network, run command-line tools like nc (netcat), telnet, or nmap directly from inside the same network. External port checkers are only good for testing public-facing services.
The rule of thumb is to open only the ports your service truly needs and firewall everything else. High-risk ports that automated scanners often target include: 22 (SSH) - limit to specific source IPs or move it to a non-standard port; 23 (Telnet) - turn it off completely and use SSH instead; 3389 (RDP) - never expose it publicly without a VPN in front; 3306 (MySQL), 5432 (PostgreSQL), 6379 (Redis), 27017 (MongoDB) - database ports should never be publicly accessible. Swap FTP (21) for SFTP over SSH. Periodically scan your own server to make sure no unexpected services have been exposed.
The TCP three-way handshake is the connection setup sequence that runs before any data moves. Step 1: the client sends a SYN (synchronize) packet carrying a randomly chosen sequence number. Step 2: if the port is open, the server replies with SYN-ACK, acknowledging the client's sequence number and supplying its own. Step 3: the client returns ACK to confirm receipt, finishing the handshake. Port checkers lean on this mechanism to work out port state: a SYN-ACK in step 2 proves the port is open. A RST (reset) reply in place of SYN-ACK means the port is closed. No reply within the timeout window means a firewall is filtering the port.
Free port check: test any TCP port in seconds
A port check works by attempting a real TCP connection to a specific port on a target host. The tool sends a connection request and waits for a response. Based on what comes back, it reports the port as Open (connection accepted), Closed (connection actively refused), or Timeout (no response within 4 seconds). This is the same mechanism your browser or SSH client uses when it connects to a remote service.
Pingie's open port checker runs that test from an external server, so the result reflects what the public internet actually sees, not what your local network allows.
What the results mean
Each result includes the service name mapped to the port number (for example, port 80 maps to HTTP), a status badge, and the response time in milliseconds. Understanding the three statuses helps you diagnose the real problem.
- Open: The host accepted the TCP handshake. A service is actively listening on that port and is reachable from the internet.
- Closed: The host replied with a TCP RST (reset). The port is reachable but nothing is listening, or a firewall is sending an explicit rejection.
- Timeout: No reply arrived within 4 seconds. This usually means a firewall is silently dropping packets, the host is offline, or routing is broken between the checker and the target.
Closed and Timeout look similar from a user perspective but have different causes. A closed port means the host is reachable. A timeout often means the host is not reachable at all, or a stateful firewall is blocking the path.
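The three statuses above can be reproduced with an ordinary TCP connect, shown here as an added example (not Pingie's code). The names `check_port`, `PortResult` and `loopback_demo` are assumptions, as is the extra "error" status for failures that fit none of the three; the demo only touches sockets constructed on the loopback interface.

```python
import socket
import time
from dataclasses import dataclass

TIMEOUT_S = 4.0  # timeout window stated on the page


@dataclass
class PortResult:
    status: str        # "open", "closed", "timeout" or "error"
    elapsed_ms: float  # time until the outcome was known
    detail: str


def check_port(host: str, port: int, timeout: float = TIMEOUT_S) -> PortResult:
    """Attempt one TCP connection and classify the outcome."""
    if not 1 <= port <= 65535:
        raise ValueError("port must be between 1 and 65535")
    start = time.monotonic()

    def done(status: str, detail: str) -> PortResult:
        return PortResult(status, (time.monotonic() - start) * 1000.0, detail)

    try:
        # Works for IPv4 literals, IPv6 literals and hostnames alike.
        family, socktype, proto, _, sockaddr = socket.getaddrinfo(
            host, port, type=socket.SOCK_STREAM)[0]
    except socket.gaierror as exc:
        return done("error", f"name resolution failed: {exc}")

    sock = socket.socket(family, socktype, proto)
    sock.settimeout(timeout)
    try:
        sock.connect(sockaddr)
        return done("open", "SYN-ACK received, handshake completed")
    except ConnectionRefusedError:
        return done("closed", "RST received, nothing accepting connections")
    except (socket.timeout, TimeoutError):
        return done("timeout", f"no reply within {timeout:g} s")
    except OSError as exc:
        # e.g. an ICMP host/network unreachable reported by a router on the path
        return done("error", f"{type(exc).__name__}: {exc}")
    finally:
        sock.close()


def loopback_demo() -> tuple:
    """Exercise 'open' and 'closed' against constructed local sockets."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    open_result = check_port("127.0.0.1", port, timeout=2.0)
    listener.close()                  # nothing listens on that port any more
    closed_result = check_port("127.0.0.1", port, timeout=2.0)
    return open_result, closed_result


if __name__ == "__main__":
    for result in loopback_demo():
        print(f"{result.status:8s} {result.elapsed_ms:7.2f} ms  {result.detail}")
```

A closed result normally comes back within a round trip, while a timeout always costs the full window, so the response time is itself a hint about which of the two you are looking at.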
How to use the tool
- Enter an IPv4 address, an IPv6 address, or a hostname in the IP Address or Hostname field.
- Type a port number between 1 and 65535 in the Port field, or click one of the Quick Port Buttons: HTTP 80, HTTPS 443, SSH 22, FTP 21, SMTP 25, RDP 3389, MySQL 3306, or PostgreSQL 5432.
- Click Check Port. The result appears with a status badge, service name, response time, and a short descriptive message.
To test several ports at once, open the Advanced · batch check panel and enter up to 10 comma-separated port numbers. Click Check Ports and each port is tested individually, with its own status line in the results. Previous checks are saved in your browser's local storage and shown in the history section below the form.
The tool only accepts globally routable addresses. Private ranges such as 10.x, 192.168.x, and 127.x are rejected by design, because the checker runs on an external server where those addresses are not reachable anyway.
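One way to enforce this rule before any probe is sent, as an added example (not Pingie's code): `validate_target`, `TargetRejected`, `is_allowed` and the injectable `resolver` are assumed names. It goes beyond the ranges named above by using Python's `is_global` test, unwrapping IPv4-mapped IPv6 literals, and checking every address a hostname resolves to.

```python
import ipaddress
import socket


class TargetRejected(ValueError):
    """The host or port is not acceptable for an external probe."""


def system_resolver(hostname: str) -> list:
    """Default resolver: every address the hostname maps to."""
    infos = socket.getaddrinfo(hostname, None, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def _normalize(text: str):
    ip = ipaddress.ip_address(text)
    # ::ffff:10.0.0.5 is 10.0.0.5 in disguise; judge the embedded IPv4 address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip


def validate_target(host: str, port: int, resolver=system_resolver) -> list:
    """Return the (address, port) pairs that may be probed, or raise."""
    if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
        raise TargetRejected("port must be an integer between 1 and 65535")
    host = host.strip().strip("[]")  # tolerate a bracketed IPv6 literal
    try:
        candidates = [_normalize(host)]
    except ValueError:
        # Not an IP literal, so treat it as a hostname and resolve it once.
        try:
            candidates = [_normalize(addr) for addr in resolver(host)]
        except OSError as exc:
            raise TargetRejected(f"cannot resolve {host!r}: {exc}") from exc
        if not candidates:
            raise TargetRejected(f"{host!r} has no addresses")
    for ip in candidates:
        # One private answer is enough to reject: a name that mixes public
        # and private records must not steer the probe at an internal host.
        if not ip.is_global:
            raise TargetRejected(f"{ip} is not globally routable")
    return [(str(ip), port) for ip in candidates]


def is_allowed(host: str, port: int, resolver=system_resolver) -> bool:
    try:
        validate_target(host, port, resolver)
        return True
    except TargetRejected:
        return False


if __name__ == "__main__":
    # Constructed sample inputs; no packets are sent by this block.
    samples = ["1.1.1.1", "10.0.0.5", "172.16.5.4", "192.168.1.10",
               "127.0.0.1", "::1", "::ffff:10.0.0.5"]
    for sample in samples:
        print(f"{sample:18s} {'accepted' if is_allowed(sample, 443) else 'rejected'}")
```

Probe the returned address rather than resolving the hostname a second time, so the address that passed validation is the one that receives the connection.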
When to run an online port scan
An online port scan from an external vantage point answers a specific question: is this port reachable from outside my network? Local tools like `telnet` or `netstat` tell you what is open on your own machine. An external online IP port scanner tells you what a remote user, a customer, or an attacker would actually see.
Common situations where this matters:
- Verifying a firewall rule change took effect on a cloud server or VPS.
- Confirming a web server is accepting HTTPS connections after installing a certificate.
- Diagnosing why a game server, mail server, or database is unreachable from the internet.
- Checking whether a port-forwarding rule on a home router is working correctly.
- Auditing which ports are publicly exposed before a security review.
The checker tests TCP connections only. UDP ports require a different method and are not supported here. If you need to verify DNS resolution alongside port availability, the DNS lookup tool is a good companion check.
How this differs from other network checks
A port checker and a ping tool both probe a remote host, but they operate at different layers. Ping sends ICMP echo requests to test basic reachability. A network port checker opens a TCP connection to a specific port to test whether a service is accessible. A host can be pingable but have all ports blocked, or it can be unpingable (ICMP disabled) while serving HTTP normally. Use the ping tool to confirm a host is reachable, then use this checker to confirm the specific service port is open.
Compared to a full port scanner like Nmap, this tool is narrower in scope by design. It checks one port (or up to 10 in batch mode) against one host. It does not fingerprint services, scan port ranges, or perform OS detection. That makes it appropriate for quick verification tasks rather than broad reconnaissance.
FAQ
The tool attempts a TCP three-way handshake to the port you specify. It sends a SYN packet and waits for a SYN-ACK (open), a RST (closed), or nothing at all (timeout). This confirms whether a service is accepting connections from the public internet. It does not log in, read data, or interact with the service beyond the initial connection attempt.
Open means the host completed the TCP handshake, so a service is listening and reachable. Closed means the host sent a TCP RST, meaning it is reachable but nothing is listening on that port (or a firewall is actively rejecting the connection). Timeout means no response arrived within 4 seconds, which typically indicates a firewall is silently dropping packets, the host is offline, or there is a routing problem between the checker server and the target.
Yes. Open the Advanced · batch check panel, enter up to 10 comma-separated port numbers, and click Check Ports. Each port is tested as a separate TCP connection, and results appear individually with their own status and response time. The limit of 10 ports per request keeps response times reasonable and prevents the tool from being used as a broad scanner.
The checker runs on a server on the public internet. Private IP ranges (10.x, 192.168.x, 127.x) are not routable from outside your local network, so any check against them would always time out and produce a meaningless result. The tool validates the input and rejects private ranges upfront to avoid misleading results. To test a private address, you need a tool running inside the same local network.
No. The tool tests TCP connections only. UDP is a connectionless protocol, so there is no handshake to complete or refuse. Probing UDP ports requires sending protocol-specific payloads and waiting for application-level responses or ICMP unreachable messages, which is a fundamentally different process. If you need to check a UDP-based service such as DNS or DTLS, you will need a dedicated UDP testing tool.
Ping sends ICMP echo packets to test whether a host is reachable at the network layer. A port check opens a TCP connection to a specific port to test whether a service is accessible at the transport layer. A host can respond to ping but have all TCP ports blocked by a firewall, or it can serve web traffic on port 443 while blocking ICMP entirely. Use the ping tool to confirm basic reachability, then use the port checker to confirm a specific service is accessible.
Yes. You can enter an IPv6 address directly in the host field, and hostnames that resolve to IPv6 addresses are also supported. The TCP connection attempt is made over IPv6 in those cases. If you want to verify whether your website is reachable over IPv6 specifically, the IPv6 website test provides a dedicated check for that scenario.
The tool allows up to 10 checks per minute from a single IP address. This limit applies to individual checks and batch requests combined. It exists to keep the service available to all users and to prevent the tool from being used as a high-volume scanner. For most diagnostic and verification tasks, 10 checks per minute is more than sufficient.
The history panel you see on the page is stored in your browser's local storage and never sent to the server. However, each check request is logged server-side for abuse prevention and service monitoring purposes, including the target host, port, result, and your IP address. If you have questions about data retention, the privacy policy has the full details.
The checker confirms only that a TCP connection can be established from the checker's server to the target port. Your application may be failing for other reasons: TLS certificate errors, authentication failures, application-level protocol mismatches, or geographic IP blocks that affect your location but not the checker's server location. An open result rules out firewall and routing issues but does not guarantee the service will work correctly for every client.
The Quick Port Buttons cover the most commonly checked TCP ports: HTTP (80), HTTPS (443), SSH (22), FTP (21), SMTP (25), RDP (3389), MySQL (3306), and PostgreSQL (5432). Clicking a button fills the port field automatically. You can still type any port number between 1 and 65535 manually if the port you need is not in the preset list.
Yes. The port checker is free with no account required. The rate limit of 10 checks per minute per IP address applies to all users. There is no paid tier that removes this limit. The tool is part of the broader set of network diagnostics available at the Pingie tools hub, all of which are free to use in the same way.