Remote operation port forwarding requirement

I'm somehow missing one bit of information. I just can't seem to find an answer. Is port forwarding required for remote operation? If so, which ports? I know how to set up port forwarding in my router. I just can't determine which port(s) are required. Any help appreciated.

Answers

  • Mike-VA3MW
    Mike-VA3MW Administrator, FlexRadio Employee, Community Manager, Super Elmer, Moderator admin

    Hi Doug

    Check chapter 9 of the SmartSDR manual as it has all the details. The radio requires 4993 and 4994 (UDP and TCP). The outside ports can be anything you choose.

    If your router supports UPnP, it is automatic.

  • N5NHJ
    N5NHJ Member ✭✭✭

    Hi Doug,

    Adding to Mike's note, if you are planning to use any application or device that talks to the Flex using the API ports (MorCoNI is an example), you also need to forward port 4992.

  • Mike-VA3MW
    Mike-VA3MW Administrator, FlexRadio Employee, Community Manager, Super Elmer, Moderator admin

    I really need to stress this point: opening TCP port 4992 to the outside world (WAN side) is strongly discouraged. That port is essentially the “front door” to your radio’s command and control interface. If it’s exposed directly to the internet without any kind of protection, you’re inviting serious security risks.

    Here’s why:

    • No Authentication on 4992: This port handles raw TCP commands that control the radio. If someone discovers it’s open—and scans for it—they can potentially send commands to your radio. There’s no login prompt or password protection baked into that layer. It's just listening for trusted connections on an internal home network.
    • Highly Discoverable: There are automated tools (bots and scanners) constantly sweeping the internet looking for open ports. Once they find it, they can probe for vulnerabilities or exploit misconfigurations.
    • FlexRadio Did It Right with SmartLink: SmartLink was designed to be secure—it uses encrypted authentication, NAT traversal, and a controlled backend. Port 4992 was never meant to be exposed the way 4993 and 4994 are through SmartLink.

    Now, when you’re using tools like Morconi, a great remote CW solution, the safe and proper way to use them is through a VPN connection into your home network. That way:

    • You’re not exposing any sensitive ports directly to the internet.
    • Your traffic is encrypted end-to-end.
    • Only trusted devices (connected via VPN) can reach and control the radio.

    A VPN like Tailscale, ZeroTier, or even a traditional OpenVPN setup will give you secure, private access to your radio from anywhere—without putting your station at risk.

    If you’re not familiar with setting up a VPN, there are good guides out there—or plenty of folks here in the community willing to help.

    Bottom line: keep port 4992 closed to the outside world. It’s just not worth the risk.

  • N5NHJ
    N5NHJ Member ✭✭✭

    A basic IP whitelist—supported by nearly all routers—can effectively address the lack of built-in protection.
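
The port guidance in this thread, expressed as a check over a router's port-forward list (an added example, not part of any post above and not FlexRadio code). The rule format, the sample rules and the address 192.168.1.50 are constructed for illustration; the check matches on the inside port because the outside port can be any number.

```python
import ipaddress
from dataclasses import dataclass

SMARTLINK_PORTS = {4993, 4994}  # ports the thread lists for remote operation
API_PORT = 4992                 # command/control port with no authentication

@dataclass
class Forward:                  # hypothetical rule format, not a router's real export
    proto: str                  # "tcp" or "udp"
    wan_port: int               # outside port (any number the owner chose)
    lan_ip: str
    lan_port: int               # inside port on the radio
    allowed_src: str            # source CIDR; "0.0.0.0/0" means anyone

def audit(rules, radio_ip):
    """Return (level, rule, note) for every forward that targets the radio."""
    findings = []
    for r in rules:
        if r.lan_ip != radio_ip:
            continue            # forward goes to some other LAN host
        src = ipaddress.ip_network(r.allowed_src, strict=False)
        if r.lan_port == API_PORT and src.prefixlen == 0:
            # Renumbering the outside port does not hide the API from scanners.
            findings.append(("HIGH", r, "port 4992 reachable from any address"))
        elif r.lan_port == API_PORT:
            findings.append(("RESTRICTED", r,
                             f"port 4992 forwarded, source limited to {src}"))
        elif r.lan_port in SMARTLINK_PORTS:
            findings.append(("OK", r, "SmartLink port"))
        else:
            findings.append(("REVIEW", r, "forward not covered in the thread"))
    return findings

# Constructed sample rules; 203.0.113.7 is a documentation address.
RADIO = "192.168.1.50"
SAMPLE = [
    Forward("udp", 4993, RADIO, 4993, "0.0.0.0/0"),
    Forward("tcp", 4994, RADIO, 4994, "0.0.0.0/0"),
    Forward("tcp", 24992, RADIO, 4992, "0.0.0.0/0"),     # renumbered outside port
    Forward("tcp", 4992, RADIO, 4992, "203.0.113.7/32"),  # IP allowlist
    Forward("tcp", 8080, "192.168.1.20", 80, "0.0.0.0/0"),
]

if __name__ == "__main__":
    for level, rule, note in audit(SAMPLE, RADIO):
        print(f"{level:10} {rule.proto}/{rule.wan_port} -> {rule.lan_port}: {note}")
```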
