Local Forwards
Local forwarding is the most common type of SSH port forwarding. It lets you reach a service on or behind the SSH server by opening a listening port on your own device. Traffic flows from your device, through the encrypted SSH tunnel, and out to the destination on the remote side.
Equivalent SSH command: ssh -L [bind_address:]bind_port:remote_host:remote_port user@server
When to use local forwarding
Section titled “When to use local forwarding”Use local forwarding any time you want to access a service that is only reachable from the SSH server or its local network. Typical scenarios:
- Web UIs behind a firewall: Proxmox (8006), Grafana (3000), Pi-hole (80), Home Assistant (8123), Portainer (9443), Cockpit (9090).
- Databases: PostgreSQL (5432), MySQL/MariaDB (3306), MongoDB (27017), Redis (6379). Connect your local database client through the tunnel instead of exposing the port to the internet.
- Remote desktop: VNC (5900), RDP (3389), SPICE (5930). Forward the port and connect your viewer to localhost.
- Development servers: A Node.js or Python dev server running on the SSH host that only binds to 127.0.0.1 remotely.
- Network equipment admin pages: Routers, switches, or access points on the server’s LAN that have web interfaces on private IPs.
How ZestSSH implements it
Section titled “How ZestSSH implements it”When you start a local forward, ZestSSH binds a real TCP server socket on the address and port you specify. For each incoming connection to that socket, it opens a direct-tcpip SSH channel to the destination host and port, then relays data bidirectionally between the local socket and the SSH channel. This matches the behavior of OpenSSH’s -L flag and supports multiple simultaneous client connections through the same tunnel.
If you set the source port to 0, the operating system assigns an ephemeral port automatically. ZestSSH reports the actual bound port so you know where to connect.
Bind address options
Section titled “Bind address options”The Bind Address field controls which network interface the local listener binds to. This determines who can use the tunnel:
| Bind Address | Who can connect | When to use |
|---|---|---|
127.0.0.1 (default) | Only your device | Almost always. This is the safest option. |
0.0.0.0 | Any device on your local network | When you want other devices (a second laptop, a tablet) to route through your tunnel. For example, forwarding a database port so a colleague on the same Wi-Fi can connect. |
| A specific LAN IP | Only devices that can reach that IP | Rare. Useful if your device has multiple network interfaces and you want to restrict the listener to one of them. |
Security note: Binding to 0.0.0.0 exposes the tunnel to your entire local network. Anyone on that network can connect to the forwarded port on your device. Only use this when you trust the network and specifically need it.
Step-by-step example: reaching Proxmox on a private LAN
Section titled “Step-by-step example: reaching Proxmox on a private LAN”You have an SSH server at myserver.com (public IP). Behind it, there is a Proxmox host at 192.168.1.10 with its web UI on port 8006. You want to manage Proxmox from your phone.
- Connect to
myserver.comin ZestSSH. - Open the port forwarding screen (swap arrows icon).
- Tap Add Forward and configure:
- Type: Local
- Nickname:
Proxmox - Source Port:
8006 - Destination Host:
192.168.1.10 - Destination Port:
8006 - Bind Address:
127.0.0.1 - Auto-activate: On
- Tap Add, then start the forward.
- Open your browser and navigate to
https://localhost:8006.
You will see the Proxmox login page, served securely through your SSH tunnel.
More examples
Section titled “More examples”PostgreSQL on the server itself:
Source Port: 5432Destination Host: localhostDestination Port: 5432Then connect your database tool (pgAdmin, DBeaver, DataGrip) to localhost:5432. The word localhost in the Destination Host field means the SSH server’s own loopback — not your device.
Web app dev server on a different port:
Source Port: 3000Destination Host: localhostDestination Port: 3000Browse to http://localhost:3000 to see the dev server running on the SSH host.
Internal wiki on another LAN machine:
Source Port: 8080Destination Host: 10.0.0.25Destination Port: 80Browse to http://localhost:8080. The SSH server reaches out to 10.0.0.25:80 on your behalf.
- Source and destination ports do not have to match. If port 80 is already in use on your device, forward from a different source port like 8080. The destination port is what matters on the remote side.
- Use the presets. When adding a forward, the Web and Database preset chips fill in sensible defaults so you do not have to remember common port numbers.
- Label your forwards. Nicknames like “Proxmox” or “Prod DB” make it easy to identify which tunnel is which when you have several running.
- Auto-activate saves time. For tunnels you use every session, enable auto-activate so the forward starts as soon as you connect.
- Port 0 for throwaway tunnels. Set the source port to 0 and let the OS pick a free port. ZestSSH shows the actual port it bound to.
Related
Section titled “Related”- Port Forwarding overview — the three types compared side by side.
- Remote Forwards — the reverse direction.
- Jump Hosts — combine a jump host with local forwarding to reach deeply nested networks.