Does port forwarding 9 for Wake On Lan expose my network to attackers?

I'm trying to set up Wake on WAN so that I can turn on my computer when I'm not home.

By port forwarding UDP 9 everything works flawlessly, but I'm concerned about the security risks.


Any port forwarding is a security risk.

If you're forwarding to a specific (unicast) IP address with a static ARP entry in the router you can minimize the risk. The MAC address in the static ARP entry isn't even relevant - if it's unknown or its node is down it's flooded to the entire network anyway. However, with a specific MAC, all the other nodes' NICs won't even accept the frame but just ignore it. The static ARP entry is required as the router would otherwise try to dynamically ARP the unicast IP and, failing that, drop the packet.

Forwarding to a broadcast address makes all active nodes receive that potentially dangerous IP packet. However, if there's no application listening on UDP port 9 anywhere, the datagram is dropped/ignored again. You might be just fine with that as well. (Port 9 for both TCP and UDP is officially used by the Discard protocol that just blackholes data, so it's ideally suited for WoL.)

Of course, either way, anyone on the Internet can wake up machines in your network that they know (or guess) the MAC address of. If you're using Wi-Fi bridged into Ethernet (the common way), those MAC addresses may be visible on wireless.

The proper way to do all that is to set up a VPN on your router, connect to that and then send the WoL magic packet through the tunnel.
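As an added example (not part of the question or answer above), this shows what the magic packet the answer talks about actually looks like on the wire, and how a datagram arriving on the forwarded UDP/9 port can be checked and logged by the receiving side; the function names are my own and the MAC addresses are constructed sample values.

```python
import re
import socket

# Accepts "aa:bb:cc:dd:ee:ff", "aa-bb-cc-dd-ee-ff" or "aabbccddeeff".
MAC_RE = re.compile(r"^" + r"([0-9A-Fa-f]{2})[:-]?" * 5 + r"([0-9A-Fa-f]{2})$")


def mac_to_bytes(mac: str) -> bytes:
    """Parse a textual MAC address into its 6 raw bytes."""
    m = MAC_RE.match(mac.strip())
    if not m:
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes(int(g, 16) for g in m.groups())


def build_magic_packet(mac: str) -> bytes:
    """A WoL magic packet is 6 bytes of 0xFF followed by the target MAC repeated 16 times (102 bytes)."""
    return b"\xff" * 6 + mac_to_bytes(mac) * 16


def parse_magic_packet(data: bytes):
    """Return the target MAC as 'aa:bb:cc:dd:ee:ff' if data is a well-formed magic packet, else None.

    Anything else that lands on the forwarded port (random scans, junk) is rejected here.
    Trailing bytes after the 102-byte body are tolerated (some NICs append a password there).
    """
    if len(data) < 102 or data[:6] != b"\xff" * 6:
        return None
    body = data[6:102]
    mac = body[:6]
    if body != mac * 16:  # all 16 copies must be identical
        return None
    return ":".join(f"{b:02x}" for b in mac)


def send_wol(mac: str, target_ip: str, port: int = 9) -> int:
    """Send the magic packet as one UDP datagram.

    target_ip should be the unicast address the router forwards to (the answer's
    static-ARP setup); a broadcast address also works but reaches every node.
    """
    pkt = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)  # needed only for broadcast targets
        return s.sendto(pkt, (target_ip, port))
```

Running `parse_magic_packet` on whatever arrives on the forwarded port (for example from a small listener or a packet capture) gives you a log of which MAC each wake-up attempt targeted, which is the one piece of visibility the plain port forward otherwise lacks.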