When managing a Windows VPS server, you often encounter situations where a service is running on an internal port, but you need to make it accessible to users on the public network. Port mapping becomes the crucial bridge in this case. It precisely forwards external network access to a specific port on the server's public IP address to a specific port on a specific machine within the internal network. In a Windows environment, we don't need third-party software; we can accomplish this task directly using the built-in CMD command-line tool.

The core command for port mapping is `netsh`, a powerful network configuration tool provided by Windows. Using it, you can create forwarding rules between different network interfaces and addresses. Before starting, you need to clarify several key pieces of information: your server's public IP address (or use "any" address), the port accessed by external users, the actual IP address of the internal service (usually 127.0.0.1 if the service is on the local machine), and the internal port it listens on.

First, you need to run Command Prompt (CMD) or Windows PowerShell as administrator; this is the foundation for all subsequent operations. Next, we focus on the most common scenario: forwarding a public port to another port on the local machine. Assuming your VPS's public IP address is `203.0.113.1`, and you want to forward all traffic from users accessing the public port `8080` to a web service running on port `80` on your local machine, the command format is as follows:

netsh interface portproxy add v4tov4 listenaddress=203.0.113.1 listenport=8080 connectaddress=127.0.0.1 connectport=80

Break down this command: `add v4tov4` adds an IPv4 to IPv4 mapping rule. `listenaddress` specifies which external address to listen for requests from; here, enter the server's public IP address. `listenport` is the port accessed by external users. `connectaddress` specifies which internal address to forward requests to; on your local machine, enter 127.0.0.1. `connectport` is the port that the internal service is actually listening on. After successful execution, any request to `http://203.0.113.1:8080` will be seamlessly forwarded to port 80 on the local machine.

If the server has multiple public IP addresses, or you want to listen for connections on all network interfaces, you can set `listenaddress` to `0.0.0.0`. This is a wildcard address, indicating that it listens on all available network interfaces on the server. The command would become:

netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=8080 connectaddress=127.0.0.1 connectport=80

Sometimes, internal services run on another machine on the local area network. Suppose there is a machine on the internal network with the IP address `192.168.1.100` running a remote desktop service, with the default port being 3389. You want public users to access it through port `33389` on the server's public IP address. The command needs to be adjusted as follows:

netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=33389 connectaddress=192.168.1.100 connectport=3389

After adding the mapping rules, how do you confirm that they are effective? You can use the `view` command to list all configured port proxy rules:

netsh interface portproxy show all

This command will output a clear list showing all the addresses and ports being listened to, as well as their corresponding forwarding targets, making it easy for you to check and manage. When you need to modify or delete a rule, first use the `view` command to confirm the specific parameters of the rule, and then use the `delete` command. For example, to delete the previously created rule listening on port 8080:

netsh interface portproxy delete v4tov4 listenaddress=203.0.113.1 listenport=8080

Configuring port mapping is only the first step; the Windows Firewall is a key factor affecting successful connections. By default, the Windows Firewall blocks unauthorized inbound connections. You must manually create inbound rules in your firewall for the port you specify on `listenport` to allow external traffic. This can be done through the Windows Firewall with Advanced Security graphical interface or via the command line. For example, to allow inbound connections to TCP port 8080:

netsh advfirewall firewall add rule name="Open Port 8080" dir=in action=allow protocol=TCP localport=8080

Mappings configured using `netsh interface portproxy` take effect immediately, but note that these rules are not automatically saved after a server restart. They are stored in memory and are lost upon system reboot. To create persistent rules, one approach is to write the above commands into a batch file (.bat) and place it in the system's startup folder, or schedule it to run automatically at startup via a task scheduler. Another more modern and recommended approach is to consider configuring the port mapping service, which requires long-term stable operation, instead using the Routing and Remote Access Service built into Windows Server, which provides a more persistent and manageable solution.

For more complex network scenarios, such as forwarding traffic from one network interface to a completely different one, or handling UDP forwarding, the `portproxy` functionality of `netsh` sometimes falls short. In these cases, you can explore the lower-level `interface ipv4` subcommands within `netsh` to set static routes or assess whether configuration at the network router level is necessary. For production environments requiring high performance and stability, especially for UDP forwarding (commonly used in game servers, video streaming, etc.), using professional third-party port forwarding software (such as rinetd's Windows port forwarding) or directly configuring a hardware firewall/router is often a more reliable choice.

In short, using CMD for port mapping on a Windows VPS server is a powerful and flexible skill. It allows you to quickly build temporary access channels for service testing and remote debugging. The key is to understand the basic structure of the `netsh interface portproxy` command and remember the corresponding firewall configuration.