113
ISP put me behind NAT (lemmy.world)
submitted 11 months ago* (last edited 11 months ago) by kokesh@lemmy.world to c/selfhosted@lemmy.world
103 comments fedilink hide all child comments

I'm connected via a 4G modem. Got this setup about 3 years ago. In the beginning it was enough to look for the public IP (what's my IP). The modem showed some sort of private ip in the ui. I'm running stuff at home (Homeassistant, Gitea,) and bought a domain and pointed it to my home IP via Cloudflare. After some time I've noticed my modem shows the public IP also internally. For about 2 years now it ran flawlessly, the IP changed from time to time, but not really more than once in several weeks. For about a week all stopped working and the modem shows IP 100.xxxx and outside 85.something I guess I'm behind NAT now. Normal port forwarding on the modem is useless now. Is it possible to open the ports via UPNP? I've tried via miniupnp from my Ubuntu server, but it just throws an error.

upnpc -a ifconfig enp1s0| grep "inet addr" | cut -d : -f 2 | cut -d " " -f 1 22 22 TCP

Can I use this to somehow open the ports via UPNP on my modem and bypass the blocking? I can't even OpenVPN to my modem anymore.

EDIT: i also run AdguardHome, that I use as Private DNS on my Android phone

UPDATE: everything except Adguard Home used as Private DND on my Android works! I've used this: https://github.com/mochman/Bypass_CGNAT/wiki/Oracle-Cloud-(Automatic-Installer-Script) - free Oracle VPS + automated well described script. Even HTTPS works fine!

top 50 comments
sorted by: hot top controversial new old
[-] jbloggs777@discuss.tchncs.de 59 points 11 months ago

Welcome to the world of Carrier Grade NAT. 100.64.0.0/10 is reserved for this.

If you are lucky, you also have an IPv6 address. The catch is you need IPv6 on the client-side too.

A VPS or similar running wireguard and a proxy might bridge the gap.

It might also be possible to ask your provider for some port forwarding. Probably not, but check anyway.

Good luck!

[-] Kwa@derpzilla.net 4 points 11 months ago

This is exactly what happened to me, but was able to contact my ISP to drop IPv6 support and get back my ports forwarding to work on my line

[-] WaterWaiver@aussie.zone 23 points 11 months ago* (last edited 11 months ago)

N.B. to anyone reading this: ask your isp to "opt out of CG-NAT". Talking about IPv6 may confuse the staffer you're talking to, it's partially related but not the fully picture.

[-] Decronym@lemmy.decronym.xyz 53 points 11 months ago* (last edited 11 months ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
CGNAT Carrier-Grade NAT
DNS Domain Name Service/System
Git Popular version control system, primarily for code
HTTP Hypertext Transfer Protocol, the Web
IP Internet Protocol
NAT Network Address Translation
VPN Virtual Private Network
VPS Virtual Private Server (opposed to shared hosting)
nginx Popular HTTP server

[Thread #274 for this sub, first seen 11th Nov 2023, 18:30] [FAQ] [Full list] [Contact] [Source code]

[-] lemann@lemmy.one 15 points 11 months ago

Neat bot!

[-] Ozzy@lemmy.ml 7 points 11 months ago

Yo this bot is super helpful

[-] alnitak@yiffit.net 4 points 11 months ago

Oh I love this idea for a bot! Well done!

[-] vaselined@lemmy.world 3 points 11 months ago

Good bot

[-] Dave@lemmy.nz 35 points 11 months ago

You're already using cloudflare, so check out cloudflare tunnels. You install their software on your server which makes an outbound connection, bypassing the need for open ports or a public IP. Note this only does http traffic.

Another option is tail scale, which won't make your site public but will let you access it remotely on devices you have their software/app on.

[-] farcaller@fstab.sh 3 points 11 months ago

I’m actually not sure you can easily get tailscale up and running om such as a setup as it uses the same cgnat ip range.

[-] Dave@lemmy.nz 9 points 11 months ago

This page says (at the very bottom):

Tailscale can route its packets peer-to-peer over IPv4 or IPv6, with and without NAT, multi-layer NAT, or CGNAT in the path.

load more comments (3 replies)
[-] c10l@lemmy.world 6 points 11 months ago

Been using Tailscale behind CG-NAT for years. It works wonderfully and very rarely needs to route through the DERP infrastructure - it’s almost always a P2P connection.

[-] Greg@lemmy.ca 2 points 11 months ago

I haven't had any issues running Tailscale and cloudflared on the same machines

load more comments (1 replies)
[-] clericc@feddit.de 24 points 11 months ago

i've been on CGNAT and just pointed my domain to my ipv6 address with no issues - every isp should hand out huge v6 subnets dedicated to you.

Since my v6 prefix is not stable, i use ddclient from my homeserver to update my domains AAAA record

[-] lemmyvore@feddit.nl 16 points 11 months ago

Unfortunately IPv6 adoption is not universal. There will be parts of the internet that won't be able to reach you at a 6-only address.

load more comments (1 replies)
load more comments (9 replies)
[-] rufus@lemmy.sdf.org 24 points 11 months ago

Have you reached out to your ISP to see if they can give you a dynamic public IP? I recently swapped to a new ISP that was using CGNAT but after contacting their support team with my use case, they were happy to set me up with a public IP so I could continue my self-hosting.

[-] nucleative@lemmy.world 7 points 11 months ago

This. I had the same situation being put behind CGnat and told them my security webcam needs port forwarding from outside and they had me back to a public IP within minutes.

load more comments (10 replies)
[-] nucleative@lemmy.world 24 points 11 months ago

A solid workaround is an ssh reverse tunnel with gateway ports enabled. You can do it for pennies with a cheap VPS.

With this option you open an ssh tunnel outbound and then you can connect back through it from the other side for whatever local services you want to run.

You first need a VPS with a public IP. Here's a guide that explains it: https://www.howtogeek.com/428413/what-is-reverse-ssh-tunneling-and-how-to-use-it/

Just remember to enable gateway ports in the VPS side sshd.conf and disable or adjust any firewall on the VPS so the internet can come in through the VPS ip address and tunnel back to your local system.

[-] Zeroxxx@lemmy.my.id 2 points 11 months ago

That setup will yield off the chart latency if your VPS is not near your location 😱

load more comments (1 replies)
[-] tal@lemmy.today 2 points 11 months ago* (last edited 11 months ago)

While I use ssh tunneling to access systems on a temporary basis, usually http, some caveats:

  • I don't know of a daemon to set up locally that will re-establish tunnels on power loss and the like. Not technically-difficult, but something one probably wants if this is going to be how he's gonna get at the system long-term rather than "I just need one-off access".

  • One other downside -- the service that the user here is aiming to expose is apparently ssh. For me -- reaching an http server -- wrapping the connection for remote use is desirable. For him, it probably isn't, as there'll be two layers of encryption. Not the end of the world, but it's a hit. You do want encryption in the outer protocol at least insofar as you need it to protect authentication to the VPS anyway.

[-] kokesh@lemmy.world 2 points 11 months ago

I need more ports to be exposed - I'm running secure DNS, Git on one port, Webmin on other, Jelllyfin (I can live without that on data), HTTP server on 800/443, Homeassistant 8123,... I also had 3389 open for remote desktop to my Windows machine, etc.

load more comments (1 replies)
[-] nucleative@lemmy.world 2 points 11 months ago

For reestablishing the connection, use the wrapper 'autossh'. It can be run from systemd so that it'll auto start and restart as you command it.

I have a couple instances using this that are absolutely rock solid after years.

load more comments (3 replies)
[-] SiblingNoah@lemmy.world 10 points 11 months ago

You’re probably behind a CG-NAT. Look into establishing a tunnel, like via Cloudflare.

[-] cmnybo@discuss.tchncs.de 8 points 11 months ago

I use a VPN that I setup on an Oracle free tier VPS when I need to access my stuff over IPv4. I also have IPv6, so I can connect directly when using 5G on my phone.

[-] skookumasfrig@sopuli.xyz 2 points 11 months ago

Oracle is awesome in this one specific way. They suck in all other ways but this is really good.

load more comments (4 replies)
load more comments (2 replies)
[-] DoomBot5@lemmy.world 7 points 11 months ago

Could always see if they offer a static IP. My ISP uses CG NAT and I just pay $10/month for a public static ip to bypass it.

[-] poVoq@slrpnk.net 2 points 11 months ago* (last edited 11 months ago)

And if not I would cancle the contract with them as CGNAT is not an internet connection and you should not just accept this break of contract.

[-] Schmeckinger@feddit.de 3 points 11 months ago* (last edited 11 months ago)

Good luck getting a non CGNAT connection here without paying for it. Also it's not a breach of contract if it's not in the contract...

[-] poVoq@slrpnk.net 6 points 11 months ago

If they sell an "internet connection" then selling one behind a CGNAT is a breach of contract, because it is not a connection to the internet but only a selective forwarding service from within their intranet.

Similar to how the consumer protection agencies fought against fake speed promises and hidden "fair use" volume clauses, CGNAT should also be forbidden to be advertised as "internet".

[-] Schmeckinger@feddit.de 2 points 11 months ago* (last edited 11 months ago)

We have more internet connections than IPv4's they can't just pull new ones out of their ass. Also IPv6 is internet too.

load more comments (29 replies)
[-] vettnerk@lemmy.ml 4 points 11 months ago* (last edited 11 months ago)

Unless they're willing to give you your own IP (dynamic, or maybe static for a fee), that's a good reason for replacing your ISP imo.

[-] KairuByte@lemmy.dbzer0.com 8 points 11 months ago

You say that as if most don’t hold a monopoly in their available regions. At least in America, you typically have the choice of one, maybe more if you’re in a largeish city, and I suppose you have the option of a 5G hub but that’s terrible for running services.

[-] vettnerk@lemmy.ml 4 points 11 months ago* (last edited 11 months ago)

Ouch, I was not aware of that. Here in scandinavialand we have a few local or regional ones in each area, plus a few big ones that cover the entire country.

Once the fiber is in the ground, "any" ISP can use them, regardless who buried it. I think it's a remnant from 20ish years ago when the default was ADSL over copper, and the telecom cables were considered public infrastructure.

[-] KairuByte@lemmy.dbzer0.com 5 points 11 months ago

Dude I’d kill for that availability. Here, the companies own the infrastructure, and can offer to let others use it if they’d like but that doesn’t usually happen.

[-] Glitchington@lemmy.world 3 points 11 months ago

Yeah, the US is very limited in ISP options. In my area there is one massive provider, and two or three small providers. The massive provider does up to 1Gb but it's cable and speeds fluctuate. The other providers can manage 250Mb and that's it. Also, upload on ALL plans available in my area caps out at 20Mb/s. It's a joke and the city won't let any fiber companies in because of an exclusivity contract with the big cable provider. It's baaaaaad

[-] vettnerk@lemmy.ml 2 points 11 months ago* (last edited 11 months ago)

I've had plenty of rants about Norwegian broadband (or lack thereof) over the past 25 years. It's a bit of a long story, but the gist of it is that during the 90's there was this one company (Telenor) which had practical monopoly on telecom (it was the private remnant of what used to be part of the government), and of course they didn't want to develop broadband 8nfrastructure as the made shitloads of money by selling ISDN at the time. Broadband was available in the biggest cities only, and even there it was limited. And the punchline of that joke was that when I was on dialup I had to pay by the minute. During that time, hearing about not having to pay by the minute in the US sounded like paradise to me.

But luckily competition happened, and Telenor realized they had to allow modernization or be left out of the market entirely. Small communities could sign up to have broadband "delivered", and once enough people had signed up for an ISP to considet it profitable, digging would start. Today, twenty years later, I'm pretty satisfied with how it turned out. I live practically in the middle of nowhere, in a tiny industrial town sqeezed to fit into the terrain, where three of the cardinal directions are blocked by mountains and the fourth being a fjord. And I have 1gbit both up and down.

load more comments (1 replies)
load more comments
view more: next ›
this post was submitted on 11 Nov 2023
113 points (100.0% liked)

Selfhosted

39665 readers
152 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz