I’m connected via a 4G modem. Got this setup about 3 years ago. In the beginning it was enough to look for the public IP (what’s my IP). The modem showed some sort of private ip in the ui. I’m running stuff at home (Homeassistant, Gitea,) and bought a domain and pointed it to my home IP via Cloudflare. After some time I’ve noticed my modem shows the public IP also internally. For about 2 years now it ran flawlessly, the IP changed from time to time, but not really more than once in several weeks. For about a week all stopped working and the modem shows IP 100.xxxx and outside 85.something I guess I’m behind NAT now. Normal port forwarding on the modem is useless now. Is it possible to open the ports via UPNP? I’ve tried via miniupnp from my Ubuntu server, but it just throws an error.

upnpc -a ifconfig enp1s0| grep "inet addr" | cut -d : -f 2 | cut -d " " -f 1 22 22 TCP

Can I use this to somehow open the ports via UPNP on my modem and bypass the blocking? I can’t even OpenVPN to my modem anymore.

EDIT: i also run AdguardHome, that I use as Private DNS on my Android phone

UPDATE: everything except Adguard Home used as Private DND on my Android works! I’ve used this: https://github.com/mochman/Bypass_CGNAT/wiki/Oracle-Cloud-(Automatic-Installer-Script) - free Oracle VPS + automated well described script. Even HTTPS works fine!

  • Joe
    link
    fedilink
    English
    arrow-up
    63
    ·
    1 year ago

    Welcome to the world of Carrier Grade NAT. 100.64.0.0/10 is reserved for this.

    If you are lucky, you also have an IPv6 address. The catch is you need IPv6 on the client-side too.

    A VPS or similar running wireguard and a proxy might bridge the gap.

    It might also be possible to ask your provider for some port forwarding. Probably not, but check anyway.

    Good luck!

    • Kwa@derpzilla.net
      link
      fedilink
      English
      arrow-up
      4
      arrow-down
      1
      ·
      1 year ago

      This is exactly what happened to me, but was able to contact my ISP to drop IPv6 support and get back my ports forwarding to work on my line

      • WaterWaiver@aussie.zone
        link
        fedilink
        English
        arrow-up
        24
        ·
        edit-2
        1 year ago

        N.B. to anyone reading this: ask your isp to “opt out of CG-NAT”. Talking about IPv6 may confuse the staffer you’re talking to, it’s partially related but not the fully picture.

  • Decronym@lemmy.decronym.xyzB
    link
    fedilink
    English
    arrow-up
    53
    arrow-down
    2
    ·
    edit-2
    1 year ago

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    Fewer Letters More Letters
    CGNAT Carrier-Grade NAT
    DNS Domain Name Service/System
    Git Popular version control system, primarily for code
    HTTP Hypertext Transfer Protocol, the Web
    IP Internet Protocol
    NAT Network Address Translation
    VPN Virtual Private Network
    VPS Virtual Private Server (opposed to shared hosting)
    nginx Popular HTTP server

    [Thread #274 for this sub, first seen 11th Nov 2023, 18:30] [FAQ] [Full list] [Contact] [Source code]

  • Dave@lemmy.nz
    link
    fedilink
    English
    arrow-up
    35
    ·
    1 year ago

    You’re already using cloudflare, so check out cloudflare tunnels. You install their software on your server which makes an outbound connection, bypassing the need for open ports or a public IP. Note this only does http traffic.

    Another option is tail scale, which won’t make your site public but will let you access it remotely on devices you have their software/app on.

    • farcaller@fstab.sh
      link
      fedilink
      English
      arrow-up
      3
      arrow-down
      1
      ·
      1 year ago

      I’m actually not sure you can easily get tailscale up and running om such as a setup as it uses the same cgnat ip range.

      • Dave@lemmy.nz
        link
        fedilink
        English
        arrow-up
        9
        ·
        1 year ago

        This page says (at the very bottom):

        Tailscale can route its packets peer-to-peer over IPv4 or IPv6, with and without NAT, multi-layer NAT, or CGNAT in the path.

        • farcaller@fstab.sh
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 year ago

          Yeah, you’re absolutely correct. I misread that thinking OP would have the CG NAT endpoint and taikscsle on the same physical device, which, I still think, would be a problem: you’d have two interfaces for 100.64.0.0/10. But if CG NAT terminates on the modem and you run taikscale on devices connected to it them there’s surely no issue at all.

          • c10l@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            ·
            1 year ago

            I run it on my router which has the CG-NAT IP address.

            Whilst you’re right that it could clash, it’s very unlikely (a 1 in 4194302 chance), I imagine Tailscale would detect the clash and change IPs though I could be wrong as it never happened to me (and probably never will - though in all fairness it will eventually happen to someone).

            • farcaller@fstab.sh
              link
              fedilink
              English
              arrow-up
              2
              ·
              1 year ago

              I went looking into how that works, and, apparently, tailscale adds individual node routes (in table 52). So yeah, you have very low chances of getting into trouble even if you have an interface with 100.64/10.

      • c10l@lemmy.world
        link
        fedilink
        English
        arrow-up
        6
        ·
        1 year ago

        Been using Tailscale behind CG-NAT for years. It works wonderfully and very rarely needs to route through the DERP infrastructure - it’s almost always a P2P connection.

  • nucleative@lemmy.world
    link
    fedilink
    English
    arrow-up
    25
    ·
    1 year ago

    A solid workaround is an ssh reverse tunnel with gateway ports enabled. You can do it for pennies with a cheap VPS.

    With this option you open an ssh tunnel outbound and then you can connect back through it from the other side for whatever local services you want to run.

    You first need a VPS with a public IP. Here’s a guide that explains it: https://www.howtogeek.com/428413/what-is-reverse-ssh-tunneling-and-how-to-use-it/

    Just remember to enable gateway ports in the VPS side sshd.conf and disable or adjust any firewall on the VPS so the internet can come in through the VPS ip address and tunnel back to your local system.

    • tal@lemmy.today
      link
      fedilink
      English
      arrow-up
      2
      ·
      edit-2
      1 year ago

      While I use ssh tunneling to access systems on a temporary basis, usually http, some caveats:

      • I don’t know of a daemon to set up locally that will re-establish tunnels on power loss and the like. Not technically-difficult, but something one probably wants if this is going to be how he’s gonna get at the system long-term rather than “I just need one-off access”.

      • One other downside – the service that the user here is aiming to expose is apparently ssh. For me – reaching an http server – wrapping the connection for remote use is desirable. For him, it probably isn’t, as there’ll be two layers of encryption. Not the end of the world, but it’s a hit. You do want encryption in the outer protocol at least insofar as you need it to protect authentication to the VPS anyway.

      • Kokesh@lemmy.worldOP
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        I need more ports to be exposed - I’m running secure DNS, Git on one port, Webmin on other, Jelllyfin (I can live without that on data), HTTP server on 800/443, Homeassistant 8123,… I also had 3389 open for remote desktop to my Windows machine, etc.

        • grenndel@lemmy.ca
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          You can reduce some of those ports by using a reverse proxy. Do that you can access git home assistant etc from 443 with a subhuman.

      • nucleative@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        For reestablishing the connection, use the wrapper ‘autossh’. It can be run from systemd so that it’ll auto start and restart as you command it.

        I have a couple instances using this that are absolutely rock solid after years.

          • tal@lemmy.today
            link
            fedilink
            English
            arrow-up
            2
            ·
            edit-2
            1 year ago

            I’m the grandparent commenter, not the parent commenter, but for my very limited use, it’s not noticeable, but I’m also typically just giving a remote machine access to a local web service. I’m not trying to tunnel anything bulk (or where latency is critical, which I’d think might be a larger issue).

            The one thing I can say, though, without digging up numbers: ssh is fundamentally TCP-based. It forces ordering on anything it transports. While there are ways to cram UDP through an SSH tunnel, that’s gonna impose an unwanted constraint. if you want to provide access to anything that natively runs on UDP, I’d probably look into a UDP-based VPN – like Wireguard – that doesn’t do that.

          • nucleative@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            ·
            1 year ago

            Haven’t done any comparisons, but I’m using this in cases where my throughput isn’t too important. I can stream my webcam over it in HD, establish an rdp connection, ssh back through, and control web interfaces like octoprint. It’s acceptable.

            The big advantage is that a $2/month vps gets a static IP, therefore I don’t have to worry about a VPN provider changing the IP or blocking ports.

            Tunneling an encrypted connection through an encrypted connection is pretty much always a bad idea but when you’re evading CGnat or other network blocks, sometimes it’s the best we can conjure up on a whim.

    • zeroxxx@lemmy.my.id
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      1
      ·
      1 year ago

      That setup will yield off the chart latency if your VPS is not near your location 😱

      • nucleative@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        For sure. If you really need to host thrn get the right package of internet services for that activity. If you need a fast fix for a small issue, this method gets around most ISP attempts to block hosting.

  • rufus@lemmy.sdf.org
    link
    fedilink
    English
    arrow-up
    24
    ·
    1 year ago

    Have you reached out to your ISP to see if they can give you a dynamic public IP? I recently swapped to a new ISP that was using CGNAT but after contacting their support team with my use case, they were happy to set me up with a public IP so I could continue my self-hosting.

    • nucleative@lemmy.world
      link
      fedilink
      English
      arrow-up
      7
      ·
      1 year ago

      This. I had the same situation being put behind CGnat and told them my security webcam needs port forwarding from outside and they had me back to a public IP within minutes.

      • Nik282000@lemmy.ca
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        ISPs in Canada usually include a clause in their TOS that explicitly prohibits selfhosting. Don’t move here, it sucks.

            • tal@lemmy.today
              link
              fedilink
              English
              arrow-up
              5
              ·
              edit-2
              1 year ago

              I dunno. The IPv4 address space is getting pretty tight, and aside from rejiggering existing inefficient allocations, there’s not a lot you can do beyond NAT.

              In the US, we had it pretty good for a long time, because we had a rather disproportionate chunk of the IPv4 address space – Ford, MIT, and Apple alone each had their own Class A netblock, about half a percent of the IPv4 address space each, for example.

              But things have steadily gotten tighter as more and more of the world uses the Internet more and more.

              https://whatismyipaddress.com/ipv6-ready

              As expected, the ISPs are no longer receiving new allotments or allocations of public IPv4 addresses from the American Registry for Internet Numbers (ARIN). Some have managed to continue to provide new IPv4 addresses by reallocating some of the addresses they had been assigned in the past but perhaps had never passed on to customers. This buys them a little more time while they scramble to roll out and support IPv6 addresses.

              Like, there’s real scarcity of the resource. It doesn’t require the scarcity to be artificially-induced.

              My ISP used to let one get a /29 IPv4 block for residential users, though they stopped that years ago. Always have had a way to get publicly-facing IPv6 addresses, though.

              End of the day, the real fix is to get the world on IPv6.

        • Caveman@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          I don’t know Canada laws but does it only apply if you make money off it (or intend to). Self hosting Jellyfin server is basically just delayed uploading.

          • Nik282000@lemmy.ca
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            Afaik it’s at the ISP’s digression. Up until I switched, Bell would block ports 21, 22, 53, 80 and 443.

              • Nik282000@lemmy.ca
                link
                fedilink
                English
                arrow-up
                1
                ·
                1 year ago

                It’s kinda shitty of them to block the ports that makes up +30 years of what the internet IS. Bell/Rogers want your internet connection to be unidirectional, when you host your own content you don’t consume theirs.

                • Caveman@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  1 year ago

                  Yeah, not arguing that, it doesn’t cost them extra to allow those. Still, you can use 8080, 8989, 5000, 7878 etc, for plex, Jellyfin, nextcloud and so on.

                  You can even workaround it by using cloudflare functions that forward requests to your specific port, DNS it to cloudflare and run a commercial webapp out of your garage anyway.*

                  *Except if you want to honor whatever ToS they had you agree to.

  • clericc@feddit.de
    link
    fedilink
    English
    arrow-up
    24
    ·
    1 year ago

    i’ve been on CGNAT and just pointed my domain to my ipv6 address with no issues - every isp should hand out huge v6 subnets dedicated to you.

    Since my v6 prefix is not stable, i use ddclient from my homeserver to update my domains AAAA record

    • lemmyvore@feddit.nl
      link
      fedilink
      English
      arrow-up
      16
      ·
      1 year ago

      Unfortunately IPv6 adoption is not universal. There will be parts of the internet that won’t be able to reach you at a 6-only address.

      • Still@programming.dev
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        wdym except Verizon? I have a whole section of /56 for me in ipv6, tho the Verizon website is ipv4 only

        • Encrypt-Keeper@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          edit-2
          1 year ago

          Verizon IPv6 rollout technically started but has been very limited in the last few years. I live outside one of the biggest cities in the U.S. and it hasn’t even made it here yet. In the last five years they’ve only made it to 50% of their userbase being capable.

    • baldissara@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      1 year ago

      I tried that and couldn’t make it work. My server was unable to receive any http requests. Then I tried doing some tweaking in my ISP router configuration but with no success. So far cloudflare tunnel was the only solution I found

        • baldissara@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          Yeah I set it up to forward 80:80 and 443:443 but it didn’t seem to have any effect. Does port forward work on ipv6 the same way it does on ipv4?

          • clericc@feddit.de
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            in m limited sample size of one avm fritz.box, yes. What ivp6 address did you use to try and connect? a device typically has multiple - i.e. dont use fd00::, fe80::

            • baldissara@lemmy.world
              link
              fedilink
              English
              arrow-up
              1
              ·
              1 year ago

              I’d need to check it out, it’s been a while. But I tried pretty much all addresses that are printed out with “ip address” command on linux

  • plague-sapiens@lemmy.world
    link
    fedilink
    English
    arrow-up
    20
    ·
    edit-2
    1 year ago

    Buy a cheap VPS, setup a Wireguard or OpenVPN server (wg-easy is quite nice). Then something like Nginx Proxy Manager or plain nginx and expose your services over that.

    Edit: if you need help, hit me up, love sharing my knowledge

    • Revv@lemmy.blahaj.zone
      link
      fedilink
      English
      arrow-up
      11
      ·
      1 year ago

      I second this. I use a couple of dirt cheap VPSs from racknerd ($24/yr for 1 CPU/512Mb ram, but you can find coupons online to get them for $10/yr 1CPU/768mb ram) one does port forwarding over wireguard to my mail server so I can keep all my data in house, the other hosts an NGINX reverse proxy for all my web services. Works great. I use the reverse proxy for nextcloud and jellyfin for myself and 6 other users. Never had an issue. (Well, never had an issue I didn’t cause myself at any rate.)

      It’s a little harder to set up than some of the other suggestions, but it’s cheap, fully transparent to users, and doesn’t expose your home network to the outside world.

      • plague-sapiens@lemmy.world
        link
        fedilink
        English
        arrow-up
        5
        arrow-down
        1
        ·
        1 year ago

        Netcup is my favourite hoster in the EU, but I live in DE. 2€/m for 2c, 2/4gb ram, lots of traffic. They have coupons from time to time or xmas/easter/… deals. The whole front- and backend works like a charm too. Upload your own isos/qcow images, download backups, KVM is awesomely implemented too. Sadly they don’t take crypto and you need a call verification or id via mail for your first purchase (understandable as a german hoster), besides that just wonderful :)

    • andrew@lemmy.stuart.fun
      link
      fedilink
      English
      arrow-up
      5
      ·
      edit-2
      1 year ago

      Personally I would strongly recommend learning how to do all of this. And then abandoning it for tailscale or something similar once you know what they’re doing behind the scenes. It’s incredibly useful knowledge but it’s also nice to have so much of the process automated and best practices like key rotation done for you. Plus unless your network is hugely crazy or enterprise, you can manage for the really great price of $0.

      And if you really really want to self host (which I understand) there’s headscale for a lot of the features.

  • SiblingNoah@lemmy.world
    link
    fedilink
    English
    arrow-up
    10
    arrow-down
    1
    ·
    1 year ago

    You’re probably behind a CG-NAT. Look into establishing a tunnel, like via Cloudflare.

  • cmnybo
    link
    fedilink
    English
    arrow-up
    8
    ·
    1 year ago

    I use a VPN that I setup on an Oracle free tier VPS when I need to access my stuff over IPv4. I also have IPv6, so I can connect directly when using 5G on my phone.

  • DoomBot5@lemmy.world
    link
    fedilink
    English
    arrow-up
    7
    arrow-down
    1
    ·
    1 year ago

    Could always see if they offer a static IP. My ISP uses CG NAT and I just pay $10/month for a public static ip to bypass it.

    • poVoq@slrpnk.net
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      8
      ·
      edit-2
      1 year ago

      And if not I would cancle the contract with them as CGNAT is not an internet connection and you should not just accept this break of contract.

      • Schmeckinger@feddit.de
        link
        fedilink
        English
        arrow-up
        3
        ·
        edit-2
        1 year ago

        Good luck getting a non CGNAT connection here without paying for it. Also it’s not a breach of contract if it’s not in the contract…

        • poVoq@slrpnk.net
          link
          fedilink
          English
          arrow-up
          6
          arrow-down
          2
          ·
          1 year ago

          If they sell an “internet connection” then selling one behind a CGNAT is a breach of contract, because it is not a connection to the internet but only a selective forwarding service from within their intranet.

          Similar to how the consumer protection agencies fought against fake speed promises and hidden “fair use” volume clauses, CGNAT should also be forbidden to be advertised as “internet”.

          • Schmeckinger@feddit.de
            link
            fedilink
            English
            arrow-up
            2
            ·
            edit-2
            1 year ago

            We have more internet connections than IPv4’s they can’t just pull new ones out of their ass. Also IPv6 is internet too.

            • poVoq@slrpnk.net
              link
              fedilink
              English
              arrow-up
              1
              arrow-down
              3
              ·
              1 year ago

              This is a myth. There are large swath of IPv4 address spaces totally unused and many ISPs hoard them without actually using them.

              An IPv6 only internet connection would also still be miles better than CGNAT connection.

              • Schmeckinger@feddit.de
                link
                fedilink
                English
                arrow-up
                1
                ·
                edit-2
                1 year ago

                How? You can literally turn IPv4 off on your whole network, or selectively by device. But if you turn off your IPv4 you will get cut off of a good chunk of the internet.

                And the only reason we have unused IPv4’s is because a big part of the internet is behind NAT of some kind like CGNAT.

                • poVoq@slrpnk.net
                  link
                  fedilink
                  English
                  arrow-up
                  2
                  arrow-down
                  2
                  ·
                  1 year ago

                  There is nothing wrong with an organization sharing an single IPv4 internally via NAT, but if your ISP sells you a connection to the internet, this by definition means you get a unique public IP address, otherwise it isn’t an internet connection.

                  IPv6 support could be better for sure, but it is still much better than not having an internet connection at all as in the case of a CGNAT.

  • vettnerk@lemmy.ml
    link
    fedilink
    English
    arrow-up
    4
    ·
    edit-2
    1 year ago

    Unless they’re willing to give you your own IP (dynamic, or maybe static for a fee), that’s a good reason for replacing your ISP imo.

    • KairuByte@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      8
      ·
      1 year ago

      You say that as if most don’t hold a monopoly in their available regions. At least in America, you typically have the choice of one, maybe more if you’re in a largeish city, and I suppose you have the option of a 5G hub but that’s terrible for running services.

      • vettnerk@lemmy.ml
        link
        fedilink
        English
        arrow-up
        4
        ·
        edit-2
        1 year ago

        Ouch, I was not aware of that. Here in scandinavialand we have a few local or regional ones in each area, plus a few big ones that cover the entire country.

        Once the fiber is in the ground, “any” ISP can use them, regardless who buried it. I think it’s a remnant from 20ish years ago when the default was ADSL over copper, and the telecom cables were considered public infrastructure.

        • KairuByte@lemmy.dbzer0.com
          link
          fedilink
          English
          arrow-up
          5
          ·
          1 year ago

          Dude I’d kill for that availability. Here, the companies own the infrastructure, and can offer to let others use it if they’d like but that doesn’t usually happen.

        • Glitchington@lemmy.world
          link
          fedilink
          English
          arrow-up
          3
          ·
          1 year ago

          Yeah, the US is very limited in ISP options. In my area there is one massive provider, and two or three small providers. The massive provider does up to 1Gb but it’s cable and speeds fluctuate. The other providers can manage 250Mb and that’s it. Also, upload on ALL plans available in my area caps out at 20Mb/s. It’s a joke and the city won’t let any fiber companies in because of an exclusivity contract with the big cable provider. It’s baaaaaad

          • plague-sapiens@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            ·
            1 year ago

            Exactly the same in many parts of DE. In Bavaria we have cable (docsis 3+) from Vodafone and then there’s copper and fibre from Telekom (most other ISPs use their infrastructure). Depending on where you are in Germany, cables is provided by another company. There are some fibre companies too.

            I’m currently moving from Nuremburg to a smaller town next to it. Currently I have 250/50Mbit/s and in the street I’m moving I can only utilize 100/40… Like wtf, 100m down the road there’s the citiy hall, they have fibre and it’s street to the next small city will get fibre next year. I won’t until idk years. C’mon I would pay a shitton to get synchronous 1 Gbit/s. I’m gonna test 5G there too and maybe for my high bandwidth stuff that’s an option. Still fucked up. It’s 2023 an we still live in the stoneage of the internet. Fuck our politicians…

          • vettnerk@lemmy.ml
            link
            fedilink
            English
            arrow-up
            2
            ·
            edit-2
            1 year ago

            I’ve had plenty of rants about Norwegian broadband (or lack thereof) over the past 25 years. It’s a bit of a long story, but the gist of it is that during the 90’s there was this one company (Telenor) which had practical monopoly on telecom (it was the private remnant of what used to be part of the government), and of course they didn’t want to develop broadband 8nfrastructure as the made shitloads of money by selling ISDN at the time. Broadband was available in the biggest cities only, and even there it was limited. And the punchline of that joke was that when I was on dialup I had to pay by the minute. During that time, hearing about not having to pay by the minute in the US sounded like paradise to me.

            But luckily competition happened, and Telenor realized they had to allow modernization or be left out of the market entirely. Small communities could sign up to have broadband “delivered”, and once enough people had signed up for an ISP to considet it profitable, digging would start. Today, twenty years later, I’m pretty satisfied with how it turned out. I live practically in the middle of nowhere, in a tiny industrial town sqeezed to fit into the terrain, where three of the cardinal directions are blocked by mountains and the fourth being a fjord. And I have 1gbit both up and down.