So I was looking into getting port forwarding set up and I realized just how closed-off the internet has gotten since the early days. It’s concerning. It used to be you would buy your own router and connect it to the internet, and that router would control port-forwarding and what-have-you.
Now, your ISP provides your router, which runs their firmware, which (in my case) doesn’t even have the option to enable port forwarding.
It gets worse - because ISPs are choosing NATs over IPv6, so even if you install a custom firmware on your router without it getting blacklisted by your ISP, you still can’t expose your server to the internet because the NAT refuses to forward traffic your way. They even devise special NAT schemes like symmetric NAT to thwart hole punching.
Basically this all means that I have to purchase my web hosting separately. Or relay all the traffic through an unnecessary third party, introducing a point of failure.
It’s frustrating.
I like to control my stuff. I don’t like to depend on other people or be in a position where I have to trust someone not to fuck with my shit. Like, if the only thing outside my apartment that mattered to my website was a DNS record, I’d be really happy with that.
Edit: TIL ISPs in the US don’t have NATs
Edit 2: OMG so much advice. My knowledge about computers is SO clearly outdated, I have a lot of things to read up on.
Edit 3: There’s definitely a CGNAT involved since the WAN ip in the router config is not the same as the one I get when I use a website that echos my IP address. Far as I can tell my devices don’t get unique IPv6 addresses either. (funnily enough, if I check my IP address on my phone using roaming data, there’s no IPv6 address at all). It’s a router/modem combo, at least I think since there’s only one device in my apartment (maybe there’s a modem managing the whole complex or something?). And it doesn’t have a bridge mode, except for OTT. Might try plugging my own router into it, but it feels like a waste of time and money from what I’m seeing. Probably best to just host services over a VPN or smth.
Edit 4: Devices do get unique IPv6 addresses, but it’s moot since I can’t do anything but ping them. I guess it wouldn’t be port forwarding but something else that I would have to do that my router doesn’t support
And this is why I’m unlikely to change isp. I have a /29 ipv4 block and /48 ipv6 block. No extra charge. Grandfathered features from over a decade ago.
HOLY SHIT YOU HAVE A /29 IPV4 BLOCK???
That’s like having a change jar with copper pennies or something, nice
Yep. The ISP doesn’t offer it any more. They stopped, I think when RIPE officially “ran out” of new net blocks. But I’ve moved address twice so far and have kept the allocation. Well, on the last move they messed up and gave new a new single IP. I complained, and they asked why it matters so much to have my old IP. I pointed out I had a netblock, and they fixed it up pretty quickly.
Pretty soon, full fibre will be in my area and available on the same ISP. So, hoping for a smooth transition to keep it for a bit longer.
How does it feel hoarding IPs from 7 other people who want one?
Apologies if you’ve answered this elsewhere but I’m assuming there’s a reason you haven’t bought your own router?
Is that possible with something like T-Mobile Home Internet?
idk that’s why I asked
I had a fun little issue a while back where my isp replaced our fiber modem to one that didn’t allow for port forwarding. The settings were missing but when I set up dmz host on that to allow our equipment to work again, I noticed it was behind some nat in their system. I found out I could call them to get functionality restored for a fee, but instead I plugged in the old box and still keep an external ip with port forwarding enabled and no nat. To be honest the old one has been a lot less stubborn as it doesn’t drop every 10th packet on the network. I switched back about 6 months ago, and I’ve not had any issues, so we’ll see when they call demanding me to plug in the new one. Their explanation for switching systems was that their old one wasn’t powerful enough for gigabit speeds, even though both have interfaces for gigabit sfp. After some testing, the old one was more capable and stable at those speeds. I assume they wanted to switch systems due to some licensing thing, or to get more money from the .5% of people who care about these features.
It’s really shitty. My isp offers a static ip plan but it costs a lot more, so I try using tailscale and it works ok. It’s a shame though
Use cloudflare tunnel.
Are you trying to offer a port for peer sharing (XDCC/BT)? I’ve never tried using it like this but I think Tailscale Funnel could work.
It’s a sort of reverse VPN, I guess you could call it. Tailscale maintains the public IP and when someone connects to your advertised port they tunnel it to you through (encrypted) WireGuard. It passes through NAT because connections are outgoing to their servers.
The catch is that wireguard is easily detectable through deep packet inspection so if your ISP is a real asshole they can kill the connections, but if they go that far then NAT traversal is the least of your worries.
In my country we just buy a router and ask the ISP to set the modem/router in bridge mode
On the flip side, direct open ports to your home network isn’t really a great idea anyway.
At one time it wasn’t as bad, but today I’d be hesitant because of the number and capability of bad actors and I’m not a network security expert (though I have a lot of training in networks, just shy of that kind of expertise).
In a way, these restrictions have promoted the use of even more secure approaches, like using Cloudflare tunnels, VPS’s with VPN connections to your network, or things like Wireguard/Tailscale, which provide a virtual (encrypted) network layered on top of the public (untrusted) network.
All of these can provide an externally controlled (secured and encrypted) access to specific resources within your own network. As mentioned, VPS with VPN, Cloudflare tunnels, or Tailscale Funnel or Share.
I don’t know what you mean by ISPs in the US don’t have NATs. They most certainly do NAT at the gateway device. But they also typically provide a way to DMZ to your own router instead. I don’t have to deal with double NAT simply because I effectively have my ISP gateway in bridge mode (forwarding all traffic to a specific device, in this case, my personal router).
Note: I have gigabit FTTH from AT&T. I left cable internet the moment fiber service was made available.
Standard IPv4 NAT or CGNAT?
Are you using their modem AND router? Or just their modem? If it’s a modem router combo, can you place it in bridge/passthrough mode?
Even if it’s CGNAT and no bridge mode, their are solutions available.
Are you looking to host private services like NextCloud? Or public services like a website?
Far as I can tell there’s no bridge mode, and there’s only one device in the space that connects me to the internet. Pretty sure it’s a CGNAT, and I wanna host a website
What do you need to do, why do you need a public IP?
Well, I don’t need it, not really. It’s just I’m finally in a position where I’m not stressed about things like rent and healthcare, and I’m realizing I wanna fuck around with hosting my own websites. Possibly a lemmy instance, I was toying with the idea of developing a P2P social networking protocol that federates with lemmy. But also the idea of building my own websites so I’m not dependent on others for my income, or just making it easier for people to download stuff that I’m the only seeder of.
Definitely not a need. My rent is paid, my food is healthy, healthcare is cheap. So now I can worry about stuff like this that ultimately doesn’t matter
You can rent a server in a data center. Hetzner is pretty good… unless it thinks you’re a “risky customer” and bans you.
Here in Germany I get a “real” (non-shared) IPv4 address and a /48 IPv6 subnet I think. With Telekom at least. Vodafone is another story. I think the user must be able to use their own router because of some EU law.
Can’t switch ISPs? I’d tell them exactly why I’m switching.
Did you contact your ISP about this? Most of them can adjust a setting for you to remove the NAT part, the feature is usually called dual-stack. If you are in the EU, you even have a fundamental right to use your own router, you just have to register your MAC with them.