I moved, and now my new router has no ipv4. I can expose the host with ipv6. After opening a port and exposing the host, the host is fully exposed and all ports are open. It’ss weird. Vodafone calls ut host exposure, I can select a specific port and all ports are open.

How do you guys corcumvent that issue? Is this the infamous cgnat problem or is this why many people use a cloudflare tunnel? I just want to reach my nextcloud and immich with a normal domain.

Edit: I called my provider and now I’ve got an ipv4 address with port forwarding

  • mholiv@lemmy.world
    link
    fedilink
    English
    arrow-up
    5
    ·
    23 days ago

    I’m glad you got it working with IPv4. For the record though the way to do such a thing in the future is to think in IPv6. In IPv6 there is no nat or port forwarding. Even if you have host exposure. You need to set an appropriate rule in your router firewall.

    On the host itself you need to use public IPv6 addresses. Then on the router firewall you set a firewall rule with an appropriate delegation mask allowing traffic to the specified port.

    It’s different than IPv4 but once you learn IPv6 it’s easy.

    • GravitySpoiled@lemmy.mlOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      22 days ago

      Thx for the explanation!

      I can’t find much on “ipv6 delegation mask”. is there another name for it?

      The router firewall can only either be enabled or disabled. In case the delegation mask is the port I can open in the UI. That’s the part that’s not working correctly.

      • mholiv@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        edit-2
        22 days ago

        Yah that term isn’t an official term. I just meant it in the sense of a IPv6 prefix. Without knowing more about how your router firewall works / in set up I can’t be too specific.

        But in general the way things work with ip addresses is that your ISP provides you with a block of IPv6 address. This block is the prefix/first part of any given ipv6 address on your network. Each host uses that prefix and generates a suffix that it adds in to it in order to generate a full globally reputable IPv6 address.

        By default most hosts use the IPv6 privacy extension to random suffixes and cycle through them. This is good for privacy but bad for hosting a public service. You need to turn off the privacy extension and the second half of the IPv6 address will stay static.

        Next up you need to write a firewall rule to allow traffic to that globally routable IPv6 address. In an IPv6 system the router does not intercept or rewrite the packets like it does with IPv4. So all a router does is act as a firewall saying “Yup outside hosts can or can’t make inbound connections to certain hosts/ports”

        The trick with a consumer IPv6 address space is that just like IPv4 addresses given to your router, the IPv6 prefix can change randomly.

        It would be annoying to have to update the firewall rule every time this happened. That’s why the idea of masking matters. You tell the firewall “ignore the prefix of this firewall rule. Just allow or deny based on the static suffix.”

        The way to write such rules is different on different firewalls. Most consumer devices don’t have a way to configure such things. Even professional networking equipment mostly makes you use the cli to manage such things.

        I hope this helps.

  • catloaf@lemm.ee
    link
    fedilink
    English
    arrow-up
    3
    ·
    24 days ago

    If that’s your only option, I would expose a single host for solely VPN, and connect to that for access to everything else.

    • GravitySpoiled@lemmy.mlOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      23 days ago

      Good idea. That means also having one device with thee reverse proxy.

      I wonder if you can expose a container as a host

  • ShortN0te@lemmy.ml
    link
    fedilink
    English
    arrow-up
    2
    ·
    24 days ago

    Host exposure does what it says, exposing the host. Thats not port forwarding.

      • ShortN0te@lemmy.ml
        link
        fedilink
        English
        arrow-up
        2
        ·
        23 days ago

        Because in the local/private network are many hosts, like your phone, pc and your server. Exposing means that the device that is exposed gets basically everything forwarded what usually the router would handle. Exposing does expose a host to the WAN.

        Forwarding a Port only forwards the specified ports. You can use multiple hosts for that. For example you can port forward port 80 to your Phone to port 321 or whatever and port 443 to your server at port 20.

        • GravitySpoiled@lemmy.mlOP
          link
          fedilink
          English
          arrow-up
          2
          ·
          23 days ago

          My router has a setting to expose the host X with port X. The port does nothing. That’s the weird part.

          • ShortN0te@lemmy.ml
            link
            fedilink
            English
            arrow-up
            1
            ·
            23 days ago

            So for port forwarding you need the port on the router the host and the port the traffic should get forwarded to on the selected host.

            So you are saying, when exposing a host then the host is reachable over internet but when using port forwarding it is not?

            How you check this? What commands/procedure?

  • miau@lemmy.sdf.org
    link
    fedilink
    English
    arrow-up
    2
    ·
    24 days ago

    I had a similar scenario.

    My solution was to by a new router, flash it with openwrt, then configure ISP in bridge mode and configure proper firewall on openwrt