I moved, and now my new router has no ipv4. I can expose the host with ipv6. After opening a port and exposing the host, the host is fully exposed and all ports are open. It’ss weird. Vodafone calls ut host exposure, I can select a specific port and all ports are open.

How do you guys corcumvent that issue? Is this the infamous cgnat problem or is this why many people use a cloudflare tunnel? I just want to reach my nextcloud and immich with a normal domain.

Edit: I called my provider and now I’ve got an ipv4 address with port forwarding

  • mholiv@lemmy.world
    link
    fedilink
    English
    arrow-up
    5
    ·
    19 days ago

    I’m glad you got it working with IPv4. For the record though the way to do such a thing in the future is to think in IPv6. In IPv6 there is no nat or port forwarding. Even if you have host exposure. You need to set an appropriate rule in your router firewall.

    On the host itself you need to use public IPv6 addresses. Then on the router firewall you set a firewall rule with an appropriate delegation mask allowing traffic to the specified port.

    It’s different than IPv4 but once you learn IPv6 it’s easy.

    • GravitySpoiled@lemmy.mlOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      18 days ago

      Thx for the explanation!

      I can’t find much on “ipv6 delegation mask”. is there another name for it?

      The router firewall can only either be enabled or disabled. In case the delegation mask is the port I can open in the UI. That’s the part that’s not working correctly.

      • mholiv@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        edit-2
        18 days ago

        Yah that term isn’t an official term. I just meant it in the sense of a IPv6 prefix. Without knowing more about how your router firewall works / in set up I can’t be too specific.

        But in general the way things work with ip addresses is that your ISP provides you with a block of IPv6 address. This block is the prefix/first part of any given ipv6 address on your network. Each host uses that prefix and generates a suffix that it adds in to it in order to generate a full globally reputable IPv6 address.

        By default most hosts use the IPv6 privacy extension to random suffixes and cycle through them. This is good for privacy but bad for hosting a public service. You need to turn off the privacy extension and the second half of the IPv6 address will stay static.

        Next up you need to write a firewall rule to allow traffic to that globally routable IPv6 address. In an IPv6 system the router does not intercept or rewrite the packets like it does with IPv4. So all a router does is act as a firewall saying “Yup outside hosts can or can’t make inbound connections to certain hosts/ports”

        The trick with a consumer IPv6 address space is that just like IPv4 addresses given to your router, the IPv6 prefix can change randomly.

        It would be annoying to have to update the firewall rule every time this happened. That’s why the idea of masking matters. You tell the firewall “ignore the prefix of this firewall rule. Just allow or deny based on the static suffix.”

        The way to write such rules is different on different firewalls. Most consumer devices don’t have a way to configure such things. Even professional networking equipment mostly makes you use the cli to manage such things.

        I hope this helps.