this post was submitted on 29 Nov 2024
14 points (93.8% liked)


I moved, and now my new router has no IPv4. I can expose the host with IPv6. After opening a port and exposing the host, the host is fully exposed and all ports are open. It's weird. Vodafone calls it host exposure: I can select a specific port, and all ports are open.

How do you guys circumvent that issue? Is this the infamous CGNAT problem, or is this why many people use a Cloudflare tunnel? I just want to reach my Nextcloud and Immich with a normal domain.

Edit: I called my provider and now I've got an ipv4 address with port forwarding

all 13 comments
[–] mholiv 5 points 4 days ago (1 children)

I’m glad you got it working with IPv4. For the record though, the way to do such a thing in the future is to think in IPv6. In IPv6 there is no NAT or port forwarding, even if you have host exposure. You need to set an appropriate rule in your router firewall.

On the host itself you need to use public IPv6 addresses. Then on the router firewall you set a firewall rule with an appropriate delegation mask allowing traffic to the specified port.

It’s different than IPv4 but once you learn IPv6 it’s easy.

[–] [email protected] 1 points 3 days ago (1 children)

Thx for the explanation!

I can't find much on "ipv6 delegation mask". is there another name for it?

The router firewall can only either be enabled or disabled. In case the delegation mask is the port I can open in the UI. That's the part that's not working correctly.

[–] mholiv 3 points 3 days ago* (last edited 3 days ago)

Yah, that term isn’t an official term. I just meant it in the sense of an IPv6 prefix. Without knowing more about how your router firewall works / is set up, I can’t be too specific.

But in general the way things work with IP addresses is that your ISP provides you with a block of IPv6 addresses. This block is the prefix/first part of any given IPv6 address on your network. Each host uses that prefix and generates a suffix that it adds to it in order to generate a full globally routable IPv6 address.

By default most hosts use the IPv6 privacy extension to generate random suffixes and cycle through them. This is good for privacy but bad for hosting a public service. You need to turn off the privacy extension, and then the second half of the IPv6 address will stay static.

Next up you need to write a firewall rule to allow traffic to that globally routable IPv6 address. In an IPv6 system the router does not intercept or rewrite the packets like it does with IPv4. So all a router does is act as a firewall saying “Yup, outside hosts can or can’t make inbound connections to certain hosts/ports.”

The trick with a consumer IPv6 address space is that just like IPv4 addresses given to your router, the IPv6 prefix can change randomly.

It would be annoying to have to update the firewall rule every time this happened. That’s why the idea of masking matters. You tell the firewall “ignore the prefix of this firewall rule. Just allow or deny based on the static suffix.”

The way to write such rules is different on different firewalls. Most consumer devices don’t have a way to configure such things. Even professional networking equipment mostly makes you use the cli to manage such things.

I hope this helps.
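To make the "mask out the prefix, match the static suffix" idea above concrete, here is an added worked example (not from mholiv's comment or from any router vendor). It simulates a stateless inbound firewall rule in Python: one rule pins the full /128 address and breaks when the ISP rotates the delegated prefix, the other matches only the low 64 bits (the interface identifier) and keeps working. All prefixes and the host suffix are constructed from the 2001:db8::/32 documentation range; the rule and packet dictionaries are this example's own representation, not any firewall's syntax.

```python
import ipaddress

# All values below are constructed for illustration (2001:db8::/32 is the IPv6
# documentation range); they are not from the thread.
PREFIX_BEFORE = "2001:db8:1234:5600::/56"   # prefix the ISP delegated yesterday
PREFIX_AFTER = "2001:db8:abcd:ef00::/56"    # prefix after the ISP changed it
HOST_SUFFIX = "::1a2b:3c4d:5e6f:7a8b"       # stable interface identifier (privacy extensions off)
SUFFIX_MASK = "::ffff:ffff:ffff:ffff"       # mask that keeps only the low 64 bits


def host_address(delegated_prefix: str, suffix: str, subnet_index: int = 0) -> str:
    """Global address of the host: one /64 carved from the delegated prefix plus the stable suffix."""
    net = ipaddress.IPv6Network(delegated_prefix)
    subnet = list(net.subnets(new_prefix=64))[subnet_index]
    full = int(subnet.network_address) | int(ipaddress.IPv6Address(suffix))
    return str(ipaddress.IPv6Address(full))


def suffix_of(address: str) -> str:
    """Interface identifier (low 64 bits) of an address, i.e. what the masked rule keys on."""
    low = int(ipaddress.IPv6Address(address)) & int(ipaddress.IPv6Address(SUFFIX_MASK))
    return str(ipaddress.IPv6Address(low))


def masked_match(address: str, rule_address: str, rule_mask: str) -> bool:
    """True if address equals rule_address on every bit that is set in rule_mask."""
    a = int(ipaddress.IPv6Address(address))
    r = int(ipaddress.IPv6Address(rule_address))
    m = int(ipaddress.IPv6Address(rule_mask))
    return (a & m) == (r & m)


def rule_allows(packet: dict, rule: dict) -> bool:
    """One stateless inbound rule: protocol, destination port and masked destination address."""
    return (packet["proto"] == rule["proto"]
            and packet["dport"] == rule["dport"]
            and masked_match(packet["daddr"], rule["daddr"], rule["dmask"]))


# The fragile way: full address, all-ones mask (equivalent to a /128 match).
FULL_RULE = {"proto": "tcp", "dport": 443,
             "daddr": host_address(PREFIX_BEFORE, HOST_SUFFIX),
             "dmask": "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"}
# The way described above: ignore the prefix, match the static suffix only.
SUFFIX_RULE = {"proto": "tcp", "dport": 443, "daddr": HOST_SUFFIX, "dmask": SUFFIX_MASK}


def inbound_https(daddr: str) -> dict:
    """A constructed inbound TCP/443 packet aimed at daddr."""
    return {"proto": "tcp", "dport": 443, "daddr": daddr}


def survives_prefix_change(rule: dict) -> bool:
    """Does the rule admit HTTPS to our host both before and after the ISP changed the prefix?"""
    before = rule_allows(inbound_https(host_address(PREFIX_BEFORE, HOST_SUFFIX)), rule)
    after = rule_allows(inbound_https(host_address(PREFIX_AFTER, HOST_SUFFIX)), rule)
    return before and after


if __name__ == "__main__":
    print("full /128 rule survives prefix change:", survives_prefix_change(FULL_RULE))        # False
    print("suffix-masked rule survives prefix change:", survives_prefix_change(SUFFIX_RULE))  # True
    # The mask still scopes the rule to exactly one host and one port:
    other_host = host_address(PREFIX_AFTER, "::dead:beef:0:1")
    print("other host admitted:", rule_allows(inbound_https(other_host), SUFFIX_RULE))       # False
    ssh = {"proto": "tcp", "dport": 22, "daddr": host_address(PREFIX_AFTER, HOST_SUFFIX)}
    print("other port admitted:", rule_allows(ssh, SUFFIX_RULE))                             # False
```

The suffix that `suffix_of` extracts is the part that stays stable once temporary addresses are off; on Linux that is controlled per interface by the `net.ipv6.conf.<iface>.use_tempaddr` sysctl (0 disables them). Whether a given firewall can express a non-contiguous mask like `::ffff:ffff:ffff:ffff` varies: nftables has bitwise expressions on `ip6 daddr` that are meant for exactly this (check nft(8) for the exact form on your version), while most consumer router UIs, as the comment says, cannot do it at all.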

[–] [email protected] 3 points 5 days ago (1 children)

If that's your only option, I would expose a single host for solely VPN, and connect to that for access to everything else.

[–] [email protected] 1 points 4 days ago

Good idea. That means also having one device with the reverse proxy.

I wonder if you can expose a container as a host

[–] [email protected] 2 points 5 days ago (2 children)

I had a similar scenario.

My solution was to buy a new router, flash it with OpenWrt, then configure the ISP router in bridge mode and configure a proper firewall on OpenWrt.

[–] [email protected] 1 points 4 days ago

I got an ipv4 address now and everything works as before

[–] [email protected] 2 points 5 days ago (1 children)

Host exposure does what it says: exposing the host. That's not port forwarding.

[–] [email protected] 2 points 4 days ago (1 children)

Why do you need to specify a host to expose it?

[–] [email protected] 2 points 4 days ago (1 children)

Because in the local/private network there are many hosts, like your phone, PC and your server. Exposing means that the exposed device gets basically everything forwarded that the router would usually handle. Exposing does expose a host to the WAN.

Forwarding a port only forwards the specified ports. You can use multiple hosts for that. For example, you can port forward port 80 to your phone at port 321 or whatever, and port 443 to your server at port 20.

[–] [email protected] 2 points 4 days ago (1 children)

My router has a setting to expose the host X with port X. The port does nothing. That's the weird part.

[–] [email protected] 1 points 4 days ago

So for port forwarding you need the port on the router, the host, and the port the traffic should get forwarded to on the selected host.

So you are saying that when exposing a host, the host is reachable over the internet, but when using port forwarding it is not?

How do you check this? What commands/procedure?