this post was submitted on 29 Jun 2023
31 points (97.0% liked)

Selfhosted

39200 readers
265 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
ruud
Loki
CannaVet
devve
HybridSarcasm
[email protected]
31
ISP not offering port forwarding anymore (self.selfhosted)
submitted 1 year ago* (last edited 1 year ago) by marsokod to c/selfhosted
33 comments fedilink hide all child comments
 

Hello everyone, I would need some advice on my setup.

I had an ISP with basic DSL 60/20Mbps and I was hosting my services at home with SWAG as a main proxy, opening the ports. I ordered 2 days ago a plan with a new ISP for a 1Gbps line, that offered port forwarding as well. The installation was done today and it turns out they retired the port forwarding on my offer yesterday.

I can see potentially 3 choices:

  1. stay with the old ISP and the slow-ish line. My main issue was the uplink speed that made off-site backup a pain
  2. go with the new ISP but order the higher speed plan that is £25/month more expensive, and without a proper guarantee that they will keep offering the port forwarding
  3. use the non-port forwarding option, but rent a small VPS that would act as a front-end (through zerotier/tailscale/direct wireguard), paying a small latency cost when accessing remotely.

I am not fully sure about the pros and cons of the different ways on the last option. I would be kin on keeping my home server fully capable, the point of me self-hosting being to cope with temporary disconnection at home. But then you can either have an IP table routing in the VPS to forward everything on the used port, or have another nginx proxy there to redirect everything. And I am not fully sure VPS providers are generally OK with this kind of use.

Has anyone got a similar setup to option 3 and would have some advices?

Edit 1: Thanks a lot for your comments everyone!

I got a small VPS (not the cheapest one yet) and setup a wireguard tunnel following this principle and it seems to be working so far. I'll monitor a bit the situation as I have 14 days to cancel my plan. I'll also see how it works for gitea running in docker in the NAT and ssh forwarding, I suspect this will be a fun endeavour.

I decided to avoid using cloudflare tunnel. And I am avoiding using a nginx proxy at the moment as I would need to ensure the certificates are properly synced between the two (or maybe letsencrypt allows you to have two certificates for the same domain?)

top 33 comments
sorted by: hot top controversial new old
[–] Sir_Kevin 24 points 1 year ago (1 children)

I would cancel the new ISP on principal. Fool me once shame on you, if they fool me twice it's on me. I wouldn't give them the opportunity to fuck me again.

[–] marsokod 8 points 1 year ago (1 children)

Indeed, the way they did that makes me quite angry. But at the same time, that's 1Gbps vs 20Mbps upload, and I was struggling with the limitation when working from home sometimes. The one one is also cheaper so if the tunneling option works without too much pain, I'd be willing to give it a go.

[–] eric5949 3 points 1 year ago

I have TMobile internet so port forwarding as far as I can tell is not possible unless I go with a business plan and in my experience cloudflare tunnels are extremely slow

[–] manwichmakesameal 18 points 1 year ago (1 children)

Having your ISP do your port forwarding seems alien to me as that's not the norm where I am. Since it seems like a standard thing where you are, you may run the risk of another ISP doing the same thing. Personally, if the price is right, I'd take the latency hit and get a VPS and route all inbound traffic through that via wireguard.

[–] marsokod 1 points 1 year ago

This ISP does not have enough IPv4 available so they are using carrier grade NAT: https://www.ispreview.co.uk/talk/threads/useful-notes-on-the-community-fibre-service.38704/

This was only used for their lower tier, with them confirming it on the 27th by email. The next day they changed that.

[–] [email protected] 8 points 1 year ago (1 children)

When you say "no port forwarding", do you mean you aren't given a public routable IP address and you're behind Carrier Grade NAT? Does your router get an IP address starting with 100 or 10?

If so just request a public IP, it might cost you extra but it's worth it, that should open up the port forwarding option on your router.

I imagine you're with a new altnet provider in the UK, is it LilaConnect by any chance?

[–] marsokod 1 points 1 year ago

Yes they are using carrier grade NAT. This was only affecting the lower speed but they decided to bump up for the Gbps offer.

I'll try to request a public IP by calling the cancelling line but they do not offer it officially. I am with Community Fibre. I will try to set up a VPS with wireguard for a 1-day test to see if it is worth it.

[–] [email protected] 6 points 1 year ago

A couple thoughts for you. I have a wonderful local fiber ISP and when I got hooked up, I discovered they were doing CG-NAT on residential connections. I called up and asked if I could have a public IP to host services and they just immediately gave me one. Definitely not the stereotypical ISP interaction, but if you haven’t already tried asking politely, it might be worth a shot.

On the last item, yes, letsencrypt lets you get certs for the same domain from multiple hosts, but I’ll often use a self-signed cert on the host and then get the public-facing cert at the reverse proxy level. No need to coordinate copying certs over in most cases.

[–] [email protected] 6 points 1 year ago

Slap CloudFlare tunnel in front of your web services and call it a quits?

[–] [email protected] 6 points 1 year ago

What's the ISP? Is it one of those ISPs that do CG-NAT by chance?

It seems weird that port forwarding is even considered to be a feature on the ISP side, that's usually a router thing.

Any chance you could run your own router? Because as long as your router can connect to the ISP, and get a public IP from it, there's not much the ISP can do unless they have firewalls or a NAT system.

The only situation that makes sense to not do port forwarding is those CG-NAT ISPs and carriers.

Otherwise, yeah, you can get the smallest possible VPS possible (some can be obtained for $3-$5/mo) and you can just VPN your stuff home pretty easily.

[–] [email protected] 5 points 1 year ago

Do you have IPv6? Just let your service’s IP/port through the firewall.

(If you have no IPv6 but CGNAT, the ISP is bad…)

[–] [email protected] 4 points 1 year ago

I would consider cancelling as well because its a bait and switch. BUT if the price and speed are good then just roll with Cloudflare tunnels in docker. It bypasses both their port forward, and your routers and creates essentially a VPN between your containerized services and Cloudflare's ingress points.

[–] [email protected] 4 points 1 year ago* (last edited 1 year ago) (2 children)

I switched to a fiber to the home ISP and only found out they do CG-NAT afterwards. I opted to go VPS with Wireguard and it has been problem free and only cost me $2.50 USD/mo.

[–] elghoto 2 points 1 year ago

what's the VPS provider that you are using?

[–] [email protected] 3 points 1 year ago

I have about 25 letsencrypt certificates on the same domain, so that is definitely not an issue.

[–] [email protected] 3 points 1 year ago (1 children)

Just use a cloudflare tunnel. It's free and can be used on pretty much any network that sends and receives data.

[–] [email protected] 1 points 1 year ago

I second this. cloudflare tunnels are nice and convenient af. Fine even if you don't have a static IP, as long as you're keeping configs server-side.

[–] [email protected] 2 points 1 year ago (1 children)

Do they not offer an opt-out of CG-NAT? or a surcharge for a static IP?

[–] marsokod 1 points 1 year ago (1 children)

No dedicated opt-out offered, but I can migrate to the 3Gbps plan that is not using CG-NAT (for now...) But that is £25/month more expensive. That's a nice VPS.

[–] [email protected] 2 points 1 year ago

I think 25 euro more for a 3gig non-cgnat plan is worth it. But I'm Australian and paying $150aud per month for 1000/50 (or $200 for 250/100 if i wanted) so I'm not the best judge of value. I've been long propagandised into thinking decent internet is a luxury for large tech corporations only.

[–] lhx 2 points 1 year ago

The last option. VPS are freaking fast, and if you have Gbps at home, that should be plenty fast.

[–] [email protected] 2 points 1 year ago (1 children)

Your ISP gives you 1Gbps but doesn't give you your own IP so you need port forwarding?

[–] marsokod 1 points 1 year ago (1 children)

Yes exactly

[–] [email protected] 2 points 1 year ago

I'm assuming CGNAT is the problem here? Interesting that they ever even offered a port-forwarding option since that'd be the first time I have heard of that.

[–] fedev 1 points 1 year ago

IPv6 is a viable option. Depending on how you set things up, you'd have to firewall the devices pretty good as in IPv6, devices are exposed to the internet. All open ports would be accessible.

[–] [email protected] 1 points 1 year ago

If your self-served stuff is just for you or family, I use tailscale for that. Nothing publicly enabled, have to be in the tailscale net to access.

[–] [email protected] 1 points 1 year ago (1 children)

Have you considered keeping both plans? You said it was a different isp - dsl and fiber use different cables is it may be possible. Depending on what youre after, this may be a fun project for tying two lines together.

[–] marsokod 2 points 1 year ago

I did consider it, and I have not cancelled the old one yet. But that becomes more expensive than migrating to the higher end plan without CG NAt of the provider.

[–] RandomPickle13 1 points 1 year ago* (last edited 1 year ago)

I have a setup for option 3 almost exactly as you describe, using Wireguard to connect the servers to the vps and Nginx on the vps to redirect everything. I dont have any noticable latancy, although I do not run anything that relies on realtime interaction, so ymmv.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

So it sounds to me like you may have to deal with a IPv4 only address behind CGNAT, which makes port forwarding not work anymore. It's how my connection is set up, but luckily it does fully support IPv6 and that doesn't require any forwarding so I make do.
If IPv6 isn't an option for you or you'd like to access your services from IPv4 only networks, I'd just go with Tailscale myself. I've been a happy user for years and it just works so well, should be good in your situation as well.