So I was looking into getting port forwarding set up and I realized just how closed-off the internet has gotten since the early days. It’s concerning. It used to be you would buy your own router and connect it to the internet, and that router would control port-forwarding and what-have-you.
Now, your ISP provides your router, which runs their firmware, which (in my case) doesn’t even have the option to enable port forwarding.
It gets worse - because ISPs are choosing NATs over IPv6, so even if you install a custom firmware on your router without it getting blacklisted by your ISP, you still can’t expose your server to the internet because the NAT refuses to forward traffic your way. They even devise special NAT schemes like symmetric NAT to thwart hole punching.
Basically this all means that I have to purchase my web hosting separately. Or relay all the traffic through an unnecessary third party, introducing a point of failure.
It’s frustrating.
I like to control my stuff. I don’t like to depend on other people or be in a position where I have to trust someone not to fuck with my shit. Like, if the only thing outside my apartment that mattered to my website was a DNS record, I’d be really happy with that.
Edit: TIL ISPs in the US don’t have NATs
Edit 2: OMG so much advice. My knowledge about computers is SO clearly outdated, I have a lot of things to read up on.
Edit 3: There’s definitely a CGNAT involved since the WAN ip in the router config is not the same as the one I get when I use a website that echos my IP address. Far as I can tell my devices don’t get unique IPv6 addresses either. (funnily enough, if I check my IP address on my phone using roaming data, there’s no IPv6 address at all). It’s a router/modem combo, at least I think since there’s only one device in my apartment (maybe there’s a modem managing the whole complex or something?). And it doesn’t have a bridge mode, except for OTT. Might try plugging my own router into it, but it feels like a waste of time and money from what I’m seeing. Probably best to just host services over a VPN or smth.
Edit 4: Devices do get unique IPv6 addresses, but it’s moot since I can’t do anything but ping them. I guess it wouldn’t be port forwarding but something else that I would have to do that my router doesn’t support
I am into tech/programming/devops, I make my own servers, but I would still prefer to be under CGNAT as I feel more safe. I wouldn’t open any port or tunnel to my local home network, I wouldn’t feel that safe. So for me, a CGNAT is perfect.
Yup. I’ll open a port in a cheap VPS and tunnel my traffic over that rather than directly open ports on my router. If people here can trust Cloudflare they can use their tunnels too
Yeah, I would do that before exposing my router to public and opening ports, but for the tunnel I would use something like WireGuard into a virtual network at my home just to improve security. I’m not a fan of Cloudflare.
Whatever works. I prefer OpenVPN/Softether for their SSL VPN implementations, and am too lazy to be arsed to deal with stunnel and Wireguard. But if you’re not as paranoid then Wireguard works perfectly fine
This is a friendly reminder that NAT is not a firewall and should not be treated as such.
Thank you.
Why are you saying that? I know it’s not a firewall, I’m just saying it doesn’t expose your router directly to internet, most of the routers also have firewall, and you can DMZ or port forward that you normally turn them on once you expose your router to public so bots or people can make direct requests to your router.
And there is nothing wrong with that. Both systems work for different people. I am on the I like a public address on my place camp, but I have worked where we did cgn for an apartment building and out of the 150 residences none asked for a public address. Saving us a /25 which we could sell to business customers for $5/m per /29
I have ports open (to receive backups from my other servers) but only to connections from specific ip addresses and only port 22 using a pub key (no password) I’d be hesitant to open port 80 to the public though.
Then again I’ve run a small public web server for well over a decade and never had any issues with hackers.
It’s never late to get hacked or an attack or a problem with your ISP router firmware. I don’t think that’s an excuse.
You can simply do cronjob and
scp user@server:/path/to/backup .to get things from server to your local network, I don’t see the need to expose your router to the public. For a web server, there are cheap VPS providers for less than 5 dollars a month, and you save up energy, hardware, and improve safety at home.