So I was looking into getting port forwarding set up and I realized just how closed-off the internet has gotten since the early days. It’s concerning. It used to be you would buy your own router and connect it to the internet, and that router would control port-forwarding and what-have-you.

Now, your ISP provides your router, which runs their firmware, which (in my case) doesn’t even have the option to enable port forwarding.

It gets worse - because ISPs are choosing NATs over IPv6, so even if you install a custom firmware on your router without it getting blacklisted by your ISP, you still can’t expose your server to the internet because the NAT refuses to forward traffic your way. They even devise special NAT schemes like symmetric NAT to thwart hole punching.

Basically this all means that I have to purchase my web hosting separately. Or relay all the traffic through an unnecessary third party, introducing a point of failure.

It’s frustrating.

I like to control my stuff. I don’t like to depend on other people or be in a position where I have to trust someone not to fuck with my shit. Like, if the only thing outside my apartment that mattered to my website was a DNS record, I’d be really happy with that.

Edit: TIL ISPs in the US don’t have NATs

Edit 2: OMG so much advice. My knowledge about computers is SO clearly outdated, I have a lot of things to read up on.

Edit 3: There’s definitely a CGNAT involved since the WAN ip in the router config is not the same as the one I get when I use a website that echoes my IP address. Far as I can tell my devices don’t get unique IPv6 addresses either. (funnily enough, if I check my IP address on my phone using roaming data, there’s no IPv6 address at all). It’s a router/modem combo, at least I think since there’s only one device in my apartment (maybe there’s a modem managing the whole complex or something?). And it doesn’t have a bridge mode, except for OTT. Might try plugging my own router into it, but it feels like a waste of time and money from what I’m seeing. Probably best to just host services over a VPN or smth.

Edit 4: Devices do get unique IPv6 addresses, but it’s moot since I can’t do anything but ping them. I guess it wouldn’t be port forwarding but something else that I would have to do that my router doesn’t support
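
The comparison described in Edit 3 (router WAN address versus the address an external echo site reports), as an added example that is not part of the original post. The function names and verdict labels are hypothetical, and every address in the demo is a constructed sample taken from documentation or reserved ranges.

```python
import ipaddress

# RFC 6598 shared address space, set aside for carrier-grade NAT.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges; one of these on the WAN side means another NAT sits upstream.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
GLOBAL_UNICAST_V6 = ipaddress.ip_network("2000::/3")
ULA_V6 = ipaddress.ip_network("fc00::/7")


def classify_ipv4_path(wan_ip: str, echoed_ip: str) -> str:
    """Compare the router's WAN address with the address an echo site reports.

    Only the verdict "direct" means a port forward configured on your own
    router can be reached from the internet.
    """
    wan = ipaddress.IPv4Address(wan_ip)
    echoed = ipaddress.IPv4Address(echoed_ip)
    if wan in CGNAT:
        return "cgnat"                # ISP assigned shared (RFC 6598) space
    if any(wan in net for net in RFC1918):
        return "private-wan"          # double NAT: an upstream box owns the public IP
    if wan != echoed:
        return "translated-upstream"  # public-looking WAN, rewritten further out
    return "direct"                   # the WAN address is what the internet sees


def classify_ipv6(addr: str) -> str:
    """Say whether a device's IPv6 address is routable from the internet at all.

    A "global" address needs no port forward; whether inbound connections
    arrive is decided by firewall rules on the path, not by translation.
    """
    ip = ipaddress.IPv6Address(addr)
    if ip.is_link_local:
        return "link-local"           # fe80::/10, valid on the local link only
    if ip in ULA_V6:
        return "unique-local"         # fc00::/7, private, not routed publicly
    if ip in GLOBAL_UNICAST_V6:
        return "global"
    return "other"


if __name__ == "__main__":
    # Constructed (WAN address, echoed address) pairs.
    samples = [
        ("100.72.13.5", "198.51.100.24"),
        ("192.168.1.2", "198.51.100.24"),
        ("203.0.113.9", "198.51.100.24"),
        ("198.51.100.24", "198.51.100.24"),
    ]
    for wan, echoed in samples:
        print(f"WAN {wan:15} echoed {echoed:15} -> {classify_ipv4_path(wan, echoed)}")
    for addr in ("2001:db8:1234::10", "fd12:3456:789a::1", "fe80::1"):
        print(f"{addr:20} -> {classify_ipv6(addr)}")
```
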

  • Rognaut@lemmy.world
    114 upvotes · 1 year ago

    In the US and I use my own personal modem and router. Renting their equipment is optional.

    • NateNate60@lemmy.world
      29 upvotes · 1 year ago

      Same here. I get $10 off for using my own router. That’s $120 off per year. A cheap router bought from a supermarket cost me $60. It works fine, the signal quality is only okay but my flat’s pretty small anyway. Getting your own router is just a financially sensible option.

      • BloodSlut@lemmy.world
        3 upvotes · 1 year ago

        buying my own upper-midrange router still cost me less than renting from the ISP over a three year period

    • TunaLobster@lemmy.world
      15 upvotes, 2 downvotes · 1 year ago

      Not really with ATT fiber anymore. The fiber goes straight into their router to authenticate. There is no option for me to purchase an equivalent piece of equipment. I am forced to pay to use their equipment. Fuck ATT.

    • PHLAK@lemmy.world
      9 upvotes · 1 year ago

      Yeah, as soon as I read the second paragraph my thought was “buy your own router”. Problem solved.

    • dsemy@lemm.ee
      3 upvotes, 1 downvote · 1 year ago

      Can you recommend a good router that isn’t extremely expensive?

      I did some research about a year ago and started using a router recommended by both random users and reviewers (TP-Link Archer AX-3000 I think) only to quickly find out it had a bad QoS implementation which broke applications sending IP packets with certain DSCP values (SSH by default, Mumble, VoWiFi on an iPhone, WhatsApp calls) so I switched back to an ISP provided router unfortunately. When I talked to TP-Link support they sent me firmware which would have allowed them to connect to my router using telnet (absolutely insane IMO, especially since other users also complained about this issue).

      Further research showed that many consumer-level routers have these kinds of issues, so I’m reluctant to try this again.

    • BobGnarley@lemm.ee
      2 upvotes · 11 months ago

      Not for Spectrum it isn’t, unfortunately. You can use your own router but you have to use their modem.

  • slazer2au@lemmy.world
    66 upvotes · 1 year ago

    Yes CGNAT is used quite a lot, but consider 95% of customers don’t care what their public address is and that “saves” the carrier address space.

    We are the 5% that do care and if you call your ISP they likely have an option to exclude you from cgn and get an actual public IP.

    • Rambomst@lemmy.world
      27 upvotes · 1 year ago

      This. I have been with multiple ISPs that use CGNAT and all had a solution to allow you to self host, just need to contact them.

    • ⲇⲅⲇ@lemmy.ml
      8 upvotes, 3 downvotes · 1 year ago

      I am into tech/programming/devops, I make my own servers, but I would still prefer to be under CGNAT as I feel more safe. I wouldn’t open any port or tunnel to my local home network, I wouldn’t feel that safe. So for me, a CGNAT is perfect.

      • MigratingtoLemmy@lemmy.world
        9 upvotes · 1 year ago

        Yup. I’ll open a port in a cheap VPS and tunnel my traffic over that rather than directly open ports on my router. If people here can trust Cloudflare they can use their tunnels too

        • ⲇⲅⲇ@lemmy.ml
          1 upvote · 1 year ago

          Yeah, I would do that before exposing my router to public and opening ports, but for the tunnel I would use something like WireGuard into a virtual network at my home just to improve security. I’m not a fan of Cloudflare.

          • MigratingtoLemmy@lemmy.world
            1 upvote · 1 year ago

            Whatever works. I prefer OpenVPN/Softether for their SSL VPN implementations, and am too lazy to be arsed to deal with stunnel and Wireguard. But if you’re not as paranoid then Wireguard works perfectly fine

        • ⲇⲅⲇ@lemmy.ml
          1 upvote · 1 year ago

          Why are you saying that? I know it’s not a firewall, I’m just saying it doesn’t expose your router directly to internet, most of the routers also have firewall, and you can DMZ or port forward that you normally turn them on once you expose your router to public so bots or people can make direct requests to your router.

      • slazer2au@lemmy.world
        4 upvotes · 1 year ago

        And there is nothing wrong with that. Both systems work for different people. I am on the I like a public address on my place camp, but I have worked where we did cgn for an apartment building and out of the 150 residences none asked for a public address. Saving us a /25 which we could sell to business customers for $5/m per /29

      • FMT99@lemmy.world
        2 upvotes · 1 year ago

        I have ports open (to receive backups from my other servers) but only to connections from specific IP addresses and only port 22 using a pub key (no password). I’d be hesitant to open port 80 to the public though.

        Then again I’ve run a small public web server for well over a decade and never had any issues with hackers.

        • ⲇⲅⲇ@lemmy.ml
          2 upvotes, 1 downvote · edited 1 year ago

          > I’ve run a small public web server for well over a decade and never had any issues with hackers.

          It’s never late to get hacked or an attack or a problem with your ISP router firmware. I don’t think that’s an excuse.

          > receive backups from my other servers

          You can simply do cronjob and `scp user@server:/path/to/backup .` to get things from server to your local network, I don’t see the need to expose your router to the public. For a web server, there are cheap VPS providers for less than 5 dollars a month, and you save up energy, hardware, and improve safety at home.

          • lud@lemm.ee
            1 upvote · 1 year ago

            Why use your ISPs router then? Just buy your own.

            And a webserver is probably the safest thing to put online.

            You can also put the server in a DMZ and/or use reverse proxies and a bunch of other stuff.

            • ⲇⲅⲇ@lemmy.ml
              1 upvote · 1 year ago

              I already have my own router, even if a web server is safer, you are still exposing your IP which is what I don’t want to do. DMZ doesn’t solve anything, is just worse than setting up a port forward as you are opening all the ports to the server at home, your server at home has access to all your network so once infected by any 0-day exploit, you are fucked up.

              I just hire online servers and I have my own Ansible playbooks to manage those servers, this way I don’t provide my real IP (my home) to anyone.

              • lud@lemm.ee
                1 upvote · edited 1 year ago

                > as you are opening all the ports to the server at home, your server at home has access to all your network so once infected by any 0-day exploit, you are fucked up.

                No, the entire point of a DMZ is to insulate a device from the rest of the network and you can (should) configure which ports that are forwarded to the DMZ, don’t just forward everything. You can (should) also configure a bunch of other normal firewall rules for the DMZ.

                Personally I don’t consider “exposing” your home IP to be a big deal. It’s just an IP.

                • ⲇⲅⲇ@lemmy.ml
                  1 upvote · edited 1 year ago

                  https://en.wikipedia.org/wiki/DMZ_(computing)#DMZ_host -> By definition, this is not a true DMZ (demilitarized zone), since the router alone does not separate the host from the internal network.


                  Home routers aren’t firewalls or something similar, they have some minimal logic that can act like a firewall, but they aren’t. There is no need to expose your IP, there are many alternatives to do stuff without exposing it.

  • nutsack@lemmy.world
    38 upvotes · edited 1 year ago

    i repeatedly petitioned our landlord (once a year) to allow an alternative isp to hook up to the building, and he eventually was so pissed from my requests that he threatened to press charges against me personally if the electrical box were ever opened

    • theblueredditrefugee@lemmy.dbzer0.com (OP)
      17 upvotes, 1 downvote · 1 year ago

      My internet is included in rent. Which is convenient for day-to-day use but gives me less capacity for customization. Like, I admit it, the system works really well for normal people, I’m just a weirdo who likes tinkering with technology, hosting websites, and whatnot

      • nutsack@lemmy.world
        3 upvotes · 1 year ago

        i threatened to do this in my petitions, as my calls with work were dropping due to jitter

  • heyitsmikey128@lemmy.world
    32 upvotes · 1 year ago

    What ISP do you have and what country are you in? I have Comcast in the US and do not have this issue even though they are a big and shitty ISP (I even use their modem, but I do have my own router which I HIGHLY suggest).

    • ChuckEffingNorris@lemmy.ml
      13 upvotes · 1 year ago

      The older and shittier the ISP the more blocks of IPV4 addresses they have. They have blocks from when they were given out willy nilly.

      New ISPs, the ones that compete and bring the prices down have to buy addresses and that costs money and is a cost bigger and older ISPs do not have.

      This is a case for regulation - either mandating a move to V6 or mandating the release of stockpiled v4 addresses. ISPs will not do that on their own, the addresses can currently be sold for lots of money.

  • Corgana@startrek.website
    21 upvotes · 1 year ago

    Apologies if you’ve answered this elsewhere but I’m assuming there’s a reason you haven’t bought your own router?

  • TCB13@lemmy.world
    13 upvotes · 1 year ago

    > It gets worse - because ISPs are choosing NATs over IPv6,

    Yes, because they’re mostly pieces of shit, technically inept and unable to properly deploy IPv6 at a large scale.

    Either way IPv6 doesn’t fix everything as you’ll still need a real IPv4 to access a large part of the internet or some translation (MAP-T/MAP-E). Even if your ISP provided dual stack with a real public IPv6 + CGNAT / MAP-T IPv4 it would still be annoying as you wouldn’t be able to do port forwarding on the IPv4 and won’t be able to access your self-hosted services from a LOT of networks that are IPv4 only.

    There are two versions of MAP – translated (MAP-T) and encapsulated (MAP-E). In MAP-E IPv4 traffic is encapsulated into IPv6 using a v6 header before it is sent over the v6 network. At the network operator’s boundary router, the IPv6 header is then stripped, and the IPv4 traffic is forwarded to the v4 Internet. In MAP-T, the IPv4 packet header is mapped to the IPv6 header and back. The difference between the two options is evident in their names. MAP-E uses IPv6 to encapsulate and de-encapsulate IPv4 traffic, whereas MAP-T uses NAT64 to translate IPv4 to IPv6 and back.

  • yamanii@lemmy.world
    12 upvotes · edited 1 year ago

    Yep, the US reserved most of the ipv4 for them so they have no need for CGNAT, I had to change my ISP to host a terraria server for my friends because of it, but if you don’t live in a big city you have no options.

    I read that you can say to your ISP that you need port forwarding to use a remote camera system and they will make an exception for you, but I just switched since I even got a better speed deal.

  • TheInsane42@lemmy.world
    8 upvotes · 1 year ago

    I’d advise to look into ipv6 tunnels and try to get that working. Abandon ipv4 when your isp refuses to ipv6.

  • misophist@lemmy.world
    5 upvotes · 1 year ago

    In my country, the ISP rents you a modem and router. I told them I had my own modem and router during setup and my monthly cost is slightly less than their advertised price.

    I am fortunate that my ISP gives me a routable address, but it is still only dynamic and may change a couple times a year. I would have to pay for a commercial plan if I want a static IP. Some other local ISPs use carrier grade NAT, but you can still request a publicly routable static IP with a business plan. Maybe you can ask your ISP for that?

  • bayank@sh.itjust.works
    4 upvotes · 1 year ago

    Might not be ideal but perhaps simpler, do you have the ability to upgrade your service to business class? Usually the business tiers allow such things and they will support self hosting and open up the ports for you if you ask. It will likely cost more for the same speed you currently have. Another option to consider

    • theblueredditrefugee@lemmy.dbzer0.com (OP)
      2 upvotes · edited 1 year ago

      I’ve thought about using AWS for hobbyist web applications, but I worry about difficult-to-predict costs

      That said, after a cursory glance, HOLY SHIT IT’S FREE

      Obviously still not a great solution if DMCA is a concern

      • gornius@lemmy.world
        1 upvote · 1 year ago

        If you’re lucky enough to successfully create an account on Oracle Cloud, you can also try Oracle Cloud Free Tier. You can have free ARM64 x4 CPU and 24 GiB RAM totally free of charge. There might be problems with availability during VM registration, but there are scripts that automate spamming for checking every 80 seconds.

        I’ve been using it for 2 years and it’s great. However be aware that your VM might get erased if you have a free account. That too can be remedied if you update to a premium subscription (You still get Free Tier resources without a charge). Nobody has reported an erased VM on a premium plan yet.

        Still, I am pretty sure they can erase it if you do illegal stuff with it. I’ve been using it only to host Minecraft Server, as well as other services using Docker. So far so good.

  • bruhduh@lemmy.world
    4 upvotes · 1 year ago

    Cheapest vps plus “sshuttle” may work, host everything on your home server but have dedicated ip of your vps

    • WindowsEnjoyer@sh.itjust.works
      4 upvotes · 1 year ago

      First time hearing about sshuttle, thanks! What I did some time ago is to order small VPS in Linode, hosted wireguard server and let my router connect to it. Since connection is established - I’ve port-forwarded all ports (except 22) from VPS to my router via established wireguard connection.

      Then all I have to do is to manage port forwarding on my router, but if I want to connect to my router from outside - I must use VPS IP.

      Worked great, except the fact that I used to have mobile internet and as a rule of thumb - upload speed of mobile internet suck ass…

  • BearOfaTime@lemm.ee
    3 upvotes · edited 1 year ago

    On the flip side, direct open ports to your home network isn’t really a great idea anyway.

    At one time it wasn’t as bad, but today I’d be hesitant because of the number and capability of bad actors and I’m not a network security expert (though I have a lot of training in networks, just shy of that kind of expertise).

    In a way, these restrictions have promoted the use of even more secure approaches, like using Cloudflare tunnels, VPS’s with VPN connections to your network, or things like Wireguard/Tailscale, which provide a virtual (encrypted) network layered on top of the public (untrusted) network.

    All of these can provide an externally controlled (secured and encrypted) access to specific resources within your own network. As mentioned, VPS with VPN, Cloudflare tunnels, or Tailscale Funnel or Share.