Port Forwarding Debacle

Trompie67

Hey folks,

I've been trying to open ports to no avail.

My public IP is a 102.***.**.** & this is recognised by dynudns, no issues, same as with whatismyip.

When I try to open port 80 it is not seen - cannot ping it, and canyouseeme says it fails - port is not open. Tried various different ports, all pointing to an IP on my home server. Nothing works.

Then I had a look at my WAN IP as shown on my router. It is a 100.**.**.** address - which AFAIK is an internal IP? Which would explain why I cannot get the port forwarding to work!

Setup is as follows:
Openserve fibre with Webafrica as ISP.
Fibre ONT to Ubiquiti Amplifi Instant home mesh router.

To me, it seems the ONT is dishing out an internal IP to the Ubiquiti router, instead of just passing the public IP through?

Any suggestions/recommendations - anyone had this before?

TIA!
 
Are the incoming and local requests both on port 80?

You don't need to worry about your public IP locally, just tell the router to forward port 80 to the internal IP if you didn't do that already.
If it still doesn't work then maybe try a custom port if you are able to.
 
I haven't had my hands on fibre kit yet to play with, but if your ONT and the Ubiquiti router have firewall/NAT capabilities then you will have to port forward twice or disable firewall/NAT on the Ubiquiti.
 
Thanks for the input.

Have told router to forward port 80 to local_ip_port 8987, as that is the application I'm wanting to access on the home server.

ONT "should" be nothing more than a conduit. Amplifi Instant router has no firewall setting that I can see anywhere in the interface, either via the app or web console.

I do not understand why the Amplifi Instant router is showing the WAN IP as what is effectively a private IP, being in the 100.**... range. It should show the public IP surely?

If I do a google of the 100 IP range it is indeed a private IP range, with the following comment (Greek to me):
  • A special range 100.64.0.0 to 100.127.255.255 with a 255.192.0.0 or /10 network mask; this subnet is recommended according to rfc6598 for use as an address pool for CGN (Carrier-Grade NAT)
 
Did you ask Webafrica if they have firewall/NAT in place?
Maybe use traceroute to your public IP to see what hops are in between you and it.

I know with some of the WISP services you have to ask the ISP to open the port for you on their side too, but I have no experience with fibre so not sure how it works there.

If possible did you try to specify the port 8987 on the remote side so you don't have to use port 80? Just remember to update the router so it will listen for and forward to port 8987.
 
Oh and don't turn off your router's firewall or NAT, it's not a good idea unless you have two on your network. Rather use DMZ to test, it will forward all ports to a given IP so you only have to worry about specifying the port on the remote side, but it's also not a good idea to leave it on if you can help it.
 
Have figured it out - did a google of

A special range 100.64.0.0 to 100.127.255.255 with a 255.192.0.0 or /10 network mask; this subnet is recommended according to rfc6598 for use as an address pool for CGN (Carrier-Grade NAT)


And found the following thread on myBB:


Got hold of Webafrica - (Fk me, they answered with whatsapp line within 5 minutes, must be a miracle!) & they confirmed that my public IP is shared & that my line is being CGNatted. = Carrier Grade NATted.

Problem solved for an additional fee of R29-00 per month I will be allocated a static IP.

 
Glad you got sorted. If I had seen this earlier I would have been able to point you to the end result of asking WA for a static IP instead of the CGNAT (I am yet to be charged R29.00 on my bill so who knows...) :D
 
Happy to report the problem is sorted. Been issued a static IP & all is now working the way it should.
 
I've just been through this dance with WA support a few months back and it was enough of a battle just explaining what I was trying to do (expose my OctoPi for remote access). Thanks for the info, at least I know I have another option.
 
Discovered another way around this over the weekend, and it will work even if you are CGNAT'ted.

Cloudflare tunnels. Super easy to set up & use - easier than NGINX Proxy manager for me anyway. Plus, as an added bonus, you do not have to have any ports forwarded on your router.
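
The diagnosis reached in this thread (router WAN address inside 100.64.0.0/10 while the internet sees a different public address) can be checked mechanically. The following is an added example, not part of the original thread; the function names and the sample addresses are constructed for illustration.

```python
import ipaddress

# RFC 6598 shared address space: the CGN range quoted in the thread.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges: a WAN address here means another NAT device upstream.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

ADVICE = {
    "cgnat": "ISP is translating your traffic; forwards on your router are "
             "unreachable from outside. Ask for a public/static IP or use an "
             "outbound tunnel.",
    "double-nat": "another NAT device sits upstream; forward the port there "
                  "as well.",
    "direct": "router holds the public address; a port forward here should be "
              "reachable.",
    "mismatch": "WAN address is public but differs from the observed one; "
                "check for a proxy, VPN or stale DNS record.",
}


def classify_wan(wan_ip: str, public_ip: str) -> str:
    """Compare the router's WAN address with the address seen from the internet."""
    wan = ipaddress.ip_address(wan_ip)
    public = ipaddress.ip_address(public_ip)
    if wan in CGNAT:
        return "cgnat"
    if any(wan in net for net in RFC1918):
        return "double-nat"
    if wan == public:
        return "direct"
    return "mismatch"


def report(wan_ip: str, public_ip: str) -> str:
    """One-line summary suitable for a log or a support ticket."""
    verdict = classify_wan(wan_ip, public_ip)
    return f"WAN {wan_ip} / public {public_ip}: {verdict} - {ADVICE[verdict]}"


if __name__ == "__main__":
    # Constructed sample addresses (203.0.113.0/24 is a documentation range).
    for wan, public in [("100.64.12.34", "203.0.113.7"),
                        ("192.168.1.2", "203.0.113.7"),
                        ("203.0.113.7", "203.0.113.7")]:
        print(report(wan, public))
```

Take the WAN address from the router's status page and the public address from a service such as whatismyip, as the original poster did.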
 
