14
port opening with ipv6 host exposure (lemmy.ml)
submitted 3 weeks ago* (last edited 3 weeks ago) by GravitySpoiled@lemmy.ml to c/selfhosted@lemmy.world
13 comments fedilink hide all child comments

I moved, and now my new router has no ipv4. I can expose the host with ipv6. After opening a port and exposing the host, the host is fully exposed and all ports are open. It'ss weird. Vodafone calls ut host exposure, I can select a specific port and all ports are open.

How do you guys corcumvent that issue? Is this the infamous cgnat problem or is this why many people use a cloudflare tunnel? I just want to reach my nextcloud and immich with a normal domain.

Edit: I called my provider and now I've got an ipv4 address with port forwarding

you are viewing a single comment's thread
view the rest of the comments
[-] mholiv@lemmy.world 3 points 3 weeks ago* (last edited 3 weeks ago)

Yah that term isn’t an official term. I just meant it in the sense of a IPv6 prefix. Without knowing more about how your router firewall works / in set up I can’t be too specific.

But in general the way things work with ip addresses is that your ISP provides you with a block of IPv6 address. This block is the prefix/first part of any given ipv6 address on your network. Each host uses that prefix and generates a suffix that it adds in to it in order to generate a full globally reputable IPv6 address.

By default most hosts use the IPv6 privacy extension to random suffixes and cycle through them. This is good for privacy but bad for hosting a public service. You need to turn off the privacy extension and the second half of the IPv6 address will stay static.

Next up you need to write a firewall rule to allow traffic to that globally routable IPv6 address. In an IPv6 system the router does not intercept or rewrite the packets like it does with IPv4. So all a router does is act as a firewall saying “Yup outside hosts can or can’t make inbound connections to certain hosts/ports”

The trick with a consumer IPv6 address space is that just like IPv4 addresses given to your router, the IPv6 prefix can change randomly.

It would be annoying to have to update the firewall rule every time this happened. That’s why the idea of masking matters. You tell the firewall “ignore the prefix of this firewall rule. Just allow or deny based on the static suffix.”

The way to write such rules is different on different firewalls. Most consumer devices don’t have a way to configure such things. Even professional networking equipment mostly makes you use the cli to manage such things.

I hope this helps.

[-] GravitySpoiled@lemmy.ml 1 points 3 weeks ago

Thank you very much! There's still a lot to learn :)

this post was submitted on 29 Nov 2024
14 points (93.8% liked)

Selfhosted

40717 readers
347 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
CannaVet@lemmy.world
Loki@lemmy.world
HybridSarcasm@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz