port forwarding Port Forwarding

[SirPirate]

Walk of shame to the ltt forums for yet another failed project.
Im trying to have my rpi 4 be ssh accessible from outside my local network.
I opened ports on my router for the pi's local ip (reserved it too).
I thought my isp may have a firewall or in some way be blocking ports so I contacted them.They responded saying they do nothing of the sort and all ports should be accessible.
Trying the ports with a port checker yields no results, they all come back closed.
Any advice would be appreciated!

[mtz_federico]

Make sure the ip that you portforwaded the port to (port 22 for ssh) is still the same ip that the rpi 4 has.

 

Also, for security reasons it is higly recommended that you set ssh to only login with a key

[SirPirate]

2 minutes ago, mtz_federico said:

Make sure the ip that you portforwaded the port to (port 22 for ssh) is still the same ip that the rpi 4 has.

 

Also, for security reasons it is higly recommended that you set ssh to only login with a key

I made sure it has a reserved ip 192.168.0.103 and I tried 22;9000;9001;1200;1201;1;20 and a whole bunch more ports.Its just that all the ports are closed and I cant get them to open up.

[Windows7ge]

Have you checked that you're not behind a Double-NAT? What Connection type do you have to your ISP? (Coax,Fibre,DSL,LTE,etc)

7 minutes ago, mtz_federico said:

Make sure the ip that you portforwaded the port to (port 22 for ssh) is still the same ip that the rpi 4 has.

 

Also, for security reasons it is higly recommended that you set ssh to only login with a key

You can help obfuscate the fact you have a SSH server on your network by not opening port 22 on the WAN. Use a port higher than 30,000 preferably one not being used by any network services. Most bots that scan network ports across the Internet do not scan that high. On the LAN you can set Port 22 so the Pi gets a request on 22.

[SirPirate]

11 minutes ago, Windows7ge said:

Have you checked that you're not behind a Double-NAT? What Connection type do you have to your ISP? (Coax,Fibre,DSL,LTE,etc)

You can help obfuscate the fact you have a SSH server on your network by not opening port 22 on the WAN. Use a port higher than 30,000 preferably one not being used by any network services. Most bots that scan network ports across the Internet do not scan that high. On the LAN you can set Port 22 so the Pi gets a request on 22.

Its possible its a double nat situation from what I read from the internet.I really wish I could tell you more about connection type but the isp ran a cable through my wall to my router.I have literally no clue as to anything more.Regular copper cable with an rj45 jack.They mentioned its fiber when they were installing it.

[Windows7ge]

17 minutes ago, SirPirate said:

Its possible its a double nat situation from what I read from the internet.I really wish I could tell you more about connection type but the isp ran a cable through my wall to my router.I have literally no clue as to anything more.Regular copper cable with an rj45 jack.They mentioned its fiber when they were installing it.

If they say it's fibre but it's an ethernet cable into your house it may just be a media converter but as I've heard sometimes with fibre ISP providers they actually put you behind a router. A router you don't have access to. If this is the case you're behind a Double NAT your only option is to take it up with them and hope they can do something about it.

 

But we don't know that yet. The person you spoke to said it should work so that's a good sign.

 

Have you tried connecting to your server or have you only used the port tester? Are you connecting via Public IP or a Domain?

[SirPirate]

1 minute ago, Windows7ge said:

If they say it's fibre but it's an ethernet cable into your house it may just be a media converter but as I've heard sometimes with fibre ISP providers they actually put you behind a router. A router you don't have access to. If this is the case you're behind a Double NAT your only option is to take it up with them and hope they can do something about it.

 

But we don't know that yet. The person you spoke to said it should work so that's a good sign.

 

Have you tried connecting to your server or have you only used the port tester? Are you connecting via Public IP or a Domain?

I had a friend who's in the it field try to connect to it, I've tried on mobile data and I used the port tester.Just public ip.

[mtz_federico]

check if you are double nated or behind Carrier grade nat.

 

You can do a traceroute to any ip (8.8.8.8) and if you get two internal ips at the beggining of the traceroute you have have double nat.

 

if your routers WAN ip is different than an ip that you get with ipchicken.com (or any other whats my ip service) then you are behind carrier grade nat.

 

If you are double nated you need to either bridge them or set the second one as AP only.

If you are behind carrier grade NAT, unless your isp lets you pay to get an ip or you get ipv6, you can't open ports.

 

If you can't open ports or decide to not have to deal with this I recommend ZeroTier, it is a virtual network app

[SirPirate]

4 minutes ago, mtz_federico said:

check if you are double nated or behind Carrier grade nat.

 

You can do a traceroute to any ip (8.8.8.8) and if you get two internal ips at the beggining of the traceroute you have have double nat.

 

if your routers WAN ip is different than an ip that you get with ipchicken.com (or any other whats my ip service) then you are behind carrier grade nat.

 

If you are double nated you need to either bridge them or set the second one as AP only.

If you are behind carrier grade NAT, unless your isp lets you pay to get an ip or you get ipv6, you can't open ports.

 

If you can't open ports or decide to not have to deal with this I recommend ZeroTier, it is a virtual network app

Well, I checked and its double nat. Unfortunately my isp is brushing me off entirely regarding this (guessing they dont have requests like this much).Ill look into zero tier and hopefully something comes of it.
Help was much appreciated.