Clackdor 109 Posted December 29, 2024

@AncyAndal My advice would be to first call your ISP and see what it would take to get you off of CG-NAT and get a public dynamic IP. Depending on the ISP it will hopefully be minimal cost.

Once you have an IP that you can successfully port forward with, it's highly recommended to get a domain name and set up dynamic DNS to point the domain to your IP. The advantage with this is that:

A. Your family can connect to your services with an easy-to-remember domain name.
B. You can set up a Let's Encrypt certificate so that all traffic is encrypted over HTTPS.

A domain name should be relatively inexpensive (less than $15 a year) depending on the TLD and registrar.

If for whatever reason you can't get out from behind CG-NAT (ISP won't offer a public IP or cost is too high etc.) your only other options would be to rent a VPS with a public IP and forward everything through the VPS back to your home network over a VPN, use Tailscale, or possibly Cloudflare tunnels (I'm not 100% clear on Cloudflare's TOS for streaming content through their free services).
AncyAndal 1 Posted December 29, 2024

3 hours ago, AncyAndal said: "I have a dynamic IP atm but I've been trying to set up a DDNS to stabilise my IP through No-IP for free but I am still having issues."

@Clackdor Thanks for the advice, the ISP was pretty good with getting off the CGNAT. I opted to look at setting up my DDNS with No-IP acting as my domain, i.e. XXXX.dns.net. Does that sound about right? When I emailed them for customer support they said I was still behind a VPN or VPS, but I am currently getting the same public IP address across everything so I shouldn't be.
Clackdor 109 Posted December 29, 2024 (edited)

@AncyAndal If you're off of CG-NAT then the next thing you should probably test is forwarding a port so that it's externally accessible and using a port checking tool like canyouseeme to verify it's actually open. You should also test it from a separate connection like mobile data. If you're unsure about how to forward ports in your router you'll need to refer to manufacturer documentation, as the process will vary greatly between router models and manufacturers.

Assuming your Emby server is running on the default HTTP port 8096, forward port 8096 to your Emby server's IP. Disconnect your phone from wifi and test by going to http:// public IP:8096 or http:// domain:8096, assuming your DDNS is working. If Emby shows up you know port forwarding is working. After this test I would highly suggest removing the port forwarding rule you created in your router, as HTTP is a plaintext connection where anyone in the middle can see usernames, passwords and all data that's being transmitted.

From this point you're going to need to get a TLS certificate to encrypt the connection between your server and external users. Let's Encrypt provides free certificates that are pretty much universally trusted by all devices/browsers these days. As far as free dynamic DNS services that provide you with a subdomain, I haven't used one in ages. I'm not sure if there are any limitations with getting a certificate issued by Let's Encrypt to such subdomains. Assuming Let's Encrypt will issue a cert for such a subdomain, it will have to be done by HTTP authorization, meaning port 80 will need to be forwarded to whatever machine is requesting the certificate, at least for the request and any time you need to renew the cert.

The other option would be to use a self-signed certificate, with the caveat that it's going to pop up a scary-looking warning saying that the connection is untrusted. This will likely make others wary of using your services despite the connection being encrypted.

Either way you definitely want any exposed services (especially Emby) to be delivered via an encrypted HTTPS connection.

Edited December 29, 2024 by Clackdor
Clarification
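The two checks discussed in this thread (is the router's WAN address really public, and is the forwarded port reachable from outside), as an added example that is not part of any post. The function names are hypothetical and the addresses are constructed documentation values.

```python
import ipaddress
import socket

# RFC 6598 shared space that ISPs hand to subscribers behind CG-NAT.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 LAN ranges; a WAN address in one of these means double NAT.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(router_wan_ip: str, external_ip: str) -> str:
    """Compare the WAN IP on the router status page with the IP an
    outside service (or the DDNS record) reports for the connection."""
    wan = ipaddress.ip_address(router_wan_ip)
    ext = ipaddress.ip_address(external_ip)
    if wan in CGNAT:
        return "cgnat"         # ISP NATs again upstream; port forwards cannot work
    if any(wan in net for net in RFC1918):
        return "double-nat"    # another router or modem sits in front of this one
    if wan != ext:
        return "upstream-nat"  # traffic leaves through a different address
    return "public"            # router holds the public IP; forwarding can work


def port_state(host: str, port: int, timeout: float = 5.0) -> str:
    """TCP connect test; run it from outside the LAN (e.g. mobile data)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "filtered"      # silently dropped: no forward rule, firewall or NAT
    except ConnectionRefusedError:
        return "closed"        # reached a host, but nothing listens on that port
    except OSError:
        return "unreachable"


if __name__ == "__main__":
    # Constructed samples: (router WAN IP, externally observed IP).
    for wan, ext in [("100.72.14.9", "203.0.113.7"),
                     ("192.168.1.2", "203.0.113.7"),
                     ("203.0.113.7", "203.0.113.7")]:
        print(wan, ext, classify_wan(wan, ext))
```

A "Connection timed out" from an external port checker corresponds to the `filtered` result here, which is also what CG-NAT or a missing forward rule produces.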
AncyAndal 1 Posted December 29, 2024

29 minutes ago, Clackdor said: "From this point you're going to need to get a TLS certificate to encrypt the connection between your server and external users. Let's Encrypt provides free certificates that are pretty much universally trusted by all devices/browsers these days."

@Clackdor I'll take a look at TLS certs next, thanks. Here is something I posted in another post that might help with some context:

"Network and Hardware Setup

Router: D-Link (configured with port forwarding).
Server: Unraid server hosting Docker containers, including:
- binhex-emby: Emby media server (port 8096).
- binhex-jackett: Jackett (I've only just got it there, I haven't configured it yet, not running).
- binhex-qbittorrentvpn: qBittorrent with VPN support.
- firefox: Docker container running Firefox for browser-based access.
- GluetunVPN: VPN container for secure connections (not running yet, was looking at it).
- NoIp: No-IP Dynamic Update Client (DDNS updates).
DDNS Provider: No-IP, .
IP Configuration: Dynamic IP (192.168.X.X) reserved via router DHCP.

Steps Taken to Resolve Issues

Enabled DHCP Server: Set rule for DHCP on the server.
Port Forwarding and DDNS: Port 8096 mapped to the Emby server at 192.168.X.X. Verified No-IP Docker updates the correct public IP.
Local and Remote Access: Emby is accessible locally over the LAN. Remote access fails. Port-checking tools (e.g., CanYouSeeMe) report "Connection timed out" for port 8096.

Unresolved Issues

Remote Access to Emby: Connection fails despite correct setup.
Port Accessibility: External port checks indicate port 8096 is not open.

Anything at all, I would be grateful. I am even happy to start again from the beginning, but I wouldn't even know where to start or how to reset things back to default. Thank you for your time, and even if you don't help that's okay. Hopefully my little post here can help people troubleshoot some things they might not have thought of, like ISP CGNAT."
CrankstaWho 3 Author Posted December 30, 2024

On 12/28/2024 at 11:41 PM, AncyAndal said: "How did you go with this? I am having the same issue; it took me 3 days of pain to learn I was on CGNAT, I didn't even know it was a thing. I have a dynamic IP atm but I've been trying to set up a DDNS to stabilise my IP through No-IP for free but I am still having issues. I am just trying to make a server so I can share the love with my family, but this hobby is starting to cost more than hardware lol. I really don't want to have to buy a static IP or domains, all that BS lol. Any advice that's not changing ISP again lol."

So the ISP that was supplying the CGNAT was entirely uncooperative in finding a solution for my needs. I ended up going back to Cox, and have had no issues ever since. It looks like someone more knowledgeable is helping you through workarounds, and I wish you luck!