Access Outside LAN

Hello everyone, I just installed Nextcloud on an old computer that I have and it is working fine on LAN, but I can't get access from the outside world. I am using port 443 for https and 8080 for http; port 443 is already enabled on my router (IP address 192.168.0.1, internal port 443 and forward to external port 443). Also, I have created a no-ip account and configured the DDNS on my router. And ports 8080 and 443 are open in the Ubuntu UFW firewall. What am I doing wrong?

Most likely it’s an issue with your router configuration, or that your ISP is blocking the port.

There are sites you can use such as https://scan.nextcloud.com and https://www.ssllabs.com/ssltest/ to test connectivity and security from outside.

You can also run tcpdump or tshark on your Nextcloud server with a filter such as 'tcp dst port 443 and not src net 192.168.0.0/16' and see if you have any connections actually making it to your server.

Yeah, I also think that it is an issue with my router, but it is still not working. The ssllabs test recognized my IP, both IPv4 and IPv6, but was unable to connect to the server. And the Nextcloud Scan gave me the A rating.

PS: I am using No-ip and the Nextcloud Snap version

Hold on now, you said you got an A rating from one and a connection failure on the other?

Yes, and I don't know why. It should have failed on both tests, right? I will try to check my setup again. Maybe the no-ip is not working?

That would have been my expectation, unless the Nextcloud scan was checking another port?

Did you try tcpdump to see if packets are reaching your server on either port?

It's possible, I switched ports multiple times: 8008, 8080, 8443 and 443. How can I proceed with tcpdump?

Run from the console with the filter I gave you above or similar. It will give console output of any matching packets received as long as you leave it running. The point being, even if something on the server is misconfigured, you would still physically receive packets if the router configuration is correct.

I see, OK, I will run the command and get back to you if anything changes. Thanks.

OK, I ran the tcpdump command and I am receiving packets, but still on LAN (tcpdump worked). The domain that I created is not working, even on LAN. I have access only by IP.
I tried to reinstall everything, but this time with a manual install, not by snap. Now I have access to directories and configuration files. If I enter 192.168.0.1 I get the Apache welcome screen, and if I enter 192.168.0.1/nextcloud I get the Nextcloud login screen.
I have also activated the DMZ on my router, still no external connection.
The host that I created in no-ip is type A, but I also have IPv6 for the AAAA host type.

But the Nextcloud Web interface gave me this message:

  • Your data directory and files are probably accessible from the Internet. The .htaccess file is not working. It is strongly recommended that you configure your web server so that the data directory is no longer accessible, or move the data directory outside the web server document root.

I can also update Nextcloud using the updater (version 16.0.0 to 16.0.4).

These are my setup warnings:

There are some errors regarding your setup.

  • Your data directory and files are probably accessible from the Internet. The .htaccess file is not working. It is strongly recommended that you configure your web server so that the data directory is no longer accessible, or move the data directory outside the web server document root.

  • MySQL is used as database but does not support 4-byte characters. To be able to handle 4-byte characters (like emojis) without issues in filenames or comments for example it is recommended to enable the 4-byte support in MySQL. For further details read the documentation page about this.

  • Accessing site insecurely via HTTP. You are strongly adviced to set up your server to require HTTPS instead, as described in the security tips.

  • Your web server is not properly set up to resolve “/.well-known/caldav”. Further information can be found in the documentation.

  • Your web server is not properly set up to resolve “/.well-known/carddav”. Further information can be found in the documentation.

  • No memory cache has been configured. To enhance performance, please configure a memcache, if available. Further information can be found in the documentation.

  • This instance is missing some recommended PHP modules. For improved performance and better compatibility it is highly recommended to install them.
    intl, imagick

Please double check the installation guides, and check for any errors or warnings in the log.

Check the security of your Nextcloud over our security scan.

Maybe switch router equipment? Right now I am using the MI Router 4A Gigabit from Xiaomi, but I have an older model from Intelbras here. If even using the DMZ didn't work, I am thinking about a firewall from my ISP or a wrong setup of the No-IP client. How can I link my domain name to the Nextcloud config? I just put the domain in the Trusted_Domains list in the Nextcloud config. Also, I am right now using the default ports in Apache, 443 and 80, the default setup. How can I change them since I am not using the Nextcloud snap but a manual installation now?

None of those errors are related to your router. They’re all configuration issues. You should heed the advice and go through the documentation to resolve each one.

This is about the most serious error you can have. If you run the server in that condition, you can count on your data being stolen. I would make this one top priority and close the ports in your router until it’s resolved. I’m not sure what led to .htaccess not working, but I would get the data folder out of the web folders either way since that’s best practice.

Before you go into further details, did you already check if you have a Dual Stack or a Dual Stack Lite Internet connection?

There seem to be quite a few users struggling to make their NC accessible from the Internet and often there is a problem with IPv4 NAT.
For another user I wrote a little description:

Maybe this is worth reading and checking here as well.

OK guys, thank you both. I already closed all the router ports and disabled DMZ and DDNS. I will first resolve the setup issues and after that check the IPv4 NAT. And I just remembered that I was able to ping the server, but only with IPv6, in my previous setup. But still no access.

Alright. Good luck. And please report back the outcome.

So, I just finished fixing the server setup issues, and I am ready to fix the outside connection issues. Now I know that I have the same public IPv4 for all my machines (notebook, cellphones etc.) but different IPv6 for them; every device has a different IPv6 when checking on whatismyip.com. So I am behind a NAT? And that is why I can't have access from the internet?

Well, that doesn’t mean or prove anything yet ;)
What does your router say about your DSL connection: Dual Stack Lite (=DS Lite) or Dual Stack (=DS)?

Can you show us your router’s port forwarding settings? Please remember that for IPv6 “port forwarding” to your NC server you need to enter the IPv6 which is shown by whatismyip when accessed from your NC server. Alternatively you can check the “global scope” IPv6 address from your server via shell command
ip -6 addr

I am not sure how to check the type of my DSL connection. I am using fiber optics here with PPPoE. But I can try to send screenshots or pictures of my settings if it helps. Also, the No-IP (DDNS) process is running with updates every 5 minutes and NAT enabled. (Download the images for better viewing)

It’s possible that your router supports NAT but your service doesn’t actually provide you a public address, if your IPv4 address is already NAT. You can tell this easily from the IP if your “outside” address is an RFC1918 address. Is it in one of these ranges?

  • 192.168.0.0-192.168.255.255
  • 172.16.0.0-172.31.255.255
  • 10.0.0.0-10.255.255.255

If so then you will have to host on IPv6. There is no NAT in IPv6 so then it’s just a matter of opening the firewall port to the correct address.


My IP starts with 191.7.X.X, so I am not sure if it is an RFC1918 address. Internally it is 192.168.31.X.
But my IP from the DDNS service (WAN) is 100.66…x.x; when I added the DDNS config on my router, it gave me this IP. And even when I opened the ports on my router and server, when I check them, the ports are closed. Even with the DMZ enabled. All ports are closed.
How can I set up hosting on IPv6?
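
The range check suggested above, written out as an added example (not code from any poster in this thread). It goes one step beyond the three RFC1918 ranges by also testing 100.64.0.0/10, the RFC 6598 shared address space that ISPs use for carrier-grade NAT, and it compares the router's WAN address with the address an outside site reports. The function names and all sample addresses are constructed for illustration.

```python
import ipaddress

# IPv4 blocks that can never be reached from the internet when they show up
# as the router's WAN address.
NON_PUBLIC_V4 = {
    "RFC1918 private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "RFC6598 carrier-grade NAT": ["100.64.0.0/10"],
}


def classify_v4(addr):
    """Return the name of the non-public block containing addr, or 'public'."""
    ip = ipaddress.IPv4Address(addr)
    for label, nets in NON_PUBLIC_V4.items():
        if any(ip in ipaddress.IPv4Network(net) for net in nets):
            return label
    return "public"


def forwarding_verdict(router_wan, seen_from_outside):
    """Decide whether an IPv4 port forward on the router can work at all.

    router_wan: address the router shows on its WAN/PPPoE interface.
    seen_from_outside: address a what-is-my-IP site reports for the same line.
    """
    kind = classify_v4(router_wan)
    if kind != "public":
        return f"unreachable: router WAN is {kind}, the ISP translates upstream"
    if ipaddress.IPv4Address(router_wan) != ipaddress.IPv4Address(seen_from_outside):
        return "unreachable: WAN is public but differs from the outside view"
    return "reachable: WAN is public and matches the outside view"


if __name__ == "__main__":
    # Constructed pairs: (router WAN address, address seen from outside).
    samples = [
        ("100.64.12.34", "198.51.100.20"),
        ("192.168.1.2", "198.51.100.20"),
        ("203.0.113.7", "203.0.113.7"),
    ]
    for wan, outside in samples:
        print(f"{wan:>14} / {outside:<14} -> {forwarding_verdict(wan, outside)}")
```

When the verdict is "unreachable" for a non-public WAN address, no port forward or DMZ setting on the home router can help, because the translation happens in the ISP's network.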

Maybe IPv6 is already enabled.
Does whatismyip.com return an IPv6 address for you?
On your PC or server you can also check if it already has an IPv6 address.

Windows:
ipconfig /all | findstr IPv6

Unix:
ip -6 addr

If there are no IPv6 addresses at all, you need to enable it on the router (if not prohibited by your ISP).
For that you need to check the manual of your router. At least I don’t know how to achieve that on your router model.
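
Picking the "global scope" address out of `ip -6 addr` output, as mentioned in the replies above, shown as an added example (not code from any poster in this thread). It goes further than the replies by also skipping unique local (fc00::/7) and temporary privacy addresses, on the assumption that a router firewall rule should point at a stable, internet-routable address. The sample output is constructed and uses the 2001:db8::/32 documentation prefix; the interface name is made up.

```python
import ipaddress
import re

# Constructed sample of `ip -6 addr` output.
SAMPLE = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:10:20:5d1c:9a3e:77f0:1b2c/64 scope global temporary dynamic
       valid_lft 86012sec preferred_lft 14012sec
    inet6 2001:db8:10:20:211:22ff:fe33:4455/64 scope global dynamic mngtmpaddr
       valid_lft 86012sec preferred_lft 14012sec
    inet6 fd12:3456:789a:1:211:22ff:fe33:4455/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::211:22ff:fe33:4455/64 scope link
       valid_lft forever preferred_lft forever
"""

IFACE = re.compile(r"^\d+: ([^:@]+)")
INET6 = re.compile(r"^\s+inet6 (\S+)/\d+ scope (\w+)(.*)$")
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")
UNSTABLE_FLAGS = {"temporary", "deprecated", "tentative"}


def forwardable_addresses(ip6_output):
    """Return (interface, address) pairs suitable for a router IPv6 rule."""
    found, iface = [], None
    for line in ip6_output.splitlines():
        head = IFACE.match(line)
        if head:
            iface = head.group(1)
            continue
        m = INET6.match(line)
        if not m:
            continue  # lifetime lines and anything else
        addr = ipaddress.IPv6Address(m.group(1))
        scope, flags = m.group(2), set(m.group(3).split())
        if scope != "global":
            continue  # loopback (scope host) and link-local (scope link)
        if addr in UNIQUE_LOCAL:
            continue  # unique local addresses are not routed on the internet
        if flags & UNSTABLE_FLAGS:
            continue  # privacy addresses rotate, so a rule for one goes stale
        found.append((iface, str(addr)))
    return found


if __name__ == "__main__":
    for iface, addr in forwardable_addresses(SAMPLE):
        print(iface, addr)
```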