Ports closed. No access from outside home network. But where's the problem?!

Hello everyone,

please bear with me as I am an absolute newbie to all of this. :sweat:

I would like to create my own cloud to use with all of my devices (iphone, ipad pro, macbook pro) to not violate gdpr (I’m a teacher and I handle student data).
I have installed nextcloudpi on my raspberry pi 3 B+ and plugged in an external hard drive via usb. Within my network everything works nicely as far as I can see. I can sync folders and when using the web interface on my iphone or ipad I can access my files.
However, I cannot access my nextcloud from outside my network. There seem to be so many possible reasons and I would really appreciate some help in identifying the problem.
I am using a fritzbox 6490 (cable) that I got from my provider. Since I get my internet via cable that apparently means that I do not have a public IPv4. Port forwarding just doesn’t seem to work although I have configured it within my router. My nextcloudpi wizard keeps telling me that both ports 80 and 443 are closed.
I have spent two days (I’m on summer holidays, so truly two days) going through everything I could find (and understand) to try and solve this. So as I said, I am an absolute newbie but very willing to learn and a patient helper would be greatly appreciated!

Thanks a lot!

Hi @kittysuzuki

Looks like you found my post and the other thread already. I link it here anyway for other visitors:

As you can read from the other post, you need your own IPv4 address or you switch to IPv6 with some more effort.
For your own IPv4 address most ISPs offer an “IPv4 option”, meaning your ISP will activate an IPv4 address for you either for free or you have to pay a monthly fee.

Hi @Schmu

Thank you for taking the time to reply! You’re quite right I have found the other thread in which you offered assistance regarding what seems to be the same problem.
I will call my provider to find out about the IPv4. But I’m still not sure if this is the only thing that is wrong with my setup.
Is there anything that I can do in the meantime to make sure everything else is installed and set up correctly?
Also, if I understand it correctly it would generally be possible to access my nextcloud via IPv6, right?

Hi @kittysuzuki

Sorry I couldn’t answer yesterday. It was already too late.

If you can connect to your server via LAN, it is a good indication, that you set up the server correctly in general. Assuming you can access the server via port 80 (http://) and 443 (https://), there is no firewall blocking the requests and the web server is listening on the expected ports, which your raspi wizard is complaining about being closed. Your fritzbox should have the IPv4 forwarding for port 80 to :80 and port 443 to :443. If that’s the case everything is fine here, too.

To check that the wizard is right, you can always test the server’s availability (from the Internet) with a smartphone when you disable wifi and access your public IP. Online network scanners can also help you to check for open ports. If both checks/ tests fail, you know at least, that your server is not reachable.
It is most likely DS-Lite however, which causes the unavailability from outside your LAN.

Yes, that is correct. With DS-Lite only the IPv6 is uniquely assigned to you. It is just the IPv4 which is “natted” (NAT) and while you cannot access the ISP’s routers for enabling port-forwarding to your fritzbox, the outside world only sees closed ports.

To check the availability of your server via IPv6 you need to enable IPv6 in your network first. If you understand German, you can read the guide from AVM on the following link under point 3:
https://avm.de/service/fritzbox/fritzbox-7390/wissensdatenbank/publication/show/573_IPv6-Unterstuetzung-in-FRITZ-Box-einrichten/

I will try to translate the guide into English and hope I guess the correct menu translations.

  1. In the fritzbox web GUI click “home network” (maybe named “network” or “local network” instead)
  2. Now click “Overview”
  3. Click on the tab “Network Settings” (or “Network Configuration”)
  4. Click the button “IPv6 Addresses”. If this button doesn’t show up, activate the “Advanced View” first https://avm.de/service/fritzbox/fritzbox-7390/wissensdatenbank/publication/show/1652_Erweiterte-Ansicht-der-Benutzeroberflaeche-aktivieren/
  5. Activate the option “assign Unique Local Addresses (ULA), unless there is no IPv6 Internet connection (recommended)”.
  6. Activate the option “Activate DHCPv6 for your local network” and “Only assign DNS Server”.
  7. Click “OK” to save your changes
  8. Wait a few minutes and check if your server received an IPv6 address (global scope). Be aware that for IPv6 your server can have multiple addresses. While every interface has a link local address fe80:***, you need the global address which looks something like 2001:abcd:1234:12de:34ab:56cd:78ef:009a (just an example how a global address could look like)
  9. If your server doesn’t receive a global IPv6 address:
    • restart your server and check again
    • make sure that ICMPv6 is not blocked by a local firewall on your server

Afterwards, you need to set up port forwarding for IPv6 (port forwarding is very different for IPv4 and IPv6). For IPv6 port forwarding only means, that the firewall on the fritzbox opens up for the defined ports. It is not a real “forwarding” in terms of NAT (which only exists for IPv4).

If your server received a global IPv6 address and your ports are opened for this server on your fritzbox, then you can try to access your server with your smartphone (wifi disabled) again. Just read your global IPv6 on your server(!) and enter this address in the browser of your smartphone. It is important that you access your server with the IPv6 address of your server and not the address of your fritzbox! IPv6 addresses are navigated to like this:
https://[2001:abcd:1234:12de:34ab:56cd:78ef:009a]

Please let me know if you need further explanation/ help.
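Steps 8 and 9 above (telling the global address apart from the fe80 link-local and ULA addresses) and the bracketed URL form, as an added example that is not part of Schmu’s post nor of NextCloudPi: a Python script that parses the output of `ip -6 addr show` (the iproute2 counterpart of ifconfig) and picks the address you would test from outside and hand to a DNS provider as the AAAA record. The sample output is constructed and uses the 2001:db8::/32 documentation prefix in place of a real ISP prefix; the function and variable names are mine. It classifies by prefix rather than by the `scope` word, because `ip` prints ULA addresses as `scope global` too, and it skips privacy-extension (`temporary`) and `deprecated` addresses, which rotate and would stop working after a few hours.

```python
import ipaddress
import re
import sys
from typing import List, Optional, TypedDict

# Constructed sample modelled on `ip -6 addr show` on a Linux host such as a
# Raspberry Pi; 2001:db8::/32 is the documentation range, standing in for the
# global prefix an ISP would delegate. Not real hosts.
SAMPLE_IP6_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1234:12de:9f1c:22aa:7b3e:d401/64 scope global temporary dynamic
       valid_lft 6892sec preferred_lft 3292sec
    inet6 2001:db8:1234:12de:34ab:56cd:78ef:9a/64 scope global dynamic mngtmpaddr
       valid_lft 6892sec preferred_lft 3292sec
    inet6 fd00:1a2b:3c4d:0:34ab:56cd:78ef:9a/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::34ab:56cd:78ef:9a/64 scope link
       valid_lft forever preferred_lft forever
"""

GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")  # routable on the Internet
UNIQUE_LOCAL = ipaddress.ip_network("fc00::/7")    # ULA, the option enabled in step 5
LINK_LOCAL = ipaddress.ip_network("fe80::/10")     # every interface has one of these

_IFACE_RE = re.compile(r"^\d+:\s+([^:\s]+):")
_INET6_RE = re.compile(r"^\s*inet6\s+([0-9a-fA-F:]+)/(\d+)\s+scope\s+(\w+)(.*)$")


class Inet6Entry(TypedDict):
    iface: str
    address: str
    prefixlen: int
    scope: str
    kind: str
    flags: List[str]


def classify(address: str) -> str:
    """Name the address kind by prefix; the 'scope' word alone is misleading."""
    addr = ipaddress.IPv6Address(address)
    if addr.is_loopback:
        return "loopback"
    if addr in LINK_LOCAL:
        return "link-local"
    if addr in UNIQUE_LOCAL:
        return "unique-local"
    if addr in GLOBAL_UNICAST:
        return "global"
    return "other"


def parse_ip6_addr(text: str) -> List[Inet6Entry]:
    """Turn `ip -6 addr show` output into one entry per inet6 line."""
    entries: List[Inet6Entry] = []
    iface = "?"
    for line in text.splitlines():
        m = _IFACE_RE.match(line)
        if m:
            iface = m.group(1)  # "2: eth0: <...>" starts a new interface block
            continue
        m = _INET6_RE.match(line)
        if not m:
            continue        # valid_lft/preferred_lft lines and anything else
        raw, plen, scope, rest = m.groups()
        entries.append(Inet6Entry(
            iface=iface,
            address=str(ipaddress.IPv6Address(raw)),  # canonical compressed form
            prefixlen=int(plen),
            scope=scope,
            kind=classify(raw),
            flags=rest.split(),
        ))
    return entries


def pick_publishable(entries: List[Inet6Entry]) -> Optional[str]:
    """The address to test from outside and to publish as AAAA: global unicast,
    not a rotating privacy ('temporary') address and not 'deprecated'."""
    for e in entries:
        if e["kind"] != "global":
            continue
        if "temporary" in e["flags"] or "deprecated" in e["flags"]:
            continue
        return e["address"]
    return None


def url_for(address: str, scheme: str = "https", port: Optional[int] = None) -> str:
    """An IPv6 literal goes in square brackets in a URL: https://[2001:db8::1]."""
    base = f"{scheme}://[{ipaddress.IPv6Address(address)}]"
    return base if port is None else f"{base}:{port}"


if __name__ == "__main__":
    # Pipe real output in (`ip -6 addr show | python3 ip6check.py`) or run
    # without input to see the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_IP6_ADDR
    found = parse_ip6_addr(text)
    for e in found:
        print(f"{e['iface']:6}{e['kind']:13}{e['address']}  {' '.join(e['flags'])}")
    chosen = pick_publishable(found)
    if chosen is None:
        print("no stable global IPv6 address: see step 9 (restart, check ICMPv6 is not filtered)")
    else:
        print("test from outside with:", url_for(chosen))
```

The script name `ip6check.py` is a placeholder. If it prints only link-local and unique-local entries, the router has not handed out a global prefix (or the server never received the router advertisement), which is exactly the situation step 9 describes.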

you need to open and forward them to your raspi from within your fritzbox (internet - freigaben…)
plus you’d need an account with an free-dns-provider (ncp offers you some)… or you could even try doing that via myfritz.

good luck

Also make sure your Fritzbox assigns always the same IP to the Raspi.
As for HTTPS: I’d go the Myfritz route. The upcoming firmware will have LetsEncrypt support, which doesn’t work well with many DynDNS providers.

As for the GDPR: Why do you think you are compliant when you are hosting student data on your own machine?

Could you explain that, please? I don’t understand how SSL-Certs may affect DynDNS negatively.
In my understanding, the Let’s Encrypt support will only replace the self-signed cert of the FritzBox and will, therefore, avoid certificate warnings when accessing the web GUI. This shouldn’t have any impact on servers behind the FritzBox (via port forwarding) and also no impact on the process to publish the IP address to a DNS service.


@kittysuzuki
Like JimmyKater already mentioned, there are more tasks and steps to do of course, after you made the server publicly available.
To secure the data transport over the Internet, the transfer needs to be encrypted of course and therefore HTTPS is required. While you are already writing about port 443, you obviously took care about that already.
Let’s Encrypt certificates primarily help to get rid of the SSL certificate warnings and to gain more trust in your server. But you can secure your connection with a self-signed cert just as well. And you can access your server via IP address and DynDNS name if you already have one.
When it comes to SSL certs officially signed by a CA, you will definitely need a Domain, for which you can request the certificate.

To have that mentioned early enough: when you plan to use IPv4 and IPv6 and you also set up DynDNS, be aware that you have to provide:

  • the IPv4 address of your fritzbox
  • the IPv6 address of your server

to the DynDNS provider/ DNS server of your choice.

The problem with MyFritz here is, that it always provides IPv4 and IPv6 of your FritzBox to MyFritz and therefore your server will only be reachable via IPv4 then. Only when you use another DynDNS provider or a separate DNS provider (I use digital ocean).
As soon as you have your domain configured (also with regular IP address updates), you could start requesting an SSL cert from Let’s Encrypt.

Further server hardening of your SSL connection is recommended.
Good services to check your server with are:

Make sure you select “hide results” and “do not show results on the board”.

I hope this advice is somewhat complete now :slight_smile:
Feel free to ask for further details as needed.

Thank you for your reply!
I have opened the ports and I have also tried myfritz and other free-dns-providers. But no luck so far.

strange, kitty… since you’re running ncp - which really makes everything pretty easy to set up with its assistants.
where’s the problem? exactly, i mean…

  • you have applied for a dyndns-account? where? is the account active
  • you have opened and forwarded your ports correctly?
  • you have entered your new dyn-dns-domain as a trusted domain?
  • you have applied for a letsencrypt certificate?
  • you have full access to your pi?

Thank you so much for putting so much effort into your reply!
I had enabled IPv6 in my Fritzbox already. (Thank you for translating the guide! I’m German :wink: ) However now that you say port forwarding is much different for IPv6 does that mean that I have to do something else than opening the ports in Internet > Freigaben ?
My pi has its own IPv6 according to ifconfig but I cannot reach it from other devices. I used the [] but it doesn’t work within my network and if I tried to reach it from my mobile it says that I’m not connected to the internet although I am and can access other websites without any trouble. The only way my other devices get access to the nextcloud is by using its IP (which I have made static) or using nextcloudpi.local.

Exactly, it was super easy to set it up by using nextcloudpi!
I have tried multiple dyndns-accounts that were recommended by the ncp wizard.
I believe I have opened and forwarded the ports correctly. I have basically done what I can on the router interface on which you select the device within your network and choose the respective ports.
I am not sure about entering the dyn-dns-domain as a trusted domain. How do I do that exactly?
Letsencrypt doesn’t run through in the wizard.
I believe I have full access to my pi. It is connected to my router via ethernet cable and I can run commands via ssh from my Macbook’s terminal.

I have the suspicion that my router (Fritzbox) claims to have opened the ports but blocks access anyway. It is not my own router and although you can do almost anything on it I don’t have full access (my provider forces updates which I cannot prevent and that caused some trouble in the past with all of my apple devices for example). But I want to be sure that I haven’t made any silly mistakes while setting up nextcloud.

awww. you said that you’re running ds-lite on VF (GER)… have you tried calling technical assistance and apply (for free) for a dual stack?

You’re very welcome :slight_smile:
Being one community we help each other :wink:

I can’t check the FritzBox web GUI right now so I can’t tell the correct name: right next to “Port Forwarding” there is something like “IPv6 forwarding” and there you have to enable the “forwarding” for IPv6 as well. If you don’t see such a tab, you need to enable the advanced view in the GUI.

Can you write me a PN with the full output of ifconfig from your server? I would like to check that you really have a global IPv6 address.
One additional question: can you access your server locally with the IPv6 address (from your desktop computer)?

@Schmu

ipv6 is a bit more complicated than ipv4… i think. maybe we could try getting the thing running with ipv4 first? and then upgrade to ipv6, if necessary? :wink:

I have tried it with myfritz but I only ever end up on my fritzbox interface (if this is enabled within the settings) or I end up on the interface that let’s me choose my fritzbox and then it goes to the website on which you could access the Fritzbox’s own NAS or any smart home devices etc.

Regarding GDPR: Data related to students shouldn’t be on servers outside of the EU. If I have it at home this should apply shouldn’t it? What else am I not aware of (please be gentle… :grimacing:)? We’re all a bit overwhelmed by the GDPR as we’re teachers, not lawyers. :sweat:

I totally agree! IPv4 and real Dual Stack (DS) and not DS-Lite should be the focus.
@kittysuzuki You should ask your Internet Service Provider for Dual Stack first and then continue.

Please make sure you change the port on which the FritzBox web interface is available. By default this is port 443. Therefore you will always end up on the FritzBox when accessing your external IPv4 on port 443 (HTTPS).
Change that port in the network settings of the FritzBox and it might work already with MyFritz.

giggle who IS a lawyer? and even if you are one… do you know that there are 3 different opinions whenever just 2 lawyers would meet? :wink:


No I cannot access the IPv6 address locally. That’s bad, right?
I’m quite positive that I have enabled forwarding for IPv6 as well. It is mentioned with several options when I choose the pi as the device for the forwarding of ports.

I will PN you the results for ifconfig.

we wish you would do it here in the forum…

Well, the IPv6 global address would be a sensitive information. As soon as the ports are open and somebody reads the address here, he could start attacking. That’s why I asked for a PN :wink: