Firewall settings for nextbox

I am having problems to enable an internet connection on my nextbox, I did setup a deSEC domain, I have a few more doubts but in the moment I am stucked with my router config of how to properly setup the ports on the firewall, here my router firewall config menu:

I don’t know if I should open the 443 and 80 doors on “port forwards” or “open ports on router”. Also should I set the external and internal ports like on the example of the router page? 443 both on external and internal, and another policy with 80 on external and internal?

On “port forwards” I can choose to open the doors on my nextbox IP address, but I have the options of using protocols TCP or UPD or both at the same time. What should I choose?

from what I see from the docs I would say the settings should be:

  • “port forwarding” ports 80 + 443 to the nextbox-ip tcp is enough
  • no “open ports on router” (this denotes the router’s own services as far as I understand) these shall all be off, if here one port is the same as the port forwarding this will disable traffic to the nextbox (this is what I understand from the single line description: “The router’s services, such as web, FTP and so on, require their respective ports to be opened on the router in order to be publicly reachable.” … This could be a misconception, if the NextBox is not working this might be something to look into.

So it should look like this?

jup this “should” work, but I haven’t seen this router (frontend) yet so I cannot guarantee that’s correct… best test is to see if the nextbox is available using the mobile network (not WiFi) from your smartphone…

it’s not working, I can’t even connect my phone and laptop. I am getting two errors mainly one when try a connection with the proxy of nitrokey as the image bellow:

and another when I try to setup a dynamic dns, it outputs:
“Failed reachability for: x.x.x.x,
" HTTPS / TLS is not activated "

This router I am using, it has a forked version of openWRT, if there’s more documentation to do it with an openWRT router, I can change my firmware to it.

generally the proxy and dynamic dns are independent of each other, the error you see for the proxy is ok, Nextcloud complains even though the headers are set properly, and the permission issue is explained here: Nextcloud FAQ — Nitrokey Documentation

But let’s focus on the dynamic dns issue: Obviously your NextBox is not reachable from the internet, this is an issue without this it won’t be possible to acquire a TLS certificate (enable TLS)…

  • are you sure that your ISP is assigning a true IPv4 address to you ? so it is not a “private IPv4”, “cNAT” or “DS-Lite” connection ? (to verify this you could open ports 80 + 443 in “open ports on router” and then try to navigate to your IP using a smartphone in the mobile network, if still nothing appears you likely have no proper IPv4 address)
  • did you try getting it all to work with IPv6 ?

My ISP does not provide public ipv4 and no ivp6. i just tested it according to my router documentation.
Is there a workaround for it?

Ok, this is a tough case, but I am afraid to say that no public IPv4 and no IPv6 at all means that you cannot access any device from the internet using a direct connection.
But the workaround is the backwards proxy you already set up, means this is the way to got for you as long as you cannot acquire a public IPv4 or IPv6 (honestly, no IPv6 in 2021 is a pretty bold move by an ISP)

Mobile 4G router…maybe I should get a fiber ISP

I would always choose the latter, but I’m a nerd, thus sometimes weird priorities :smiley:

1 Like

Having no public ipv4 and putting a VPN on my router will allow me to have ipv4 public?

strongly depends on the VPN service, if this is your very private VPN and you have an entrypoint with a public IPv4 address, then yes, otherwise no

Thanks for the info