did not select “Selbstständige Portfreigaben für dieses Gerät erlauben.” nor “Dieses Gerät komplett für den Internetzugriff über IPv4 freigeben (Exposed Host).” (but also tried selecting both)
but rather added a few “Freigaben”, namely HTTP-Server via TCP Port 80 and HTTPS-Server via TCP Port 443 (for both, IPv4 and IPv6).
But myname.dedyn.io remains unreachable. Any idea where I did go wrong?
DNS-Rebind, on the other hand, will just ensure that IPv6 is working to connect to your NextBox; this is sometimes required, depending on your internet service provider. Namely, if you get a true dual-stack (IPv4 + IPv6) connection from your ISP, then you should not even need IPv6. But if you’re on a DS-Lite connection, you might need IPv6 to access your NextBox. (see DNS Rebind Protection — Nitrokey Documentation)
It doesn’t become quite as clear in the respective docs; it might be worth adding Daringer’s comment with the following bottom line: Sometimes, IPv4 is NOT enough for some folks, you may need to set up IPv6!
After I enabled IPv6 via DNS rebind whitelisting by whitelisting myname.dedyn.io, I can continue.
this very much looks like a firewall issue.
From your post at the top I have the impression you might have opened port forwarding for IPv4 only, can you please ensure that you open it for IPv6, or maybe even close it for IPv4 and just open IPv6.
I suppose you have a DS-Lite Connection, they behave really weird for incoming IPv4 connection requests.
The fact that reachability is working would also cover my impression as the reachability is tested by the NextBox, so the NextBox acquires the IPv6 for the domain and tries to connect to this domain, if this IPv6 points to your NextBox the traffic never has to go through your router (in contrast to IPv4, where the traffic will actually be forwarded from the router to your NextBox) …
Even if it’s called identical for ipv6 and ipv4, the former is actually just a firewall setting and the latter is actual “forwarding” …
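An added example, not part of the original posts and not NextBox or Nitrokey code: a per-family check of ports 80 and 443 that makes the IPv4-forwarding versus IPv6-firewall distinction above visible. It assumes it is run from a client outside the home network that itself has IPv6, because an IPv6 test from inside never passes through the router; the function names are hypothetical.

```python
import socket
import sys

PORTS = (80, 443)  # the HTTP and HTTPS ports opened in the thread
FAMILIES = {"IPv4": socket.AF_INET, "IPv6": socket.AF_INET6}

def probe(host, family, port, timeout=5.0):
    """Return 'no-record', 'open' or 'blocked' for one address family and port."""
    try:
        infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return "no-record"          # no A (IPv4) or AAAA (IPv6) record resolved
    for *_, sockaddr in infos:
        try:
            with socket.socket(family, socket.SOCK_STREAM) as sock:
                sock.settimeout(timeout)
                sock.connect(sockaddr)
                return "open"
        except OSError:
            continue                # timeout, refused, or no route from this client
    return "blocked"

def diagnose(results):
    """Map {(family name, port): status} to a one-line finding."""
    v4 = {results[("IPv4", p)] for p in PORTS}
    v6 = {results[("IPv6", p)] for p in PORTS}
    if v6 == {"open"}:
        if v4 == {"open"}:
            return "reachable over IPv4 and IPv6"
        return "reachable over IPv6 only"
    if v6 == {"no-record"}:
        return "no AAAA record published for this name"
    if v4 == {"open"}:
        return "IPv4 only: IPv6 is filtered on the way to the device"
    return "IPv6 not fully open: check the router's IPv6 rule for ports 80 and 443"

def check(host):
    """Probe every family/port combination for one host name."""
    return {(name, port): probe(host, fam, port)
            for name, fam in FAMILIES.items() for port in PORTS}

if __name__ == "__main__":
    host = sys.argv[1]              # the dynamic DNS name; run from outside the LAN
    results = check(host)
    for key, status in sorted(results.items()):
        print(key, status)
    print(diagnose(results))
```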
Apologies for being unclear: I did open port forwarding for both, IPv4 and IPv6 initially. I edited my first post accordingly to have a clearer historical reference. (I also made it clearer that I made a DNS-Rebind Exception for myname.dedyn.io)
Following your advice, I closed port forwarding for IPv4. However, this did not change anything (even resolving the IPv4 still works, which should not be the case now?).
–
Could it be that I set up the domain wrongly? When setting it up and confirming my email address with deSEC, there were some options on how one wants to use the domain on the “welcome you have your domain now”-page of deSEC with the ability to check stuff, which I basically ignored, since I received the token and went on to make a password for my deSEC account. No idea whether that might be it, just stating it.
–
(Also, in the Fritzbox at “Internet-Freigaben”, next to “Portfreigaben”, there is “DynDNS” which is described as “With DynDNS, applications and services for which port sharing has been set up in the FRITZ!Box firewall can be reached from the internet under a fixed domain name, even though the public IP address of the FRITZ!Box changes with every internet dial-in.” - there, one can input DynDNS provider, domain name, account… Sounds like sth. I am trying to achieve? I know this is not mentioned at all in your guides, so it’s very likely not needed, just throwing stuff at you because I don’t know).
I am still pretty sure your NextBox is simply not reachable using IPv6, you could also try this tool: IPv6 test - web site reachability and put in your dedyn-domain.
My test setup is as yours now:
IPv6 “port-forwarding” set up
no IPv4 forwarding
guided-dns setup
fritzbox
Main difference is that I test on a dual-stack connection, meaning both IPv4 + IPv6, but this should not make any difference, as I closed IPv4 traffic for the NextBox. And obviously that it works for me.
The fritz.box DynDNS setting essentially does the same as the guided-dns function inside your NextBox. So no need to use it and I would bet the current outcome is the same (the traffic is not forwarded to your nextbox). If you would like to use it, dedyn has docs about what to put into this view and then you could set up a static domain inside your nextbox matching this domain and the overall outcome would be the same, despite the fritzbox now being the entity updating your dynamic IP at dedyn.io (instead of the nextbox).
So from here we have to crosscheck some fritz.box settings for IPv6:
Please make sure these settings are set (Internet → Type of Connection):
Best-case it works after changing one or more of these… Please report any setting you changed, as this might be a bad default and an issue which would really need to be taken into the documentation.
edit: and you might want to reconnect ethernet (or even restarting the nextbox) after these settings (maybe). I’ve honestly no idea how reactive/proactive the fritz.box behaves after changing these settings.
The settings were different for me, in the following way:
The following are hidden in: “Home Network” → “Network” → Button: “IPv6 Configuration” inside the Section: “IP Addresses”:
Here, in your second picture, “Only assign DNS Server” was enabled in my FritzBox instead of “Assign DNS server, prefix and IPv6 address”. I changed that, unplugged my NextBox from both Ethernet and power, reconnected, and then it worked.
NOTE: I don’t have the first setting at all. “Internet - Settings” only shows me “AVM-Dienste”, nothing else (see here). I guess this is due to me choosing an ISP with an annoying philosophy… Anyway, this just means that I can’t give feedback regarding those settings; they might still be important for others to check.
–
At the end of all this; THANKS a lot for your kind and fast support @daringer! I really think that, apart from cool products, you guys also give IT-related average people valuable first technical insights!
Hey there!
Maybe you can work your magic for me, too? I initially had exactly the same problems as described here. I’m also on a DS-Lite connection, I don’t have the “Type of Connection” settings, just as Tencel described. My nextbox was initially unreachable, but it can be reached after following the guide here. I also added it to the DNS Rebind Protection whitelist.
However, enabling HTTPS still doesn’t work. Connection to the nextbox is only possible over HTTP. Anything else I can do to change this?
I did all this, yes, and it didn’t work at first. I just tried it again after verifying the list, and now it works like a charm. Apparently, all that was needed was a little patience. Everything’s green now. Thanks for the support, and to everyone who has the same problem: Just wait a bit longer than I did
Hi daringer,
I want to take this old thread for a similar question.
The dedyn update always receives a different IPv6 address. IPv4 is working fine.
I checked all the points on the list and the fritzbox is configured correctly.
When I set the expected IPv6 address in the web GUI of dedyn.io, it works for IPv6 until the next update.
I have seen this has been taken as a bug. If I could assist with tests, I am willing to do so.