Sometimes, when getting a internet connection at a site or even at home, you are thinking about setting up your own router, giving you more control and additional features for managing your network and traffic. Also access it over the internet to make changes on it.
You contact your ISP, get an internet connection, and try to set up your router access over internet, only to realize it doesn’t work as expected. In this post, we’ll explore the challenges you might face when try to allow public access to your router on your internet connection.
Note: there are a few things to make it clear before we proceed.
- We are not talking about enterprise internet or leased line here, this is purely internet connection that you get for your small businesses or home network.
- Also, each ISP around the world would use different methods to provide the internet access and there would be some restrictions around it, so allowing any inbound traffic configuration such as this or hosting some services, it is best to clarify if you are allowed to do so.
- In this article, we would be constantly using the word ‘ISP router’ which means router provided by the ISP and ‘Your router’ which is exactly what it says, your own router.
In almost all the situations ISP would themselves provide their own router with internet, that would mostly a basic router, with the public IP configured on the ISP router itself, as a result you can’t really move the public IP directly on your router so you have to somehow find out a way to configure the public IP directly or enable the network access on your router that way you could access your router/network service in your LAN publicly.
However, there are some nice ISPs who would ask the customer, whether you want to configure your own router or not, and if they help in configuration even better, else you are your own as you have to figure things out by yourself.
When I was back in my hometown, I got a static IP but the ISP configured it on their router, so when I asked for their help to move the public IP to my own beefy router, they said they can’t really help, so I had to really figure things out and put the public IP on my dlink router.
So let’s see how we can overcome the challenges that we may face to access your router / LAN network services publicly over the internet.
1. Ensure your ISP isn’t using Career Grade Natting.
Most of the consumer ISPs out there, don’t really provide the public IP directly on the router’s wan side because the ipv4 public IP is limited in number, so they can’t really afford to use a single public IP for a single customer. Instead they do something called CGNAT (Carrier Grade Nat) or dual nat. So they basically use the address between 100.64.0.0 to 100.127.255.255 for their consumer network which is shared address space which cannot be routed to internet like RFC 1918, and when the ISP peers with the internet or before exiting the internet then they nat whole network with public IP or pool of public IPs.
And the network looks like below.
So check your wan network IP, if you are getting something from the CGNAT ip range, then you should proceed with the step 3, which is getting your own static IP.
2. Decide whether to use dynamic or static IP.
Let’s say you are lucky and your ISP isn’t using career grade nating, so you most likely are getting dynamic public IPv4 on your router. but with dynamic IP, it would change every time when you reboot the router depending on how ISP configured their DHCP service.
If you have an IP today, after a day or a week, the IP would change, so you are sitting somewhere remote trying to access your router or service over public internet, it will not work. So how to tackle the situation when you have an ISP router with dynamic IP ?
The answer is dyndns.
2a. Access router with dynamic IP using dyndns.
There are 3rd party dyndns providers out there, which would help you map your dynamic public IPv4 with the custom domain name they provide. And it is important that your router should support dyndns functionality.
Interestingly, some devices such as fortigate(ofcourse its enterprise grade), and mikrotik do provide built in dyndns functionality with which you could enable dyndns without paying for 3rd party site.
When you have dyndns figured out and setup, you can then move on to step 3.
2b. Get Static public IPv4 from the ISP, configure the IP directly on the router.
Most consumer internet providers do use PPPoE or DHCP that is terminated on their router itself. So when we ask them to configure directly on our router they may not agree to do so, but some ISP do, but some of them wont.
So what do you do in this situation, the only option like I did in the past, is that you would have to figure out a way that you could convert the ISP router as a bridge and then configure PPPoE or DHCP directly on our router.
Now lets say, you have got the static IP from your ISP, but you cannot really figure out a way to configure it on your router nor convert the ISP router as a bridge.
So what would you do ?
There is a neat little trick in the ISP router you could do, which would allow you to forward any traffic destined to your ISP router public IP to your own router wan interface.
Let’s discuss that next.
3. Configure DMZ or port forwarding.
You have two routers here, one is the ISP router, and the second device is Your router.
ISP router DMZ configuration.
Majority of the ISP routers has a function called DMZ, which would allow you to create one to one mapping from your public Ip configured at the wan side of the ISP router to the private IP configured at the WAN side of your router.
Let’s assume that 1.1.1.1 configured on the ISP WAN router side and your router WAN has 192.168.1.10, and you could enable the DMZ option and select your router internet service and its public IP, and select the private IP of your router and click on apply.
That way any traffic destined to 1.1.1.1 will then forward to your router.
ISP router port forwarding.
In case if you don’t have DMZ option in the ISP router then the next option is to enable the port forwarding, which is again supported by most of the ISPs.
While the DMZ would create a one to one mapping between the public to the private IP, like static nat, the port forwarding will enable you to forward port from ISP router wan public IP to the port in private IP on the LAN side, which is your router’s WAN interface/internet port.
For example, your isp router has the IP 1.1.1.1, if you are plan to use IPsec connectivity you would have to enable port forwarding in such a way that any traffic destined for 1.1.1.1 on port 4500 (IPsec port when the device is behind nat, else it is 500)should forward to your router ip 192.168.1.10 on port 4500.
Similarly, if you have hosted a web server at your home that is listening on port 80 and 443, you could enable port forwarding such a way that anyone try to access 1.1.1.1:80 or 1.1.1.1:443, should forward the traffic to 192.168.1.10 (your router), and your router then should forward to your internal web server.
I have created a step by step guide on how to do port forwarding on the Dlink router provided by ISP here.
Also created some articles regarding the port forwarding as shown below, so go through the articles so you will get some idea.
I also have an article that covers what to do when the port forwarding doesn’t work, you may check out the article here.
4. Ensure your ISP isn’t blocking common port numbers.
The other challenge that some of you may face is that you did everything perfectly such as dmz or port forwarding, however you are still unable to access the services.
I have had a situation long back, where I was trying to reach the router wan IP on port 80 and no matter whatever I do the ping always works, however the http connection would never make it to my router.
So after checking with the ISP I realised that some of the ISPs do block common ports numbers especially 80, so eventually changed the port to something else which is not so common, and then I was able to access it.
so it’s always better to check with ISP beforehand, and most of the time they would simply say they are not blocking it, but you better get this clarified from some senior folks at the ISP side.
5. Allow the access from your own router.
And finally you allow the access on your router.
This is one of the common mistakes that I have seen people make, they do everything until step4, and they simply cannot access their router or the services.
It’s because you have not configured the policy on your router, because most of the routers that you buy are blocking incoming/inbound connections by default due to security, so don’t assume that things will work just fine by just doing the DMZ or port forwarding on the ISP router.
Also very important step, dont ever allow https or ssh access to any IPs on the internet, before you know someone else on the internet might be able to get access your router, so only allow the access to IPs that you trust, or create some client vpn such as open vpn or wireguard depending on the device.
I have a guide on how to configure openvpn on pfsense, you may check it out if you are interested.
I hope this guide was helpful in troubleshooting any issues you may encounter when allowing router public access to the internet. There are many types of routers, and it’s impossible to cover each configuration. Use this guide as a general reference to resolve any issues you may face.