Not all Uplinks are made equal

August 21, 2018 in network ‐ 3 min read

In this article I want to remind you of an effect that we sometimes tend to forget. I am talking about the limited number of publicly available IPv4 addresses.

If you want to privately host a service such as a VPN, or have a customer who only has a consumer line, you should be aware of this fact. To handle the problem of having more end-users than public IPs, Internet Service Providers use a technique called NAT. When an ISP is “natting” its users, it is called Carrier Grade NAT. This means that a large pool of internal IP (v4 or v6) addresses is translated to a smaller pool of public addresses before the traffic is sent out.


This results in multiple end-users using the same public IP at the same time. The ISP only has to remember which open port belongs to which session, i.e. which internal IP. NAT in a nutshell. (pun not intended)

In addition, most consumer lines today only use IPv6. To make IPv4 services available to their customers, ISPs use what is called a DS (Dual Stack) Lite tunnel. The result is that the private IPv6 address is represented on the outside by one of the public IPv4 addresses of the ISP. IPv4 packets are encapsulated in IPv6 and forwarded to the ISP, which sends them out as IPv4. In the other direction, the IPv4 response is again encapsulated by the ISP and forwarded to the customer.

So much for the background of what is going on. Let's say I check which IPv4 address I am currently surfing on and try to connect to it on port 8080. My ISP is not expecting anyone to contact it on that IP on port 8080 (since it is most likely not holding a session there) and cannot tell which one of the end-users I want to reach. The packets get dropped or rejected.


You will have to tell your ISP that you want to provide services over the internet and ask them to deactivate, or rather change, the Carrier Grade NAT for you. Consumer hotlines usually know this as “changing / disabling the DS Lite tunnel” or simply “enabling port forwarding”.

Whether the ISP will do that for you depends on the number of public IPs the provider has available. As far as I know, you have no right to demand that your carrier deactivates the NAT for you. Since hardly any end-users ask for this, however, ISPs normally have no problem enabling this 1:1 NAT for you.

Once this has been set up, a request to port 8080 (or any other port) can be directly associated with your internal IP and gets forwarded.
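The check the post walks through (compare the router's WAN address with what the internet sees, then try to reach your own address) as an added example script; it is not code from the original post. It assumes you read the WAN address from your router's status page and the observed address from an external “what is my IP” service, and the sample values in it are constructed; it also uses the fact, not mentioned in the post, that CGNAT customer-side addresses are commonly taken from 100.64.0.0/10 (RFC 6598).

```python
import ipaddress
import socket
from typing import Optional

# RFC 6598 shared address space: the range ISPs hand out on the customer side of
# Carrier Grade NAT. Python's is_private does NOT cover it, so check it explicitly.
SHARED_ADDRESS_SPACE = ipaddress.ip_network("100.64.0.0/10")


def classify_uplink(wan_ipv4: Optional[str], observed_ipv4: Optional[str],
                    wan_ipv6: Optional[str] = None) -> str:
    """Classify a consumer uplink from the router's WAN address and the address
    an external "what is my IP" service reports back.

    "ds-lite": no IPv4 WAN address at all, only IPv6; IPv4 leaves through the
               ISP's tunnel, so nobody on the internet can reach you over IPv4.
    "cgnat":   WAN IPv4 is shared/private space or differs from the observed
               address; inbound connections to the observed address are dropped.
    "direct":  WAN IPv4 is public and matches what the internet sees; port
               forwarding on your own router is enough.
    """
    if wan_ipv4 is None:
        return "ds-lite" if wan_ipv6 else "offline"
    wan = ipaddress.ip_address(wan_ipv4)
    if wan in SHARED_ADDRESS_SPACE or wan.is_private:
        return "cgnat"
    if observed_ipv4 is None or ipaddress.ip_address(observed_ipv4) != wan:
        return "cgnat"
    return "direct"


def inbound_reachable(public_ipv4: str, port: int, timeout: float = 3.0) -> bool:
    """The post's test: open a TCP connection to your own public address, e.g.
    on port 8080. Behind CGNAT or DS-Lite this fails even though the service
    listens and the router forwards the port. Run it from outside your LAN;
    a router's hairpin NAT can otherwise mask the result."""
    try:
        with socket.create_connection((public_ipv4, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed sample values, not real addresses of any provider.
    for wan4, seen4, wan6 in [("100.72.3.9", "62.10.20.30", None),
                              (None, "62.10.20.30", "2001:db8:1::2"),
                              ("51.15.100.200", "51.15.100.200", None)]:
        print(wan4, seen4, wan6, "->", classify_uplink(wan4, seen4, wan6))
```

After the ISP has switched you to 1:1 NAT, the same check should report "direct" and the probe on the forwarded port should succeed.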


Please remember that you will also have to enable port forwarding on your router behind the consumer line, as it also uses NAT to masquerade your internal IP addresses. Also, some consumer devices have settings like “filters” or “parental controls” that limit or fiddle with your port forwardings. It’s actually quite a s**t-show to properly configure some of these end-user routers.

Also, your public IP most likely rotates, just saying.

Cheers, Ori