DuckDNS won't work outside of network

Hi,

After a recent accidental deletion of my virtual machine's disk image, I am reinstalling hassio…

I am going out of my mind trying to get Duck DNS working. This did work before but I can't remember all the settings; I just can't get it to work now.

Subdomain is set up on duckdns.org

Installed DuckDNS on Hassio 93.2

{
  "lets_encrypt": {
    "accept_terms": true,
    "certfile": "fullchain.pem",
    "keyfile": "privkey.pem"
  },
  "token": "bff2126f-5fcb-4227-88f2-c9bc275a19c6",
  "domains": [
    "philwashere.duckdns.org"
  ],
  "seconds": 300
}

Added to configuration.yaml
base_url: http://philwashere.duckdns.org

Port forwarding set up on 8123 to 8123

Just want to get it to work on http, then will try https

When on internal network http://philwashere.duckdns.org works but can't reach it outside my network…?
I have reset modem and restarted hassio

What further diagnostics can I do?
Thanks

port forwarding should be 443 outside to 8123 inside.

I know but that's for https, I'm just trying to get http working first…

Then you need to specify the port. Everything from outside uses port 443 unless specified. And that’s not for https, it’s for outside to inside for HA.

OK, I added port forwarding on 443 to 8123
But same problem, internally https://philwashere.duckdns.org works
But externally it does not, adding :8123 makes no difference

If you port forward, you don’t want to add 8123. You want to leave it be. How are you port forwarding? Are you sure the port forward is sticking in the router?

To go even further, does the OP know if they are on a CGNAT or not?

1 Like

Below are my router forwarding settings
Is there a way I can test port forwarding?

???
Sorry, no idea what that even is…

You can’t have 8123 - 8123 and 443 to 8123 active at the same time.

OK, I have removed the 8123-8123 and it's still the same…

Also double check the internal IP address for the port forwarding rule. It should be your hassio host’s network IP address.

Carrier grade network address translation (CGNAT) is a method for dealing with the limited number of IPv4 IP addresses available.

You and a bunch of your ISP’s other customers are assigned an IP address from the non-routable private range. This is then translated to a single routable IPv4 address on their internet connection side. They keep track of connections and ‘translate’ packets to and from this single address to many customers.

It works the same way as using a private network in your home with many devices on the private range all translated to the one public IP address assigned to your router by your ISP.

The easiest way to check if your ISP is using CGNAT is to look at your router’s public (WAN) IP address in its internet connection settings/monitor and compare that with the address reported by your DuckDNS setup page. They should be the same. If they are not, your ISP uses CGNAT and you should request that they turn it off. For some ISPs this request is free.

The other problem is that some ISPs block some common incoming ports. You should check with your ISP about this. I had to request port 443 be opened and it was free.

1 Like
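Added example, not part of any post in this thread: the WAN-address comparison described above as a small Python check. It goes slightly beyond the post by also flagging a WAN address that sits in the CGNAT shared range (100.64.0.0/10) or an RFC 1918 private range, and by treating a name that does not resolve as a DNS problem. The function names and the sample addresses are constructed for illustration.

```python
import ipaddress

# RFC 6598 shared address space used by carrier-grade NAT.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges (a second router or modem is doing NAT upstream).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify_wan(wan_ip):
    """Return 'cgnat', 'private' or 'public' for the router's WAN address."""
    ip = ipaddress.ip_address(wan_ip)
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in RFC1918):
        return "private"
    return "public"

def diagnose(router_wan_ip, duckdns_ip):
    """Compare the router's WAN address with the address the DuckDNS name
    resolves to (None if the lookup failed) and name the likely fault."""
    if duckdns_ip is None:
        return "no-dns"            # name does not resolve: fix DNS before ports
    kind = classify_wan(router_wan_ip)
    if kind != "public":
        return "nat-" + kind       # router has no public address of its own
    if ipaddress.ip_address(router_wan_ip) != ipaddress.ip_address(duckdns_ip):
        return "mismatch"          # DuckDNS record points somewhere else
    return "match"                 # addressing is fine: check forward / ISP blocks

if __name__ == "__main__":
    # Constructed samples: (router WAN IP, IP the DuckDNS name resolves to)
    samples = [
        ("203.0.113.7", "203.0.113.7"),
        ("100.72.13.5", "198.51.100.9"),
        ("192.168.1.2", "198.51.100.9"),
        ("203.0.113.7", "198.51.100.9"),
        ("203.0.113.7", None),
    ]
    for wan, dns in samples:
        print(f"{wan:>15}  vs  {dns!s:<15} -> {diagnose(wan, dns)}")
```

Read the WAN address from the router's status page, not from a "what is my IP" website, since such a site shows the translated address.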

He’s not on CGNAT if the IP address his domain is resolving to is correct.
It could be port block as Tom says or you have not forwarded 443 to the correct device.

Thanks for the explanation and thank you to everyone for help so far…

I checked router ip and it matches that which DuckDNS is using so no CGNAT

Double checked router settings and correct device is set.

The thing that is really doing my head in is, this all used to work! I had it working internally and externally before I nuc’ed the virtual disk image so there shouldn't be an issue with ISP blocking ports.

Might want to edit those images to hide your public IP address.

Not sure if you are using Dodo or just their modem but if you are, be aware that they do block incoming port 80. https://forums.whirlpool.net.au/archive/2336653

Which I think is required for LetsEncrypt SSL certificate renewal. Though this does not explain why you can’t use http, so possibly a red-herring.

The duckdns addon uses dns validation not http so port 80 isn’t needed.

2 Likes

Is it a new IP address internally?

It is on a new internal IP, yes, but I have changed the connection to the new IP in the port settings.

Hi @dudester
Dodo is a Vocus company and they generally don’t do CGNAT or port blocking for DSL customers. The issue will most likely be on your end. It looks like you have configured everything on your modem router correctly.

What IP address shows when you ping philwashere.duckdns.org internally?
Go to whatismyip.akamai.com and make sure the ip matches.

I would recommend that you modify your previous comments to hide some of the information.

OK, thanks for the tip, have removed the images.
Within network PING returns same IP as whatismyip lookup.
Outside of network the same PING says name not found…?

It's as if duckdns is not forwarding…?