Hello, I would like some help with port forwarding using CGNAT for Home Assistant access.
My ISP gave me 5 ports, but I can't access externally with IPv4, only with IPv6.
My IP is 168.xxx.xxx.x0 from https://whatismyipaddress.com/
My ISP gave me the IP 168.xxx.xxx.x5 for external access.
The IP that my router takes is 100.xx.xx.xx4.
The released ports are from 4415 to 4419 (not the real ports).
I tried creating rules using Traffic Rules and Port Forwards and had no luck.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config include
	option path '/etc/firewall.user'

config rule
	option src 'wan'
	option dest 'lan'
	option target 'ACCEPT'
	option dest_port 'XXXX'
	option family 'ipv6'
	option name 'HomeAssistant'

config rule
	option family 'ipv4'
	option src 'wan'
	option dest 'lan'
	option target 'ACCEPT'
	option src_port '4415'
	option name 'HA IPV4'
	list dest_ip '192.168.0.6'
	option dest_port 'XXXX'
I don't know if the problem is with my ISP or some router configuration.
Any suggestion?
First of all, these are rules and in IPv4 you need redirects (port forwards) not rules.
After you set up a redirect, try to access it from the internet, not from your home network. For example, switch your phone to mobile data only.
Then check with iptables-save -c -t nat | grep 4415 that there are hits on the firewall (the first numbers of the line). If you have no hits, nothing reached the firewall. If there is something, then the packets were forwarded to the lan host.
Yes, and it was forwarded to the .0.6 host. You can run a packet capture on the router and the host to verify that the packets indeed leave the lan interface and reach the host, if there is no response from the application.
I think it will be easier to change HA port to 4415, if you really want both IPv4 and IPv6 bound to the same port and you don't want to mess with DNAT in IPv6.
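
The redirect and the counter check suggested in the replies, as an added example that is not part of the original thread. The function names are hypothetical, the `zone_wan_prerouting` chain name assumes fw3 with a zone called `wan`, and the sample dump (including its addresses and port 8123) is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes OpenWrt with fw3/iptables.

# add_ha_redirect <isp_port> <lan_ip> <ha_port>
# Creates an IPv4 port forward (DNAT redirect) in place of the 'config rule'.
# <ha_port> is the internal port the thread elides as 'XXXX'.
add_ha_redirect() {
    r='firewall.@redirect[-1]'
    uci add firewall redirect >/dev/null
    uci set "$r.name=HA IPv4"
    uci set "$r.family=ipv4"
    uci set "$r.target=DNAT"
    uci set "$r.proto=tcp"
    uci set "$r.src=wan"
    uci set "$r.src_dport=$1"
    uci set "$r.dest=lan"
    uci set "$r.dest_ip=$2"
    uci set "$r.dest_port=$3"
    uci commit firewall
    /etc/init.d/firewall reload
}

# dnat_hits <isp_port> [zone]: reads `iptables-save -c -t nat` on stdin and
# prints the packet count of DNAT rules for that port in the zone's prerouting
# chain (default wan), so hits from LAN-side reflection rules are not counted.
dnat_hits() {
    awk -v port="$1" -v chain="zone_${2:-wan}_prerouting" '
        $2 == "-A" && $3 == chain && / -j DNAT / {
            for (i = 4; i < NF; i++)
                if ($i == "--dport" && $(i + 1) == port) {
                    split(substr($1, 2), c, ":")   # "[pkts:bytes]" -> pkts
                    total += c[1]
                }
        }
        END { print total + 0 }'
}

# Constructed sample of `iptables-save -c -t nat` (addresses and 8123 are made up).
sample_nat_dump() {
    cat <<'EOF'
[7:420] -A zone_lan_prerouting -s 192.168.0.0/24 -d 100.64.0.4/32 -p tcp -m tcp --dport 4415 -m comment --comment "!fw3: HA IPv4 (reflection)" -j DNAT --to-destination 192.168.0.6:8123
[3:180] -A zone_wan_prerouting -p tcp -m tcp --dport 4415 -m comment --comment "!fw3: HA IPv4" -j DNAT --to-destination 192.168.0.6:8123
EOF
}

sample_nat_dump | dnat_hits 4415   # on the router: iptables-save -c -t nat | dnat_hits 4415
```

A result of 0 for the wan chain while the lan chain shows hits means only tests from inside the home network reached the rule, and nothing arrived from the ISP side.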