Isp static ip = wan access?

sumrando · March 30, 2025, 5:16pm

my isp offers a static ip for an extra fee. when I set it up, I kept asking the sales rep if having a static ip will make my router accessible from the wan. ultimately I want to open my router so I can access my computer remotely. I got the static service but so far, i've been unable to access my IP address externally. initially my ip was dynamic. I figured that's why I couldn't access it.

my isp gave me my IP address, gateway address and subnet mask. is it possible to reach my router now with a route? i don't know exactly how routes are opened up by the isp.

i'd appreciate some clarity.
thanks

psherman · March 30, 2025, 5:20pm

What are the first two octets of your IP address? (post only the part in bold: AAA.bbb.ccc.ddd)

Not necessarily. Dynamic IP addresses from an ISP can still be public IP addresses, and thus shouldn't directly prevent remote access (although your ISP could block ports).

The ISP isn't really involved here (as long as they don't block anything).

It is your router that is responsible for opening ports. Have you done that yet? Let's take a look at your config:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

sumrando · March 30, 2025, 6:03pm

unfortunately openwrt is run on a rpi4 as a router inside the isp modem/router. it's a Hitron modem. first two octets are 67.63. in the modem I have setup for basic residential gateway. when I choose that there are no options to change. when I disable the residential gateway function, it pretty much goes offline. but I think I can set it up without that.

psherman · March 30, 2025, 6:10pm

Then it sounds like your problem is not the static IP or even OpenWrt... let's verify:

From the Pi4, what is the output of this:

ifstatus wan | grep address

^^^ does this show 67.63.x.x (your static IP), or does it show something like 192.168.x.x or 10.x.x.x or 172.16.x.x - 172.31.x.x?

sumrando · March 30, 2025, 6:18pm

no, no problems with openwrt. in fact, this is not really related to openwrt but I didn't really know where else to post it.

rpi is on 192.168.8.0/0 network. rpi is behind isp modem (192.168.0.1/0). I'm just trying to open up the pipeline between the world and my modem so I can access an app I'm building when i'm gone from home.

and just to note, rpi openwrt all outbound traffic routes through wireguard vpn. so ifstatus wan | grep address is going to show the router ip address below modem.

psherman · March 30, 2025, 6:32pm

Well, this forum focuses on OpenWrt... we can't help you with issues that stem from your ISP or your ISP's modem/router.

You need to ask your ISP for help with their modem/router device. These are your options:

Change the modem/router into a bridge-mode (i.e. modem only) device such that the public IP is sent directly to your OpenWrt wan.
Enable "DMZ mode" (this is essentially "forward all ports") on the ISP device, with the DMZ host pointing to your OpenWrt router (and from there you can use the standard port forwarding and firewall config to handle the rest)
Enable port forwarding on your ISP device (this would equate to forwarding only specified ports) to the OpenWrt device, and then using port forwarding on OpenWrt to point to the host in question.
Remove your ISP modem/router device entirely. If you need a modem, maybe you can buy your own that is just bridge mode device.

Failing those, you can use Tailscale or Zerotier as VPNs that don't require you to open any ports (but it also doesn't require a static or even a public IP address to function). This would allow you to gain remote access via VPN (not port forwarding, though)... this means it better from a security standpoint than just simply port forwarding, but is not 'general access' (i.e. if you wanted to have services available to anyone on the internet).

sumrando · March 31, 2025, 5:33am

i think that's the answer, bridge mode. it's in residential mode right now. thanks, i'll give that a try. every time I disable residential mode it goes offline everywhere. but now that I have the details I need to set it up, I think I can figure it out.

i've tried dmz and port forwarding. i've even turned the modem to enable ping from WAN and still no reply from the outside. thanks

Lynx · April 3, 2025, 7:12am

I’m curious about how you got on.

Geffers · April 3, 2025, 7:42am

Most routers nowadays are set to not allow access from internet (security). If a user had an easy password then if router was accessed by a hacker they could play havoc with your system. You can allow it but it has to be enabled. The router itself can open ports to individual devices on your home network, the ports will direct incoming traffic to a specific local IP address or MAC address.

Best way to access router from internet is to access a specific machine on network via ssh or VPN and then that 'can' open your router in a safer manner.

Geoff

system · April 13, 2025, 7:42am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.