nixos-dotfiles

https://git.tonybtw.com/nixos-dotfiles.git git://git.tonybtw.com/nixos-dotfiles.git

Router Port Forwarding Guide

To make your home XMPP server accessible from the internet, you need to forward ports on your router. This guide covers common routers.


What is Port Forwarding?

Normal setup: Router blocks incoming connections (firewall)
Port forwarding: Router allows specific ports through to your server

You're telling your router: "When someone connects to port 5222, send that traffic to my server at 192.168.1.100:5222"


Step 1: Find Your Server's Local IP

On your home server (the laptop running NixOS):

ip addr show | grep "inet "

Look for your local IP, probably something like:

  • 192.168.1.100 (common)
  • 192.168.0.100
  • 10.0.0.100

Write this down. You'll need it for port forwarding.


Step 2: Set Static IP (Important!)

If your server gets a different IP after reboot, port forwarding breaks.

Option A: Static IP via Router (Recommended)

  1. Log in to your router (see Step 3)
  2. Find DHCP Reservations or Static IP or Address Reservation
  3. Add a reservation:
    • Device: Your server (find by MAC address or hostname)
    • IP Address: 192.168.1.100 (or whatever you chose)
  4. Save

Option B: Static IP via NixOS

Add to your NixOS configuration:

# In configuration.nix
networking = {
  interfaces.eth0 = {  # or wlp3s0 for WiFi - check with `ip addr`
    useDHCP = false;
    ipv4.addresses = [{
      address = "192.168.1.100";
      prefixLength = 24;
    }];
  };
  defaultGateway = "192.168.1.1";  # Your router's IP
  nameservers = [ "1.1.1.1" "8.8.8.8" ];
};

Then:

sudo nixos-rebuild switch

Recommendation: Use Option A (router-side) - easier to manage.


Step 3: Access Your Router

Find Router IP:

ip route | grep default

Usually shows: 192.168.1.1 or 192.168.0.1 or 10.0.0.1

Log In:

Open browser, go to: http://192.168.1.1 (or whatever IP you found)

Common default logins:

| Router Brand    | Default Username | Default Password    | URL                  |
|-----------------|------------------|---------------------|----------------------|
| Netgear         | admin            | password            | http://192.168.1.1   |
| Linksys         | admin            | admin               | http://192.168.1.1   |
| TP-Link         | admin            | admin               | http://192.168.0.1   |
| ASUS            | admin            | admin               | http://192.168.1.1   |
| D-Link          | admin            | (blank)             | http://192.168.0.1   |
| Belkin          | (blank)          | (blank)             | http://192.168.2.1   |
| Xfinity/Comcast | admin            | password            | http://10.0.0.1      |
| AT&T            | (varies)         | (on router sticker) | http://192.168.1.254 |
| Verizon FIOS    | admin            | (on router sticker) | http://192.168.1.1   |

If default doesn't work:

  • Check sticker on router
  • Google "[your router model] default password"
  • You may have changed it before

Step 4: Find Port Forwarding Settings

Every router brand has a different UI. Look for:

  • Port Forwarding
  • Virtual Server
  • Port Mapping
  • NAT Forwarding
  • Applications & Gaming (Linksys)
  • Advanced → Port Forwarding

Common locations:

  • Netgear: Advanced → Port Forwarding/Port Triggering
  • Linksys: Security → Apps & Gaming → Single Port Forwarding
  • TP-Link: Forwarding → Virtual Servers
  • ASUS: WAN → Virtual Server / Port Forwarding
  • D-Link: Advanced → Port Forwarding

Step 5: Add Port Forwarding Rules

Add these rules (one rule per port):

Rule 1: SSH

  • Service Name: SSH
  • External Port: 22
  • Internal Port: 22
  • Internal IP: 192.168.1.100 (your server)
  • Protocol: TCP
  • Enabled: Yes

Rule 2: HTTP (ACME challenges)

  • Service Name: HTTP
  • External Port: 80
  • Internal Port: 80
  • Internal IP: 192.168.1.100
  • Protocol: TCP
  • Enabled: Yes

Rule 3: HTTPS

  • Service Name: HTTPS
  • External Port: 443
  • Internal Port: 443
  • Internal IP: 192.168.1.100
  • Protocol: TCP
  • Enabled: Yes

Rule 4: XMPP Client (C2S)

  • Service Name: XMPP-C2S
  • External Port: 5222
  • Internal Port: 5222
  • Internal IP: 192.168.1.100
  • Protocol: TCP
  • Enabled: Yes

Rule 5: XMPP Server (S2S) - Optional

Only needed if you want to federate with other XMPP servers.

  • Service Name: XMPP-S2S
  • External Port: 5269
  • Internal Port: 5269
  • Internal IP: 192.168.1.100
  • Protocol: TCP
  • Enabled: Yes

Rule 6: XMPP HTTPS (File Uploads)

  • Service Name: XMPP-HTTPS
  • External Port: 5281
  • Internal Port: 5281
  • Internal IP: 192.168.1.100
  • Protocol: TCP
  • Enabled: Yes

Step 6: Save and Apply

Click Save or Apply in your router interface.

Some routers require a reboot - check if there's a "Reboot" button or just wait a minute.


Step 7: Test Port Forwarding

From Outside Your Network:

Use your phone on mobile data (NOT WiFi), or ask a friend:

# Test if ports are open
nc -zv YOUR_HOME_IP 22
nc -zv YOUR_HOME_IP 5222

# Or use online tool:
# Visit: https://www.yougetsignal.com/tools/open-ports/
# Enter your home IP and port 5222

Expected result: "Connection successful" or "Port is open"

Find Your Home IP:

curl ifconfig.me

Or visit: https://whatismyipaddress.com
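
The probes above, scripted so every port from Step 5 can be checked in one run from a phone hotspot or a friend's machine. This is an added example and not part of the original guide; it assumes `nc` is installed (falling back to bash's `/dev/tcp` plus coreutils `timeout` when it is not) and takes the home IP and the port list as arguments.

```shell
#!/usr/bin/env sh
# Probe TCP ports on the home IP from OUTSIDE the home network, one line per port.
# Added example, not part of the original guide. Assumes `nc` (the OpenBSD, GNU and
# ncat variants all accept -z -w) or, failing that, bash with coreutils `timeout`.

# Exit 0 if a TCP connect to host:port succeeds within $3 seconds (default 3)
probe_port() {
  host=$1; port=$2; t=${3:-3}
  if command -v nc >/dev/null 2>&1; then
    nc -z -w "$t" "$host" "$port" >/dev/null 2>&1
  else
    # bash-only fallback: the /dev/tcp pseudo-device; `timeout` bounds a silently dropped SYN
    timeout "$t" bash -c "exec 3<>/dev/tcp/$host/$port" >/dev/null 2>&1
  fi
}

# Probe every port given; the exit status is the number of ports that did not answer
check_ports() {
  host=$1; shift
  failed=0
  for port in "$@"; do
    if probe_port "$host" "$port"; then
      printf '%s:%s open\n' "$host" "$port"
    else
      # A refused connection (RST) and a silent drop (timeout) both land here.
      # Re-run a single port with `nc -zv` to tell them apart: a timeout points at
      # the router, double NAT, the ISP, or a DROP rule on the server.
      printf '%s:%s CLOSED or filtered\n' "$host" "$port"
      failed=$((failed + 1))
    fi
  done
  return "$failed"
}

# Usage: sh probe.sh YOUR_HOME_IP 22 80 443 5222 5269 5281
if [ $# -ge 2 ]; then
  check_ports "$@"
fi
```

Run it with the same list of ports you forwarded; a non-zero exit status tells you how many rules still need attention, which makes it easy to re-run after each router change.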


Common Issues

Issue 1: Ports Still Closed

Causes:

  1. Router hasn't applied changes (reboot router)
  2. ISP blocks ports (see below)
  3. Firewall on server blocks traffic (check NixOS firewall config)
  4. Double NAT (you have two routers)

Solutions:

  • Reboot router
  • Check ISP doesn't block ports (call them)
  • Verify NixOS firewall allows ports:
    sudo iptables -L -n -v | grep 5222
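
A more targeted version of the firewall check above: instead of eyeballing `iptables -L`, compare the server's accept rules against the list of ports you forwarded. This is an added example and not from the guide; the sample rule lines are constructed, and the chain and target names (`nixos-fw`, `nixos-fw-accept`) are those the NixOS iptables-based firewall uses, which is an assumption you should confirm with `sudo iptables -S nixos-fw` on your own host. If you have switched the firewall to the nftables backend, inspect `nft list ruleset` instead.

```shell
#!/usr/bin/env sh
# Check that the NixOS firewall accepts every TCP port you forwarded.
# Added example, not part of the original guide.
# Usage on the server: sudo iptables -S nixos-fw | sh fw-check.sh 22 80 443 5222 5269 5281

# Constructed sample of `sudo iptables -S nixos-fw` output (assumed chain/target names,
# not captured from a real host). Ports 80, 5269 and 5281 are deliberately absent.
SAMPLE_RULES='-N nixos-fw
-A nixos-fw -i lo -j nixos-fw-accept
-A nixos-fw -m conntrack --ctstate RELATED,ESTABLISHED -j nixos-fw-accept
-A nixos-fw -p tcp -m tcp --dport 22 -j nixos-fw-accept
-A nixos-fw -p tcp -m tcp --dport 443 -j nixos-fw-accept
-A nixos-fw -p tcp -m tcp --dport 5222 -j nixos-fw-accept
-A nixos-fw -j nixos-fw-log-refuse'

# Read rules on stdin; report each required TCP port that has no accept rule
# (single --dport values and lo:hi ranges both count). Exit status = ports missing.
missing_tcp_ports() {
  rules=$(cat)
  missing=0
  for port in "$@"; do
    if printf '%s\n' "$rules" | awk -v want="$port" '
        /-p tcp/ && /-j nixos-fw-accept/ {
          for (i = 1; i < NF; i++) if ($i == "--dport") {
            n = split($(i + 1), r, ":")
            lo = r[1] + 0; hi = (n > 1 ? r[2] : r[1]) + 0
            if (want + 0 >= lo && want + 0 <= hi) { found = 1; exit }
          }
        }
        END { exit (found ? 0 : 1) }'
    then
      printf 'tcp/%s allowed\n' "$port"
    else
      printf 'tcp/%s MISSING from nixos-fw (add it to networking.firewall.allowedTCPPorts)\n' "$port"
      missing=$((missing + 1))
    fi
  done
  return "$missing"
}

if [ $# -ge 1 ]; then
  missing_tcp_ports "$@"
fi
```

Because NixOS drops rather than rejects blocked packets by default, a port the firewall does not allow looks exactly like a router that never forwarded it (a timeout from outside), so running this on the server first saves a round of router reboots.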

Issue 2: ISP Blocks Ports

Some ISPs block common server ports (especially residential plans).

Commonly blocked ports:

  • Port 25 (SMTP email) - almost always blocked
  • Port 80 (HTTP) - sometimes blocked
  • Port 443 (HTTPS) - rarely blocked
  • Port 5222 (XMPP) - rarely blocked

Workarounds:

  1. Use non-standard ports:
    • XMPP on 5222 → change to 52222
    • HTTP on 80 → change to 8080
    • Update NixOS config and DNS SRV records
  2. Call ISP and ask for "business class" or "static IP" (often removes blocks)
  3. Use VPN tunnel (Tailscale, WireGuard)

Issue 3: Double NAT

If you have:

  • ISP modem/router → Your router → Your server

You need to port forward on BOTH routers, or put your router in "bridge mode."

Check for double NAT:

# On your server:
ip route | grep default

# Note the router IP (e.g., 192.168.1.1)
# Then check what your router's "WAN IP" is in its admin panel
# If WAN IP is also 192.168.x.x or 10.x.x.x, you have double NAT

Fix: Put ISP modem in bridge mode, or port forward on both.
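
The double NAT test above, as a small script. This is an added example and not from the guide: it parses the default gateway out of `ip route` (sample output constructed here) and classifies the WAN address you copy from the router's status page. It goes slightly beyond the guide's 192.168.x.x / 10.x.x.x check by also treating 172.16-31.x.x (the rest of RFC 1918) and 100.64-127.x.x (carrier-grade NAT, RFC 6598) as non-public; a CGNAT WAN address means the extra NAT layer is the ISP's, and no setting on your side can forward through it.

```shell
#!/usr/bin/env sh
# Double NAT check. Added example, not part of the original guide.
# Usage: sh double-nat.sh WAN_IP   (WAN_IP as shown on the router's status page)

# Constructed sample of `ip route` output on the server (not captured from a real host)
SAMPLE_IP_ROUTE='default via 192.168.1.1 dev wlp3s0 proto dhcp metric 600
192.168.1.0/24 dev wlp3s0 proto kernel scope link src 192.168.1.100 metric 600'

# Print the default gateway (the router's LAN address) from `ip route` output on stdin
default_gateway() {
  awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "via") { print $(i + 1); exit } }'
}

# Second octet of a dotted-quad address
second_octet() { o=${1#*.}; printf '%s\n' "${o%%.*}"; }

# Exit 0 for RFC 1918 space: 10/8, 172.16/12, 192.168/16
is_rfc1918_ip() {
  case $1 in
    10.*|192.168.*) return 0 ;;
    172.*) o2=$(second_octet "$1")
           [ "$o2" -ge 16 ] 2>/dev/null && [ "$o2" -le 31 ] && return 0 ;;
  esac
  return 1
}

# Exit 0 for carrier-grade NAT space: 100.64/10
is_cgnat_ip() {
  case $1 in
    100.*) o2=$(second_octet "$1")
           [ "$o2" -ge 64 ] 2>/dev/null && [ "$o2" -le 127 ] && return 0 ;;
  esac
  return 1
}

# Exit 0 if the address cannot be reached from the internet
is_private_ip() { is_rfc1918_ip "$1" || is_cgnat_ip "$1"; }

# 0 = single NAT, 1 = double NAT you can fix, 2 = NAT on the ISP side (CGNAT)
check_double_nat() {
  wan=$1
  if is_cgnat_ip "$wan"; then
    echo "CGNAT: WAN address $wan belongs to the ISP's shared pool; port forwarding cannot work, use a tunnel (Tailscale/WireGuard) or ask the ISP for a public IP"
    return 2
  fi
  if is_rfc1918_ip "$wan"; then
    echo "double NAT: WAN address $wan is private; forward on the upstream device too, or put it in bridge mode"
    return 1
  fi
  echo "single NAT: WAN address $wan is public"
  return 0
}

if [ $# -eq 1 ]; then
  gw=$(ip route 2>/dev/null | default_gateway)
  echo "default gateway (your router): ${gw:-unknown}"
  check_double_nat "$1"
fi
```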


Security Considerations

Exposing SSH to Internet (Port 22)

Risk: Bots will try to brute-force your SSH.

Mitigations:

  1. Fail2ban is enabled (in your NixOS config) - auto-bans attackers
  2. Change SSH port to non-standard:
    services.openssh.ports = [ 2222 ];  # Instead of 22

    Then forward external port 2222 → internal port 2222

  3. SSH key-only (disable password auth):
    services.openssh.settings.PasswordAuthentication = false;
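
A way to confirm the mitigations above actually took effect after `nixos-rebuild switch`: audit the effective sshd configuration rather than the file you edited. This is an added example and not from the guide; it reads `sudo sshd -T` output (lowercase `key value` lines) and the sample below is constructed, not captured from a real host. It also flags keyboard-interactive authentication, which NixOS leaves enabled by default and which still lets PAM accept passwords after `PasswordAuthentication = false`.

```shell
#!/usr/bin/env sh
# Audit the sshd settings that matter once port 22 (or 2222) is forwarded.
# Added example, not part of the original guide.
# Usage on the server: sudo sshd -T | sh sshd-audit.sh

# Constructed sample in the shape `sshd -T` prints; not from a real host
SAMPLE_SSHD_T='port 22
addressfamily any
passwordauthentication yes
kbdinteractiveauthentication yes
permitrootlogin prohibit-password
pubkeyauthentication yes
maxauthtries 6'

# Look up one key in the configuration held in $cfg (empty if absent)
sshd_setting() {
  printf '%s\n' "$cfg" | awk -v k="$1" '$1 == k { print $2; exit }'
}

# Read `sshd -T` output on stdin; print one line per finding.
# Exit status = number of WEAK findings (INFO lines are not counted).
audit_sshd() {
  cfg=$(cat)
  weak=0
  if [ "$(sshd_setting passwordauthentication)" != "no" ]; then
    echo "WEAK: passwordauthentication is not 'no'; set services.openssh.settings.PasswordAuthentication = false"
    weak=$((weak + 1))
  fi
  # Keyboard-interactive (PAM) still accepts passwords even with PasswordAuthentication off.
  # Older sshd releases report this key as challengeresponseauthentication.
  kbd=$(sshd_setting kbdinteractiveauthentication)
  [ -n "$kbd" ] || kbd=$(sshd_setting challengeresponseauthentication)
  if [ "$kbd" != "no" ]; then
    echo "WEAK: keyboard-interactive auth enabled; set services.openssh.settings.KbdInteractiveAuthentication = false"
    weak=$((weak + 1))
  fi
  case $(sshd_setting permitrootlogin) in
    no|prohibit-password) ;;
    *) echo "WEAK: permitrootlogin permits root password login"; weak=$((weak + 1)) ;;
  esac
  if [ "$(sshd_setting port)" = "22" ]; then
    echo "INFO: sshd listens on 22; the guide suggests services.openssh.ports = [ 2222 ] to cut bot noise"
  fi
  return "$weak"
}

# Run against the built-in sample with: sh sshd-audit.sh --sample
if [ "${1:-}" = "--sample" ]; then
  printf '%s\n' "$SAMPLE_SSHD_T" | audit_sshd
elif [ ! -t 0 ]; then
  audit_sshd
fi
```

Moving the port only reduces log noise; the key-only and keyboard-interactive settings are what stop a guessed password from working, and fail2ban then handles whatever still arrives.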

Exposing Your Home IP

Reality check:

  • Your IP is already visible when you browse the web
  • DNS records will show your IP publicly
  • Anyone who resolves chat.tonybtw.com (for example by pinging it) will see your home IP

If this bothers you:

  • Use Vultr instead (VPS hides home IP)
  • Use Tailscale (VPN mesh, no public exposure)

Router-Specific Guides

Netgear:

  1. Go to Advanced → Advanced Setup → Port Forwarding
  2. Click Add Custom Service
  3. Fill in service name, ports, IP
  4. Click Apply

Linksys:

  1. Go to Security → Apps & Gaming
  2. Click Single Port Forwarding tab
  3. Fill in application name, external/internal ports, IP
  4. Check Enabled box
  5. Click Save Settings

TP-Link:

  1. Go to Forwarding → Virtual Servers
  2. Click Add New
  3. Fill in service port, internal port, IP address
  4. Protocol: TCP
  5. Status: Enabled
  6. Click Save

ASUS:

  1. Go to WAN → Virtual Server / Port Forwarding
  2. Enable Port Forwarding
  3. Fill in service name, port range, local IP
  4. Protocol: TCP
  5. Click Add then Apply

Google WiFi / Nest WiFi:

  1. Open Google Home app
  2. Tap your Wi-Fi network
  3. Settings → Advanced Networking → Port Management
  4. Tap "+" to add port forwarding
  5. Select your server device, enter ports

Alternative: UPnP (Not Recommended)

Some routers support UPnP (Universal Plug and Play) which auto-forwards ports.

Don't use this:

  • Security risk (any device on your network can open ports)
  • Less reliable
  • Manual port forwarding is safer

Next Steps

Once port forwarding is working:

  1. Continue to home deployment guide
  2. Deploy NixOS configuration
  3. Test XMPP from outside your network

Troubleshooting Checklist

  • [ ] Server has static IP (via DHCP reservation)
  • [ ] Port forwarding rules are saved and applied
  • [ ] Router has been rebooted
  • [ ] Ports are open (tested with nc or online tool)
  • [ ] NixOS firewall allows ports (check iptables -L)
  • [ ] No double NAT (or both routers configured)
  • [ ] ISP doesn't block ports (test with online tools)

If all checked and still not working, your ISP might be the problem. Consider Tailscale or Vultr as alternatives.