# Router Port Forwarding Guide

To make your home XMPP server accessible from the internet, you need to forward ports on your router. This guide covers common routers.

---

## What is Port Forwarding?

**Normal setup:** Router blocks incoming connections (firewall)

**Port forwarding:** Router allows specific ports through to your server

You're telling your router: "When someone connects to port 5222, send that traffic to my server at 192.168.1.100:5222"

---

## Step 1: Find Your Server's Local IP

On your home server (the laptop running NixOS):

```bash
ip addr show | grep "inet "
```

Look for your local IP, probably something like:

- `192.168.1.100` (common)
- `192.168.0.100`
- `10.0.0.100`

**Write this down.** You'll need it for port forwarding.

---

## Step 2: Set Static IP (Important!)

If your server gets a different IP after reboot, port forwarding breaks.

### **Option A: Static IP via Router (Recommended)**

1. Log in to your router (see Step 3)
2. Find **DHCP Reservations** or **Static IP** or **Address Reservation**
3. Add a reservation:
   - **Device:** Your server (find by MAC address or hostname)
   - **IP Address:** `192.168.1.100` (or whatever you chose)
4. Save

### **Option B: Static IP via NixOS**

Add to your NixOS configuration:

```nix
# In configuration.nix
networking = {
  interfaces.eth0 = {  # or wlp3s0 for WiFi - check with `ip addr`
    useDHCP = false;
    ipv4.addresses = [{
      address = "192.168.1.100";
      prefixLength = 24;
    }];
  };
  defaultGateway = "192.168.1.1";  # Your router's IP
  nameservers = [ "1.1.1.1" "8.8.8.8" ];
};
```

Then:

```bash
sudo nixos-rebuild switch
```

**Recommendation:** Use Option A (router-side) - easier to manage.
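As an added example (not part of the original guide), the shell helpers below pull the values Steps 1 and 2 ask you to write down out of `ip -o -4 addr show` and `ip route` output: interface name, address, prefix length, whether the address came from DHCP, and the default gateway. The output embedded in `SAMPLE_ADDR` and `SAMPLE_ROUTE` is constructed to look like typical output from those commands, and the function names are mine.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): pull the values Steps 1 and 2
# ask you to write down out of `ip -o -4 addr show` and `ip route` output.
# On the server itself:  ip -o -4 addr show | lan_addrs ;  ip route | default_gateway

# Constructed sample of `ip -o -4 addr show`: one line per address, so no
# grep is needed to pair an address with its interface.
SAMPLE_ADDR='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.100/24 brd 192.168.1.255 scope global dynamic noprefixroute eth0\       valid_lft 85792sec preferred_lft 85792sec
3: wlp3s0    inet 169.254.12.7/16 brd 169.254.255.255 scope link wlp3s0\       valid_lft forever preferred_lft forever'

# Constructed sample of `ip route`.
SAMPLE_ROUTE='default via 192.168.1.1 dev eth0 proto dhcp src 192.168.1.100 metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.100 metric 100'

# lan_addrs: reads `ip -o -4 addr show` lines on stdin and prints
# "IFACE ADDRESS PREFIX dynamic|static" for every globally scoped address.
# Loopback (scope host) and 169.254/16 link-local (scope link) are skipped.
# "dynamic" means the address came from DHCP: exactly the case Step 2 warns
# about, where the lease can change after a reboot and break the forward.
lan_addrs() {
  awk '$3 == "inet" && / scope global/ {
         split($4, cidr, "/")
         how = ($0 ~ / dynamic /) ? "dynamic" : "static"
         print $2, cidr[1], cidr[2], how
       }'
}

# default_gateway: reads `ip route` lines on stdin and prints "GATEWAY IFACE"
# for the default route, which is the router IP Step 3 logs in to.
default_gateway() {
  awk '$1 == "default" && $2 == "via" { print $3, $5; exit }'
}

# nix_static_ip IFACE ADDRESS PREFIX GATEWAY: prints Step 2's Option B
# snippet with the parsed values filled in (nameservers left as in the guide).
nix_static_ip() {
  cat <<EOF
networking = {
  interfaces.$1 = {
    useDHCP = false;
    ipv4.addresses = [{ address = "$2"; prefixLength = $3; }];
  };
  defaultGateway = "$4";
  nameservers = [ "1.1.1.1" "8.8.8.8" ];
};
EOF
}

# Demo on the constructed samples.
read -r iface addr prefix how <<EOF
$(printf '%s\n' "$SAMPLE_ADDR" | lan_addrs | head -n 1)
EOF
read -r gw _ <<EOF
$(printf '%s\n' "$SAMPLE_ROUTE" | default_gateway)
EOF
echo "server: $iface $addr/$prefix ($how), router: $gw"
nix_static_ip "$iface" "$addr" "$prefix" "$gw"
```

If `lan_addrs` reports `dynamic` for the server's address, you are in the situation Step 2 describes: either add the DHCP reservation (Option A) or paste the printed snippet into `configuration.nix` (Option B).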
---

## Step 3: Access Your Router

### **Find Router IP:**

```bash
ip route | grep default
```

Usually shows: `192.168.1.1` or `192.168.0.1` or `10.0.0.1`

### **Log In:**

Open browser, go to: `http://192.168.1.1` (or whatever IP you found)

**Common default logins:**

| Router Brand | Default Username | Default Password | URL |
|--------------|------------------|------------------|-----|
| Netgear | admin | password | http://192.168.1.1 |
| Linksys | admin | admin | http://192.168.1.1 |
| TP-Link | admin | admin | http://192.168.0.1 |
| ASUS | admin | admin | http://192.168.1.1 |
| D-Link | admin | (blank) | http://192.168.0.1 |
| Belkin | (blank) | (blank) | http://192.168.2.1 |
| Xfinity/Comcast | admin | password | http://10.0.0.1 |
| AT&T | (varies) | (on router sticker) | http://192.168.1.254 |
| Verizon FIOS | admin | (on router sticker) | http://192.168.1.1 |

**If default doesn't work:**

- Check sticker on router
- Google "[your router model] default password"
- You may have changed it before

---

## Step 4: Find Port Forwarding Settings

Every router brand has a different UI.
Look for:

- **Port Forwarding**
- **Virtual Server**
- **Port Mapping**
- **NAT Forwarding**
- **Applications & Gaming** (Linksys)
- **Advanced → Port Forwarding**

**Common locations:**

- Netgear: **Advanced → Port Forwarding/Port Triggering**
- Linksys: **Security → Apps & Gaming → Single Port Forwarding**
- TP-Link: **Forwarding → Virtual Servers**
- ASUS: **WAN → Virtual Server / Port Forwarding**
- D-Link: **Advanced → Port Forwarding**

---

## Step 5: Add Port Forwarding Rules

Add these rules (one rule per port):

### **Rule 1: SSH**

- **Service Name:** SSH
- **External Port:** 22
- **Internal Port:** 22
- **Internal IP:** `192.168.1.100` (your server)
- **Protocol:** TCP
- **Enabled:** Yes

### **Rule 2: HTTP (ACME challenges)**

- **Service Name:** HTTP
- **External Port:** 80
- **Internal Port:** 80
- **Internal IP:** `192.168.1.100`
- **Protocol:** TCP
- **Enabled:** Yes

### **Rule 3: HTTPS**

- **Service Name:** HTTPS
- **External Port:** 443
- **Internal Port:** 443
- **Internal IP:** `192.168.1.100`
- **Protocol:** TCP
- **Enabled:** Yes

### **Rule 4: XMPP Client (C2S)**

- **Service Name:** XMPP-C2S
- **External Port:** 5222
- **Internal Port:** 5222
- **Internal IP:** `192.168.1.100`
- **Protocol:** TCP
- **Enabled:** Yes

### **Rule 5: XMPP Server (S2S) - Optional**

Only needed if you want to federate with other XMPP servers.

- **Service Name:** XMPP-S2S
- **External Port:** 5269
- **Internal Port:** 5269
- **Internal IP:** `192.168.1.100`
- **Protocol:** TCP
- **Enabled:** Yes

### **Rule 6: XMPP HTTPS (File Uploads)**

- **Service Name:** XMPP-HTTPS
- **External Port:** 5281
- **Internal Port:** 5281
- **Internal IP:** `192.168.1.100`
- **Protocol:** TCP
- **Enabled:** Yes

---

## Step 6: Save and Apply

Click **Save** or **Apply** in your router interface.

**Some routers require a reboot** - check if there's a "Reboot" button or just wait a minute.
---

## Step 7: Test Port Forwarding

### **From Outside Your Network:**

Use your phone on mobile data (NOT WiFi), or ask a friend:

```bash
# Test if ports are open
nc -zv YOUR_HOME_IP 22
nc -zv YOUR_HOME_IP 5222

# Or use online tool:
# Visit: https://www.yougetsignal.com/tools/open-ports/
# Enter your home IP and port 5222
```

**Expected result:** "Connection successful" or "Port is open"

### **Find Your Home IP:**

```bash
curl ifconfig.me
```

Or visit: https://whatismyipaddress.com

---

## Common Issues

### **Issue 1: Ports Still Closed**

**Causes:**

1. Router hasn't applied changes (reboot router)
2. ISP blocks ports (see below)
3. Firewall on server blocks traffic (check NixOS firewall config)
4. Double NAT (you have two routers)

**Solutions:**

- Reboot router
- Check ISP doesn't block ports (call them)
- Verify NixOS firewall allows ports:

  ```bash
  sudo iptables -L -n -v | grep 5222
  ```

### **Issue 2: ISP Blocks Ports**

Some ISPs block common server ports (especially residential plans).

**Commonly blocked ports:**

- Port 25 (SMTP email) - almost always blocked
- Port 80 (HTTP) - sometimes blocked
- Port 443 (HTTPS) - rarely blocked
- Port 5222 (XMPP) - rarely blocked

**Workarounds:**

1. **Use non-standard ports:**
   - XMPP on 5222 → change to 52222
   - HTTP on 80 → change to 8080
   - Update NixOS config and DNS SRV records
2. **Call ISP and ask for "business class" or "static IP"** (often removes blocks)
3. **Use VPN tunnel** (Tailscale, WireGuard)

### **Issue 3: Double NAT**

If you have:

- ISP modem/router → Your router → Your server

You need to port forward on BOTH routers, or put your router in "bridge mode."

**Check for double NAT:**

```bash
# On your server:
ip route | grep default
# Note the router IP (e.g., 192.168.1.1)

# Then check what your router's "WAN IP" is in its admin panel
# If WAN IP is also 192.168.x.x or 10.x.x.x, you have double NAT
```

**Fix:** Put ISP modem in bridge mode, or port forward on both.
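The Step 7 port test and the Issue 3 double-NAT check, turned into reusable shell functions as an added example (not from the original guide). It goes a little beyond the text: `ip_class` recognises all three RFC 1918 private blocks rather than only the two named above, and also the 100.64.0.0/10 carrier-grade NAT range, which some ISPs put on the router's WAN side and which no home port forward can get past. The addresses in the demo are constructed, `RULES` is the Step 5 rule set, and `YOUR_HOME_IP` is whatever `curl ifconfig.me` returned; the function names are mine.

```bash
#!/usr/bin/env bash
# Added example: the Step 7 port test and the Issue 3 double-NAT check as
# functions. Run as  ./check.sh YOUR_HOME_IP  from OUTSIDE your network
# (phone hotspot, a friend's connection) to probe every Step 5 port.

# ip_class ADDR: prints loopback | link-local | private | cgnat | public | invalid.
# "private" is all of 10/8, 172.16/12 and 192.168/16 (the guide names only the
# first and last); "cgnat" is 100.64/10, used by ISPs that share one public
# address among customers, where only the ISP can open ports.
ip_class() {
  printf '%s\n' "$1" | awk -F. '
    NF != 4 { print "invalid"; exit 1 }
    { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) { print "invalid"; exit 1 } }
    $1 == 127                          { print "loopback";   exit }
    $1 == 169 && $2 == 254             { print "link-local"; exit }
    $1 == 10                           { print "private";    exit }
    $1 == 172 && $2 >= 16 && $2 <= 31  { print "private";    exit }
    $1 == 192 && $2 == 168             { print "private";    exit }
    $1 == 100 && $2 >= 64 && $2 <= 127 { print "cgnat";      exit }
    { print "public" }'
}

# double_nat_check ROUTER_WAN_IP: prints "ok" when the WAN address shown in
# the router's admin panel is public, "double-nat" when it is itself private
# (an ISP box or second router sits in front), "cgnat" for the carrier range.
double_nat_check() {
  case "$(ip_class "$1")" in
    public)  echo ok; return 0 ;;
    private) echo double-nat; return 1 ;;
    cgnat)   echo cgnat; return 1 ;;
    *)       echo invalid; return 2 ;;
  esac
}

# port_open HOST PORT: succeeds when a TCP connection is accepted within 3 s.
port_open() {
  if command -v nc >/dev/null 2>&1; then
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1 </dev/null
  else
    # bash-only fallback; plain sh has no /dev/tcp and will report "closed"
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" >/dev/null 2>&1 </dev/null
  fi
}

# The Step 5 rules as "NAME PORT" lines. S2S (5269) is optional, so a
# "closed" there only matters if you federate.
RULES='SSH 22
HTTP 80
HTTPS 443
XMPP-C2S 5222
XMPP-S2S 5269
XMPP-HTTPS 5281'

# check_rules HOST: prints "NAME PORT open|closed" per rule and returns the
# number of closed ports as its exit status (0 = everything reachable).
check_rules() {
  closed=0
  while read -r name port; do
    if port_open "$1" "$port"; then
      echo "$name $port open"
    else
      echo "$name $port closed"
      closed=$((closed + 1))
    fi
  done <<EOF
$RULES
EOF
  return "$closed"
}

# Demo on constructed addresses (no network needed).
for a in 192.168.1.1 10.0.0.1 172.20.5.9 100.72.3.4 203.0.113.10 256.1.1.1; do
  printf '%-14s %s\n' "$a" "$(ip_class "$a")"
done
echo "router WAN 192.168.0.2  -> $(double_nat_check 192.168.0.2)"
echo "router WAN 203.0.113.10 -> $(double_nat_check 203.0.113.10)"
# Probe the real ports only when a home IP was given on the command line.
if [ $# -ge 1 ]; then check_rules "$1"; fi
```

A `double-nat` result means the forwards in Step 5 have to be repeated on the upstream box (or that box put in bridge mode); a `cgnat` result means the guide's Tailscale or Vultr alternatives are the realistic options, since the shared public address is not yours to forward from.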
---

## Security Considerations

### **Exposing SSH to Internet (Port 22)**

**Risk:** Bots will try to brute-force your SSH.

**Mitigations:**

1. **Fail2ban is enabled** (in your NixOS config) - auto-bans attackers
2. **Change SSH port to non-standard:**

   ```nix
   services.openssh.ports = [ 2222 ];  # Instead of 22
   ```

   Then forward external port 2222 → internal port 2222
3. **SSH key-only** (disable password auth):

   ```nix
   services.openssh.settings.PasswordAuthentication = false;
   ```

### **Exposing Your Home IP**

**Reality check:**

- Your IP is already visible when you browse the web
- DNS records will show your IP publicly
- Anyone pinging `chat.tonybtw.com` will see your home IP

**If this bothers you:**

- Use Vultr instead (VPS hides home IP)
- Use Tailscale (VPN mesh, no public exposure)

---

## Router-Specific Guides

### **Netgear:**

1. Go to **Advanced → Advanced Setup → Port Forwarding**
2. Click **Add Custom Service**
3. Fill in service name, ports, IP
4. Click **Apply**

### **Linksys:**

1. Go to **Security → Apps & Gaming**
2. Click **Single Port Forwarding** tab
3. Fill in application name, external/internal ports, IP
4. Check **Enabled** box
5. Click **Save Settings**

### **TP-Link:**

1. Go to **Forwarding → Virtual Servers**
2. Click **Add New**
3. Fill in service port, internal port, IP address
4. Protocol: TCP
5. Status: Enabled
6. Click **Save**

### **ASUS:**

1. Go to **WAN → Virtual Server / Port Forwarding**
2. Enable **Port Forwarding**
3. Fill in service name, port range, local IP
4. Protocol: TCP
5. Click **Add** then **Apply**

### **Google WiFi / Nest WiFi:**

1. Open Google Home app
2. Tap your Wi-Fi network
3. Settings → Advanced Networking → Port Management
4. Tap "+" to add port forwarding
5. Select your server device, enter ports

---

## Alternative: UPnP (Not Recommended)

Some routers support UPnP (Universal Plug and Play), which auto-forwards ports.
**Don't use this:**

- Security risk (any device on your network can open ports)
- Less reliable
- Manual port forwarding is safer

---

## Next Steps

Once port forwarding is working:

1. Continue to home deployment guide
2. Deploy NixOS configuration
3. Test XMPP from outside your network

---

## Troubleshooting Checklist

- [ ] Server has static IP (via DHCP reservation)
- [ ] Port forwarding rules are saved and applied
- [ ] Router has been rebooted
- [ ] Ports are open (tested with nc or online tool)
- [ ] NixOS firewall allows ports (check `iptables -L`)
- [ ] No double NAT (or both routers configured)
- [ ] ISP doesn't block ports (test with online tools)

If all checked and still not working, your ISP might be the problem. Consider Tailscale or Vultr as alternatives.
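One more check worth adding to the list above, tied to the SSH mitigations in the Security Considerations section: confirm the NixOS options actually took effect before port 22 (or 2222) is forwarded. The shell function below, an added example that is not from the original guide, reads the effective daemon configuration that `sshd -T` prints (run as root on the server: `sudo sshd -T | audit_sshd`) and flags the settings the section tells you to change. The two `sshd -T` samples embedded in the script are constructed, one for a server still on stock settings and one hardened as described; the function names are mine.

```bash
#!/usr/bin/env bash
# Added example: audit the effective sshd settings (as printed by `sshd -T`)
# against the SSH mitigations in the Security Considerations section.
# Real use, as root on the NixOS server:  sshd -T | audit_sshd

# Constructed sample of `sshd -T` output: a server still on stock settings.
WEAK_SSHD='port 22
passwordauthentication yes
permitrootlogin yes
pubkeyauthentication yes
maxauthtries 6'

# Constructed sample after services.openssh.ports = [ 2222 ] and
# services.openssh.settings.PasswordAuthentication = false.
HARDENED_SSHD='port 2222
passwordauthentication no
permitrootlogin prohibit-password
pubkeyauthentication yes
maxauthtries 6'

# audit_sshd: reads `sshd -T` lines ("keyword value", lowercase) on stdin,
# prints one FAIL/WARN line per weak setting together with the NixOS option
# that fixes it, and returns 1 if any FAIL was found so it can gate a script.
# Port 22 is only a WARN: the section treats moving the port as optional
# noise reduction, while key-only login is the real mitigation.
audit_sshd() {
  awk '
    $1 == "port" && $2 == 22 {
      print "WARN  port 22: expect constant brute-force noise; services.openssh.ports = [ 2222 ]"
      warn = 1
    }
    $1 == "passwordauthentication" && $2 == "yes" {
      print "FAIL  password auth enabled; services.openssh.settings.PasswordAuthentication = false"
      fail = 1
    }
    $1 == "permitrootlogin" && $2 == "yes" {
      print "FAIL  root may log in with a password; services.openssh.settings.PermitRootLogin = \"prohibit-password\""
      fail = 1
    }
    $1 == "pubkeyauthentication" && $2 == "no" {
      print "FAIL  public-key auth disabled, so key-only login is impossible"
      fail = 1
    }
    END {
      if (!fail && !warn) print "OK    no weak SSH settings found"
      exit (fail ? 1 : 0)
    }'
}

# fail2ban_sshd_jail: succeeds when fail2ban is installed and its sshd jail
# is active (mitigation 1 in the section). Only meaningful on the server.
fail2ban_sshd_jail() {
  command -v fail2ban-client >/dev/null 2>&1 && fail2ban-client status sshd >/dev/null 2>&1
}

# Demo on the constructed samples.
echo "== stock settings =="
printf '%s\n' "$WEAK_SSHD" | audit_sshd || echo "(fix these before forwarding the SSH port)"
echo "== hardened settings =="
printf '%s\n' "$HARDENED_SSHD" | audit_sshd
```

Because `audit_sshd` exits non-zero on any FAIL, it can sit in front of the port test: `sudo sshd -T | audit_sshd && nc -zv YOUR_HOME_IP 2222`, so the reachability check only runs once password logins are off.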