by ydnaclementine 476 days ago
> it’s no longer possible thanks to a cursed thing called CGNAT

as someone who does publicly expose services that have auth, why does CGNAT make exposing ports publicly bad?


It makes it impossible, because your modem/router no longer has a public IP that you can connect to from the internet.
FYI my ISP (Aussie Broadband) will put you on a non-CGNAT subnet if you call and ask.

Tailscale is a better idea.

My ISP (USA, Metronet) will give you a static IP (instead of their CGNAT) for $10/mo which I happily pay.

Tailscale is great but direct is always better IMHO.

Not bad, impossible; it is NAT over which you have no control and thus cannot forward ports.
Other replies explained the why, though CGNAT wouldn’t be a problem if you also had IPv6.

Luckily for me I have a regular IPv4 address, but if that ever changed I’d be out of luck unless my ISP (Quantum Fibre) implemented a proper IPv6 solution.
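A quick way to check the situation the replies above describe (no public IPv4 behind CGNAT, IPv6 as the way out) is to classify the address your router reports on its WAN side. This is an added example, not code from the thread; the shared address space 100.64.0.0/10 is the RFC 6598 range ISPs use for CGNAT, and the `inbound_possible` helper and its field names are my own construction.

```python
import ipaddress
from typing import Optional

# RFC 6598 shared address space: if the WAN address is in here, the ISP is
# doing CGNAT and no port forward on your own router can reach the internet.
CGNAT_SHARED = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 blocks: a WAN address here usually means a second NAT upstream.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan_address(addr: str) -> str:
    """Classify a router's WAN address: 'public', 'cgnat', 'private' or 'other'."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        if ip in CGNAT_SHARED:
            return "cgnat"
        if any(ip in net for net in RFC1918):
            return "private"
        return "public" if ip.is_global else "other"
    # IPv6: a global unicast address is directly reachable from the internet,
    # subject only to the router's own firewall rules.
    return "public" if ip.is_global else "other"


def inbound_possible(wan_v4: Optional[str], wan_v6: Optional[str] = None) -> dict:
    """Constructed helper: can an inbound connection reach this site at all?

    CGNAT blocks IPv4 inbound; a global IPv6 address sidesteps it. If neither
    path is available, an overlay such as Tailscale is the remaining option.
    """
    v4 = classify_wan_address(wan_v4) if wan_v4 else "none"
    v6 = classify_wan_address(wan_v6) if wan_v6 else "none"
    return {
        "ipv4": v4,
        "ipv4_inbound": v4 == "public",
        "ipv6_inbound": v6 == "public",
        "needs_overlay": v4 != "public" and v6 != "public",
    }


if __name__ == "__main__":
    # Constructed sample: CGNAT on IPv4, no IPv6 delegated by the ISP.
    print(inbound_possible("100.72.3.4", None))
```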

I have Quantum Fiber in Colorado and enabled IPv6 on the old CenturyLink C4000XG modem following these directions: https://www.centurylink.com/home/help/internet/modems-and-ro...
That uses 6rd, which is typically slow (since it basically proxies through an IPv4-to-IPv6 bridge), and in my case it worked on their provided router but not with OPNsense.
CGNAT isn't used with IPv6, right?
I’m not an expert on this but I can’t imagine why it would be deployed that way given the complexity it adds.