Issues getting Port Forwarding set up

Right… You might be behind CG-NAT, meaning your ISP does not assign you a public IPv4, but you share one with others. In that case port forwarding generally does not work… They could have made that change in the meantime without you noticing… (my ISP did that at some point).

In that case you might be able to ask your ISP for a public address or better yet, access the port via IPv6…

1 Like
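A way to check for CG-NAT rather than guess, added here as an example and not part of the thread: this POSIX shell script classifies the WAN address shown on the router's status page. 100.64.0.0/10 is the RFC 6598 shared address space ISPs use for CG-NAT; an RFC 1918 address on the WAN side means there is another NAT device upstream (an ISP-managed fibre box, for instance). The second argument, the address the rest of the internet sees, is passed in rather than fetched so the script runs offline; all sample addresses are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): classify a router's WAN address and
# compare it with the address seen from outside to decide whether port
# forwarding can work at all.

# Dotted-quad IPv4 -> 32-bit integer. Prints -1 and fails on malformed input
# (wrong field count, non-digits, leading zeros, octet > 255).
ip4_to_int() {
    _oldifs=$IFS; IFS=.; set -- $1; IFS=$_oldifs
    [ $# -eq 4 ] || { printf '%s\n' -1; return 1; }
    for o in "$1" "$2" "$3" "$4"; do
        case $o in ''|*[!0-9]*|0[0-9]*) printf '%s\n' -1; return 1;; esac
        [ "$o" -le 255 ] || { printf '%s\n' -1; return 1; }
    done
    printf '%s\n' $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDRESS NETWORK PREFIXLEN -> true if ADDRESS lies in NETWORK/PREFIXLEN
in_cidr() {
    ip=$(ip4_to_int "$1") || return 2
    net=$(ip4_to_int "$2") || return 2
    mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Classify one address: cgnat (RFC 6598), private (RFC 1918), loopback, public.
addr_class() {
    ip4_to_int "$1" >/dev/null || { echo invalid; return 1; }
    if   in_cidr "$1" 100.64.0.0 10; then echo cgnat
    elif in_cidr "$1" 10.0.0.0 8 || in_cidr "$1" 172.16.0.0 12 || in_cidr "$1" 192.168.0.0 16; then echo private
    elif in_cidr "$1" 127.0.0.0 8; then echo loopback
    else echo public
    fi
}

# cgnat_verdict ROUTER_WAN_IP EXTERNAL_IP
# Prints "keyword: explanation". EXTERNAL_IP is whatever a "what is my IP"
# service reports; e.g. fill it in with: curl -s https://api.ipify.org
cgnat_verdict() {
    wan=$1; ext=$2
    case $(addr_class "$wan") in
        cgnat)    echo "cgnat: WAN $wan is RFC 6598 shared space; your ISP is doing CG-NAT and port forwarding will not work";;
        private)  echo "double-nat: WAN $wan is RFC 1918; there is another NAT box upstream that must forward the port too";;
        invalid)  echo "invalid: '$wan' is not an IPv4 address";;
        *) if [ "$wan" = "$ext" ]; then
               echo "public: WAN matches external $ext; port forwarding on the router should work"
           else
               echo "upstream-nat: WAN $wan differs from external $ext; something between you and the internet is translating"
           fi;;
    esac
}

# Usage: ./cgnat_check.sh <router WAN IP> <external IP>
if [ $# -eq 2 ]; then
    cgnat_verdict "$1" "$2"
fi
```

The first octet alone is not enough to decide: 100.72.13.5 is CG-NAT space, but 100.1.2.3 is an ordinary public address, which is why the script tests the /10 rather than "starts with 100".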

I didn't want to jump to the CG-NAT conclusion already but it sure does look like it. Don't often see devices handing out Class A schemes where that's not the case. The weird part is he believes it was working previously.

I’m in an apartment building.
The fiber device is a CTS hes-3106.

I have changed ISP since last time I got it working, so if everything else is correct then that sounds like a reasonable explanation to me…

Yep, it’s a big RIP. But something you can probably bypass by having your friends VPN into your network. You can easily set up hamachi, tailscale, or even a basic wireguard server.

https://vpn.net/

You could also pay for someone to host FoundryVTT by buying your own VPS or getting a SaaS solution. I know foundry has partnerships with some hosting services that provide a SaaS solution so you may be able to get a discount that way.

This will break down the different hosts: Hosting Options Guide | Foundry Virtual Tabletop

I was going to suggest Tailscale, but @xyz beat me to it. @aegir_ebonblade Of all the suggestions, I would choose to host FoundryVTT with a hosted partner. You said networking isn’t your strong suit, and securing a server from internet attacks isn’t easy. Since you don’t understand networking, the odds of making a security mistake configuring your server using a Cloud Hosting server are pretty high.

My next suggestion is to set up a Tailscale VPN server to work around your ISP’s CGNAT issue. With Tailscale, you can configure the VPN server to allow access only to your FoundryVTT server, not your entire network. Additionally, Tailscale ensures that only your friend’s internet traffic passes through your network. Unlike cloud hosting or partner hosting, Tailscale reduces the risk of making a security mistake when setting up your server.

1 Like
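What "allow access only to your FoundryVTT server, not your entire network" looks like in practice, as an added example that is not part of the post above: a Tailscale ACL policy file (Tailscale's HuJSON format) for the tailnet's admin console. It assumes the Foundry host was joined with `tailscale up --advertise-tags=tag:foundry`, that the players are members of the tailnet under the example addresses shown, and that Foundry listens on its documented default port 30000. The tag name, group name and e-mail addresses are placeholders.

```jsonc
{
  // Who may apply the tag. Tagging the Foundry host makes the rule follow the
  // machine, not whichever user happens to be logged in on it.
  "tagOwners": {
    "tag:foundry": ["autogroup:admin"],
  },

  // Players are listed once here; the ACL below refers to the group.
  "groups": {
    "group:players": ["alice@example.com", "bob@example.com"],
  },

  // This replaces the default "accept everything from everyone" rule.
  "acls": [
    // Players may open TCP/UDP 30000 on the tagged host and nothing else:
    // not SSH, not SMB, not the rest of the LAN, not the admin's other devices.
    {"action": "accept", "src": ["group:players"], "dst": ["tag:foundry:30000"]},
    // The admin keeps full access between their own devices.
    {"action": "accept", "src": ["autogroup:admin"], "dst": ["autogroup:self:*"]},
  ],

  // Tailscale refuses to save the policy if these expectations do not hold,
  // which catches a typo in the port or tag before it reaches production.
  "tests": [
    {"src": "alice@example.com", "accept": ["tag:foundry:30000"], "deny": ["tag:foundry:22", "tag:foundry:445"]},
  ],
}
```

The important line is the absence of the default `"*" -> "*:*"` rule: once you save this file, anything not listed is denied, so a player whose laptop is compromised still only sees port 30000 on one machine.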

Previously one of my friends hosted the Foundry on his NAS, but a “water accident” caused the NAS to malfunction, so until that gets sorted I was planning to just host it from my PC as a temporary solution. But with all the hurdles we might look at other temporary solutions…
I did connect with my ISP and they seemed willing to give me a public IP, so maybe that would solve the initial problem?!

That would resolve it. I would look into paying someone to host it if it becomes a big headache. From my experience FoundryVTT is mostly secure, but when running such an instance on your PC and allowing remote connections to it you never know what can or will go wrong. I would honestly consider the FoundryVTT hosting solutions as @Shadowbane recommended.

If you would like help in securing it and making a decent backup system let me know and I can provide you a walkthrough of what you can do.

1 Like

If your issue is caused by your ISP’s use of CGNAT for its networks, a public IP should solve your problem.
Your ISP must open all the ports FoundryVTT uses. If your ISP blocks these ports, a public IP won’t help. Most ISPs don’t block ports above 1000; they might block port 80, but they should open ports 3000 and 443.

@xyz I don’t know a lot about Tailscale, but the reason I chose Tailscale over Wireguard was that with Wireguard, as I understand it, you need to configure your router’s firewall to allow the Wireguard traffic in, while with Tailscale you don’t need to change the default setting of the router’s firewall. When you have a correctly configured Tailscale VPN server, the VPN server acts like your router’s firewall doesn’t exist. In my opinion, since @aegir_ebonblade is a beginner with firewall rules and networking, Tailscale is a better fit for @aegir_ebonblade than Wireguard.

I always prefer self-hosted solutions over cloud-hosted services. With all the Cloud hosting servers I have used, you must configure and maintain your servers. The only service Cloud hosting provides is a VM, which you must create, configure, and maintain yourself. If you are familiar with networking and securing exposed servers to the internet, then Cloud hosting isn’t bad.

Worth noting on the point of security is that I don’t plan on running the Foundry server 24/7. It will only be online when I have it running myself, which is basically only during preparation and the actual sessions. So even if I understand that there are some risks connected to it, I think they are quite limited due to my use case…

I am pretty sure several Companies have had the same attitude as @aegir_ebonblade and have since regretted their decisions regarding the lack of security on their internet-exposed servers.

So I have mine behind a reverse proxy server/gateway. Which is what I think Tailscale is doing for you(Plus some other stuff as well). Here is a good docker someone has made for an example setup with wireguard: GitHub - hintjen/selfhosted-gateway: Self-hosted Docker native tunneling to localhost. Expose local docker containers to the public Internet via a simple docker compose interface.
I would not use the above docker. It’s meant to be an example. Overall I’d argue the wireguard port being forwarded has minimal risk as long as the wireguard config file or username/password hasn’t been pwned. Someone could monitor the traffic going in and out of that port, but they can do that for any other port going in and out of your network, and I’m 99% sure they could even isolate it even if it were over an HTTPS port. But I will give the overall caveat that I’m not a network engineer or security specialist, so I could be wrong here.

@aegir_ebonblade I will agree with @Shadowbane that tailscale or hamachi would be a good fit for you if all you want is to set up with minimal headache. If you want to tinker/learn later on I can recommend wireguard as it’s simpler than OpenVPN and in my opinion more stable/user friendly.

If you do just want to run it as is, I would highly recommend putting it within a VM at least. That should mitigate most risks from a hack and make backing up your foundry server very easy. It’ll also reduce the risk of dependency conflicts in the future. This is because Foundry uses Node.js, and if you, for whatever reason, have to install something with a different Node version that Foundry does not support, the VM will keep you from dealing with major headaches.

1 Like

Thank you for the help @quilt, @Adubs, @xyz & @Shadowbane! :pray:
I will look over my options and try to work out what the best solution for my situation is!

2 Likes

It’s no problem and glad to help a fellow D&D nerd out. If you would like a sanity check feel free to reply or @me here and I’ll do my best to help or send you in the right direction.

I suggest @aegir_ebonblade follow @xyz’s advice about virtual machines if he wants to be lax about security. I would also add that all clients connecting to the Foundry Server will be virtual machines on a separate subnet from the host machines.

@aegir_ebonblade Of all the options listed in this thread, creating a Tailscale VPN Server is the easiest way to solve your problem. Here is why: by setting up a Tailscale VPN Server, you will bypass the Foundry Server’s need for a public-facing IP address from your ISP. Tailscale relay servers will handle all internet traffic for the Foundry server. What this means is the Tailscale relay servers provide the public-facing IP address. The only thing @aegir_ebonblade would need to do would be to create the Tailscale VPN Server, configure the clients to use the Tailscale Server, and port forward the Foundry server’s internet traffic to the Tailscale relay server. Please let us know which option you chose.

1 Like

@Shadowbane Clients connecting to the server via VM would be… inefficient/impractical. FoundryVTT is accessed via web browser for clients. There is a “thickclient” that can be used, but it’s just for the GM/Host.

I agree with just deploying a VPN. I would probably still do a VM for the host side as well. Just for quality of life purposes and a good way to containerize VPN and Foundry host.

Creating virtual machines would make accessing the Foundry server somewhat inefficient. Still, the risk of a compromised virtual machine infecting other subnets besides the one you are on is too significant. I learned the hard way to isolate my virtual machines from each other and the host network. People seem to forget that the Internet is like the Wild West, which is very dangerous if you are not overly cautious.

Of course, from a security standpoint, locking down your internet-facing server as much as possible and still being helpful is the best situation.

@aegir_ebonblade, I forgot in my last post that if you decide to create a VPN server, you must create a virtual machine to host your Foundry server and VPN server or have a small device like a Pi to host both.

@aegir_ebonblade said his ISP was willing to give him a public-facing IP address. I am promoting the creation of a Tailscale Server because the public-facing IP address the ISP would provide @aegir_ebonblade would probably be an IP version 6 address. Ensuring your IP version 6 network is as secure as possible is challenging; even experts can’t seem to get it right.

1 Like

It might make sense to just rent a cheap VPS for this application.

I’m not sure what the requirements are for the server but I don’t imagine it’s a lot. Sometimes you can pay only when the server is running. There may even be free options that have enough resources to allow a VPN back to your machine bypassing the NAT issue.