ISP's router blocks incoming connections

user_name_88

Junior Member
Dec 8, 2014
I've been trying to get a computer to accept incoming connections from the internet, so that I can host servers and connect remotely when I'm on an untrustworthy public connection. I tried many combinations of port forwarding, router settings, ping tests, different computers etc., but nothing worked. Some people more knowledgeable about networking told me the culprit was my ISP's router: when my own router is connected to the wall port (I have no modem), it says its IP is 172.17.*.*, the same IP I get from ipconfig when I plug the computer directly into the wall - I'm told there's nothing I can possibly do from here without access to the upstream device. (Would a normal residential customer see their public IP here instead, the same one they would see if they went to a site like ipchicken.com?)

> ... Your ISP may work in a somewhat different way; it has a big NAT router with many customers behind it. Possibly (not necessarily), having an IP in the range 172.16.x.x and 172.31.x.x is a hint for this situation. If this is the case, then you are very unlucky, since you can't configure the ISP's router.

If everything on my end is set up correctly, is this correct, that proper configuration of the upstream router is essential for incoming connections to be redirected properly? (I'm preparing to call my ISP but I want to be sure that the problem is on their end first)

On the ISP's side, what could solve it? I suppose I could ask them to set up a static internal IP address for my connection, as well as port forwarding for the ports I want to use, but I don't know if they would be willing to do something like that. Might they be able to get it working just by pressing a checkbox or something from headquarters? I don't want to need someone to come in person (and probably charge me for service time) if at all possible.

I want to understand what sort of options they have so I can make a reasonable request, hopefully without being charged a lot. (Probably not relevant, but my ISP is TWC, but my apartment's internet is being managed through a different company)

I'm pretty new to this sort of thing so if I've made a bad assumption or illogical statement somewhere feel free to point it out. Thanks.
 

Elixer

Lifer
May 7, 2002
Normally, you need a "business" account to host servers.
You can bypass that if you change ports from the normal ones.
Whoops, didn't notice that they issue you a private address.
 

azazel1024

Senior member
Jan 6, 2014
> Normally, you need a "business" account to host servers.
> You can bypass that if you change ports from the normal ones.

Since you are behind ISP NAT, probably nothing that can be done. To top that, almost all residential ISPs prohibit servers under their ToS...so asking them to open ports on the upstream router is likely to get you nowhere. I mean, it wouldn't HURT to ask them, but I very much doubt it'll be a waste of time.
 

Gryz

Golden Member
Aug 28, 2010
Try running your service on a port higher than 1024. Some ISPs only block incoming ports 1-1023.
 

user_name_88

Junior Member
Dec 8, 2014
> Since you are behind ISP NAT, probably nothing that can be done. To top that, almost all residential ISPs prohibit servers under their ToS...so asking them to open ports on the upstream router is likely to get you nowhere. I mean, it wouldn't HURT to ask them, but I very much doubt it'll be a waste of time.

I'm hoping they would be willing to consider it if it's not bandwidth-intensive, such as when connecting only when I don't trust a wireless network I'm on.

> Try running your service on a port higher than 1024. Some ISPs only block incoming ports 1-1023.

I've tried lots of ports... 80, 6060, and a big handful of random 5-digit ones I don't remember. Maybe I've just been getting really unlucky, but I doubt it, especially since I'm pretty sure that the router's listed IP address needs to be a public IP for the port forwarding/personal router configuration to be enough.

I'll call the company that manages the internet and see what can be done. Maybe I'll upgrade to business class for a month or something if they say it's necessary for incoming connections, and if it isn't too expensive. It'll be worth it if it lets me pinpoint exactly where the problem is, so I'll know what to do in the future if this comes up.
 

XavierMace

Diamond Member
Apr 20, 2013
> I'm hoping they would be willing to consider it if it's not bandwidth-intensive, such as when connecting only when I don't trust a wireless network I'm on.
>
> I've tried lots of ports... 80, 6060, and a big handful of random 5-digit ones I don't remember. Maybe I've just been getting really unlucky, but I doubt it, especially since I'm pretty sure that the router's listed IP address needs to be a public IP for the port forwarding/personal router configuration to be enough.
>
> I'll call the company that manages the internet and see what can be done. Maybe I'll upgrade to business class for a month or something if they say it's necessary for incoming connections, and if it isn't too expensive. It'll be worth it if it lets me pinpoint exactly where the problem is, so I'll know what to do in the future if this comes up.

Unlikely. They don't want to have to start reviewing every Joe's request to be allowed to host content on their residential connection. That's why they offer business connections.
 

VirtualLarry

No Lifer
Aug 25, 2001
I haven't heard that TWC has switched to CG-NAT, so I would contact the company providing your apt's internet connection.
 

kommisar

Member
May 21, 2012
> ...Some people more knowledgeable about networking told me the culprit was my ISP's router: when my own router is connected to the wall port (I have no modem), it says its IP is 172.17.*.*, the same IP I get from ipconfig when I plug the computer directly into the wall - I'm told there's nothing I can possibly do from here without access to the upstream device. (Would a normal residential customer see their public IP here instead, the same one they would see if they went to a site like ipchicken.com?)

The IP address you are getting from your ISP is in the class B private network range. See here: http://en.wikipedia.org/wiki/Private_network

The significance for you is: "These addresses are characterized as private because they are not globally delegated, meaning that they are not allocated to any specific organization, and IP packets addressed with them cannot be transmitted through the public Internet"

So yeah you won't be able to connect to 172.17.x.x from anywhere external to your LAN.

You need to get a non-private address from your ISP. They will probably charge you more for this functionality.
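
The check discussed in the posts above, as an added example that is not part of any post in the thread: classify the address the router reports on its WAN port and compare it with the address an external site sees. The function names and sample addresses are constructed for illustration; 203.0.113.x is a documentation range standing in for a real public address.

```python
import ipaddress

# Blocks that are never routed on the public Internet. A WAN address in
# any of them means another NAT device sits between you and the Internet.
NON_PUBLIC = {
    "RFC 1918 private 10.0.0.0/8": ipaddress.ip_network("10.0.0.0/8"),
    "RFC 1918 private 172.16.0.0/12": ipaddress.ip_network("172.16.0.0/12"),
    "RFC 1918 private 192.168.0.0/16": ipaddress.ip_network("192.168.0.0/16"),
    "RFC 6598 CG-NAT shared 100.64.0.0/10": ipaddress.ip_network("100.64.0.0/10"),
    "RFC 3927 link-local 169.254.0.0/16": ipaddress.ip_network("169.254.0.0/16"),
}


def classify(addr):
    """Return the name of the non-public block holding addr, or 'public'."""
    ip = ipaddress.ip_address(addr)
    for label, net in NON_PUBLIC.items():
        if ip in net:
            return label
    return "public"


def diagnose(wan_addr, seen_from_internet):
    """Return (local_forwarding_sufficient, reason).

    wan_addr: address shown on the router's WAN interface.
    seen_from_internet: address reported by an external "what is my IP" site.
    """
    kind = classify(wan_addr)
    if kind != "public":
        return (False, f"WAN address is in {kind}; an upstream device does NAT")
    if ipaddress.ip_address(wan_addr) != ipaddress.ip_address(seen_from_internet):
        return (False, "WAN address differs from the externally seen address")
    return (True, "WAN address is the public address; local forwarding can work")


if __name__ == "__main__":
    # Constructed samples: the thread's situation, then a directly addressed router.
    print(diagnose("172.17.5.20", "203.0.113.7"))
    print(diagnose("203.0.113.7", "203.0.113.7"))
```

Note that 172.16.0.0/12 ends at 172.31.255.255, so an address such as 172.32.0.1 is public even though it looks similar.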
 

user_name_88

Junior Member
Dec 8, 2014
I called the company responsible and they gave me a public IP address for free. Evidently all it required was putting my router's MAC address into their network settings. It was much easier (and cheaper) than I expected.

The IP is public, but not necessarily static. I was told that the property has only a small number of public IPs available, but that since no one else had need of one, I can use one. If more people in the apartment request one and they run out, I think there's a good chance they'll start charging for them.

I got lucky.

> I haven't heard that TWC has switched to CG-NAT, so I would contact the company providing your apt's internet connection.

From the wiki article on it, CG-NAT sounds like a smart temporary solution to the IPv4 problem, and has results like I'm experiencing, so perhaps TWC or the managing company have implemented it here. Thanks for that, I'd never heard about it before.