Why are my attempts at port forwarding on a FRITZ!Box setup not working as expected?

Question

I am running a server on a Raspberry Pi which is connected to a FritzBox. From within the network, I can reach the server both via the local IP and via the registered URL. From the outside, it is however not working.

This is how I set up the Port Forwarding:

The 'HTTP and HTTPS server' items have TCP protocol, the other ones are with UDP. However, when checking my ports here, the port seems to be closed:

The Apache server on the Raspberry Pi is configured to allow at least everything on Port 80, as the file /etc/apache2/sites-enabled/000-default.conf has a block <VirtualHost *:80> ... <VirtualHost>.

Rather than getting the ultimate solution, I'd like to gather ideas on what else could potentially block requests from the outside? Is there a way to identify whether the request reaches the router, but not the raspberry, to narrow down the problem?

Answer 1

When setting up port forwarding for IPv4, the process is straightforward: You only have one public IP address, after all.

With IPv6, the FritzBox firewall works differently: There is no NAT involved, so traffic arrives bound for the device’s own IPv6 address. The firewall has to be set up to allow traffic to this specific address. That’s what the “IPv6 Interface-ID” in the FritzBox user interface is: The local part of your device’s IPv6 address.

Consider this example:

At the bottom you can see the actual IPv6 address and port that are allowed through the firewall.

For you, this IPv6 address and the actual device IPv6 address do not match. As such, traffic is blocked by the firewall.

If for whatever reason the permanent suffix (usually based on the MAC address) is not correctly picked up by the UI, you need to manually put in the correct one.

You may have to change the device’s IPv6 settings like disabling Privacy Extensions for it to actually have a predictable IPv6 address.

Answer 2

The Fritzbox in my case changes the ipv6 Interface-ID to suit itself. That means it does not match the one you enter which corresponds with your host.