0

I'm trying to set up remote ssh connections to my computer.

My configuration is:

Nokia modem G-010G-Q (optical fiber modem) -> TP-Link AX1500 router.

In the NAT Forwarding -> Port Forwarding I have added the rule:

<My Internal IP Address> Internal Port: 22, external port 22 and protocol all

I have also tried adding port-forwarding to another external port (41234).

I'm using Fedora 40, so I have added port 22 to firewalld to allow traffic.

I have contacted my ISP, and the port isn't blocked on their side, however, the router and modem are mine (not supported by the ISP).

I have no idea if the modem can close ports on its own, or how I can change it if the ports are closed on the modem level.

After all of the above, I still can't get the port to be visible outside of my network. I can ssh inside the network, so the ssh server is running correctly.

I would appreciate any help since I need to work on my PC remotely.

Running ip address yields: (removing the loop-back device)

2: enp0s31f6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 1c:1b:0d:e9:0c:6d brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.137/24 brd 192.168.0.255 scope global dynamic noprefixroute enp0s31f6
       valid_lft 4630sec preferred_lft 4630sec
    inet6 fe80::f53:4705:872a:7bfe/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

or in ifconfig:

enp0s31f6: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.137  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::f53:4705:872a:7bfe  prefixlen 64  scopeid 0x20<link>
        ether 1c:1b:0d:e9:0c:6d  txqueuelen 1000  (Ethernet)
        RX packets 550983  bytes 602476145 (574.5 MiB)
        RX errors 0  dropped 4  overruns 0  frame 0
        TX packets 228189  bytes 42019347 (40.0 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 16  memory 0xf7200000-f7220000 

route -n prints:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    100    0        0 enp0s31f6
192.168.0.0     0.0.0.0         255.255.255.0   U     100    0        0 enp0s31f6

and ip r:

default via 192.168.0.1 dev enp0s31f6 proto dhcp src 192.168.0.137 metric 100 
192.168.0.0/24 dev enp0s31f6 proto kernel scope link src 192.168.0.137 metric 100 
Kerek
  • 115

1 Answer

1

> The IP that I can see on my router is of a different form than my IP when I look it up on a site such as whatismyipaddress

This generally means there's another layer of NAT ("port forwarding") in-between your router and the Internet. It could be the modem – many GPON ONTs have the ability to act as routers – but more commonly it's the ISP doing it.

> The default gateway is 100.78.255.254, and the IP address is 100.78.236.148

Those are private IP addresses, and the 100.64/10 address range is a sure indication of CGNAT, i.e. ISP-level NAT. (The addresses being private is why websites will not show them; in the same way as they won't show your LAN's private IP addresses – they necessarily have to be NATed to a public address before going to the Internet.)

Unfortunately, CGNAT almost always goes together with the inability to receive any new incoming connections, as it means "your" public IP address is assigned very temporarily from a NAT pool, and (depending on ISP) possibly even shared between customers, just like your own router uses NAT to share its own "public" address between devices.

Google results suggest that your ISP started using CGNAT many years ago; there are forum posts from 2017 having the same problem.

You cannot fix this through your router's configuration; you have to get a dedicated IP address from your ISP first – or tunnel from another provider. See e.g. similar thread two days ago.

grawity
  • 501,077
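
The check the answer describes, as an added example (not part of the answer and not the poster's code): a Python function that classifies the address shown on the router's WAN status page, so CGNAT or a second NAT layer is identified before any time is spent on port-forwarding rules. The function name, the verdict labels and the 203.0.113.10 "observed" address are constructed for illustration; the 100.78.x.x and 192.168.0.137 values are the ones quoted on this page.

```python
import ipaddress

# RFC 6598 shared address space, reserved for carrier-grade NAT (100.64.0.0/10).
CGNAT = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges; seen on the WAN side when an upstream modem/ONT also routes.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical verdict labels mapped to what they mean for inbound SSH.
ADVICE = {
    "cgnat": "ISP-level NAT: router port forwarding cannot expose port 22.",
    "double-nat": "Another router (e.g. the modem/ONT) sits upstream; forward there too.",
    "upstream-nat": "WAN address is not the one the Internet sees; NAT exists upstream.",
    "public": "WAN address is public; port forwarding on the router can work.",
}


def classify_wan(wan_ip, observed_ip=None):
    """Classify the router's WAN address.

    wan_ip      -- address on the router's WAN/Internet status page
    observed_ip -- address an external "what is my IP" site reports (optional)
    """
    wan = ipaddress.ip_address(wan_ip)
    if wan in CGNAT:
        return "cgnat"
    if any(wan in net for net in RFC1918):
        return "double-nat"
    # A routable-looking WAN address that differs from the externally
    # observed one still means some translation happens upstream.
    if observed_ip is not None and wan != ipaddress.ip_address(observed_ip):
        return "upstream-nat"
    return "public"


if __name__ == "__main__":
    # WAN values quoted on this page; 203.0.113.10 is a constructed stand-in
    # for the address an external site would report.
    samples = [("100.78.236.148", "203.0.113.10"),
               ("192.168.0.137", "203.0.113.10"),
               ("203.0.113.10", "203.0.113.10")]
    for wan, seen in samples:
        verdict = classify_wan(wan, seen)
        print(f"{wan:>16}  {verdict:<12}  {ADVICE[verdict]}")
```
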