My Battle with CGNAT
This battle started when I was configuring this website. It lasted for around 3 months, thanks to my laziness and impatience. I thought it would be a good idea to make it my first post and talk about the struggle I encountered.
Part 1: Setting up the domain name and making it public.
After finishing the configuration on my server, I noticed my website was not reachable, so I figured my network was behind NAT at my ISP. Luckily, the router provides port forwarding, so I enabled ports 80 and 443. However, the port forwarding didn't seem to work. After more research, I realized there is this thing called CGNAT. It's a NAT that the ISP runs in front of many residential networks at once; its main purpose is to reduce the consumption of IPv4 addresses.
To bypass the CGNAT, I've tried these things:
1. DDNS (Dynamic DNS) with my IPv6 address -> somehow it didn't seem to work
2. ngrok tunneling -> it works, but the site isn't accessible through my domain name; it can only be reached via the dynamically generated address
3. Using http://v4-frontend.netiter.com/ and adding it to my A record -> didn't work
4. Adding an AAAA record at my registrar
(One thing to pay attention to: there are two types of IPv6 address on the device, just as with IPv4, and I needed to add the public one to the record.)
The last method worked for me! Although CGNAT blocks access over IPv4, my devices still have IPv6 addresses, and my ISP doesn't NAT the IPv6 network. That means my website is accessible over IPv6!
However, I wish the battle had been this easy.
No matter how many times I tried from a public network, I always got the error DNS_PROBE_FINISHED_NXDOMAIN.
I figured it could still be the IPv6 problem - not all clients or DNS resolvers have access to v6 networks. FML
After digging into it more, I realized Cloudflare has a free service that provides a gateway between v6 and v4. All I had to do was switch my name servers to Cloudflare. It took me a while to figure out how to migrate it though. I'm so thankful that I don't need to do this at work lol.
The entire migration took around 20 minutes to kick in.
This is still not the end of the story.
I noticed the error changed from DNS_PROBE_FINISHED_NXDOMAIN to ERR_TOO_MANY_REDIRECTS.
This is due to the SSL/TLS mode on Cloudflare. I'm not sure how this works, but my website was finally published after I changed the setting from "Flexible" to "Full/Full (strict)".
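As an added illustration (my own model, not code from the post or from Cloudflare), here is why the mode matters: in "Flexible" mode Cloudflare terminates the browser's HTTPS and then contacts the origin over plain HTTP, so an origin that redirects HTTP to HTTPS sends every request back to the proxy in a loop, and that leg also travels in cleartext. "Full" talks HTTPS to the origin but accepts any certificate, while "Full (strict)" requires a trusted one, such as the Let's Encrypt certificate from Part 2. The mode table, the Origin class and the domain name are assumptions for the simulation.

```python
from dataclasses import dataclass

# Hypothetical model of the three Cloudflare SSL/TLS modes the post mentions
# (not Cloudflare's code): which scheme the edge uses toward the origin, and
# whether the origin certificate is validated.
MODES = {
    "Flexible": {"scheme": "http", "validate_cert": False},
    "Full": {"scheme": "https", "validate_cert": False},
    "Full (strict)": {"scheme": "https", "validate_cert": True},
}

@dataclass
class Origin:
    """A web server like the post's: it redirects plain HTTP to HTTPS."""
    cert: str              # "letsencrypt" (publicly trusted), "self-signed", or "" (no TLS)
    force_https: bool = True

    def handle(self, scheme):
        """Return (status, location) for one request arriving over the given scheme."""
        if scheme == "http" and self.force_https:
            return 301, "https://mydomain.com/"   # assumed domain
        return 200, None

    def tls_ok(self, validate_cert):
        """Would the edge accept this origin's TLS setup?"""
        if not self.cert:
            return False                            # nothing listening on 443
        return self.cert == "letsencrypt" or not validate_cert

def visit(mode, origin, max_redirects=20):
    """Browser requests https://mydomain.com/ through the proxy; return what it sees."""
    cfg = MODES[mode]
    redirects = 0
    while True:
        if cfg["scheme"] == "https" and not origin.tls_ok(cfg["validate_cert"]):
            return "edge cannot validate origin TLS"  # Cloudflare serves an error page here
        status, location = origin.handle(cfg["scheme"])
        if status == 200:
            leg = "encrypted" if cfg["scheme"] == "https" else "PLAINTEXT"
            return "200 OK (origin leg %s)" % leg
        # The 301 points at https://..., which the browser follows back to the proxy,
        # and the proxy again uses the mode's fixed scheme toward the origin.
        redirects += 1
        if redirects > max_redirects:
            return "ERR_TOO_MANY_REDIRECTS"

if __name__ == "__main__":
    for mode in MODES:
        print(mode, "->", visit(mode, Origin(cert="letsencrypt")))
```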
Part 2: HTTPS
This step was done while I was still fighting the cursed IPv6 issue.
I use Let's Encrypt to generate the certificate. The way it works is that you need a server with a static IP that can be accessed publicly, so that the verification requests certbot triggers for my host can reach it when generating the certificate.
I kept getting errors when I tried to generate the certificate because of the stupid v6 problem.
How could I do it when my website was not accessible yet?
Thankfully, there is a manual mode that lets you verify by adding a TXT record. I just needed to run the command
certbot -d mydomain.com --manual --preferred-challenges dns certonly
then copy-paste the result into my TXT record.
Finally I got my sweet sweet certificate 🤗