Can't See my FBox via DDNS nor Obtain Let's Encrypt Certificates

Hello FreedomBox community,

I’m Tristano, a new member of this community and this is my second post here on the forums.

About two weeks ago I purchased a Pioneer FreedomBox (the A20-OLinuXino-LIME2) running on Debian 11 (bullseye) and FreedomBox version 23.4.

During these two weeks I’ve been trying to setup my FBox and consulting these forums to overcome any technical issues I’ve encountered — but right now I’ve run out of options and decided that I need to ask for direct support.

The FBox has been working within my Intranet from day one, that’s not the issue. The problem is trying to render my FBox visible on the Internet and enable Let’s Encrypt certificates — which is failing, and thus preventing me from using Matrix Synapse and other services.

As I’ve mentioned in another thread, initially I connected my FBox to the local network via a NetGear PL1000v2 powerline adapter (Ethernet over electric powerline) but Plinth interface performance was terribly slow. Having read elsewhere on this forum that some Ethernet devices in the past resulted in slow connections (e.g. some Gigabit Ethernet devices) I decided to buy a LAN splitter and a long cable in order to create a direct connection to the router, and that solved the initial speed problem.

Then, with the FBox working within my home Intranet, I’ve set out to configure DynamicDNS via the ddns.freedombox.org service. Having bumped against problems, I’ve found a thread about Let’s Encrypt on this forum which made me realize that my router was behind Carrier-Grade NAT.

So my next step was to ask my ISP for a static public IP, which I’ve managed to obtain after a few days. So, now I have a static IP, but trying to obtain Let’s Encrypt certificates is still failing.

I’ve explored these forums for possible solutions, and the only thing I’ve come across as a possible reason for the problem is that my router doesn’t support NAT hair-pinning (aka NAT loopback) — but I’m not entirely convinced of this, since even when trying to connect to my DDNS address via my mobile phone (i.e. another Internet connection) I still get a time-out in the browser, instead of reaching my FBox landing page.

So, the current situation is this:

  • I have a static IP (I’ll refer to it as 2.23x.yyy.zz here, for privacy reasons).
  • I have a registered DDNS domain (https://xyz.fbx.one, for privacy) which is correctly detecting my public IP.
  • In the Configure menu I’ve set as Domain Name my DDNS xyz.fbx.one.
  • In my router I’ve ensured that:
    • my FBox is always given the same internal IP via DHCP reservation (192.168.1.xx)
    • the DMZ is set to my FBox IP (192.168.1.xx) — tried also via manual port-mapping, but didn’t fix the problem, and since the router interface is very limited DMZ seems the best option.
  • After my ISP assigned me a static IP I’ve waited over 72 hours to ensure DNS updates, so it doesn’t seem a caching problem.
  • I’ve flushed my PC DNS cache.
  • I’ve tried tracert on my public IP, and it’s reachable via a single hop now.

Yet, while everything above seems fine, I’m unable to access my FBox via the DDNS URL (from my PC and via mobile phone).

Also, besides not having Let’s Encrypt certificates yet, the Matrix Synapse configuration page complains that:

Your FreedomBox is behind a router and you are not using the DMZ feature. You will need to set up port forwarding on your router. You should forward the following ports for Matrix Synapse:

But my router is using the DMZ feature. Is the above message based on the FBox connection settings, or is it the result of actual port tests that detected that port TCP 8448 is effectively closed?

Currently, I’m unable to benefit from any FBox decentralized services (matrix, chats, etc.) since I lack self-signed certificates and I’m unreachable from the Internet.

Does anyone have any suggestions on further tests I can run to detect what the problem is? or an idea of what the problem might be?

If I’ve understood correctly, I should be expecting that by typing my DDNS URL in the browser (https://xyz.fbx.one) I should land on my FBox Plinth login page, is that correct? But I’m just getting a timeout error so far.

Thank you in advance for your support.

Ports 80 and 443 Not-Forwardable

I’ve been carrying out some further research to see if other people with my same ISP experienced similar problems. As it turns out, the routers provided by my ISP are all customized to prevent forwarding TCP ports 80 and 443 (some say also 22) which they reserve for their own use.

I’ve done this test:

  1. I’ve configured my router to forward traffic on port 8080 to port 80 of my FBox internal IP.
  2. After that, if I try to connect via Internet to my FBox via my static IP followed by :8080 I do get redirected to the /plinth/ subfolder, but the connection fails due to ERR_SSL_PROTOCOL_ERROR (the same if I use my DDNS followed by :8080).

Others in my same situation have switched the ISP default router with a custom router — an operation which is far from simple, since I have optic fiber connection and need to ask the ISP for an ONT adapter. Legally, the ISP is obliged by (a recent law that came out) to allow me to change router, but in practice they have the legal right to approve the router I choose, which has to meet their standards.

If I could fix this problem without changing the router it would spare me a lot of bureaucracy, fiddling with settings, extra expenses, and further time delays.

I’ve tried tweaking my GnuDIP configuration on ddns.freedombox.org, by adding :8080 after my static IP, but that’s rejected.

My current goals are to be able to use Matrix Synapse (hence, I need Let’s Encrypt certificates) and to grant some friends access to my FBox (it doesn’t necessarily have to be via DDNS, it could be through my IP address directly too).

Any ideas on how I could proceed?

That’s outrageous, have you contacted them to explain that you need these ports open because you want to self-host a website? It seems odd that they would agree to give you a static IP address, but then not allow 80 and 443 to be opened. I would at least ask.

To confirm that is the issue:

  • Is your website resolving correctly? Run dig xyz.fbx.one from the terminal to double-check it is resolving to your IP address
  • Check if the ports are externally accessible with this site: https://canyouseeme.org

To use Let’s Encrypt the “normal” way (for example, the automated service that is built in to Freedombox), you need to have both 80 and 443 open. I don’t believe there is any way around that. As an alternative to the automated service, they do mention there are other ways to get the certificate on this page: Best Practice - Keep Port 80 Open - Let's Encrypt

Unfortunately, you might not have control over whether port 80 is blocked for your site. Some (mostly residential) ISPs block port 80 for various reasons. If your ISP does this but you’d still like to get certificates from Let’s Encrypt, you have two options: You can use DNS-01 challenges or you can use one of the clients that supports TLS-ALPN-01 challenges (on port 443).

DNS-01 challenges seem like they are complicated to set up, and would depend on your DNS service offering an API, but if you want to look into it they describe it here:

Like I said though, before you get too deep in the weeds I would reach out and explain that you are trying to self-host a website and you need the ports open, and see what they say.

That’s outrageous, have you contacted them to explain that you need these ports open because you want to self-host a website? It seems odd that they would agree to give you a static IP address, but then not allow 80 and 443 to be opened.

The only reason they are allowing customers to get a static IP on demand is because they were starting to lose customers in bulk due to their restricted policies; and the only reason they are allowing customers to use their own routers is because a new law passed that forces them to do so.

My ISP is Fastweb, one of the major providers in Italy, and the first one to deliver optic fiber to households. Most Fastweb users complain about the same problems, and ports 80 and 443 being locked is one of them. Ex-employees of the company have confirmed that the ISP uses these ports to access customers’ routers, although it’s not entirely clear for which purposes (allegedly, for remote maintenance).

Is your website resolving correctly? Run dig xyz.fbx.one from the terminal to double-check it is resolving to your IP address

It does. Here’s the (IP/domains redacted) final part of dig output:

;; ANSWER SECTION:
XWYZZY.fbx.one.        60      IN      A       2.xxx.yyy.zz

;; Query time: 20 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: Wed Mar 08 08:35:49 CET 2023
;; MSG SIZE  rcvd: 88

Is the line SERVER: 192.168.1.254#53 OK?

Check if the ports are externally accessible with this site: https://canyouseeme.org

I’ve checked all the ports that my FB firewall mentions being open, and ports 80, 443 and 22 are reported as closed, while ports 8448 (Matrix Synapse), 5222, 5269 and 5280 (ejabberd) are open, which seems to confirm my suspicion that ports 80 and 443 are being blocked by the ISP — either via the router’s tweaked firmware, or somewhere upstream (I hope it’s the former, so that a new router can fix it).

To use Let’s Encrypt […] you need to have both 80 and 443 open. […] As an alternative to the automated service, they do mention there are other ways to get the certificate on this page: Best Practice - Keep Port 80 Open - Let’s Encrypt

Thanks for the tip, I’ll look into the DNS-01 challenges and the clients that support TLS-ALPN-01 challenges (although the latter requires port 443, which is also blocked).

Like I said though, before you get too deep in the weeds I would reach out and explain that you are trying to self-host a website and you need the ports open, and see what they say.

Indeed, that’s my plan. I was just waiting to get a reply on the forum, just in case I was missing something, but so far I’m getting confirmation that I need to replace the ISP router with my own.

I’ll try and ask them to unlock ports 80 and 443, but from what I’ve read on Italian forums so far, by customers of this ISP, this is unlikely to happen. Most users report that after switching to a custom router the problem was solved, which hints that it’s the customized software in the ISP router which is preventing opening those ports (if this is the case, then they can’t open them via customer support, since it requires flashing the firmware).

In any case, the ISP router is really crappy in terms of interface and options, and I wanted to change it since day one, and now that the new laws passed allowing Italians to use their own routers I can finally do it. I’ve also read some reviews by hackers who studied the source code of the ISP modified routers, and they uncovered the presence of many bugs that were introduced during their firmware refactoring (including a bug which resulted in circa 25,000 routers having a specific port constantly open over the Internet, as demonstrated via Shodan searches).

Hopefully switching to a custom router will solve the problem, and if it doesn’t I’ll switch ISP because I’m fed up of paying for a service which limits my Internet freedom — so the new router purchase won’t be wasted, even if I switch ISP.

The only thing is that it will take a while, since I have to first negotiate with them over the phone which router I can use — even if the new law forces them to let me use my own router, they were granted the right to deny the service if they don’t like the router. Their website provides a list of the minimum requirements for this router (which include some settings only found on high end routers), but they don’t provide a list of approved routers, so I’ll have to wrestle with them on the phone until I can come up with a router that’s OK to both parties.

Ok then, once I’ve managed to change router I’ll update you on whether I’ve solved the problem or not. In the meantime, thank you for your valuable support!

That’s a local IP address, most likely it is the IP address of your gateway and the domain name is in your DNS cache (an external DNS server was never queried).

You can specify a DNS server you want to resolve the query by adding an @ argument, for example to request the query be resolved by the OpenDNS server at 208.67.222.222 you run the command like so:

dig @208.67.222.222 xyz.fbx.one

I think you should clarify this when you speak to them. Let them know you need to be able to host services on your network, and if they can’t support that you will switch to another provider. Holding down 80 and 443 is a major overreach in my opinion; shame on them! :angry:
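The two checks suggested in this thread (resolving the DDNS name through an external resolver with dig @resolver, and testing whether the ports are reachable from outside) combined into one script, with the outcome classified into the situations the thread describes. This is an added example, not code from the thread or from the FreedomBox project; it assumes dig is installed, uses the OpenDNS resolver mentioned above by default, and the probe must be run from a vantage point outside the home network (a phone hotspot, for instance).

```python
"""Reachability check for a FreedomBox behind a home router.

Resolves the DDNS name via an external resolver (so a cached answer from the
router is not mistaken for what the Internet sees), probes the ports the
thread discusses, and classifies the outcome. Run the probe from outside the
home network (e.g. a phone hotspot), otherwise a router without NAT loopback
reports every port closed.
"""
import socket
import subprocess
import sys

# Ports discussed in the thread. 80 and 443 matter for Let's Encrypt:
# HTTP-01 needs 80, TLS-ALPN-01 needs 443, DNS-01 needs neither.
PORTS = {80: "HTTP", 443: "HTTPS", 22: "SSH", 8448: "Matrix federation",
         5222: "XMPP client", 5269: "XMPP server", 5280: "XMPP HTTP"}
LE_PORTS = {80, 443}

def resolve_externally(name, resolver="208.67.222.222"):
    """A records for `name` as answered by `resolver` (wraps `dig +short`)."""
    proc = subprocess.run(["dig", "+short", "@" + resolver, name, "A"],
                          capture_output=True, text=True, timeout=10)
    return [ln.strip() for ln in proc.stdout.splitlines()
            if ln.strip() and not ln.startswith(";")]

def tcp_open(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within `timeout`."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def diagnose(resolved, expected_ip, port_state):
    """Classify results: resolved = IPs from the external resolver,
    expected_ip = the ISP-assigned static IP, port_state = {port: reachable}."""
    findings = []
    if not resolved:
        findings.append("DNS: name does not resolve externally; the DDNS "
                        "update has not reached public resolvers")
    elif expected_ip not in resolved:
        findings.append(f"DNS: name resolves to {resolved}, not {expected_ip}")
    reachable = {p for p, ok in port_state.items() if ok}
    if not reachable:
        findings.append("PORTS: nothing reachable; check DMZ/port forwarding, "
                        "CGNAT, or that you are probing from outside the LAN")
    elif not reachable & LE_PORTS:
        findings.append("PORTS: other services are forwarded but 80 and 443 "
                        "are closed (router firmware or upstream block); "
                        "HTTP-01/TLS-ALPN-01 cannot succeed, use DNS-01 or "
                        "another router")
    else:
        findings += [f"PORTS: {p} ({PORTS[p]}) closed"
                     for p in sorted(LE_PORTS - reachable)]
    return findings or ["OK: name resolves to the expected IP and ports 80 "
                        "and 443 are reachable"]

if __name__ == "__main__":
    name, ip = sys.argv[1], sys.argv[2]  # e.g. xyz.fbx.one 2.23x.yyy.zz
    state = {p: tcp_open(ip, p) for p in PORTS}
    for p, ok in state.items():
        print(f"{p:5d} {PORTS[p]:17s} {'open' if ok else 'closed'}")
    print("\n".join(diagnose(resolve_externally(name), ip, state)))
```

With the results reported in this thread (8448 and the XMPP ports open, 80/443/22 closed) the script reports the router-or-upstream block case, which is exactly what the canyouseeme.org test showed.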

If you can, I’d suggest using a router supported by openWRT, so that you gain great flexibility with your new router.

I am happy with the refurbished WNDR3800 that I bought from https://store.vikings.net (the site seems down right now, hope it will come back soon) pre-installed with libreCMC, which is derived from openWRT but restricted to free firmware only.

I wish the law to choose your router would be passed in France; now I can only have my router after the one from my ISP.

If you can, I’d suggest using a router supported by openWRT, so that you gain great flexibility with your new router.

Yes, I had that thought too, the problem is finding a router that meets the ISP tech specs and supports OpenWRT.

I am happy with the refurbished WNDR3800 that I bought from https://store.vikings.net (the site seems down right now, hope it will come back soon) pre-installed with libreCMC, which is derived from openWRT but restricted to free firmware only.

I can access the website alright. Very cool stuff they have, thanks for the link! I’ve been looking at the WNDR3800, but it doesn’t seem to support the VoIP standards required by my ISP (I can’t see any VoIP support in the router wiki page). Unfortunately this seems the only router they currently supply.

I wish the law to choose your router would be passed in France; now I can only have my router after the one from my ISP.

Really? How strange. I lived and worked in France in the past, and from what I remember there’s less bureaucracy in France than in Italy, and in general there’s also a higher degree of freedom for citizens. But it’s also true that the French government is stricter when it comes to cyber security, and has strong views of how these might pose a threat to national security.

I’ve contacted my ISP, and they confirmed that the blocking of ports 80 and 443 is due to their routers. From what I understand, it’s because of a proprietary service/protocol they install on their routers, something to do with sharing WiFi bandwidth with all mobile phones from their company. Basically, if someone has a mobile phone with their contract, and he/she is near my router, they will gain free access to the Internet via WiFi, transparently (I won’t detect it) thanks to the ISP custom software installed on my router. It’s supposed to be an allocated fixed share, which in theory doesn’t affect my navigation speed, but customers who have switched to a custom router have reported gained speed on Ethernet connection.

I think it would be nice if here at the FreedomBox forums we could dedicate some threads (or elsewhere, in the Wiki maybe) providing some tips for people who’d like to venture into FB, in order to help them establish if they have the correct router, access to the required ports, etc. In many cases, it boils down to a limited number of ISP providers, by country, so it should be possible to treasure feedback from people who (like me) have bumped into similar obstacles, and provide some documentation where newbies can find answers to their questions.

I think that finding the right router is going to take me longer than I thought, since the list of required specs is very long, and I need to download the fact sheet of each router which I consider, to ensure that it supports the requirements. E.g. the router has to be fully configured for VoIP, even though in 20 years I’ve never connected a phone to my router and I’m not thinking of doing so (I don’t want to receive SPAM calls from sellers, which are common practice here in Italy, at all hours of the day).

Also, I’m not really an expert on routers and protocols, so I’m learning my way as I go along — which is good, but it’s also a huge burden unleashed on me all at once, with the pressure that if I get the wrong router it will be rejected by the ISP (something I’d rather avoid).

Although I think it’s a worthwhile effort, since it’s about regaining control over our Internet connection and devices, it can feel like a challenging task.

I don’t know the details of DDNS and how it works with Let’s Encrypt.

LetsEncrypt looks for your site’s Nameserver information to ensure/validate you are who you claim to be.

The script looks to validate both A - IPv4 address, and IPv6 AAAA, via Primary Nameservers.

Nutshell: if your network can’t supply both versions of address via a Primary Nameserver, I tend to think that’s why you’re not getting a cert.

Pick your favorite Search Engine and search ‘ipv4 conversion to ipv6’

I only get an IPv4 static IP, there’s no IPv6 assigned (and there’s nothing I can do about this).

Solved!

Finally, after a rather long waiting time the problem is solved. The mail delivery of the new router took over a week (but was worth it because of the discounted price), and then when I requested the ISP tech support to come and install the ONT converter I had to wait a few more days (let’s say they’ve made it as hard as possible on my side, hoping I would desist).

Anyhow, once the new router was installed, I could immediately see my FBox over the Internet, and when I clicked on Let’s Encrypt generate certificates it worked without problems.

@Strange_Fluid: if your network can’t supply both versions of address via a Primary Nameserver, I tend to think that’s why you’re not getting a cert.

Fortunately it worked even though my static IP is only available as IPv4. I double checked, and can confirm that there’s no IPv6 translation for my static IP. So, it’s good to know that even with IPv4 only Let’s Encrypt certificates generation works out of the box.

So, the lesson learned for Italian Internet users is …

Using FreedomBox with Fastweb ISP

If (like me) you are a Fastweb client with FTTH (Fiber To The Home) connection, and want to share your FreedomBox over the Internet:

  • Obtaining a static IP is not enough, because the ISP router (FastGate) blocks ports 80 and 443 via its modified firmware, so you won’t be able to:
    • Be visible on the Internet via DDNS.
    • Enable services that depend on Let’s Encrypt certificates (Matrix, etc.)
  • You’ll need to ask Fastweb to let you use your own router, which means:
    • Fastweb will install in your home an ONT device to which you’ll be able to connect your own router (via Ethernet cable).
    • You’ll lose IPv6 support (over the Internet).
    • Your bandwidth will be reduced from 2.5 Gbit to 1 Gbit (but you’ll gain almost +50% speed, since you won’t be sharing bandwidth with mobile phones).
    • You’ll be denied various Fastweb services that were previously available to you.

So, the question is whether it’s worth going through all the trouble. Personally, for years I had wanted to run my own home server as a personal experiment; and having already purchased a Pioneer FreedomBox I realized that without the above steps I wouldn’t be able to benefit much from it (except Intranet usage of those apps that don’t require self-signed certificates).

In any case, be aware that the above procedures with Fastweb are not exactly painless — they’ll try to discourage you, make it seem harder than it is, create unnecessary delays, and offer you zero support in terms of settings (you’re basically on your own). Other than that, you’ll have to consider the cost of a new router — technically speaking, Fastweb expects you to purchase a router that meets certain criteria, which are only found on high end routers (not exactly cheap), although in reality when they came to install the ONT they didn’t even try to connect the router to the network, they just wanted to check that I actually had one, so it could have been any router that was up to the job really.

For more info on these topics for Fastweb users, read the following articles:

I hope that this info and links might save precious time and headaches to other users who find themselves in my same situation, since it took me hours of Internet searching to find all this info in the midst of the confusion that surrounds this ISP.


Glad to hear you worked it out.

:sunglasses: