kfitz

Networking Continued

As you may recall, I've been experimenting with setting up a home server, and several months ago had gotten stuck on an issue related to the structure of my network. Taylor hopped in and really helped me understand how everything ought to work.

But it's not working. And I'm again flummoxed.

Here's the setup:

  1. I have my ISP's modem/router/gateway monstrosity (the BGW320) running in IP Passthrough mode, with the WAN IP address being passed to my gateway Eero.
  2. I have my Eeros set to Automatic DHCP mode; the gateway Eero is successfully getting the WAN IP address and is handing out private IP addresses in the 192.168.4.X range.
  3. I have a registered domain name (let's say example.net), and I have an A record at my DNS service pointing to my WAN IP address. I have also created a subdomain A record (service) pointing to the same IP address. DNS Checker gives me all green checks for both.
  4. I have a mini server, running Proxmox.
  5. I have installed Nginx Proxy Manager in a container on the Proxmox (an LXC), which is running and reachable at the static address 192.168.4.11.
  6. I have installed the service I'm trying to expose in another LXC, which is running and reachable at the static address 192.168.4.12.
  7. I have set up port forwarding on my Eero network for ports 80 and 443 to 192.168.4.11.
  8. I have created a proxy host in NPM, for which all the dots are green:
    • Domain Name: service.example.net
    • Scheme: http
    • Forward Hostname/IP: 192.168.4.12
    • Forward Port: port
    • Block Common Exploits and Websockets Support on
    • Access List: Publicly Accessible

But http://service.example.net:port refuses to connect, as does http://example.net, either from my local network or through my VPN. And traceroute to either example.net or service.example.net stalls out.

I've checked the Proxmox firewall and inbound 80 and 443 are both set to accept. I've checked to see whether my ISP's monstrosity's firewall could be blocking those ports but... who's to say. The NAT/Gaming (sigh) panel of the admin interface isn't showing the gateway Eero as a device that could need anything in particular sent its way, so my assumption is that IP Passthrough passes inbound requests through for the Eero to sort out, too.

I've searched around, and the nearest thing I've found to what I'm trying to do and how I'm trying to do it is in this Reddit thread, but the problem in that case is back at the beginning with the A record, which is definitely not my issue, unless I spelled my domain name wrong at the DNS. (I didn't.) And that person was able to get to the NPM congratulations page; my connections get refused entirely.

If anybody sees anything that I should adjust, or take a look at adjusting, I'd be grateful to hear. I'm already this close to dumping my ISP anyhow due to some ongoing service issues, and getting rid of their annoying modem/router/gateway would be a bonus, but I'm not entirely certain that it's the problem, and I'd love to find a way through without taking that step.
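
A hop-by-hop check for the setup listed above, as an added example that is not part of the original post: it probes the service container, then NPM, then the public name, and reports the innermost hop that fails. `SERVICE_PORT` is a placeholder for the forward port the post elides, and the function names are hypothetical.

```python
import socket

# Placeholder (assumption): the post does not give the real forward port.
SERVICE_PORT = 8080

# Hops from the post's setup, outermost first.
HOPS = [
    ("public name -> Eero port forward :80", "service.example.net", 80),
    ("public name -> Eero port forward :443", "service.example.net", 443),
    ("NPM container :80", "192.168.4.11", 80),
    ("NPM container :443", "192.168.4.11", 443),
    ("service container", "192.168.4.12", SERVICE_PORT),
]

def tcp_probe(host, port, timeout=3.0):
    """Classify one TCP connection attempt."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"      # something answered, but nothing accepted the port
    except socket.timeout:
        return "timeout"      # packets silently dropped along the way
    except socket.gaierror:
        return "dns-failure"  # the name did not resolve
    except OSError:
        return "unreachable"  # no route, host down, and similar

def localize(hops=HOPS, probe=tcp_probe):
    """Probe from the inside out; return (results, innermost failing hop)."""
    results, first_broken = {}, None
    for label, host, port in reversed(hops):
        state = probe(host, port)
        results[label] = state
        if state != "open" and first_broken is None:
            first_broken = label
    return results, first_broken

if __name__ == "__main__":
    results, broken = localize()
    for label, state in results.items():
        print(f"{state:12} {label}")
    print("innermost failing hop:", broken or "none")
```

Run it from a machine on the 192.168.4.X network for the inner hops. The public-name hops are best probed from outside the network, since reaching your own WAN address from inside depends on the router's NAT loopback behaviour.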

Webmentions

3 Replies

  1. Kathleen Fitzpatrick
    @woe2you It’s AT&T fiber, so there’s a chance, I suppose. (They do not communicate a lot of the under the hood details.)
  2. Kathleen Fitzpatrick
    @woe2you Yeah — still digging into this. There’s a mechanism in the AT&T gateway’s admin interface for testing ping/traceroute, and if I try to hit the IP address or the domain name there it resolves instantly. So maybe the weak link isn’t AT&T but the Eero the IP address is passed through to.
  3. Kathleen Fitzpatrick
    @doctator Thanks — makes total sense now! Still not working, of course — I think the problem may lie at the IP passthrough point.