Certbot failed with error code (1)

It is some kind of CGNAT. You can verify that the WAN IP of your modem router is not the same as the one you see in icanhazip.com.
They opened up port 10232 to be forwarded to 8000 on your router. You can try to forward port 8000 on your router to dietpi port 80, then while connected to the internet open with your browser the IP they gave you with port 10232 and you should see the apache2 test page.

But with this construct, you will never be able to generate SSL certificates using certbot as this requires port 80. Means certificates would need to be generated in a different way :thinking:

Just get an ASUS router and bridge it, there is really nothing you can do with your ISP modem. It depends on your budget and what you need: 1gb or 2.5gb, wifi6/wifi7? Currently I’m using an Asus RT-AX92U AX6100, but only 1gb network; I purchased it 3 years ago while Amazon was on sale. If you don’t need a wifi 7 router then this one: ASUS RT-AXE7800 with 2.5G port and wifi 6e.

Before I purchased this router my ISP told me they didn’t filter any ports but they lied to me. They just don’t want me to open ports 80/443 on their modem, and then someone on reddit asked me to get a router and bridge it, problem solved!

ASUS RT-AXE7800 Tri-band WiFi 6E Extendable Router, 6GHz Band, 2.5G Port, Subscription-free Network Security, Instant Guard, Advanced Parental Control, Built-in VPN, AiMesh Compatible, Smart Home, SMB : Amazon.ca: Electronics

If they are doing CGNAT, it will be a waste of money. Verify it first.

Here is my WAN IP

And my public IP

Haha still not working in my particular case😁

10.X.Y.Z IPs are private, so you are behind CGNAT.

Something we are not able to solve from our end. You would need to check with your ISP how you can forward port 80/443 from the internet to your local network.

@trendy
What IPs are public?
Will bridge mode work in this case if I’m behind CGNAT?

The IPs which are not private, reserved, or special use.

Bridge mode won’t make any difference.
Your ISP is saving on public IPs and allocates private IPs to end users.
You can either ask them to rent a public IP, make a tunnel with some VPS which has a public IP, use IPv6, or use another provider.

I mean how do you know if the IP is private or public?

Is it costly for an ISP to provide each customer with a dedicated IP?

If 10.X.Y.Z is a private IP, why do I always get this IP (xx2.56.x.xx: ) whenever I surf the web? What exactly is that IP?

If you read the Wikipedia article you’ll see the chapter with the private IPs and all starting from 10 are private.

It is both costly and in certain cases impossible to give everyone a public IP.

Hence we are moving to IPv6.

When you need to reach a server in the public part of the Internet your ISP is translating your private address into a public one, which is the one you see in various what-is-my-ip services. This address is shared among hundreds of customers.

I guess I need a static public IP to solve my certain case. So getting a real public IP is not enough, I’ve got to tunnel with another VPS?

If my ISP supports IPv6, do I still need a static public IP?

I would recommend to contact your ISP and ask for a possible solution. Maybe they have one, even if it is a billable one.

I don’t think the static is necessary, but you definitely need some public IP. Certbot will need to validate that your IP is bound to the advertised FQDN, which can be done if you have already set that on a dynamic DNS service.
For example if you register steven.dyndns.org and use the dietpi software to update the IP, then you can set certbot to check for this name, which will look up the DNS entry and see that it matches your public IP.
IPv6 is usually static, if not you can still use dynamic DNS.
If the public IP is too expensive from your provider, there are inexpensive VPS with public IPs.

How many IPs do I need here? Does it tend to change over time by ISP? So as long as my WAN IP address matches my public IP which is assigned to any address, I’m good to go, right?

Whenever I talked to my ISP, I felt like I always got assisted by a low-tier tech support person. At one point he didn’t even know what he was talking about: ‘open the port and everything will work just fine’. If that was true, it would have worked all along. Yes, I’m gonna call them again but at least I need to grasp the idea of how it works and what I really need before I talk to them again. Really appreciate you guys’ assistance @Joulinar @trendy @greentea1.

Sorry for the confusion, one is enough.
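
The check discussed in this thread (compare the router's WAN address with the address that what-is-my-ip services report, and see whether the WAN address is private) can be scripted. This is an added example, not code posted by anyone in the thread; the function names and verdict strings are hypothetical, and the addresses are constructed samples (8.8.8.8 and 8.8.4.4 are only stand-ins for a public address).

```python
import ipaddress

# RFC 6598 shared address space, reserved for carrier-grade NAT.
CGNAT_SHARED = ipaddress.ip_network("100.64.0.0/10")


def classify(addr: str) -> str:
    """Return 'cgnat-shared', 'private', 'public' or 'special' for an IP string."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4 and ip in CGNAT_SHARED:
        return "cgnat-shared"
    # Loopback, link-local, multicast and 0.0.0.0 can never be a usable WAN address.
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return "special"
    if ip.is_global:
        return "public"
    if ip.is_private:
        # Covers 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 and other reserved ranges.
        return "private"
    return "special"


def diagnose(wan_ip: str, seen_ip: str) -> str:
    """Compare the router's WAN address with the address seen from the internet."""
    kind = classify(wan_ip)
    if kind in ("private", "cgnat-shared"):
        # The ISP (or an upstream router) translates the address: inbound
        # port 80 never reaches the router, so HTTP validation cannot succeed.
        return "behind-nat"
    if kind == "special":
        return "invalid-wan"
    if ipaddress.ip_address(wan_ip) == ipaddress.ip_address(seen_ip):
        # Public and identical: a port 80 forward on the router can work.
        return "directly-reachable"
    # Public WAN address, but the internet sees a different one (proxy, VPN, ...).
    return "translated"


if __name__ == "__main__":
    # Constructed samples: (WAN IP shown by the router, IP shown by a what-is-my-ip service)
    samples = [("10.20.30.40", "8.8.8.8"), ("100.64.1.1", "8.8.8.8"),
               ("8.8.8.8", "8.8.8.8"), ("8.8.8.8", "8.8.4.4")]
    for wan, seen in samples:
        print(f"WAN {wan:<12} seen as {seen:<8} -> {diagnose(wan, seen)}")
```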