Pi to WordPress – Part 3: Public IP and NAT
This is part 3 of a series, documenting the setup of an out-of-the-box Raspberry Pi to a self-hosted SSL WordPress site.
On paper, the steps we need to achieve public internet access to our Pi/WordPress site are simple:
- Have a permanent public IP address assigned to us.
- Configure our router to redirect any web page requests that come to our public address towards the internal address of our Pi.
Easy! Unfortunately, as a home user, you will come across a number of issues that will add complexity to the above. To further complicate things, it’s difficult on my part to write a general guide that will cover all potential issues and devices. As such, this guide makes a few assumptions:
- That you are comfortable (for now) with having your Raspberry Pi exposed to the internet via open HTTP/HTTPS ports on your home router.
- That the public address assigned to you by your Internet Service Provider (ISP) is relatively persistent.
- That your ISP won’t have an issue with you hosting a web server.
- That you have access to your home router and it has the ability to perform Network Address Translation (NAT) / Port Address Translation (PAT).
More on each of the above as we go.
So first off, let’s look at your ISP assigned IP address.
You can view this by simply typing into Google “What is my IP” from a device connected to your home router. A more precise method is to log into your router and find your “WAN IP Address” or similar. You will also see some other information that might interest you, but is otherwise not relevant to this guide.
A quick word on public and private IP addresses: in short, a public address is an IP address that is allowed to route across the internet and is assigned by regional ISPs. Private addresses come from ranges of IPs that are free to be used by anybody, but which are not routable on the internet without first being translated to a public address. The ranges of private addresses are below, which home and business users alike are free to use on their internal networks. For the sake of brevity you can assume all other addresses are public addresses.
Your ISP has most likely assigned your home router a dynamic public IP address, whether that IP is IPv4 or IPv6. It is possible, though I have yet to see it myself, that they will assign you a private address that is behind a NAT router further upstream, which you will not have access to.
If this is the case, I don’t believe it will be possible to make any devices on your internal network available externally, at least via traditional translation methods. However, I do believe this scenario is rare.
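To check whether you are in that upstream-NAT situation, compare the WAN address your router reports with the address the internet sees. The sketch below is an added example, not part of the original post; it assumes IPv4, uses the RFC 1918 private ranges plus the RFC 6598 shared range that ISPs use for carrier-grade NAT, and the function names and sample addresses are constructed for illustration.

```python
import ipaddress

# RFC 1918 private ranges, plus the RFC 6598 range ISPs use for carrier-grade NAT.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify(addr: str) -> str:
    """Return 'private', 'cgnat', 'public' or 'special' for an IPv4 address."""
    ip = ipaddress.IPv4Address(addr)
    if any(ip in net for net in RFC1918):
        return "private"
    if ip in CGNAT:
        return "cgnat"
    # is_global is False for loopback, link-local, documentation ranges, etc.
    return "public" if ip.is_global else "special"


def port_forwarding_feasible(router_wan_ip: str, externally_seen_ip: str):
    """Compare the router's WAN address with the address external sites report."""
    kind = classify(router_wan_ip)
    if kind in ("private", "cgnat"):
        return False, f"WAN address is {kind}: an upstream NAT sits in front of the router"
    if kind == "special":
        return False, "WAN address is not a routable address"
    if router_wan_ip != externally_seen_ip:
        return False, "WAN address differs from the externally seen one: translated upstream"
    return True, "router holds the public address itself"


if __name__ == "__main__":
    # Constructed samples: (router WAN IP, IP reported by a "what is my IP" page).
    # 8.8.8.8 is only a stand-in for a real public address.
    for wan, seen in [("8.8.8.8", "8.8.8.8"),
                      ("100.64.12.1", "8.8.8.8"),
                      ("192.168.1.2", "8.8.8.8")]:
        print(wan, seen, port_forwarding_feasible(wan, seen))
```
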
Note too that your ISP assigned address is most likely dynamic. Just like DHCP on your LAN, this address can and most likely will change eventually. We won’t worry about this for now, but an upcoming part on public DNS will address ways we can overcome this.
Now that we know our public IP address, we can set about translating requests to this address towards our Pi.
NAT (or more accurately in our case PAT/Port Forwarding) works by maintaining a table of IP-to-IP and port-to-IP address translations on your router. As a TCP request comes into your router, it will consult the NAT table to see if that particular port should be forwarded to a specific IP address. This is exactly what we want for all requests on TCP ports 80 (HTTP) and 443 (HTTPS).
As all router models differ, you will have to consult your router documentation to find out exactly how to configure a NAT rule. For my TP-Link router, it was a case of entering the Advanced Setup section, selecting NAT, and defining a new rule. The section may be referenced as PAT, Port Address Translation, Port Forwarding etc. In general you will need to specify:
- A rule name
- The interface (the physical interface that will be receiving the traffic)
- The protocol (TCP or UDP)
- The external port number (the port number the external client will be connecting on)
- The internal port number (the port number our internal server will be listening on)
- The destination IP address (the IP of our internal server, in this case our Pi)
So for our purposes, we will be creating the below rules:
In plain English, this is saying “Any HTTP(S) requests received on our WAN interface, redirect them to 192.168.0.115 (my Pi address), and leave the port number unchanged”.
Once this rule is in place, you should now be able to browse to http://your_public_ip/ and reach your WordPress site.
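The forwarding behaviour described above, modelled as an added example that is not part of the original post or any router's firmware: `translate` shows what the router does with an inbound packet, and `audit` flags any rule that exposes more than the two HTTP/HTTPS forwards to the Pi. The rule names and the `ForwardRule` structure are hypothetical; the ports and the 192.168.0.115 address are the ones used on this page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ForwardRule:
    name: str
    protocol: str        # "TCP" or "UDP"
    external_port: int   # port the external client connects to
    internal_ip: str     # internal server that receives the traffic
    internal_port: int   # port the internal server listens on


PI = "192.168.0.115"     # the Pi address used on this page

# The two rules the text describes; the rule names are made up for this example.
RULES = [
    ForwardRule("pi-http", "TCP", 80, PI, 80),
    ForwardRule("pi-https", "TCP", 443, PI, 443),
]


def translate(rules, protocol, dst_port):
    """Return (internal_ip, internal_port) for an inbound WAN packet, or None if dropped."""
    for r in rules:
        if r.protocol == protocol and r.external_port == dst_port:
            return r.internal_ip, r.internal_port
    return None  # no matching rule: nothing on the LAN is reachable on this port


def audit(rules, allowed_ports=(80, 443), allowed_host=PI):
    """List rules that expose more than the HTTP/HTTPS forwards to the Pi."""
    findings = []
    for r in rules:
        if r.protocol != "TCP" or r.external_port not in allowed_ports:
            findings.append(f"{r.name}: exposes {r.protocol}/{r.external_port}")
        if r.internal_ip != allowed_host:
            findings.append(f"{r.name}: forwards to {r.internal_ip}, not the Pi")
        if r.internal_port != r.external_port:
            findings.append(f"{r.name}: remaps port to {r.internal_port}")
    return findings


if __name__ == "__main__":
    print(translate(RULES, "TCP", 443))   # forwarded to the Pi
    print(translate(RULES, "TCP", 22))    # dropped: no rule for SSH
    print(audit(RULES))                   # no findings for the two intended rules
```
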
Before we move on to the next part, a quick word (and warning) about security.
Firstly, it is generally a very bad idea to advertise your public IP address on the web, but that is practically unavoidable when you are self-hosting a website that you want to be publicly visible, since your IP address will be directly linked to the domain name you choose for your site.
Secondly, we are increasing risk by allowing traffic over TCP 80 and 443 to connect directly with a device on our internal home network. If your Pi is open to exploits on these ports and is compromised, the attacker will be on your home network with open access to everything connected. I would strongly recommend that you look to place your Pi on a separate subnet that has a physical firewall between it and your home network as soon as possible.