CGNAT and port forwarding: would renting a VPS and setting up my own VPN enable port forwarding? Or is paying for a static IP the only way? If the first is a yes, what other advantages would I get for paying for a VPS and setting up my own VPN?

preface: I am not a network wizard

I have been wasting a lot of time trying to do some port forwarding (in a slightly more complex environment than the ones I have done in the past, as the app that needs PF is on a VM).
Until it hit me that I am not able to port forward on my main host PC, which I was able to do a few years back.

After a bit of research I have realised that my new fibre provider is on a CGNAT and therefore it is not possible to achieve port forwarding (I am just regurgitating what I read without fully understanding it).
Reading here
https://www.reddit.com/r/HomeNetworking/comments/zefgyw/cgnat_static_ip_vs_dynamic_ip/
they are talking about how another viable option is to rent a VPS to create your own VPN.

What I fail to understand is: will the above solution enable me to port forward?
Or is the only way to achieve port forwarding to pay the ISP the monthly fee they demand?

Assuming I can port forward both via static IP and VPS+VPN, what other advantages would I get if I went down the route of VPS+VPN?
I am maybe specifically thinking here whether the latter would be a benefit if in the future I get a NAS for storage (which would also be used for photo backup).
Thanks!

In the EU most if not all ISPs will remove you from behind the CGNAT and give you a free dynamic IP if you ask for it.

Check out cloudflare zero trust, it does what you want and more and is easy af to deploy, also free so long as you aren’t a company with 50+ employees/devices.

It’s also a way more secure way to do what you want. Exposing ports directly to the internet is a recipe for malware up in your business.

If your home connection is behind CGNAT & your ISP refuses to allocate you a static IP in public range, a VPS & VPN is pretty much your only option other than getting a new ISP.

Advantages: Ability to port forward (insert your use case for that here)

Disadvantages: Cost / Complexity / slightly increased latency

Go back to looking at what you actually need. Is this a correct statement? “I need to access a particular port on an internal machine while I’m sitting anywhere in the world.” I only ask this to get away from the port forwarding idea, because it sounds like that’s a poor choice for you now.

Assuming that the above is true, then look into Tailscale. It leverages WireGuard, which is a great open-source VPN (which, yes, would need to accept inbound connections just like your internal machine); however, Tailscale puts the point that’s receiving the connections out on the Internet. Thus, you’ll connect to a point out on the Internet, and your internal Tailscale implementation will connect out to that same point. It’s acting as a broker for your traffic.

It’s the approach that I’d take.

Assuming you’re only interested in IPv4 for now. The VPS has a public IPv4 address. From your home network you connect to the VPS over a VPN or L2TP.

internet -> VPS <- VPN encapsulation -> internet <- VPN encapsulation-> home network

The downside of the VPS approach is increased latency, a slight throughput hit and possibly bandwidth costs.

The latency is because the packets have additional hops to get to you; this could be pertinent if you have a gaming use case.

The throughput hit depends on the encapsulation protocol used. Not all CGNATs are equal (big handwavy generalisations disclaimer): TCP VPNs tend to traverse NATs more robustly than UDP VPNs, but throughput is problematic.

The cost aspect depends on your provider, IPv4 is becoming increasingly expensive and some providers (e.g. AWS) are trying to cost nudge customers to IPv6.

YouFibre has some IPv6 capability for some residential customers; could this work for you?

The static IPv4 means the packets have a more direct route to your network, so typically lower latency through fewer hops. The bandwidth cost is more transparent, i.e. ISP T&Cs.

I wouldn’t conflate the NAS use case with this one.

Yes, a VPS+VPN combo will allow you to port forward from the Internet to whichever device you’re running your local VPN endpoint on. Depending on your setup, you might need to enable additional forwards from the VPN endpoint to the “end device” you want to forward to.

In short, what happens when you set up a VPN is that you create a tunnel between the two (or more) VPN endpoints. You can tell the VPS to listen to whichever port you need forwarded, e.g., port 443, and configure it in such a way that it will forward all traffic hitting the VPS on port 443 through the tunnel to the other peer in your VPN. Since there is a “direct link” between the VPS and your home network, the traffic can go right through that link, and CGNAT will not bother you.

Keep in mind that you’re still effectively exposing a device/service in your home network to the Internet, so don’t forget to take appropriate security precautions (reverse proxy, IDS/IPS, MFA, etc.).
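As an added example (not from any commenter in the thread), this is the VPS-side rule set for the forward described above: one public port rewritten to the home peer through the WireGuard tunnel, with every other forwarded flow dropped. The interface names, tunnel addresses and port (wg0, eth0, 10.8.0.2, 443) are constructed assumptions; the script prints the commands by default and only runs them with --apply.

```shell
#!/bin/sh
# Added example, not from the thread: VPS-side port forward through a WireGuard
# tunnel. Assumed (constructed) values: tunnel interface wg0, VPS tunnel address
# 10.8.0.1, home peer 10.8.0.2, public interface eth0, forwarded TCP port 443.
WG_IF="wg0"
HOME_PEER="10.8.0.2"
PUB_IF="eth0"
PUB_PORT="443"

# Emit the commands one per line instead of running them, so the rule set can
# be reviewed (or tested) offline before it touches a live VPS.
forward_rules() {
  # The kernel must route between the public interface and the tunnel.
  echo "sysctl -w net.ipv4.ip_forward=1"
  # Rewrite the destination of inbound traffic on the public port to the home peer.
  echo "iptables -t nat -A PREROUTING -i $PUB_IF -p tcp --dport $PUB_PORT -j DNAT --to-destination $HOME_PEER:$PUB_PORT"
  # Allow only that forwarded flow and its replies; default-deny everything else forwarded.
  echo "iptables -A FORWARD -i $PUB_IF -o $WG_IF -p tcp -d $HOME_PEER --dport $PUB_PORT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A FORWARD -i $WG_IF -o $PUB_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -P FORWARD DROP"
  # Source-NAT the forwarded packets to the VPS tunnel address so the home peer
  # answers back through the tunnel rather than via its ISP default route.
  echo "iptables -t nat -A POSTROUTING -o $WG_IF -d $HOME_PEER -p tcp --dport $PUB_PORT -j MASQUERADE"
}

# Number of commands emitted; handy as a sanity check before applying.
rule_count() { forward_rules | wc -l | tr -d ' '; }

if [ "${1:-}" = "--apply" ]; then
  forward_rules | while IFS= read -r cmd; do sh -c "$cmd"; done
else
  forward_rules
fi
```

Because of the MASQUERADE, the service at home sees 10.8.0.1 as the client address, so access logging and rate limiting belong on the VPS (or route the home endpoint's default through the tunnel instead). If the service lives on a LAN device rather than on the home WireGuard endpoint, the same DNAT plus MASQUERADE pair is repeated on that endpoint; that is the "additional forward" the comment mentions.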

Put in a request to your ISP for enabling IPv6.

UK, so I guess not EU :sob:
I can ask them and they will oblige, but they require monthly deposits of hard-earned cash for their bother.

thanks for the suggestion.

A quick research is showing me that proxying Plex through Cloudflare is against their ToS.
thanks though!

Not entirely true. They could use Tailscale, free and provides access if you’re behind a CGNAT.

To comment on this: the ISP is not refusing to give me a static IP, but they want a monthly handout for their services.
I am thus trying to weigh up whether, since I am doomed to pay money, it would be better to go the VPS+VPN route.

I think the answer to your question statement is indeed “yes”

>however tailscale puts the point that’s receiving the connections out on the Internet.

Are there any concerns here?
Someone above commented about latency, but unless it is something reminiscent of a 56k ADSL connection, I can live with it as I am not gaming.
Anything else to be aware of? Is there more of a safety risk?

I am really unsure whether I am interested in IPv4 or IPv6. I really don’t know what it would all mean for me. Probably need to read up on it.

Last I checked two months ago, yes, they are the only ISP which provides those speeds for those (low) prices.
As I just signed up with them, I am not in a place anyway where switching is already an option I’d consider.

The limited number of IPv4 addresses in the universe is just as true for fiber ISPs as for cellular ISPs. There is nothing about fiber as the physical layer of a network that magically makes more IPv4 addresses appear.

YouFibre charge £5 for a static IP (per month); this may or may not be more expensive than the cost of a VPS… but will solve your problem too :slight_smile:

Just make sure that you’re only requesting a “public” IPv4, versus a “static”. Public is usually a cheap upgrade for a residential customer, whereas static cost substantially more and often requires a business account.

For running a self-hosted VPN, you only need public. You can use DDNS to handle any IP rotations.

If you disable caching for Plex they don’t care. It’s making them cache hundreds of gigs of data they are worried about: they aren’t worried about you proxying video through it.

thanks for this, you got my attention when you said “free”. I will look into it!