Unfortunately, as far as i can read here, the router seems the first place to look for.
Screenshots came from an identical installation as yours, with these small differences:
- you can see the configurations that i remember are necessaries
- the firewall consider NethServer part of a Green network instead of a Orange one (DMZ)
- the firewall is instructed/configured for:
- port forwarding from the public port i choosed to the private port necessary (currently, 9090 for Cockpit)
- firewall rule to allow communication from the subnet i specified to the port 9090 of NethServer
Without these last settings on the firewall, when i tried to “knock on” the port i specified (for instance public.address.ext:8909) firewall/router just bounced me out, because no rule was setup for allowing me to dialog to NethServer.
Also… DMZ is quite a bit… “trickier” than usual. In “regular” firewall/routers, this kind of network is subjet to a major rule of thumb: no allowances unless specified (from LAN, to LAN, from WAN, to WAN). Some commericial devices (AVM/Fritz if i’m not wrong) “call” DMZ the massive port forwarding to a single host without any protection enabled. But IMVHO most depend from the device.
Also Act II: some ISPs currently do not provide public address on the WAN port of the CPE/router, but only some kind of “geographical LAN” used by the ISP for delivering content and traffic to the customer. Therefore, for having the option to use a public IP address, ISP must be poked (or payed) for the “privilege”.
Last but not least: NethServer rely on an linux distro fully enabled for IPv6, but NethServer is no IPv6 compatible. All configurations for IPv4 are honored and distributed to linux services any time the “save/apply” button will be pushed. But no configuration will be proviede for IPv6 stack.