Hello Friends
Normally a ISP gives a dynamic ip. Use a static IP is not free by the ISP
Around 2010/2012 I was able to use by free in that time through DynDNS a simple installer in Windows (no Linux) to get a static IP. It worked fine.
For Linux (if exists)
Question
It in case if I need to access to other PC in other place through either Remmina or SSH
Thank You
There simply is NO OTHER way for free - i.e. if your ISP can’t give you one - then there’s nothing you can do… it’s the rules of the internet - you can’t just arbitrarily assign yourself a public, routable IP address…
I’m lucky - I logged a ticket with my ISP because my port forwarding NAT rules on my router stopped working - and - they switched me to a fixed IP address plan, for NO additional costs.
I didn’t really need a fixed IP address…
My router supports Dynamic DNS anyway - and I pay a yearly subscription (it’s very reasonable) to NoIP… So I didn’t need a fixed IP address…
Note : there are HEAPS of clients and options to use one of the many Dynamic DNS services out there - you can e.g. use NoIP for free (you just have renew it monthly when they prompt you via email to renew). i.e. google “dynamic DNS client for Linux” - this topic is probably more than 20 years old… I remember doing stuff like this - 20 years ago - on Linux. Don’t ask me how - it was a long time ago - and I don’t need it as my router supports Dynamic DNS.
I don’t know the tech behind my ISP’s decision, but it seems their fix for allowing customers to have port forwarding NAT rules on their router (router was pre-configured, and supplied, by my ISP and supports port forwarding NAT rules out of the box) is to change your plan to fixed IP address.
If they start charging extra for this - I will request to go back to dynamic IP address…
If you router does support using a Dynamic DNS service (like DynDNS or NoIP) - use that method - it’s MUCH easier than doing it on Linux. Then on your router - you port forward (e.g. NAT) whatever ports you want :
Here’s a shonky ASCII diagram :
Cloud tcp/udp-port DEVCE NAT port Destination
--------
Internet ---> 8882 ---> | router | ---> 22 ---> Linux machine IP address
--------
--------
Internet ---> 9589 ---> | router | ---> 3389 ---> Linux machine IP address
--------
If you’re not sure whether TCP or UDP - you can usually select both. SSH is TCP only - don’t know about RDP (3389). Note : I’m assuming 3389 for Remmina client - but you don’t say whether your’re using it for RDP or VNC (VNC is a different port than RDP).
NOTE: SEVERE WARNING - DANGER DANGER DANGER :
Don’t allow external internet users to login to your Linux machine over SSH!
Don’t ALLOW root to login to your machine over ssh.
Install and configure fail2ban - there’s plenty of topics on here started by forum members -e.g. :
PLEASE READ and search ALL of the hit results for “fail2ban” on this forum before asking further questions 
Note : I have something similar setup to above ascii diagram - but I also have fail2ban, I also have root login over ssh disabled and I also limit by group - which users can login (“AllowGroups $GROUP” - where $GROUP is a username belonging to a group in /etc/group - appended to end of /etc/ssh/sshd_config). Even though I’m not port forwarding “22” hackers / bots are port scanning me to see whats open, and attempting to login on the non standard arbitrary port I’m listening on… I can see them. The IP addresses are all (recently) from Russian ISPs - I’ve previously seen obscure countries like Pacific Islands (a favourite of malicious entities) or China…
It’s easy to lookup - e.g. tail -10 /var/log/fail2ban.log - note down the IP address attempting - then run “whois” on it :
â•â”€x@frambo ~
╰─➤ grep Found /var/log/fail2ban.log |uniq |tail -1
2025-06-03 10:00:59,668 fail2ban.filter [721]: INFO [sshd] Found 45.135.232.92 - 2025-06-03 10:00:59
â•â”€x@frambo ~
╰─➤ whois 45.135.232.92
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See https://docs.db.ripe.net/terms-conditions.html
% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '45.135.232.0 - 45.135.232.255'
% Abuse contact for '45.135.232.0 - 45.135.232.255' is 'mail@proton66.ru'
inetnum: 45.135.232.0 - 45.135.232.255
netname: RU-PROTON66
country: RU
org: ORG-PL533-RIPE
admin-c: PL14453-RIPE
tech-c: PL14453-RIPE
status: ASSIGNED PA
mnt-by: IP-RIPE
created: 2023-03-31T20:14:04Z
last-modified: 2023-03-31T20:14:07Z
source: RIPE
organisation: ORG-PL533-RIPE
org-name: Proton66 LLC
org-type: OTHER
address: pr-kt Iskrovskiy, d. 21YU, kv. 218
address: 193230 Saint Petersburg
address: Russia
abuse-c: PL14453-RIPE
mnt-ref: IP-RIPE
mnt-by: IP-RIPE
created: 2023-03-31T20:10:41Z
last-modified: 2023-03-31T20:10:41Z
source: RIPE # Filtered
role: Proton66 LLC
nic-hdl: PL14453-RIPE
address: pr-kt Iskrovskiy, d. 21YU, kv. 218
address: 193230 Saint Petersburg
address: Russia
abuse-mailbox: mail@proton66.ru
phone: +7 999 5285271
mnt-by: IP-RIPE
created: 2023-03-31T20:09:34Z
last-modified: 2023-03-31T20:10:30Z
source: RIPE # Filtered
% Information related to '45.135.232.0/24AS198953'
route: 45.135.232.0/24
origin: AS198953
mnt-by: IP-RIPE
created: 2023-04-14T19:15:16Z
last-modified: 2023-04-14T19:15:16Z
source: RIPE
% This query was served by the RIPE Database Query Service version 1.117 (DEXTER)
Above is on one of my Raspberry Pi4 computers running Raspbian (Debian) Bookworm - I can’t remember if it comes with whois CLI tool - or if I had to install it… I think its installed by default on Bookworm…
Oh - remembered another thing - my router also has an OpenVPN server - so - I could use that instead… But port forwarding a non-standard TCP port for SSH and using fail2ban works for me.
Someone on another discussion also mentioned “port knocking” for SSH - I’d like to try that - but I’m in no rush as my current solution works…
Hi Daniel,
If this is the topic you’re referring to:
I hope to update it soon, because I have more information to get the knock porting working properly in my case, but I’m a bit short of time for testing.
The same applies to the topic you mentioned:
The 2 topics are interconnected and I also hope to update them, but once again, time for these matters is scarce
The help from all users on both topics has been invaluable
Hi Manuel,
As Daniel rightly said, there’s a lot of information in these topics that can help you.
If you need help, come here and we’ll try to help you as much as possible.
Jorge
Ooops!
I just enabled port forward (a different port than for the Pi4 NAT rule) on my router to ssh on my Raspberry Pi5 running Ubuntu 24…
And realised - OH NO! I don’t have fail2ban on there! Doh!
Lucky I realised before anyone tried port scanning me again…
Fail2Ban just seems to work out of the box on Ubuntu 24… Not so with Debian… You install it - but you have to manually tweak a few text files to get it working…
On Ubuntu 24 - “sudo apt install fail2ban” - and it’s now up and running (don’t even have to enable it)…
To be more precise: By using a DDNS service, you don’t get a static IP address, rather you get a DNS name for your still dynamic address.
BTW, I also use a NoIP service, easy and no install required.
I’m back 
As others pointed out, you can’t get a static IP unless your ISP provides it for you (maybe for additional charge).
You don’t really need a static IP if you have a dyndns, my choice for dyndns provide was dynu.com.
It is free, and after some period you can add not just the A records, but also MX, TXT, SPF, which is very nice of a free service.
You don’t need your router to support dyndns at all, you can install ddclient on your Linux box.
So to make the thing work you need your Linux box, install ddclient onto it and configure according your choosen dyndns provider; open the required ports towards your server, do the security measures, such as install and configure fail2ban.
And done, it should work.
There’s only one catch: be sure, your ISP did not put you behind NAT.
Over here some ISP’s put their client behind NAT, and that basically renders your port forwardings useleless. You can detect this case by looking at your public IP in the routers admin page, and compare it to a result given by whatismyip.com or similar. If they differ, your are behind NAT.
If that’s the case, you need to ask your ISP “please don’t NAT me!”
Recently I deployed a Seafile server for a friend, but that thing runs just behind NAT on a home network. I keep opened a reverse SSH tunnel from the server behind NAT to my VPS.
So I SSH into my VPS, and from there I can SSH into that “hidden” server.
Maybe such a “mandiner” could be an option for you too?
You might want to look into Tailscale.
It allows you to connect to a virtual network without static IPs or using a VPN service. Tailscale provides the management of your network. Once connected, all computers on the network communicate point to point rather than through some central VPN concentrator.
You can start for free with up to three devices.
There are other similar services.
Hi Manuel,
I think you already have all the answers you want.
I’ll just add to László’s answer:
Here in PT, one ISP is using CGNAT (Carrier-Grade Network Address Translation) and still doesn’t provide a fixed IP if we want it.
I think the first thing to do is to test your external IP as explained here in the thread. At the same, you could contact your ISP and ask which service you have contracted, fixed IP, dynamic IP, CGNAT, etc, and if there are any restrictions on external ports.
That’s my opinion
Jorge