So I have DynDns.

I also have a Dual WAN router (Linksys LRT224 - which I actually just replaced with another one from support)

I have my primary internet (comcast)

I have my backup internet (AT&T mobile sim card)

 

The LRT224 connects to my netgear R9000 router which ultimately all the LAN devices (and wireless) connect to. 

The LRT224 connects to the backup internet using the Netgear LB1120 (will refer to it as mobile router, herein)

I can RDP no problem from primary internet (and always have done so actually) 

 

The failover works.

 

But when it fails over to the backup internet and the IP is updated on DynDns, I cannot seem to RDP

 

The IP Address it seems to give from the mobile internet is a private IP rather than the one that is actually given from the provider from a public IP. So the private IP seems to give it the last IP Address as defined in the IP Address range in the mobile router config (netgear) which is 192.168.5.99.

 

Why?! The settings are pretty much identical from what I can see with the main router I have for the primary internet along with the mobile router.

The "Internet IP" given from the LRT to the routers connected to it is 192.168.1.101. I added this setting manually for the port forwarding on the mobile router

 

Thoughts? 

https://linustechtips.com/topic/1160506-mobile-backup-why-not-rdp/

49 minutes ago, AhmedIlyas said:

The IP Address it seems to give from the mobile internet is a private IP rather than the one that is actually given from the provider from a public IP

Mobile providers DON'T have any more IP addresses. They ALL use carrier grade NAT to solve the issue. So none of them will give you a public IP. The only real solution in this case is I have heard of people renting a VPS and using a VPN to tunnel between their network and the VPS and that can sometimes help with carrier grade NAT. I myself have never set this up, so I can speak for how it works.

I just want to sit back and watch the world burn. 


4 minutes ago, AhmedIlyas said:

Thanks.

But when I do a "what is my ip" it shows me the public IP address, however the dyndns/router is giving it the private local LAN IP?

That's because that's how carrier grade NAT works. YOU share that IP with a whole shit load of customers. So you and a whole lot of customers would get the same public IP if checking it on Whats my IP. Remember in order to get to the Internet you need an internet routable address. Whatsmyip is a website, meaning in order to access it you need an address that works on the internet. ISPs figured out they could use the same tech as we do on our home routers (NAT) to prevent them from having to turn away customers for lack of IPs. With carrier grade NAT and having a router that performs NAT on your end, you have what's called double NAT. BUT from what I have read above, you might have more than double NAT, in some cases you might have 3/4 layers. EVERY router uses NAT, so connecting a router to a router creates multiple layers of NAT. This means you will have to port forward thru each layer, which is not an issue until your ISP starts using NAT. AT&T would have to do the port forwarding on their end as well, that's not going to happen.

If I'm reading the OP correctly. You have Comcast, and if you're renting a modem, then you have a gateway (Modem/router 1 layer of NAT) then you have the Linksys dual WAN router (2nd layer of NAT) and then you have the Netgear router (3rd layer of NAT), on the AT&T front you have their carrier grade NAT (1 layer of NAT), next you have their gateway (2nd layer of NAT), third you have the Linksys dual WAN (3rd layer of NAT) and finally the Netgear router (4th layer of NAT).

If all those devices are configured as routers then they are all doing NAT. This is not really good by any stretch.

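The layered-NAT reasoning in the reply above, as an added example that is not part of the original posts: it classifies each router's WAN-side address and reports whether a DynDNS record built from it could ever accept an inbound connection. It assumes every device in the chain is in router mode; 192.168.1.101 and 192.168.5.99 come from the thread, while the LB1120 WAN address and the external address are constructed sample values.

```python
import ipaddress

# Ranges that are never routable on the public internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 carrier-grade NAT space


def classify(addr):
    """Return 'private', 'cgnat' or 'public' for an IPv4 address string."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "private"
    if ip in CGNAT:
        return "cgnat"
    return "public"


def diagnose(wan_chain, external_ip):
    """wan_chain: (router name, WAN-side address) pairs, innermost router first.
    external_ip: address reported by a what-is-my-ip service.
    Assumes every router in the chain performs NAT (router mode).
    """
    _, outer_wan = wan_chain[-1]
    # Carrier NAT: the outermost router's WAN address is not the address
    # the internet actually sees.
    carrier_nat = outer_wan != external_ip
    return {
        "classes": {name: classify(ip) for name, ip in wan_chain},
        "nat_layers": len(wan_chain) + (1 if carrier_nat else 0),
        "carrier_nat": carrier_nat,
        # A DynDNS record only helps if it holds the external address.
        "ddns_usable": {name: ip == external_ip for name, ip in wan_chain},
        "inbound_possible": not carrier_nat and classify(outer_wan) == "public",
    }


# Backup path from the thread. The LB1120 WAN address and the external
# address passed below are constructed for illustration.
BACKUP_PATH = [
    ("R9000", "192.168.1.101"),
    ("LRT224", "192.168.5.99"),
    ("LB1120", "100.64.10.20"),
]

if __name__ == "__main__":
    for key, value in diagnose(BACKUP_PATH, "203.0.113.7").items():
        print(key, value)
```

When `inbound_possible` is false, no amount of port forwarding on the local routers makes the DynDNS name reachable; the connection has to be initiated outbound, for example to a VPN endpoint.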

Yeah pretty much right.

I have the dual wan router.

The netgear nighthawk r9000 router 

The netgear mobile router 

Then the Motorola sb6800 modem which plugs to the coax cable for comcast. 

All are connected to the dual wan router.

 

All are in router mode. 


1 minute ago, AhmedIlyas said:

Motorola sb6800 modem

Good news, that's not a gateway, so minus a layer from the Comcast side. NAT is your issue, because of how it works. One layer of NAT is easily managed, multiple layers is a nightmare. While you might be able to put the AT&T gateway into bridge mode, essentially making it a modem, you would still have the issue of AT&T doing NAT on their side.

 

Not 100% sure how to approach this. I know I have read of people using a VPN to get around carrier grade NAT. But you have so many layers between you and AT&T I'm not sure what to do here with what equipment you have. If it were me I'd probably use the Netgear router as an AP and just plug everything into the Linksys box directly and try to put the AT&T box into bridge mode. Then you might be able to do the VPN trick, but if I recall correctly that would require you to rent a VPS and set up a VPN connection between your home and the VPS. Not sure how this works with multiple internet connections.

 

 


As an aside, isn't RDP over the Internet considered insecure?

I only ever remote in using a VPN.

ASUS B650E-F GAMING WIFI + R7 7800X3D + 2x Corsair Vengeance 32GB DDR5-6000 CL30-36-36-76  + ASUS RTX 4090 TUF Gaming OC

Router:  Intel N100 (pfSense) Backup: GL.iNet GL-X3000/ Spitz AX Switches: Netgear MS510TXUP, MS510TXPP, GS110EMX
WiFi6: Zyxel NWA210AX (1.7Gbit peak at 160Mhz) WiFi5: Ubiquiti NanoHD OpenWRT (~500Mbit at 80Mhz)
ISPs: Zen Full Fibre 900 (~930Mbit down, 115Mbit up) + Three 5G (~1200Mbit down, 115Mbit up, variable)
Upgrading Laptop/Desktop CNVIo WiFi 5 cards to PCIe WiFi6e/7


As the others already wrote, the only way to deal with CGNAT is to have an external VPN server and hook your LAN and remote machine up to that. Or I think ZeroTier might be an option as well. Just don't expose that time bomb to the internet....
