
Overcoming Carrier Grade NAT (Double NAT)

Solved by Venkatesh Ravi

This is a big problem and the explanation is going to be relatively long, so strap yourselves in. Also, it's a bit of a story as well.

I recently got a 100 Mbps up / 100 Mbps down dedicated FTTH line from a local ISP for $15. I have switched between 5-10 ISPs in India.

India is a country with a lot of people and an extremely limited IPv4 allocation: ~35 million IP addresses for 1.2 billion people.

As of March 2017, the number of people with internet access had soared to 420 million users, a quarter of it due to a revolutionary company called Reliance Jio, with a 4G-only, VoLTE-calling, fully IPv6-ready network.

Unlike mobile network operators, who flock to IPv6 due to the heavy shortage, ISPs have clutched the egregious abomination that is CG-NAT, aka Double NAT.

As I mentioned earlier, nearly all of the ISPs have so few IPv4 addresses that they universally adopted CG-NAT. Older ISPs who have enough IPv4 addresses either use dynamic IPs (which for me is fine) or still give out static ones as standard. However, by literal definition, older ISPs are not providing FTTH; instead they still rely on DSL connections, or falsely brand vectored DSL as "V-Fiber".

As all ISPs do, my ISP also has a paid static IP service. However, that is only available on a business plan, and the business plans have data caps of about 250 GB for a 100 Mbps connection, at a higher price. The static IP charges alone per year are almost half as much as the yearly service bill. I just can't bear to live with a 250 GB data cap beyond which my internet goes back to stone-age 512 kbps, and a bill almost 75% higher, just for the "pleasure" of having a static IP.

My ISP is relatively small, and although I would consider myself a noob in networking, those guys are even more so. I begged them to enable support for IPv6. However, they haven't bought in, due to fears that some of the equipment in people's homes won't support it, that it does not add value to the sales pitch, and that they have to shell out for IPv4 NAT anyway. They pretty much said to me that I am the only guy asking for this and it's just absurd.

I run a Plex server at home. Since I have been stuck behind CG-NAT for the past year or two, it's useless other than for local streaming.

At least back when mobile network speeds were ridiculous I could have convinced myself to scrap the Plex idea. However, I pay a $7 flat prepaid fee per month for 2 GB per day on a 4G LTE-only network (with 90% network coverage all over India including rural areas, and 100% coverage expected by next year). And I use 0% of it because I am behind a damn CG-NAT and bored whenever I leave my house.

I have already tried running a VPN by default to PureVPN's dedicated IP service, and reverse SSH tunneling to my network. It is super slow and slows down pretty much everything.

Here is the scenario:

1) All expected client devices for the Plex server support IPv6.

2) The server does not have access to an IPv6 address because the ISP does not support it.

3) I get a private IP address from my ISP and am not able to reach my network behind the NAT.

4) My ISP will offer little to no help whatsoever.

Question:

What is the best, fastest solution to expose my home network to the Internet?

If a solution that I have mentioned as already tried sounds the best to you, and/or you have a similar but faster approach, please let me know.

Thank you guys in advance

 

STORMBORN

 


CPU : Intel Core i7 4790K 4.6Ghz
Motherboard : Asus Z97-A
GPU : Asus GTX 970 Strix
RAM : 16 GB (8*2) Kingston Hyperx Fury
Case : NZXT H440
Cooler : Corsair H100i
SSD : 2 X Intel 530 Series 120 GB in RAID 0
HDD: 2TB Seagate Barracuda + 500 GB Seagate Momentus
PSU : Corsair RM 750
Display: 2 X Dell S2240L Monitors in Surround
Mouse : Logitech G 402 Hyperion Fury
Headphones: Sennheiser HD 439 
Keyboard : TVS (cheepo) Cherry MX Blue Mechanical Keyboard
Mousepad : Steelseries QCK Mass
OS : Windows 8.1 Pro 

 

Purpose : Mechanical 3D Modelling/ Photorealistic Rendering (Solidworks) and Gaming


It appears the ONT is either being used as a residential gateway, which is easy for them to disable, or something is not forwarded correctly on your router.


11 minutes ago, mynameisjuan said:

It appears the ONT is either being used as a residential gateway, which is easy for them to disable, or something is not forwarded correctly on your router.

This is a different problem than my other post, man. It's regarding CG-NAT and the IPv4 shortage, thereby limiting my access to my home network from the outside.


6 hours ago, Venkatesh Ravi said:

This is a different problem than my other post, man. It's regarding CG-NAT and the IPv4 shortage, thereby limiting my access to my home network from the outside.

You have no options; you're at your ISP's mercy, as they are the only ones who can open ports. Keep in mind port forwarding can only be done to one IP address, which means all the others who share that public IP with you would be screwed. Has India not moved to IPv6 yet? A few US providers dual-stack, giving out both IPv4 and v6 addresses.


You could use a dynamic DNS name service. I use "http://freedns.afraid.org/" to publish my public IP so I can have client services point to my home network. I use pfSense to keep it updated, and NAT forwarding for the ports I need open. Everything else is blocked from the outside.


35 minutes ago, Brian Blankenship said:

You could use a dynamic DNS name service. I use "http://freedns.afraid.org/" to publish my public IP so I can have client services point to my home network. I use pfSense to keep it updated, and NAT forwarding for the ports I need open. Everything else is blocked from the outside.

You cannot do that with CG-NAT when you and 1000 other people appear to the world to come from the same IP address. Maybe a VPN tunnel to somewhere that doesn't use CG-NAT could work, but that's about it.


The only way to bypass the NAT is using some sort of tunnel. A VPN is by far the easiest and cheapest. I have used a VPN to a MikroTik RouterOS instance on AWS. This worked pretty well, and using EoIP I could connect with a phone or tablet and be on the same layer 2 as my home network. Speeds were decent but depended on location relative to the datacenter; your mileage may vary. Also, AWS costs may be prohibitive, especially if streaming video. In the US you can get a tunnelbroker IPv6 tunnel for free. If this is an option in India it may get you on IPv6 at little or no cost, thus bypassing the CG-NAT.


This can be worked around, but it would require you to have full access to a server and/or firewall, depending on what is on the other end.

I have done something similar before at the request of a client, to a mobile device.

1) VPN to a firewall or server (VPN to be terminated on the firewall) on a public IPv4 address.

2) Configure a NAT rule for the public address on TCP 32400 to an internal IP of your Plex machine on the other end of the VPN.

3) Configure a firewall rule on the VPN interface to allow the traffic on the subnet.

4) Allow any local software firewalls (Windows FW etc.) to permit access on the private VPN IP.

5) Make sure the VPN is set to allow split tunneling so you can still access your local network.

You could likely do this with a custom virtual server from a cloud provider.

Please quote or tag me if you need a reply

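The recipe above carried through on the VPS side, as an added example (this is not code from the thread or from any poster, and Falconevo's post does not name a VPN product). It assumes WireGuard on a Linux VPS with iptables, a hypothetical tunnel subnet 10.88.0.0/24 with the VPS at 10.88.0.1 and the Plex host at 10.88.0.2, public interface eth0, a documentation-range public address 203.0.113.10, and placeholder keys. The one thing the five steps leave implicit is the return path: because the home side is split-tunnelled, the Plex host would answer a random Internet client via the ISP, where the CG-NAT drops the reply, so the VPS also SNATs the forwarded connection to its own tunnel address. Run with DRY_RUN=1 to print the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the thread. VPS side of "VPN in, NAT TCP 32400 out
# over the tunnel". All addresses, interface names and keys are assumptions.
WG_IF=wg0
WG_NET=10.88.0.0/24
VPS_TUN_IP=10.88.0.1     # VPS end of the tunnel
PLEX_TUN_IP=10.88.0.2    # Plex host's end of the tunnel
PUB_IF=eth0
PUB_IP=203.0.113.10      # documentation range, stands in for the VPS public IP
PLEX_PORT=32400
WG_PORT=51820

# Execute a command, or print it when DRY_RUN=1 (lets you review the rule set first).
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: VPN terminated on the VPS. Only the Plex host's tunnel /32 is accepted
# from that peer, so nothing else at home can be reached through it.
gen_server_conf() {
  cat <<EOF
[Interface]
Address = ${VPS_TUN_IP}/24
ListenPort = ${WG_PORT}
PrivateKey = <VPS_PRIVATE_KEY>

[Peer]
# Plex host at home (placeholder key; generate with: wg genkey | tee k | wg pubkey)
PublicKey = <HOME_PUBLIC_KEY>
AllowedIPs = ${PLEX_TUN_IP}/32
EOF
}

# Step 5: split tunnel. AllowedIPs is only the tunnel subnet, so the home LAN and
# normal Internet traffic keep going out via the ISP. The keepalive is what keeps the
# CG-NAT mapping for the UDP session alive from the inside.
gen_home_conf() {
  cat <<EOF
[Interface]
Address = ${PLEX_TUN_IP}/24
PrivateKey = <HOME_PRIVATE_KEY>

[Peer]
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = ${PUB_IP}:${WG_PORT}
AllowedIPs = ${WG_NET}
PersistentKeepalive = 25
EOF
}

# Steps 2 and 3 on the VPS, plus the return-path SNAT the recipe does not mention.
apply_nat_rules() {
  run sysctl -w net.ipv4.ip_forward=1
  # Step 2: public TCP 32400 -> Plex host's tunnel address.
  run iptables -t nat -A PREROUTING -i "$PUB_IF" -p tcp --dport "$PLEX_PORT" \
      -j DNAT --to-destination "${PLEX_TUN_IP}:${PLEX_PORT}"
  # Return path: make the Plex host see the VPS tunnel IP as the client, so its
  # replies go back through wg0 instead of out via the CG-NAT'd ISP link.
  run iptables -t nat -A POSTROUTING -o "$WG_IF" -d "$PLEX_TUN_IP" \
      -p tcp --dport "$PLEX_PORT" -j SNAT --to-source "$VPS_TUN_IP"
  # Step 3: only the forwarded port may cross into the tunnel; drop everything else.
  run iptables -A FORWARD -i "$PUB_IF" -o "$WG_IF" -d "$PLEX_TUN_IP" \
      -p tcp --dport "$PLEX_PORT" -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
  run iptables -A FORWARD -i "$WG_IF" -o "$PUB_IF" \
      -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -j DROP
  # The VPS itself only needs to accept the WireGuard port from the Internet
  # (DNAT happens before INPUT, so 32400 never hits the VPS's own INPUT chain).
  run iptables -A INPUT -i "$PUB_IF" -p udp --dport "$WG_PORT" -j ACCEPT
}

case "${1:-}" in
  server-conf) gen_server_conf ;;
  home-conf)   gen_home_conf ;;
  apply)       apply_nat_rules ;;
esac
```

Usage: `sh vps-plex.sh server-conf > /etc/wireguard/wg0.conf` on the VPS, `sh vps-plex.sh home-conf` for the home side, then `DRY_RUN=1 sh vps-plex.sh apply` to review and `sh vps-plex.sh apply` as root to install the rules. Step 4 on a Windows Plex host is the matching inbound rule restricted to the tunnel, e.g. `netsh advfirewall firewall add rule name=PlexViaTunnel dir=in action=allow protocol=TCP localport=32400 remoteip=10.88.0.0/24`. The SNAT means Plex logs every remote viewer as 10.88.0.1; if you want real client addresses, replace it with a policy route on the home side that sends traffic sourced from 10.88.0.2 back through wg0. Nothing here adds a default INPUT DROP on the VPS, so your SSH access is untouched; lock that down separately.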

17 hours ago, Falconevo said:

This can be worked around, but it would require you to have full access to a server and/or firewall, depending on what is on the other end.

23 hours ago, schizznick said:

The only way to bypass the NAT is using some sort of tunnel.

On 9/13/2017 at 6:12 PM, Brian Blankenship said:

You could use a dynamic DNS name service. I use "http://freedns.afraid.org/" to publish my public IP so I can have client services point to my home network. I use pfSense to keep it updated, and NAT forwarding for the ports I need open. Everything else is blocked from the outside.

Hey guys, I found a wonderful new service called portmap.io, made specifically to address this particular issue, and it works amazingly well.

It allows you to forward one port to your PC via an OpenVPN tunnel. I think it uses split tunneling to tunnel just that particular port to their VPN servers.

It's free for one port, and that's all I'll ever need :D. Also, it seems it's just $30 a year for unlimited port forwards.

If you guys do check it out, please let me know if all my Plex data flows from my PC to their servers and then to me (like an actual VPN would).

I just want to know if this is just a repackaged VPN for enthusiasts.

Aside from not knowing if these guys are stealing data or not, this service is amazing. LOL, I don't know the legitimacy of the provider, but the service is just awesome.


lol, the link to their privacy policy doesn't even work... sounds like a company you can really trust indeed!


10 minutes ago, Levisallanon said:

lol, the link to their privacy policy doesn't even work... sounds like a company you can really trust indeed!

Yeah, and apparently the servers are in Russia. Nothing against Russians, but you guys are the second worst when it comes to hacking and shit.
I am kinda creeped out too, but it works super well.

Oh god, I found one proper usable solution and this is it xDxDxD :ph34r:


14 minutes ago, Levisallanon said:

lol, the link to their privacy policy doesn't even work... sounds like a company you can really trust indeed!

The privacy policy is mentioned along with the Terms of Use. I found this after years of fighting. GOD, WHY? Just why do you hate me?????????


On 9/14/2017 at 0:09 PM, Venkatesh Ravi said:

Hey guys, I found a wonderful new service called portmap.io, made specifically to address this particular issue, and it works amazingly well.

It allows you to forward one port to your PC via an OpenVPN tunnel. I think it uses split tunneling to tunnel just that particular port to their VPN servers.

It's free for one port, and that's all I'll ever need :D. Also, it seems it's just $30 a year for unlimited port forwards.

If you guys do check it out, please let me know if all my Plex data flows from my PC to their servers and then to me (like an actual VPN would).

I just want to know if this is just a repackaged VPN for enthusiasts.

Aside from not knowing if these guys are stealing data or not, this service is amazing. LOL, I don't know the legitimacy of the provider, but the service is just awesome.

I think you can be assured they are stealing your data, and lord knows what else.


Personally I wouldn't use someone else's service for this; just get yourself a cloud VPS and do it yourself. A few quid a month.


On 9/18/2017 at 9:44 AM, Brian Blankenship said:

I think you can be assured they are stealing your data, and lord knows what else.

On 9/18/2017 at 7:23 PM, Falconevo said:

Personally I wouldn't use someone else's service for this; just get yourself a cloud VPS and do it yourself. A few quid a month.

Now another doubt I have is: I only selectively tunnel Plex via that port, it is password protected and it is a secure connection. Am I still at risk?

P.S. I love it and can't get my head around the idea that it's highly, highly risky. However, I did uninstall everything already, and I am just looking to learn more about networking and security in general.


1 hour ago, Venkatesh Ravi said:

Now another doubt I have is: I only selectively tunnel Plex via that port, it is password protected and it is a secure connection. Am I still at risk?

P.S. I love it and can't get my head around the idea that it's highly, highly risky. However, I did uninstall everything already, and I am just looking to learn more about networking and security in general.

You have absolutely no idea what is going on in the middle; for all you know, a MITM (man-in-the-middle) attack could be performed with ease.

You are passing traffic via their network routing, so it's up to them what they want to do with it.

The layers of the network are completely transparent to you, so this is not something I would personally do. It's not my data or credentials, so weigh up the pros and cons yourself.

Providing that type of service for free means your information is being retrieved in some manner, likely not a manner you want it to be. Weigh up the risks yourself: do you give a toss or not?

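One concrete check for the question being answered here, as an added example that is not from the thread: Plex terminates TLS on 32400 with its own certificate, so if a third-party port-forward relay is merely passing TCP through, the leaf certificate a client sees via the relay must be identical to the one the server presents on the LAN; a relay (or anyone upstream of it) that re-terminates TLS to read the session has to substitute a certificate, and the SHA-256 fingerprint changes. The script pins the LAN-observed fingerprint and compares it with the relay-observed one. It assumes `openssl` is installed, and uses hypothetical addresses (LAN 192.168.1.20:32400, relay endpoint relay.example.net:12345); the fingerprint parsing and comparison work offline, the live lookups need network access.

```shell
#!/bin/sh
# Added example, not from the thread: detect a TLS-interposing relay by comparing
# the Plex server's leaf certificate as seen on the LAN with the one seen via the
# relay. Hostnames and ports below are assumptions for illustration.

# Turn "sha256 Fingerprint=ab:cd:..." (OpenSSL 1.1/3.x) or "SHA256 Fingerprint=..."
# (older releases) into bare upper-case hex so both forms compare equal.
normalize_fingerprint() {
  sed -n 's/^[Ss][Hh][Aa]256 Fingerprint=//p' | tr -d ':' | tr 'a-f' 'A-F'
}

# Print the SHA-256 fingerprint of the leaf certificate served at host:port.
# Needs network access; `</dev/null` makes s_client exit after the handshake.
# $3 is the SNI name to send, defaulting to the host.
leaf_fingerprint() {
  openssl s_client -connect "$1:$2" -servername "${3:-$1}" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 \
    | normalize_fingerprint
}

# Compare a pinned fingerprint (taken on the LAN) with one observed via the relay.
# Exit 0: same certificate. 1: different certificate (interposed or substituted).
# 2: one side produced no fingerprint (handshake failed, or the port is not TLS).
verify_pin() {
  pinned=$1
  observed=$2
  [ -n "$pinned" ] && [ -n "$observed" ] || return 2
  [ "$pinned" = "$observed" ]
}

# check_relay LAN_HOST LAN_PORT RELAY_HOST RELAY_PORT
check_relay() {
  pin=$(leaf_fingerprint "$1" "$2")
  seen=$(leaf_fingerprint "$3" "$4")
  verify_pin "$pin" "$seen"; rc=$?
  case $rc in
    0) echo "OK: relay presents the same certificate ($pin)" ;;
    1) echo "ALERT: certificate via relay differs (lan=$pin relay=$seen)" >&2 ;;
    2) echo "INCONCLUSIVE: no TLS fingerprint from one side (lan='$pin' relay='$seen')" >&2 ;;
  esac
  return $rc
}

# Example invocation (hypothetical endpoints):
#   sh relay-check.sh check 192.168.1.20 32400 relay.example.net 12345
case "${1:-}" in
  check) check_relay "$2" "$3" "$4" "$5" ;;
esac
```

A match only tells you the relay is not reading or rewriting the TLS stream; it still sees who connects, when, and how much, and the OpenVPN client on your PC still accepts whatever the relay's server pushes down the tunnel, subject only to your local firewall. Re-run the check whenever Plex renews its certificate, since the pin changes then too.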

42 minutes ago, Falconevo said:

You have absolutely no idea what is going on in the middle; for all you know, a MITM (man-in-the-middle) attack could be performed with ease.

You are passing traffic via their network routing, so it's up to them what they want to do with it.

The layers of the network are completely transparent to you, so this is not something I would personally do. It's not my data or credentials, so weigh up the pros and cons yourself.

Providing that type of service for free means your information is being retrieved in some manner, likely not a manner you want it to be. Weigh up the risks yourself: do you give a toss or not?

Nope, I got rid of it, and am trying to configure a VPS in AWS as you suggested.

Thank you very much for the help :D

 


  • 2 years later...
On 9/13/2017 at 12:02 AM, Venkatesh Ravi said:

This is a big problem and the explanation is going to be relatively long, so strap yourselves in. Also, it's a bit of a story as well.

I recently got a 100 Mbps up / 100 Mbps down dedicated FTTH line from a local ISP for $15. I have switched between 5-10 ISPs in India.

India is a country with a lot of people and an extremely limited IPv4 allocation: ~35 million IP addresses for 1.2 billion people.

As of March 2017, the number of people with internet access had soared to 420 million users, a quarter of it due to a revolutionary company called Reliance Jio, with a 4G-only, VoLTE-calling, fully IPv6-ready network.

Unlike mobile network operators, who flock to IPv6 due to the heavy shortage, ISPs have clutched the egregious abomination that is CG-NAT, aka Double NAT.

As I mentioned earlier, nearly all of the ISPs have so few IPv4 addresses that they universally adopted CG-NAT. Older ISPs who have enough IPv4 addresses either use dynamic IPs (which for me is fine) or still give out static ones as standard. However, by literal definition, older ISPs are not providing FTTH; instead they still rely on DSL connections, or falsely brand vectored DSL as "V-Fiber".

As all ISPs do, my ISP also has a paid static IP service. However, that is only available on a business plan, and the business plans have data caps of about 250 GB for a 100 Mbps connection, at a higher price. The static IP charges alone per year are almost half as much as the yearly service bill. I just can't bear to live with a 250 GB data cap beyond which my internet goes back to stone-age 512 kbps, and a bill almost 75% higher, just for the "pleasure" of having a static IP.

My ISP is relatively small, and although I would consider myself a noob in networking, those guys are even more so. I begged them to enable support for IPv6. However, they haven't bought in, due to fears that some of the equipment in people's homes won't support it, that it does not add value to the sales pitch, and that they have to shell out for IPv4 NAT anyway. They pretty much said to me that I am the only guy asking for this and it's just absurd.

I run a Plex server at home. Since I have been stuck behind CG-NAT for the past year or two, it's useless other than for local streaming.

At least back when mobile network speeds were ridiculous I could have convinced myself to scrap the Plex idea. However, I pay a $7 flat prepaid fee per month for 2 GB per day on a 4G LTE-only network (with 90% network coverage all over India including rural areas, and 100% coverage expected by next year). And I use 0% of it because I am behind a damn CG-NAT and bored whenever I leave my house.

I have already tried running a VPN by default to PureVPN's dedicated IP service, and reverse SSH tunneling to my network. It is super slow and slows down pretty much everything.

Here is the scenario:

1) All expected client devices for the Plex server support IPv6.

2) The server does not have access to an IPv6 address because the ISP does not support it.

3) I get a private IP address from my ISP and am not able to reach my network behind the NAT.

4) My ISP will offer little to no help whatsoever.

Question:

What is the best, fastest solution to expose my home network to the Internet?

If a solution that I have mentioned as already tried sounds the best to you, and/or you have a similar but faster approach, please let me know.

Thank you guys in advance

I am having the same issue as you, even in 2020. I use Jio for opening and forwarding ports through the NAT. One thing that can be considered is to contact an ISP technician and ask them to put your router (either by IP or MAC) in the DMZ, by configuring the default gateway (the CGN, which has a specific public IP) that is used to provide your router with an internet connection. That will bypass the firewall at the CGN, and your router will have access to all the ports and IP connections; you can then configure it at your router-level firewall.

In my case, I contacted them today and am waiting for a reply.


*** Thread locked ***

 

Please don't revive old threads.
