CGNAT

Posted: Wed Jan 29, 2020 9:59 am
by tbenz
I recently switched to the AT&T I-pad solution to replace my DSL. I am using a Nighthawk M1 (unlocked MR100-100NAS version) as a modem which is hardwired to an Asus router with Merlin firmware. The modem is in "IP Passthrough" mode, DHCP server off and wireless off. This setup works well and I'm getting much better internet than before.

I have several IP security cameras (and other devices, including the router itself) that I need to access remotely. With a true public IP, I have historically accessed them directly through their built-in web-servers or through apps: PC (Blue Iris), Android (TinyCam), by assigning each device to a port and then forwarding the ports. Used with a dynamic DNS service, this worked well for many years. With the new system, ATT implements CGNAT and my previous scheme doesn't work anymore. The router gets the same CGNAT'd "public"(private) WAN IP as the modem.

I need to figure out how to get outside access to devices on my network. I keep seeing “use a VPN” along with references to running a VPS (Virtual Private Server) on a VM (Virtual Machine). Some of them advertise themselves as a port-forwarding solution but I don’t know if that’s typically a default feature on all VPNs. I can find info on how to install and set up these things on my Asus/Merlin router but I’m having difficulty figuring out how to actually use these strategies once they’re implemented. I understand what a VPN is but I'm having a hard time figuring out how to actually connect to the devices on my network. I suspect that I’m likely “not seeing the forest for all the trees”. Questions I have:
1. Do I need a VPN Client on the router?
2. Do I need a VPN Server on the router?
3. Do I need a Virtual Machine with a VPS installed on that?
4. Does the device (PC, Android, IPhone) trying to access the network remotely need to have a VPN client installed?
5. Once the VPN/VM/VPS is implemented, how do I access the devices remotely?
I'd like to continue using the same process that I'm using now -- provide the cam viewing program an IP (or Dynamic DNS name), a port # and user/pass. Once the app is set up with the address and credentials, I just open it and the cams appear. I don’t want to have to do a bunch of steps prior to using the app each time.

VPNs I’ve seen referenced:
Portmap.io
ngrok
Zerotier
Torguard
PIA (I have this as a client on my PC)
ExpressVPN
AirVPN
NordVPN
SoftEther

Thanks for any assistance and/or clarification.

Re: CGNAT

Posted: Wed Jan 29, 2020 5:58 pm
by BillA
tbenz wrote: Wed Jan 29, 2020 9:59 am I recently switched to the AT&T I-pad solution to replace my DSL. I am using a Nighthawk M1 (unlocked MR100-100NAS version) as a modem which is hardwired to an Asus router with Merlin firmware. The modem is in "IP Passthrough" mode, DHCP server off and wireless off. This setup works well and I'm getting much better internet than before.

I have several IP security cameras (and other devices, including the router itself) that I need to access remotely. With a true public IP, I have historically accessed them directly through their built-in web-servers or through apps: PC (Blue Iris), Android (TinyCam), by assigning each device to a port and then forwarding the ports. Used with a dynamic DNS service, this worked well for many years. With the new system, ATT implements CGNAT and my previous scheme doesn't work anymore. The router gets the same CGNAT'd "public"(private) WAN IP as the modem.

I need to figure out how to get outside access to devices on my network. I keep seeing “use a VPN” along with references to running a VPS (Virtual Private Server) on a VM (Virtual Machine). Some of them advertise themselves as a port-forwarding solution but I don’t know if that’s typically a default feature on all VPNs. I can find info on how to install and set up these things on my Asus/Merlin router but I’m having difficulty figuring out how to actually use these strategies once they’re implemented. I understand what a VPN is but I'm having a hard time figuring out how to actually connect to the devices on my network. I suspect that I’m likely “not seeing the forest for all the trees”.

Thanks for any assistance and/or clarification.

Unfortunately CGNAT can create major headaches for port forwarding.
Basically the carrier is running the show by assigning a local IP address (usually in the range of 100.64.0.0/10) between you and their CGNAT server, which breaks any port forwarding you have set up on your router.
There are several solutions you can try.

If you can set the IPv4v6 option in your router to IPv4 explicitly, some carriers will assign a real external IPv4 address (your mileage may vary).

Another method is by using PCP (Port Control Protocol, but don't worry, this PCP won't get you high... maybe low... lol), which will allow you to tunnel through the carrier's server. Unfortunately both your device (such as a camera or IoT device) and your router have to support PCP in order to be able to set up forwarding rules. Here's some more info on how it's done. https://www.juniper.net/documentation/e ... tocol.html

Then there's the TCP hole punching method; again, your devices and router have to support it. Here's some more info about it. https://bford.info/pub/net/p2pnat/index.html

And finally there's the dreaded VPN solution... Every single extra server and bunny-hop along with encryption overhead will slow down your speeds (as low as below 10Mbps even on a 100Mbps raw connection), adds extra monthly costs, etc... so yeah, it gets messy.

ATT is known to employ CGNAT, while Tmobile seems to work fine with my VOIP box behind the router using a simple STUN discovery method. So a carrier change might also do the trick. Don't know about other carriers, so if anyone has more info, feel free to post it.


Wiki info about CGNAT

Like any form of NAT, it breaks the end-to-end principle.
It has significant security, scalability, and reliability problems, by virtue of being stateful.
It makes it impossible to host services.
It does not solve the IPv4 address exhaustion problem when a public IP address is needed, such as in web hosting.

Carrier-grade NAT usually prevents the ISP customers from using port forwarding, because the network address translation (NAT) is usually implemented by mapping ports of the NAT devices in the network to other ports in the external interface. This is done so the router will be able to map the responses to the correct device; in carrier-grade NAT networks, even though the router at the consumer end might be configured for port forwarding, the "master router" of the ISP, which runs the CGN, will block this port forwarding because the actual port would not be the port configured by the consumer. In order to overcome the former disadvantage, the Port Control Protocol (PCP) has been standardized in the RFC 6887.

In cases of banning traffic based on IP addresses, the system might block the traffic of a spamming user by banning the user's IP address. If that user happens to be behind carrier-grade NAT, other users sharing the same public address with the spammer will be mistakenly blocked. This can create serious problems for forum and wiki administrators attempting to address disruptive actions from a single user sharing an IP address with legitimate users.
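The 100.64.0.0/10 point above is easy to check from your own router before spending money on tunnels. Below is an added example (not from this thread or any of the posters) that classifies the WAN address a router reports and compares it with the address the outside world sees; the sample addresses are constructed and the "external view" value is something you would normally obtain from a what-is-my-IP service.

```python
# Added example: diagnose whether inbound port forwarding can work from a
# given WAN lease. Sample addresses below are constructed for illustration.
import ipaddress

# RFC 6598 shared address space, the range carriers use for CGNAT
SHARED_ADDRESS_SPACE = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges, which mean another NAT (e.g. a modem) is in front
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(addr: str) -> str:
    """Return 'cgnat', 'private', 'public' or 'other' for an IPv4 WAN address."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        return "other"
    if ip in SHARED_ADDRESS_SPACE:
        return "cgnat"
    if any(ip in net for net in RFC1918_NETS):
        return "private"
    if ip.is_global:
        return "public"
    return "other"  # loopback, link-local, documentation ranges, etc.


def port_forward_diagnosis(wan_addr: str, observed_public_addr: str) -> dict:
    """Compare the router's WAN lease with the address seen from the internet.

    observed_public_addr is what an external service reports for you; here it
    is passed in rather than fetched so the check runs offline.
    """
    kind = classify_wan(wan_addr)
    same = ipaddress.ip_address(wan_addr) == ipaddress.ip_address(observed_public_addr)
    reachable = kind == "public" and same
    if kind == "cgnat":
        reason = "WAN lease is in 100.64.0.0/10: carrier NAT is in front, inbound forwards will not arrive"
    elif kind == "private":
        reason = "WAN lease is RFC 1918: a device upstream is still doing NAT (check passthrough/bridge mode)"
    elif reachable:
        reason = "WAN lease is public and matches the external view: port forwarding can work"
    else:
        reason = "WAN lease does not match the external view: some upstream NAT or proxy is in the path"
    return {"kind": kind, "matches_external": same,
            "forwarding_reachable": reachable, "reason": reason}


if __name__ == "__main__":
    print(port_forward_diagnosis("100.72.3.4", "8.8.8.8"))   # constructed CGNAT case
    print(port_forward_diagnosis("8.8.8.8", "8.8.8.8"))      # constructed public case
```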

Re: CGNAT

Posted: Thu Jan 30, 2020 5:18 am
by tbenz
Good info Bill. Thanks!
From the research I've done, and considering the equipment/devices I have, it looks like VPN is the route I need to go. This particular setup is at my "cabin in the woods". I can disable the VPN when we're there and then enable it when we leave. Then I don't have to suffer slower speeds and latency issues while we're actively using the internet and still be able to access the cams externally.

Is a stand-alone VPN client installed on the router an option that would satisfy my requirements in #5 in the OP or would I need to go the VPS on a VM route?
Thanks

Re: CGNAT

Posted: Sat Feb 01, 2020 8:45 pm
by BillA
tbenz wrote: Thu Jan 30, 2020 5:18 am Good info Bill. Thanks!
From the research I've done, and considering the equipment/devices I have, it looks like VPN is the route I need to go. This particular setup is at my "cabin in the woods". I can disable the VPN when we're there and then enable it when we leave. Then I don't have to suffer slower speeds and latency issues while we're actively using the internet and still be able to access the cams externally.

Is a stand-alone VPN client installed on the router an option that would satisfy my requirements in #5 in the OP or would I need to go the VPS on a VM route?
Thanks

A regular VPN should work, since it tunnels through the carrier's CGNAT.
You can buy a static IP VPN which would eliminate the need to also run some kind of DDNS client to update your ever-changing IP address, which you need to access your camera remotely. I use a regular proxy with static IP, in order to bypass Tmobile's video throttling (specifically YouTube). Initially I thought that I would need a VPN, but out of pure chance I have discovered that a plain old proxy will do just fine. I use one from BestProxyAndVPN.com for $5/month, but you can use one from any proxy/VPN provider (just stay away from any free public VPNs unless you wanna get hacked lol). You could try a regular proxy with static IP first, it might work for your cameras and it's a lot easier to set up than a VPN (here's a link about a 72-hour free trial bestproxyandvpn.com/guaranteed-refund.html). If a proxy doesn't work, you can always go the VPN route (costs a little more at $8/month), it's entirely up to you.

Re: CGNAT

Posted: Sun Feb 02, 2020 6:20 am
by tbenz
Bill-Thank you!! I'll give that a look