RESET Forums (homeservershow.com)
oj88

So my ISP just put me behind a NAT...


oj88

I've been enjoying my ISP for 15 years now, not because they're great, but in the place where I live, I didn't have any other choice. But since about a few weeks ago, I started getting 'connectivity' issues with my published services like WHS2011, Plex, remote access VPN, and even the ability to administer my pfSense box from the internet. I then realized that my good ISP has put me behind a NAT without so much as an email. I am certain about it as the WAN IP address issued to my firewall does not match the IP address result from Googling "What's my IP?". So now, this nice pfSense box sitting between me and the internet is no longer the center of the universe... all those port-forwards and published services are no longer working.

 

My question is: does there exist a VPN service (i.e. OpenVPN) that hands out public IP addresses?

pcdoc


 

You can use a DNS service like DynDNS with services like OpenVPN, but that may or may not solve your problem. First, how are you determining you are getting NAT'd? Are you sure they did not just change your IP? If you run whatismyip, do you get the right public address? Lastly, do you believe your modem is NAT'ing you, or is it at the ISP level? If the ISP, then using a DNS service may work for you; if the modem, there may be a way to bypass that. My guess is that something changed at the ISP and you may be forced into an intermediate service like DynDNS.

oj88


I have refreshed my connection on my firewall and it's still getting a 100.x.x.x IP. If I do a query about what my public IP address is, it returns a 124.x.x.x. The modem is configured for bridge mode, so it's not it.

 

I have tried doing a traceroute from my LTE phone to both 100.x.x.x and 124.x.x.x. From the results, the 100.x.x.x address is unreachable after a couple of hops while the 124.x.x.x can be reached after several hops. It's weird as well for them to use 100.x.x.x behind the NAT, as this block falls into the list of routable IP addresses.

 

If I ping my WHS hostname from the outside (i.e. <something>.homeserver.com), it returns the 124.x.x.x address.

 

Outbound internet access is not affected. There doesn't seem to be any filtering going on. Even outbound VPN (OpenVPN and IPSec) gets through.

itGeeks


Something seems very screwy to me. I would not be so quick to blame the ISP, as I think something may be wrong with your pfSense router, but further testing will be needed. Did your ISP provide you with a router or modem/router combo? If they did, I would disconnect pfSense and test with the ISP router and see if you get the same results. If they did not, then if you have another off-the-shelf router such as Asus, Linksys, Netgear, whatever, try testing with that so you can eliminate the router being the problem. What is concerning me and would not make any sense is that the 100.x.x.x and the 124.x.x.x are both routable IP addresses, so there would be no benefit for the ISP to do something like this. I have seen ISPs NAT, but in those cases the IP address is something non-routable such as 10.x.x.x.

 

Update: The more I think about this, the more I believe something is wrong with your pfSense router and/or your configuration. Try testing with a wired connection using your ISP router or a different router altogether. Please let us know after testing what you get.

Edited by itGeeks

GotNoTime

Nothing wrong with your router or firewall. Your ISP has implemented CGN which is Carrier Grade NAT i.e. NAT on a huge scale. Your IP will be something in the 100.64.0.0/10 range which is reserved for CGN. Call them to see if you can opt out.

 

What is concerning me and would not make any sense is that the 100.x.x.x and the 124.x.x.x are both routable IP addresses, so there would be no benefit for the ISP to do something like this.

100.64.0.0/10 isn't. It is reserved in RFC 6598 for CGN purposes and not routed across the internet.

Edited by GotNoTime
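The checks this thread walks through (is the WAN address in the RFC 6598 shared range, is it RFC 1918, does it differ from what the internet sees) turned into a small diagnostic. This is an added example, not code from any poster here; the addresses it tests with are constructed, and the labels it returns are my own naming.

```python
import ipaddress

# RFC 6598 "Shared Address Space": set aside for carrier-grade NAT (CGN) and
# never routed across the public internet. 100.64.0.0 - 100.127.255.255.
CGN_RANGE = ipaddress.ip_network("100.64.0.0/10")


def classify(addr: str) -> str:
    """Label an address by the allocation it falls into."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        return "ipv6"
    if ip.is_loopback or ip.is_link_local:
        return "local"
    if ip in CGN_RANGE:            # checked before is_private: Python does not
        return "cgn"               # count 100.64/10 as private, only as non-global
    if ip.is_private:
        return "rfc1918"           # 10/8, 172.16/12, 192.168/16 and friends
    if ip.is_global:
        return "public"
    return "other"                 # reserved/documentation ranges etc.


def diagnose(wan_addr: str, observed_addr: str) -> str:
    """Compare the address the firewall's WAN interface was given (DHCP) with
    the address the outside world sees (a what-is-my-IP lookup, or a ping of
    a dynamic-DNS hostname from a phone on LTE)."""
    wan = classify(wan_addr)
    if wan == "public" and wan_addr == observed_addr:
        return "no-nat"            # you hold the public address yourself
    if wan == "cgn":
        return "isp-cgnat"         # ISP-side CGN; port forwards on WAN cannot work
    if wan == "rfc1918":
        return "local-nat"         # a modem/router in front of the firewall is NATing
    if wan == "public":
        return "upstream-nat-public"  # NAT on a routable address: unusual, ask the ISP
    return "unknown"


if __name__ == "__main__":
    # Constructed sample: WAN got 100.69.x.x/17, the internet sees a 124.x.x.x.
    print(classify("100.69.1.2"), diagnose("100.69.1.2", "124.1.2.3"))
```

A "local-nat" result means the modem is the thing to put in bridge mode; "isp-cgnat" means only the ISP (opt-out, static IP) or a tunnel to a host that does have a public address will get inbound connections to you.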
itGeeks


Hmm, interesting, and once again I learn something new every day :rolleyes:

 

Update: I guess that's one way to handle the fact that we have run out of IPv4 addresses and allow an ISP to continue adding customers without forcing them to IPv6. This is also a sure-fire way to make sure you're not hosting any internet services on your low-cost home account. ISPs want us to pay big $$$ for business plans if we want to host anything on the internet. Now, by the ISP using CGN, that pretty much seals the deal, it seems to me.

Edited by itGeeks

oj88

Thanks itGeeks and pcdoc. My firewall is fine. It has no say on what IP address it will get as the WAN port is configured as a DHCP client.

 

Thank you GotNoTime. That is probably it. I get a 100.69.x.x/17 on any device I connect behind the modem (bridge mode).

 

I'll try to get in touch with them and see if they can put me up with a public IP. Beyond Plex and other IT perks being published, I also use it to access my IP cameras remotely. Needless to say, this change in their NOC is not a welcome thing for me.

GotNoTime

I get a 100.69.x.x/17 on any device I connect behind the modem (bridge mode).

Yes. That is within the CGN range of 100.64.0.0 to 100.127.255.255.

 

I'll try to get in touch with them and see if they can put me up with a public IP. Beyond Plex and other IT perks being published, I also use it to access my IP cameras remotely.

Another tactic to use is to say you're playing games on an XBox or PS and the CGN is breaking that.
TLN

I doubt they'll fix it for you, to be honest.

DynDNS won't help you either, because it will publish your hostname with 124.x.x.x, and 100.x.x.x will be non-pingable.

 

You could buy a VPS (say DigitalOcean, $5/mo), create a VPN tunnel from pfSense, and forward traffic. Better to choose the closest location, since you don't want your traffic to go over the globe.

itGeeks


I don't think they will fix it either. There is a reason they did this, and I believe the reason is so residential accounts don't host any internet services. In my humble opinion, they want you to have a business account that would give you a static IP. I am surprised other ISPs have not done this yet, as this would seal the deal for hosting any kind of services without paying them. Call the ISP and see if they offer a static IP option and what it would cost. That's going to be the only way to fix this once and for all.

Edited by itGeeks
