AAAnd we are back
Carrier grade NAT. CGNAT.
Those of you who read anything on my blog may have noticed that it wasn't online for a little while. Turns out my ISP decided it was time to do some maintenance and stick me behind a Carrier Grade NAT.
What the hell is Carrier Grade NAT (CGNAT/CNAT)?
Put simply, it's a way for ISPs to conserve public IPv4 address space by doing NAT (the same source/destination address translation your home router does) on a massive scale. CGNAT works the same way as normal NAT, just one step further up the chain: instead of only your router doing NAT, where it shares a single external IP address across your private internal network, the ISP adds a second layer of NAT, where potentially hundreds of customers share the same public IP address (two layers of translation is why you will also see it called NAT444). The ISP's NAT boxes keep a state table of every outbound connection so that your traffic can be source-translated to the shared public address on the way out and the replies translated back to your router on the way in.
The Problem.
Put simply, this breaks port forwarding from the outside in. Your router is no longer on a publicly routable IP address; it sits on a CGNAT address instead, and an unsolicited inbound packet arriving at the shared public address has no entry in the ISP's state table, so the CGNAT box has no idea which of the hundreds of customers behind that address it belongs to and drops it. The port forward you configured on your own router never sees the traffic. CGNAT has other nasty side effects too (sharing a public address means sharing its reputation, so one neighbour's abuse can get the whole address blocked), but for me the port forwarding issue was the highest priority to fix.
Detecting CGNAT
It can be fairly easy to detect. If the WAN (internet-facing) address on your router is in the 100.64.0.0/10 range (100.64.0.0 to 100.127.255.255, the shared address space that RFC 6598 reserved for exactly this purpose), then you're behind a CGNAT. Two caveats: some ISPs hand out ordinary RFC 1918 private addresses (10.x.x.x and friends) on the WAN side instead, which is just as much a CGNAT, and the check that works regardless is to compare the WAN address your router reports with the address an outside "what is my IP" service sees; if they differ, something upstream is translating you. A traceroute from inside the network will also show an extra private or 100.64.0.0/10 hop before the first public one.
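Here is that check as a small POSIX sh script. This is an added example, not code from the original post. It assumes you read the WAN address off your router's status page and pass it in as the first argument, and optionally pass the address the outside world sees as the second argument (fetched with something like `curl -s https://api.ipify.org`, which is just one illustrative service); the sample addresses at the bottom are constructed for demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): classify a router's WAN address
# to tell whether it is behind CGNAT. Pure POSIX sh; the classification itself
# needs no network access.

# Print the four octets of a dotted-quad IPv4 address, space separated.
octets() {
    printf '%s\n' "$1" | tr '.' ' '
}

# Return 0 if $1 is a syntactically valid IPv4 address, 1 otherwise.
valid_ipv4() {
    set -- $(octets "$1")
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Classify a single IPv4 address:
#   shared   - 100.64.0.0/10, the RFC 6598 shared address space used by CGNAT
#   private  - RFC 1918 space (10/8, 172.16/12, 192.168/16); some ISPs use
#              this on the customer-facing side of a CGNAT instead
#   public   - anything else (other reserved ranges are ignored for brevity)
#   invalid  - not a dotted-quad IPv4 address
classify_ipv4() {
    valid_ipv4 "$1" || { echo invalid; return 1; }
    set -- $(octets "$1")
    if [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]; then
        echo shared
    elif [ "$1" -eq 10 ]; then
        echo private
    elif [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then
        echo private
    elif [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then
        echo private
    else
        echo public
    fi
}

# Combine the WAN address your router reports ($1) with the address the
# outside world sees ($2, defaults to $1 if you have not looked it up):
#   cgnat      - WAN address is shared/private, so the ISP is translating you
#   translated - WAN address looks public but differs from the externally
#                observed one: something upstream still translates; traceroute
#   public     - WAN address is public and matches what the world sees
#   invalid    - $1 is not an IPv4 address
cgnat_verdict() {
    wan="$1"; seen="${2:-$1}"
    case "$(classify_ipv4 "$wan")" in
        shared|private) echo cgnat ;;
        public)
            if [ "$wan" = "$seen" ]; then echo public; else echo translated; fi ;;
        *) echo invalid; return 1 ;;
    esac
}

# Constructed sample addresses for demonstration (not real measurements).
for ip in 100.72.13.9 10.44.0.2 203.0.113.7 300.1.1.1; do
    printf '%-14s %s\n' "$ip" "$(classify_ipv4 "$ip")"
done
printf 'verdict: %s\n' "$(cgnat_verdict "${1:-100.72.13.9}" "${2:-203.0.113.7}")"
```

Run it as `sh cgnat-check.sh <wan-address> [<externally-seen-address>]`. Without arguments it just reports on the constructed samples. A `translated` verdict with a public-looking WAN address is worth a traceroute: it usually means the ISP is translating you at a second hop without using the 100.64.0.0/10 range.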
Solutions.
- Ring your ISP and demand a static public IP
- You may have to pay for the privilege
- If your ISP doesn't do static IPs you may have to move providers.
- Look at something like Tailscale or ZeroTier and use them to provide a bridgehead into your internal network.
- You will need a VPS or similar to provide the externally routable IP, and then use a service like Tailscale or ZeroTier to connect them together. This still lets you self-host, but if you're paying for a VPS why host anything at home at all?
- A reverse SSH tunnel (an outbound `ssh -R` from home to a box with a public address, which then listens on your behalf) also works :D
- Give up on your self-hosted dreams :(
I was lucky enough to get option 1 to work, but not before I had looked at option 2, which I will write about shortly.
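In the meantime, here is the reverse SSH tunnel option worked through, as an added example rather than anything from the original post. It assumes illustrative names only: a VPS at `vps.example.net` with an SSH user `tunnel`, a home service listening on `127.0.0.1:8080`, and port `8443` on the VPS as the public-facing port; the `sshd_config` fragment it inspects is constructed for the demonstration. The important caveat it checks is the one that catches most people: `ssh -R` binds the remote port to loopback on the VPS unless sshd's `GatewayPorts` allows otherwise, so the tunnel comes up fine and is still unreachable from the internet.

```shell
#!/bin/sh
# Added example (not from the original post): expose a service that runs at
# home (behind CGNAT) through a reverse SSH tunnel to a VPS you control.
# All hostnames, users and ports below are assumed, illustrative values.

VPS_HOST="${VPS_HOST:-vps.example.net}"
VPS_USER="${VPS_USER:-tunnel}"
LOCAL_PORT="${LOCAL_PORT:-8080}"    # the service at home
REMOTE_PORT="${REMOTE_PORT:-8443}"  # the port the VPS will listen on

# Build the ssh command that holds the tunnel open. The home side dials OUT to
# the VPS (CGNAT allows that), and -R asks the VPS's sshd to listen on
# REMOTE_PORT and hand every connection back down the tunnel to LOCAL_PORT.
# ExitOnForwardFailure makes ssh quit (so a supervisor restarts it) if the
# remote port cannot be bound; the ServerAlive options detect a dead link; -N
# runs no remote command.
tunnel_cmd() {
    # $1 = bind address on the VPS: 0.0.0.0 to accept from anywhere,
    #      127.0.0.1 if a reverse proxy on the VPS will front the service.
    bind="${1:-0.0.0.0}"
    printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R %s:%s:127.0.0.1:%s %s@%s\n' \
        "$bind" "$REMOTE_PORT" "$LOCAL_PORT" "$VPS_USER" "$VPS_HOST"
}

# Caveat check. sshd's GatewayPorts defaults to "no", which binds every -R
# port to loopback only; "yes" binds to the wildcard address; "clientspecified"
# honours the bind address given to -R. Read an sshd_config on stdin and
# report the effective value. sshd uses the FIRST uncommented occurrence of a
# keyword, so that is what we keep. Only the "Keyword value" form is handled.
gateway_ports_setting() {
    awk 'tolower($1) == "gatewayports" && v == "" { v = tolower($2) }
         END { print (v == "" ? "no" : v) }'
}

# Return 0 when the given GatewayPorts setting ($1) will let a -R with bind
# address $2 be reached from the internet, 1 otherwise.
tunnel_reachable() {
    setting="$1"; bind="${2:-0.0.0.0}"
    case "$setting" in
        yes) return 0 ;;
        clientspecified) [ "$bind" != "127.0.0.1" ] && [ "$bind" != "localhost" ] ;;
        *) return 1 ;;
    esac
}

# Constructed sample sshd_config fragment for demonstration (note the
# commented-out line, which must be ignored).
SAMPLE_SSHD_CONFIG='Port 22
#GatewayPorts no
GatewayPorts clientspecified
PermitRootLogin no'

setting="$(printf '%s\n' "$SAMPLE_SSHD_CONFIG" | gateway_ports_setting)"
echo "tunnel command : $(tunnel_cmd)"
echo "GatewayPorts   : $setting"
if tunnel_reachable "$setting" 0.0.0.0; then
    echo "port $REMOTE_PORT on $VPS_HOST will be reachable from the internet"
else
    echo "port $REMOTE_PORT would bind to loopback only; fix GatewayPorts on the VPS"
fi

# Actually open the tunnel (blocks until interrupted) only when asked for:
#   RUN_TUNNEL=1 sh reverse-tunnel.sh
if [ "${RUN_TUNNEL:-0}" = 1 ]; then
    eval "$(tunnel_cmd)"
fi
```

A bare `ssh` like this exits when the connection drops, so in practice you run the printed command under something that restarts it, such as a systemd unit with `Restart=always` or `autossh`, and you authenticate with a key restricted on the VPS to port forwarding only. The VPS-plus-overlay approach (option 2 above) is the same idea with different plumbing: the VPS forwards its public port to the home machine's Tailscale or ZeroTier address with a DNAT rule instead of sshd carrying the traffic.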
Until next time, Steve.
- header image stolen from A10 Networks