OPNsense
Author Topic: User can’t connect because of CGNAT  (Read 451 times)

csupi003
User can’t connect because of CGNAT
« on: October 24, 2024, 08:47:38 pm »
Hi,

I have a small server at home and users are connected via Softether VPN. One of them is behind CGNAT so if I block private networks on WAN she cannot connect.

What if I remove it from the WAN interface and set a WAN firewall rule to block all private addresses except CGNAT network? Is there a security risk involved?

Or maybe any other solution? I set up Tailscale as a replacement until I find a solution.

Thanks in advance,

dseven
Re: User can’t connect because of CGNAT
« Reply #1 on: October 24, 2024, 09:54:19 pm »
Huh? You wouldn't be seeing her CGNAT private address - you'd be seeing whatever public address she gets (dynamically) NAT'ed to. I don't know why it's not working, but I don't think it's because of private IP blocking. A quick Google suggests that SoftEther VPN is supposed to be capable of traversing CGNAT.....

csupi003
Re: User can’t connect because of CGNAT
« Reply #2 on: October 25, 2024, 08:09:11 pm »
In the logs it was a 100.64.0.0/10 address blocked because private address block is enabled in WAN interface.

The Softether CGNAT traversal feature is for the other way around when the server is behind CGNAT right? Cause that’s not the case, the server network is a public IP.

Patrick M. Hausen
Re: User can’t connect because of CGNAT
« Reply #3 on: October 25, 2024, 08:13:23 pm »
But the CGNAT is supposed to NAT that address to a public one - that's the point.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

csupi003
Re: User can’t connect because of CGNAT
« Reply #4 on: October 25, 2024, 08:58:42 pm »
I had a chance to check it with a CGNAT 4G mobile (other than the previous):

WAN      2024-10-25T20:56:19   100.112.xxx.xxx:51095   85.66.xxx.xxx:51821   udp   Block private networks from WAN

And here’s one which passed and not behind CGNAT:

WAN      2024-10-25T20:57:20   185.6.xxx.xxx:5677   85.66.xxx.xxx:51821   udp   Wireguard OpnSense

Patrick M. Hausen
Re: User can’t connect because of CGNAT
« Reply #5 on: October 25, 2024, 09:02:25 pm »
Quote from: csupi003 on October 25, 2024, 08:58:42 pm
I had a chance to check it with a CGNAT 4G mobile (other than the previous):

WAN      2024-10-25T20:56:19   100.112.xxx.xxx:51095   85.66.xxx.xxx:51821   udp   Block private networks from WAN

Absolutely not doubting you but that is weird. Could you for comparison check with that same 4G connection e.g.

https://test-ipv6.com

The CGNAT address should never leak into the public Internet, so that particular carrier (or carriers?) are not doing their job it seems.

Do they NAT only TCP connections now, to lower the load on their CGNAT devices? WTH?

csupi003
Re: User can’t connect because of CGNAT
« Reply #6 on: October 25, 2024, 09:17:44 pm »
I checked it on test-ipv6 and it has a public IP of 104.28.xxx.xxx and IPv6 is available as well.

And yes these are from the same ISP.

Patrick M. Hausen
Re: User can’t connect because of CGNAT
« Reply #7 on: October 25, 2024, 09:21:21 pm »
Then why are they not NATing these UDP packets?

dseven
Re: User can’t connect because of CGNAT
« Reply #8 on: October 25, 2024, 09:26:28 pm »
I'm not that well up on CGNAT, but I believe the private range is 100.64.0.0/10. 104.28.x.x is not part of that.

Patrick M. Hausen
Re: User can’t connect because of CGNAT
« Reply #9 on: October 25, 2024, 09:37:25 pm »
Quote from: dseven on October 25, 2024, 09:26:28 pm
I'm not that well up on CGNAT, but I believe the private range is 100.64.0.0/10. 104.28.x.x is not part of that.

Exactly. If they use TCP to connect to https://test-ipv6.com they are correctly NATed to a public address, but if they use WireGuard (UDP) their packets arrive with a source of 100.112.xxx.xxx:51095 which is in the CGNAT range.

Somehow the provider is enforcing CGNAT but doing only half the job. Because who needs UDP apart from DNS, right?

@csupi003 can't you provide the VPN endpoint via IPv6 at all?

Worst case: also provide OpenVPN over TCP/443.
« Last Edit: October 25, 2024, 09:39:00 pm by Patrick M. Hausen »

dseven
Re: User can’t connect because of CGNAT
« Reply #10 on: October 25, 2024, 09:56:21 pm »
Sorry, lost the thread a bit. If they really are leaking UDP packets with 100.64.0.0/10 source addresses, that's just broken - there's (obviously?) no way to get a response back. Nothing OPNsense can do about that.....
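An added example (not from the thread or from OPNsense) that does programmatically what the replies above do by eye: parse firewall log lines in the column layout quoted in this thread, classify each WAN source as RFC 6598 shared (CGNAT) space, RFC 1918 or public, and flag that a reply to a non-routable source can never get back to the client, which is why simply allowing 100.64.0.0/10 on WAN would not fix the connection. The sample log lines are constructed, with the masked octets replaced by made-up values.

```python
import ipaddress
import re

# Source ranges that should never appear on a public-facing WAN.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SHARED = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598, carrier-grade NAT

# Constructed sample lines in the layout quoted in the thread; the masked
# "xxx" octets are replaced with made-up values.
SAMPLE_LOG = """\
WAN      2024-10-25T20:56:19   100.112.10.20:51095   85.66.1.2:51821   udp   Block private networks from WAN
WAN      2024-10-25T20:57:20   185.6.3.4:5677   85.66.1.2:51821   udp   Wireguard OpnSense
"""

LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\S+)\s+(?P<rule>.+)$")


def classify(addr):
    """Return 'cgnat', 'rfc1918' or 'public' for an IPv4 address string."""
    ip = ipaddress.ip_address(addr)
    if ip in SHARED:
        return "cgnat"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    return "public"


def reply_routable(addr):
    """Only a globally routable source can receive a reply; a pass rule for
    shared or RFC 1918 space would accept the packet, but the handshake
    still could not complete because the answer has nowhere to go."""
    return classify(addr) == "public"


def audit(log):
    """Return (src, proto, rule, class, reply_routable) per parsed line."""
    findings = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not follow the log layout
        src = m.group("src")
        findings.append((src, m.group("proto"), m.group("rule"),
                         classify(src), reply_routable(src)))
    return findings
```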

Patrick M. Hausen
Re: User can’t connect because of CGNAT
« Reply #11 on: October 25, 2024, 10:18:05 pm »
No need to apologise. I dug into this thread for a morbid fascination of what providers can get wrong in 2024 - more than 50 years into the game - for absolutely half-arsed reasons.

- PPPoE: deserves to die
- dynamic address/prefix allocation: deserves to die
- no IPv6 at all: please go out of business
- allocating anything less than a /56 to a consumer line: sheer incompetence or malice ("market differentiation")
- allocating anything less than a /48 to a business line: sheer incompetence
- placing a prefix larger than /64 on the customer "outside" network: sheer incompetence
- new to me today - CGNAT but not quite: sheer incompetence
- ...

To be continued ...

P.S. How dare I? I am AS16188, LIR and ISP.
« Last Edit: October 25, 2024, 10:21:35 pm by Patrick M. Hausen »

csupi003
Re: User can’t connect because of CGNAT
« Reply #12 on: October 26, 2024, 11:38:05 pm »
For now I solved it with Tailscale. I briefly checked IPv6 and for one user on home network it would probably work but the same provider on mobile doesn’t have IPv6.

OpenVPN over TCP/443 is also an option, I will try it one day.

Thanks for the hints and explanation!

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved