User can’t connect because of CGNAT

Started by csupi003, October 24, 2024, 08:47:38 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
October 24, 2024, 08:47:38 PM
Hi,

I have a small server at home and users are connected via Softether VPN. One of them is behind CGNAT so if I block private networks on WAN she cannot connect.

What if I remove it from the WAN interface and set a WAN firewall rule to block all private addresses except CGNAT network? Is there a security risk involved?

Or maybe any other solution? I set up Tailscale as a replacement until I find a solution.

Thanks in advance,
October 24, 2024, 09:54:19 PM #1
Huh? You wouldn't be seeing her CGNAT private address - you'd be seeing whatever public address she gets (dynamically) NAT'ed to. I don't know why it's not working, but I don't think it's because of private IP blocking. A quick Google suggests that SoftEther VPN is supposed to be capable of traversing CGNAT.....
October 25, 2024, 08:09:11 PM #2
In the logs it was a 100.64.0.0/10 address blocked because private address block is enabled in WAN interface.

The Softether CGNAT traversal feature is for the other way around when the server is behind CGNAT right? Cause that's not the case, the server network is a public IP.
October 25, 2024, 08:13:23 PM #3
But the CGNAT is supposed to NAT that address to a public one - that's the point.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
October 25, 2024, 08:58:42 PM #4
I had a chance to check it with a CGNAT 4G mobile (other than the previous):

WAN      2024-10-25T20:56:19   100.112.xxx.xxx:51095   85.66.xxx.xxx:51821   udp   Block private networks from WAN

And here's one which passed and not behind CGNAT:

WAN      2024-10-25T20:57:20   185.6.xxx.xxx:5677   85.66.xxx.xxx:51821   udp   Wireguard OpnSense
October 25, 2024, 09:02:25 PM #5
Quote from: csupi003 on October 25, 2024, 08:58:42 PM
I had a chance to check it with a CGNAT 4G mobile (other than the previous):

WAN      2024-10-25T20:56:19   100.112.xxx.xxx:51095   85.66.xxx.xxx:51821   udp   Block private networks from WAN

Absolutely not doubting you but that is weird. Could you for comparison check with that same 4G connection e.g.

https://test-ipv6.com

The CGNAT address should never leak into the public Internet, so that particular carrier (or carriers?) are not doing their job it seems.

Do they NAT only TCP connections now, to lower the load on their CGNAT devices? WTH?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
October 25, 2024, 09:17:44 PM #6
I checked it on test-ipv6 and it has a public IP of 104.28.xxx.xxx and ipv6 is available as well.

And yes these are from the same ISP.
October 25, 2024, 09:21:21 PM #7
Then why are they not NATing these UDP packets?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
October 25, 2024, 09:26:28 PM #8
I'm not that well up on CGNAT, but I believe the private range is 100.64.0.0/10. 104.28.x.x is not part of that.
October 25, 2024, 09:37:25 PM #9 Last Edit: October 25, 2024, 09:39:00 PM by Patrick M. Hausen
Quote from: dseven on October 25, 2024, 09:26:28 PM
I'm not that well up on CGNAT, but I believe the private range is 100.64.0.0/10. 104.28.x.x is not part of that.

Exactly. If they use TCP to connect to https://test-ipv6.com they are correctly NATed to a public address, but if they use WireGuard (UDP) their packets arrive with a source of 100.112.xxx.xxx:51095 which is in the CGNAT range.

Somehow the provider is enforcing CGNAT but doing only half the job. Because who needs UDP apart from DNS, right?

@csupi003 can't you provide the VPN endpoint via IPv6 at all?

Worst case: also provide OpenVPN over TCP/443.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
October 25, 2024, 09:56:21 PM #10
Sorry, lost the thread a bit. If they really are leaking UDP packets with 100.64.0.0/10 source addresses, that's just broken - there's (obviously?) no way to get a response back. Nothing OPNsense can do about that.....
October 25, 2024, 10:18:05 PM #11 Last Edit: October 25, 2024, 10:21:35 PM by Patrick M. Hausen
No need to apologise. I dug into this thread for a morbid fascination of what providers can get wrong in 2024 - more than 50 years into the game - for absolutely half-arsed reasons.

- PPPoE: deserves to die
- dynamic address/prefix allocation: deserves to die
- no IPv6 at all: please go out of business
- allocating anything less than a /56 to a consumer line: sheer incompetence or malice ("market differentiation")
- allocating anything less than a /48 to a business line: sheer incompetence
- placing a prefix larger than /64 on the customer "outside" network: sheer incompetence
- new to me today - CGNAT but not quite: sheer incompetence
- ...

To be continued ...

P.S. How dare I? I am AS16188, LIR and ISP.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
October 26, 2024, 11:38:05 PM #12
For now I solved it with Tailscale. I briefly checked ipv6 and for one user on home network it would probably work but the same provider on mobile doesn't have IPv6.

OpenVPN over TCP/443 is also an option, I will try it one day.

Thanks for the hints and explanation!
Print
Go Up Pages1
User actions