Losing the war against CGNAT, IPv6 and Plex working

Started by sukerman, January 29, 2025, 07:06:21 PM

Hola all,

I've recently changed ISP to DIGI in Spain. It's great, it's 10G up/down and EUR 25.00 a month.

But I noticed Plex has stopped working outside the house, because of CGNAT.

So I thought no problem, get IPv6 working, I've got a VPS at Hetzner ready to forward people without IPv6 etc.

But after a week of headbanging, I think I can't get it to work because (I think) I am behind the DIGI router and the delegation cannot be passed to OPNsense. From what I can establish the delegation should be /56, but OPNsense just gets /128 or /64 if I use SLAAC.

So I got to here:

DIGI Router (all clients on WLAN / LAN having working IPv6)

OPNsense gets IPv6 on WAN (SLAAC) and LAN (tracking) but can't route.
All clients on the LAN appear to have a valid IPv6. Maybe there's some routing setting I'm missing but... I give up.
See here - https://forum.opnsense.org/index.php?topic=45442.0

My conclusion is, the DIGI router is not offering DHCPv6-PD, so OPNsense doesn't know what prefixes are available, gives me an address, but I have nothing I can then offer to the LAN. This is as far as I can make out (with my confusion) the issue. I've tried pfSense, same issue.

So how can I defeat CGNAT so I can host my own services, without relying on relays etc that will ruin my bandwidth?

How can I achieve this?

1) Some routing hack to get things working as is.
2) Ask DIGI to make their router work in bridge mode, hopefully then I get the IPv6 delegations to OPNsense.
3) Spend EUR 250 on a SFP+ ONT transceiver that I can use to plug in the fibre directly to OPNsense and put in the PPPoE credentials.
4) Some other magic, IPv6 works in OPNsense, but not on LAN. Maybe some IPv6 -> 4 translation, reverse proxies...
5) Give up, run another box outside of OPNsense plugging directly into the DIGI modem. This would work, but suck.

Sigh.

Any ideas please?

You could always VPN from your house to your VPS (WireGuard) and then run the forward from the VPS through the VPN, completely bypassing all the CGNAT stuff.
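A worked sketch of the VPS tunnel this reply describes, added here as an example (not code from the thread, OPNsense or Hetzner): the WireGuard settings for both ends plus the nftables rules the VPS needs to forward Plex's TCP port 32400 through the tunnel. The VPS address, tunnel subnet, interface names (eth0, wg0) and the key placeholders are assumptions; the home side dials out with a keepalive because nothing can reach it inbound, and the VPS SNATs forwarded traffic to its tunnel address so replies come back via wg0 rather than the home box's CGNAT default route.

```shell
# Assumed values: documentation-range VPS IP, private tunnel /30, placeholder keys.
VPS_PUBLIC_IP="203.0.113.10"
VPS_TUN_IP="10.100.0.1"; HOME_TUN_IP="10.100.0.2"
PLEX_PORT=32400
# wg0.conf for the VPS. It owns the public address, so it listens; no Endpoint needed.
vps_wg_conf() {
  cat <<EOF
[Interface]
Address = ${VPS_TUN_IP}/30
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY>
[Peer]
PublicKey = <HOME_PUBLIC_KEY>
AllowedIPs = ${HOME_TUN_IP}/32
EOF
}
# Settings for the OPNsense box behind CGNAT (enter the same values in its WireGuard UI).
# AllowedIPs is only the VPS tunnel IP, so the home default route is untouched.
home_wg_conf() {
  cat <<EOF
[Interface]
Address = ${HOME_TUN_IP}/30
PrivateKey = <HOME_PRIVATE_KEY>
[Peer]
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = ${VPS_PUBLIC_IP}:51820
AllowedIPs = ${VPS_TUN_IP}/32
PersistentKeepalive = 25
EOF
}
# nftables for the VPS (needs net.ipv4.ip_forward=1): expose only the Plex port,
# SNAT so the home side answers through the tunnel, drop everything else forwarded.
vps_nft_rules() {
  cat <<EOF
table ip plexfwd {
  chain pre { type nat hook prerouting priority -100;
    iif eth0 tcp dport ${PLEX_PORT} dnat to ${HOME_TUN_IP}:${PLEX_PORT} }
  chain post { type nat hook postrouting priority 100;
    oif wg0 ip daddr ${HOME_TUN_IP} snat to ${VPS_TUN_IP} }
  chain fwd { type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iif eth0 oif wg0 ip daddr ${HOME_TUN_IP} tcp dport ${PLEX_PORT} accept }
}
EOF
}
```

Load the rule set on the VPS with `vps_nft_rules | nft -f -`; Plex on the LAN behind OPNsense must still be reachable from the home tunnel address (a LAN firewall rule allowing 10.100.0.1 to the Plex host on 32400).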

January 30, 2025, 03:10:33 AM #2 Last Edit: January 30, 2025, 03:15:58 AM by JohnBee
Just set up a WG tunnel - very low overhead due to encryption - negligible

Or Tailscale, which in the end opens p2p Wireguard tunnel, skipping the jump host :)

Thank you for your replies. I'll pipe everything over WireGuard from the VPS until I get the ISP modem bridged.

I would be interested if someone can confirm that what I was trying to do here is indeed impossible? - https://forum.opnsense.org/index.php?topic=45442.0

I have to say my first venture into IPv6 has been disappointing. I thought all my devices could have their own address and goodbye to problems with NAT and forwarding. Having to rent a server somewhere else so you can have a homelab is not a great advert for it, and I know it's because I'm behind the ISP modem, but surely a lot of others will be as well.

Thanks,

Quote from: sukerman on January 29, 2025, 07:06:21 PM
3) Spend EUR 250 on a SFP+ ONT transceiver that I can use to plug in the fibre directly to OPNsense and put in the PPPoE credentials.

Maybe your DIGI router has a PPPoE passthrough option, so you can do no. 3 without the need of an ONT. Most providers allow for a 2nd PPP call to be made.

Thank you all, I'll try everything and update this with any solutions I find.