Air4141841

is CGNAT known to block AirVpn?

I recently switched to a new fiber provider from cable internet. My pfSense router could run as many tunnels as I wanted and had no issues on cable internet.

Since changing ISPs to a carrier-grade NAT system, my WAN connection only stays up for 24 hours, then my internet is down entirely.

Just curious if others have carrier-grade NAT + pfSense + tunnel and issues.

 


If you have CGNAT then you probably also have IPv6? Are you connecting to AirVPN over IPv6? With CGNAT, the ISP will at some point change the external IP address the internet sees you coming from. Like it or not. Perhaps that is breaking an OpenVPN connection over IPv4/CGNAT?
 


So you have CGNAT for IPv4 but no IPv6? I would check that. Hard to defend downgrading your IPv4 without providing IPv6.

I used to have a router for my LAN that went through another router provided by my ISP. My internal router had better WiFi and I didn't want my LAN to rely on equipment that was not mine. But as a result, my ISP began providing IPv6 and I was oblivious to this for several months.

If you have a router from your ISP that your pfSense box goes through, then I suggest you get logged into that and check whether it has an IPv6 WAN address. And if it does, I think you should look into getting set up to use it for AirVPN.

I can't find the post, but I recall Staff saying that one reason they were moving to provide IPv6 was that they had customers reporting problems using AirVPN over CGNAT.
 


I'll hardwire to the ONT tomorrow and see what is going on.

Appreciate the helpful post.

I enabled everything IPv6, WAN-wise and within the OpenVPN tunnel. WAN and tunnel IPv6 both show down as of now.

17 minutes ago, Air4141841 said:

I'll hardwire to the ONT tomorrow and see what is going on.

Appreciate the helpful post.

I enabled everything IPv6, WAN-wise and within the OpenVPN tunnel. WAN and tunnel IPv6 both show down as of now.


You probably can't connect directly to the ONT and get any network activity without doing some work. The ISP router probably does VLAN tagging and has some sort of username/password authentication.

If you know what the settings are, you may be able to replicate them on your pfSense box. But if you don't know, the best you can do is either put the ISP router into bridge mode or do some other trick where you use a dumb switch and clone the MAC address of the ISP router to your pfSense box. You let the ISP router get your connection up and running and then unplug it from the dumb switch and plug in your pfSense box with the cloned MAC.


They do not offer IPv6 yet.

They replaced my modem, removed me from the CGNAT and set me up on a static IP. I am confident this will be resolved now.

 


First time hearing an ISP allocating CG-NAT v4 addresses without providing native v6 UGAs. I thought it's done because of the fact there are not enough native unique v4 addresses left for a given provider.
Also first time hearing CG-NAT "blocking" addresses. I imagine NAT as it is, not as a firewall.


» I am not an AirVPN team member. All opinions are my own and are not to be considered official. Only the AirVPN Staff account should be viewed as such.

» The forums are a place where you can ask questions to the community. You are not entitled to guaranteed answer times. Answer quality may vary, too. If you need professional support, please create tickets.

» If you're new, take some time to read LZ1's New User Guide to AirVPN. On questions, use the search function first. On errors, search for the error message instead.

» If you choose to create a new thread, keep in mind that we don't know your setup. Give info about it. Never forget the OpenVPN logs or, for Eddie, the support file (Logs > lifebelt icon).

» The community kindly asks you to not set up Tor exit relays when connected to AirVPN. Their IP addresses are subject to restrictions and these are relayed to all users of the affected servers.

 

» Furthermore, I propose that your paranoia is to be destroyed. If you overdo privacy, chances are you will be unique among the mass again.

57 minutes ago, giganerd said:

First time hearing an ISP allocating CG-NAT v4 addresses without providing native v6 UGAs. I thought it's done because of the fact there are not enough native unique v4 addresses left for a given provider.
Also first time hearing CG-NAT "blocking" addresses. I imagine NAT as it is, not as a firewall.


A quick search found this:
https://www.apnic.net/community/ipv6-program/about-cgn/

"However, SPs who do not deploy IPv6 services simultaneously with CGN/LSN ..."

So I guess they see this happening in their jurisdiction.

As far as using CGNAT for OpenVPN, how often the ISP forces IP changes would come into it, I think. Do they allow you to keep an IP address for weeks (shared with others)? Or do they want this to change often? I don't see what else could be the issue either. I still have full IPv4 with my IPv6, so I can't offer any insight based on personal experience. When the external IP address changes, the IP address given to you by AirVPN will change even if the OpenVPN client reconnects to the same server. So you would want to be sure your setup will correct for that.

Since the OP said ".. could run as many tunnels as I wanted ...", relying on the default gateway to be updated may not have been good enough. Not all of these tunnels could be the default gateway at once. There would have to be some configuration done that specified the IP address of the VPN NIC, which would need to be updated.

 


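Added example, not part of any post in this thread: a small Python check for the two questions raised above, whether the WAN address sits behind carrier-grade NAT and how often the externally visible IPv4 address changes. The function names, the sample addresses (documentation ranges) and the timestamps are constructed for illustration; real input would be the router's WAN address and a log of the address an outside service reports.

```python
import ipaddress
from datetime import datetime

# RFC 6598 shared address space, reserved for carrier-grade NAT.
CGNAT_SHARED = ipaddress.ip_network("100.64.0.0/10")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify_wan(wan_ip, seen_ip):
    """Compare the router's WAN interface address with the address an
    outside service reports for the same connection."""
    wan = ipaddress.ip_address(wan_ip)
    seen = ipaddress.ip_address(seen_ip)
    if wan in CGNAT_SHARED:
        return "cgnat"        # ISP handed out shared address space
    if any(wan in net for net in RFC1918):
        return "private-nat"  # behind an ISP router or another NAT layer
    if wan != seen:
        return "translated"   # public-looking WAN address, still rewritten
    return "direct"

def external_changes(samples):
    """samples: (ISO timestamp, external IP) pairs in time order.
    Returns [(hours_address_was_held, old_ip, new_ip), ...]."""
    changes = []
    last_ip, since = None, None
    for stamp, ip in samples:
        when = datetime.fromisoformat(stamp)
        if last_ip is None:
            last_ip, since = ip, when
        elif ip != last_ip:
            hours = (when - since).total_seconds() / 3600
            changes.append((round(hours, 1), last_ip, ip))
            last_ip, since = ip, when
    return changes

# Constructed observations, one every 12 hours.
SAMPLES = [
    ("2024-01-01T08:00", "203.0.113.10"),
    ("2024-01-01T20:00", "203.0.113.10"),
    ("2024-01-02T08:00", "198.51.100.7"),
    ("2024-01-02T20:00", "198.51.100.7"),
    ("2024-01-03T08:00", "203.0.113.44"),
]

if __name__ == "__main__":
    print(classify_wan("100.72.15.9", "203.0.113.10"))
    for hours, old, new in external_changes(SAMPLES):
        print(f"held {hours} h: {old} -> {new}")
```

A regular interval between changes that matches the time at which tunnels drop points at the ISP's address rotation rather than at the VPN configuration.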
CGNAT (at least this company) won't work reliably with pfSense. Very disappointed with this.

Since I signed up for a static WAN address, everything plays nice now.

They confirmed IPv6 isn't utilized yet, and they are not sure when it will be...
 
