Hey,
I have a connection from my ISP where I get a static public IPv4, but on the interface I see a 100.something CGNAT IP.
What I basically want is that, as far as nftables cares, the two IPs are the same, so it should rewrite to my public one. I've thought of doing it by two methods: first, DNAT/SNAT all of it to a dummy interface which has my static IP; second, SNAT/DNAT everything regardless and hope for the best.
I am not sure how it is best to implement this.
This CGNAT IP is given to me by DHCP.
Thanks!
If they route another IP, all you need to do is create an interface and statically address it. Traffic will simply be routed there.
They don't route it; they only route the CGNAT IP in the VLAN I have access to. If I add the public IPv4 statically, that would only cause connectivity to be lost.
So I get a 100.something, and my outgoing should be that and my incoming is also that.
But, for example, the conntrack for SIP sets the 100. IP, not the public one, even if I add an alias interface with the public IP.
How would I get conntrack, miniupnp and the firewall to treat my 100.something IP as the public IP?
Both cannot be true. Either you have a static public IP or you have a CGNAT IP. Given that your ISP is allocating you a CGNAT IP, it seems the second one is true. Ergo, you don't have a public IP. Trying to rewrite packets with the firewall is not the solution. You need to speak with your ISP and get it to configure the connection properly.
I have a public IP behind CGNAT where all ports are 1:1 mapped internally; my ISP is weird. Port forwarding works; I have like 50 WireGuard tunnels and an MX server with proper rDNS.
This is how they deployed it. At least it's not some GRE tunnel, but I have to work with it since they refuse to do anything else. It's to save IPv4 space that the gateways would take up, apparently.
In this case, do not try to address, NAT or configure your device with the public IP. The ISP has done that for you.
From your descriptions, everything is configured properly.
But conntrack rewrites to the 100. IP and my ISP does not have a conntrack helper, therefore at the far-end SIP server I get the wrong contact IP. That's what I want to fix: make conntrack rewrite the right IP (the public one).
Do I need to make it so I reverse the 1:1 NAT on my side, with kmod-nf-nathelper-extra off on the 1:1 emulator?
It is not 1:1; it is CGNAT preferred/standard behaviour that a user is affined to one IP. If every client starts playing the same game, the public IPs will run out and real M:N NAT will kick in.
Measure with https://natchecker.com/ ; anything open or cone will raise the chance that miniupnpd-nftables handles incoming connections correctly.
I have 100.65.0.119 on my router as the WAN interface IP; I have paid for a static IP. My services are accessible from the internet using a publicly routed IP, and my ISP is doing 1:1 port mapping using a CGNAT IP. I can define a public IP in miniupnpd and it works okay, but my issue is that they don't have an equivalent of kmod-nf-nathelper-extra on their side, and I can't get that package to rewrite my public IP and keep the src IP as 100.65.0.119 in the IP header.
You do not control the "nathelper" on their CGNAT gateway, e.g. IPsec or PPTP depends on their generosity (plus your nathelper).
Okay, but I want my NAT gateway to do it instead of them. They don't touch my packets other than classic NAT on the IP header, nothing inside the packets, so in applications where I can set a public external IP the packets arrive with that encapsulated in L3.
What I want is to do nathelper with my external IP and NAT with that CGNAT-range IP that is port-mapped.
It is not guaranteed that you are the only one on that public IP...
I am; it's literally a static IP I pay for. I have reverse DNS on it with servfail's nameservers.
They just implemented it like that.
However, is there a way to get nathelper to do what I need it to do?
So you want to run the inverse of their CGNAT-crippled static IP on your router?
You have to attach a namespace between the perceived WAN and the real cable which does static (un-)translation.
And do the 2x rewrite (not ports, just saddr in one case, daddr in the other).
Note that saddr/daddr is encoded in the header chop in ICMP errors... For full happiness you will need to master payload patching too.
netns example: https://blog.getreu.net/20250121-IPv6-home-network/ (not exactly your scenario, but at least the idea of how to set it up: unplugging the real WAN and configuring a veth pair and untranslation).
(And my apologies for not getting it at first.)
Maybe it would be easier to use an under-5-dollar VM and run the SIP/VoIP stuff over there, and reduce the headache you now have?
IPv6 is not an option at all?
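The namespace approach sketched in the replies above, written out as an added example. This is not code from the thread or from OpenWrt; the interface name, namespace name, veth pair, public address (a TEST-NET-3 placeholder) and CGNAT gateway are assumptions and are listed in the header comment. The only address taken from the thread is the CGNAT address 100.65.0.119.

```shell
#!/bin/sh
# Added example (not from the thread): an "untranslation" namespace that sits
# between the router's perceived WAN and the real ISP cable and undoes the
# ISP's 1:1 mapping, so the router's own stack (conntrack, SIP helper,
# miniupnpd, firewall) sees the public address on its WAN interface.
#
# Assumed names (adjust to your box):  WAN_NIC  the real cable, moved into the
# namespace;  NS  the namespace;  wan0/wan0-cgn  the veth pair;  PUBLIC_IP  a
# TEST-NET-3 placeholder for the paid-for public address;  CGNAT_GW and the
# /24 prefix  what DHCP would normally hand out.  100.65.0.119 is the CGNAT
# address from the thread.  Needs ip-full, nftables and root; DRY_RUN=1
# (the default) only prints what would be executed.
set -eu

WAN_NIC="${WAN_NIC:-eth1}"
NS="${NS:-untrans}"
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"
CGNAT_IP="${CGNAT_IP:-100.65.0.119}"
CGNAT_GW="${CGNAT_GW:-100.65.0.1}"
LINK_NET="${LINK_NET:-169.254.100}"   # /30 glue between the two namespaces
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }
in_ns() { run ip netns exec "$NS" "$@"; }

# nftables ruleset loaded inside the namespace.  Only addresses are rewritten,
# never ports: the ISP's mapping is 1:1, so the port stays as the router chose.
# Stateful NAT is used on purpose: conntrack translates the reply direction and
# the embedded header of ICMP errors that belong to a tracked flow, which a
# stateless "ip saddr set" rewrite would not do.
gen_ruleset() {
  cat <<EOF
table ip untrans {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # unicast DHCP renewals belong to the namespace's own stack, leave them alone
        iifname "$WAN_NIC" udp dport 68 return
        # inbound: the ISP already mapped PUBLIC -> CGNAT, undo it so the router sees PUBLIC
        iifname "$WAN_NIC" ip daddr $CGNAT_IP dnat to $PUBLIC_IP
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # outbound: the router sends from PUBLIC, the ISP expects its CGNAT address
        oifname "$WAN_NIC" ip saddr $PUBLIC_IP snat to $CGNAT_IP
    }
}
EOF
}

setup() {
  run ip netns add "$NS"
  run ip link set "$WAN_NIC" netns "$NS"
  run ip link add wan0 type veth peer name wan0-cgn
  run ip link set wan0-cgn netns "$NS"

  # Namespace side: the real cable (static here; in the deployment the DHCP
  # client runs inside the namespace, e.g. "ip netns exec $NS udhcpc -i $WAN_NIC")
  in_ns ip link set lo up
  in_ns ip link set "$WAN_NIC" up
  in_ns ip addr add "$CGNAT_IP/24" dev "$WAN_NIC"
  in_ns ip route add default via "$CGNAT_GW" dev "$WAN_NIC"
  # ... and the glue link back to the router; PUBLIC_IP is reached over it
  in_ns ip link set wan0-cgn up
  in_ns ip addr add "$LINK_NET.1/30" dev wan0-cgn
  in_ns ip route add "$PUBLIC_IP/32" dev wan0-cgn
  in_ns sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'

  # Router side: wan0 is now the WAN interface and carries only the public
  # address, so every outbound packet is sourced from it.
  run ip link set wan0 up
  run ip addr add "$PUBLIC_IP/32" dev wan0
  run ip route replace default via "$LINK_NET.1" dev wan0 onlink

  if [ "$DRY_RUN" = 1 ]; then gen_ruleset; else gen_ruleset | ip netns exec "$NS" nft -f -; fi
}

setup
```

Run it with DRY_RUN=0 as root once the names match the box. In OpenWrt terms, wan0 becomes the `wan` interface with `proto static` and the public address, while the DHCP client for the CGNAT address lives inside the namespace. miniupnpd then reads the public address straight from the interface, and the SIP helper sees it in the IP header, which is the part the ISP's plain address NAT cannot do for you. The firewall on the router does not need to know the namespace exists; the only thing it ever sees is a WAN interface holding the public address.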
Oh, I have figured out a way to do it: IPv6 works and I can enable NAT on the softswitch on the provider side, but having a working nathelper is a good-to-have feature, especially since it's set and forget with the more recent OpenWrt versions.
SIP nathelper is not perfect; it works depending on the phone and PBX...
The SIP ALG has been known to be vulnerable for at least 5 years. Visiting a properly crafted website can cause its creator to gain access to your internal network.
Why NAT with IPv6?!