Access network behind private NAT ISP IP

Did you see my comment?
I think your ISP modem is doing double NAT so your router will only get a private address. Set it to bridge mode if possible.

Very unlikely in this case, new ISPs (fibre, cable, …) just don't get a large enough IPv4 subnet to serve each of their users with one, so they use DS-Lite instead (CGNAT IPv4 out of the 100.64.0.0/10 range).

Other than only using IPv6 for external access, there isn't a whole lot you can do. Options beside this would involve switching to a business contract (those typically have a dedicated IPv4 address, possibly even a static one) or the VPN route @Ansuel already implied. While the VPN option would be possible, it's not easy and messy, as, for optimal results, you'd need a second 'free' IPv4 address on the VPN server, an IPv4 address you could allocate freely without affecting the operations of the VPN host (possible, but finding a hoster that will offer this might take a while). There are some commercial vendors who offer these services though (full-service). Sharing the same IPv4 address with the VPN host is technically only possible with very tricky firewall/forwarding rules; possible, but not for the faint of heart.

I'm actually struggling with the same issue myself, FTTH with DS-Lite or sticking to VDSL with native dual-stack… tough decision, I haven't made up my mind yet (the business contracts would not be economically viable)…

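The distinction drawn above (double NAT on the ISP modem versus DS-Lite/CGNAT) can be checked on the router itself. The following is an added example, not code from the thread: it classifies the address the WAN interface received by testing it against the RFC 1918 ranges and the shared address space 100.64.0.0/10. The OpenWrt helper `network_get_ipaddr` and the interface name `wan` are the base-system defaults; the CIDR test is done in plain POSIX shell arithmetic so it runs anywhere.

```shell
#!/bin/sh
# Added example (not from the thread): tell double NAT (RFC1918 on the WAN side)
# apart from CGNAT/DS-Lite (100.64.0.0/10 on the WAN side). With true DS-Lite the
# WAN may carry no IPv4 address at all; IPv4 is then tunnelled to the ISP's AFTR
# over IPv6, and this check simply finds nothing to classify.

# Dotted quad -> unsigned 32-bit integer (shell arithmetic is 64-bit, so no overflow).
ipv4_to_int() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# ipv4_in_cidr ADDR NET/BITS -> exit status 0 if ADDR lies inside NET/BITS
ipv4_in_cidr() {
    addr=$(ipv4_to_int "$1")
    net=$(ipv4_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# classify_wan_ipv4 ADDR -> prints cgnat | rfc1918 | public
classify_wan_ipv4() {
    if ipv4_in_cidr "$1" 100.64.0.0/10; then
        echo cgnat        # shared address space (RFC 6598): carrier-grade NAT / DS-Lite
    elif ipv4_in_cidr "$1" 10.0.0.0/8 || ipv4_in_cidr "$1" 172.16.0.0/12 \
      || ipv4_in_cidr "$1" 192.168.0.0/16; then
        echo rfc1918      # private address on the WAN: the ISP modem is NATing (double NAT)
    else
        echo public
    fi
}

# On OpenWrt, read the address the 'wan' interface actually received.
# network.sh and network_get_ipaddr are part of OpenWrt's base system; the
# interface name 'wan' is the default but may differ on your router.
if [ -r /lib/functions/network.sh ]; then
    . /lib/functions/network.sh
    if network_get_ipaddr wan_ip wan; then
        echo "wan has $wan_ip -> $(classify_wan_ipv4 "$wan_ip")"
    else
        echo "wan has no IPv4 address (typical for DS-Lite: IPv4 is tunnelled over IPv6)"
    fi
fi
```

A result of `rfc1918` means bridge mode on the modem would help; `cgnat` (or no IPv4 address at all) means the ISP is sharing the address and bridge mode changes nothing.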

In my case I have a host with a dedicated public IP, so I think a SoftEther bridge would work, if NAT traversal works.
So, to sum up: to access a local network behind DS-Lite I need another public IP and total control over it, right?


Yes (and even then it's tricky).

In this case I'd personally prefer a WireGuard or OpenVPN based solution as it looks more transparent in my opinion.

OpenVPN or WireGuard are not well supported by Android/Windows (without third-party software).

My idea is to use my VPN server on my private connection (which has a public IP) and create a bridge to the connection with the private IP (DS-Lite).

It should work and be """easy""" to set up, right?

As long as you get by with a couple of port forwards, yes; if you need more direct exposure, it's getting more difficult.

If you can get a Tor client running at home (as in, your ISP doesn't block it, or such), you could expose an SSH daemon as a hidden service.

That would enable you to reach the internal network from outside.

To then cut down on the latency (or to get a full L2 Ethernet), you can probably manually UDP-hole-punch your way to a direct UDP connection, which you can then run a VPN over.

You'd have to script some glue code around this, or pick up/adapt somebody else's script to your scenario.


Can you expose a hidden service with a Tor client, or do you need a server? Can you run a Tor server without a public IP address? Isn't there a less convoluted solution?

I still don't have any idea how to reach my local network using tor

Most mobile devices are on private 10.x.y.z addresses. Tor for Android exists, and is in wide usage. So "yes" for the non-public IP. (Of course, your direct peers are limited to ones your device can reach via outgoing connection.)

Tor does not (to my understanding) have this "traditional" client-server model. The client works better if it can receive incoming connections, but it can also work with only outgoing connections.
You may be thinking of being an exit node, or not.

So, basically the process is:

(more complicated)

  • Note the public-facing IP of the VPN client (mobile device)
  • Note the public-facing IP of the VPN server (at home)
  • Manually punch an outgoing UDP hole towards each other
  • Start the VPN client -> full Layer 2 Ethernet to home
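The onion-service route suggested in the two posts above works from behind DS-Lite because the Tor daemon at home only ever opens outgoing connections; nothing has to be forwarded inbound. The following is an added example, not code from the thread or from the Tor project: the torrc lines for publishing the home SSH daemon, a format check for the v3 address Tor writes into the `hostname` file, and an ssh_config stanza for the client side. The directory `/var/lib/tor/ssh`, the SOCKS port 127.0.0.1:9050, the `home-onion` alias, the user `root` and the use of OpenBSD netcat as ProxyCommand are assumptions; the UDP hole-punching step is not shown.

```shell
#!/bin/sh
# Added example (not from the thread): expose the home router's SSH daemon as a
# Tor onion service. The onion side only makes OUTGOING connections to the Tor
# network, so it works from behind DS-Lite/CGNAT without any port forwarding.
# Paths and ports below are common package defaults (assumed); check yours.

# torrc lines for the home side. HiddenServiceDir must be owned by the tor user
# and be mode 0700; tor writes the generated address into $dir/hostname.
tor_onion_ssh_torrc() {
    dir=${1:-/var/lib/tor/ssh}
    cat <<EOF
HiddenServiceDir $dir
HiddenServiceVersion 3
HiddenServicePort 22 127.0.0.1:22
EOF
}

# v3 onion addresses are exactly 56 base32 characters (a-z, 2-7) plus ".onion".
# Use this before pasting an address into a config: a typo means connecting to
# somebody else's service, and SSH will only catch that via the host key.
is_onion_v3() {
    case $1 in
        *.onion) ;;
        *) return 1 ;;
    esac
    label=${1%.onion}
    [ ${#label} -eq 56 ] || return 1
    case $label in
        *[!a-z2-7]*) return 1 ;;
    esac
    return 0
}

# ssh_config stanza for the mobile/laptop side: tunnel the SSH TCP stream through
# the local Tor SOCKS port with OpenBSD netcat (-X 5 = SOCKS5, -x = proxy address).
# Orbot on Android and the tor daemon on Linux listen on 127.0.0.1:9050 by default.
ssh_over_tor_config() {
    is_onion_v3 "$1" || { echo "not a v3 onion address: $1" >&2; return 1; }
    cat <<EOF
Host home-onion
    HostName $1
    User root
    ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p
EOF
}

# Home side: append this to torrc, restart tor, then read $dir/hostname.
tor_onion_ssh_torrc /var/lib/tor/ssh
```

Because the SSH daemon stays bound to 127.0.0.1 and is reached only through Tor, it is never exposed on the ISP-facing interface at all; latency is the price, which is what the hole-punched VPN in the post above is meant to fix afterwards.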

Hello, it's me again...

Today I set up my VPN bridge and it does actually work... I can successfully access my device (behind the ISP NAT with a private IP) by connecting to the VPN server where I have a public IP.

Only problem... now my device uses the remote connection of the VPN and not the ISP one (private IP).

How can I make the device accessible from the remote server and at the same time use the isp network ?
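The "couple of port forwards" variant mentioned earlier, and the problem raised in the post just above (the home side ends up routing everything through the VPN), can both be handled at the VPN host. The following is an added example, not code from the thread: a WireGuard relay on a host with a public IPv4, where the home side keeps its ISP default route because its AllowedIPs covers only the tunnel, and the relay DNATs a public port to a home host and masquerades the connection so the reply comes back through the tunnel rather than out the CGNAT uplink. All addresses (203.0.113.10, 10.200.0.0/24, 192.168.2.10), interface names (eth0, wg0) and ports are made up for the example, and the key material is left as placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): a WireGuard "relay" on a host that owns a
# public IPv4 address, with the home router (behind DS-Lite) dialling out to it.
# Addresses are invented for the example: VPS 203.0.113.10, tunnel 10.200.0.0/24
# (VPS 10.200.0.1, home router 10.200.0.2), home LAN 192.168.2.0/23, target 192.168.2.10.

# Home side. AllowedIPs is only the tunnel net, NOT 0.0.0.0/0, so the home default
# route stays on the ISP uplink. PersistentKeepalive keeps the CGNAT mapping open so
# the VPS can still send packets even though only the home side can initiate.
wg_home_conf() {
    cat <<EOF
[Interface]
PrivateKey = <home-private-key>
Address = 10.200.0.2/24

[Peer]
PublicKey = <vps-public-key>
Endpoint = 203.0.113.10:51820
AllowedIPs = 10.200.0.0/24
PersistentKeepalive = 25
EOF
}

# VPS side. AllowedIPs also lists the home LAN so the VPS can route to hosts behind
# the router (the router must allow forwarding between its wg and lan zones).
wg_vps_conf() {
    cat <<EOF
[Interface]
PrivateKey = <vps-private-key>
Address = 10.200.0.1/24
ListenPort = 51820

[Peer]
PublicKey = <home-public-key>
AllowedIPs = 10.200.0.2/32, 192.168.2.0/23
EOF
}

# relay_forward_rules WAN_IF WG_IF TARGET_IP PROTO PUBLIC_PORT TARGET_PORT
# Emits the iptables rules that publish TARGET_IP:TARGET_PORT on the VPS's PUBLIC_PORT.
# The MASQUERADE on the tunnel interface is what lets the home side keep its ISP
# default route: the target sees the connection coming from 10.200.0.1 and answers
# back through the tunnel instead of via the CGNAT uplink (where the reply would be
# dropped as asymmetric). The cost is that the target logs every client as the VPS.
relay_forward_rules() {
    wan=$1 wg=$2 target=$3 proto=$4 pub_port=$5 tgt_port=$6
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $wan -p $proto --dport $pub_port -j DNAT --to-destination $target:$tgt_port
iptables -A FORWARD -i $wan -o $wg -p $proto -d $target --dport $tgt_port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $wg -o $wan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $wg -d $target -j MASQUERADE
EOF
}

# Print everything for review; run the rules on the VPS with: sh thisfile --apply
echo "# ---- /etc/wireguard/wg0.conf on the home router ----"; wg_home_conf
echo "# ---- /etc/wireguard/wg0.conf on the VPS ----"; wg_vps_conf
echo "# ---- rules on the VPS: public tcp/2222 -> 192.168.2.10:22 ----"
relay_forward_rules eth0 wg0 192.168.2.10 tcp 2222 22
if [ "${1:-}" = "--apply" ]; then
    relay_forward_rules eth0 wg0 192.168.2.10 tcp 2222 22 | sh -e
fi
```

Only the ports listed in `relay_forward_rules` are reachable from the internet; everything else at home stays behind the CGNAT. If the home firewall is OpenWrt, the wg interface needs its own zone with forwarding to lan allowed for the DNATed traffic to get through.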

Can you explain?

Mh, I decided to put the 2 networks in one big subnet:
192.168.2.0/23

The first router's DHCP serves 192.168.2.1/24,
the second router serves 192.168.3.1/24.

This way I can access them...

Does someone know how to have name resolution on the entire network even if there are 2 DHCP servers?

This is basically split DNS mode:
https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#conditional_dns_forwarding

Assuming that 192.168.1.1 is your primary DNS, you need to configure the following:

  • 192.168.2.0/24 - domain lan2
  • 192.168.3.0/24 - domain lan3

Then you should be able to resolve hosts from lan2 and lan3 domains via 192.168.1.1.

What if I use Unbound as my DNS server?

Probably you need to configure multiple forward-zone sections, one per subnet.
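The split-DNS setup from the two answers above (lan2 and lan3 forwarded from a primary resolver at 192.168.1.1 to the routers that run the DHCP for each subnet), written out for both dnsmasq on OpenWrt and Unbound, as an added example that is not code from the thread or from the OpenWrt documentation. It also derives the in-addr.arpa zones so reverse lookups cross the two LANs; the UCI option names are the ones OpenWrt's dnsmasq package uses, and where the Unbound snippet gets included from is left to the reader's installation.

```shell
#!/bin/sh
# Added example (not from the thread): conditional forwarding for two DHCP/DNS
# domains, lan2 (192.168.2.0/24, router 192.168.2.1) and lan3 (192.168.3.0/24,
# router 192.168.3.1), with 192.168.1.1 as the primary resolver as in the post.
# Reverse zones are derived so PTR lookups work across both LANs too.

# reverse_zone NET/BITS -> the in-addr.arpa zone covering it; prefix lengths that
# are not a multiple of 8 round down to the enclosing octet boundary (a superset).
reverse_zone() {
    rz_bits=${1#*/}
    IFS=. read -r r1 r2 r3 r4 <<EOF
${1%/*}
EOF
    case $(( rz_bits / 8 )) in
        1) echo "$r1.in-addr.arpa" ;;
        2) echo "$r2.$r1.in-addr.arpa" ;;
        3) echo "$r3.$r2.$r1.in-addr.arpa" ;;
        4) echo "$r4.$r3.$r2.$r1.in-addr.arpa" ;;
        *) return 1 ;;
    esac
}

# On each downstream router: make dnsmasq own the domain so DHCP clients register
# as host.lan2 and queries for it are answered locally instead of being forwarded.
dnsmasq_local_domain_cmds() {   # DOMAIN
    echo "uci set dhcp.@dnsmasq[0].domain='$1'"
    echo "uci set dhcp.@dnsmasq[0].local='/$1/'"
}

# On the primary resolver (OpenWrt dnsmasq): forward DOMAIN and its reverse zone to
# SERVER. rebind_domain is needed because the answers carry RFC1918 addresses, which
# dnsmasq's rebind protection (on by default in OpenWrt) would otherwise discard.
dnsmasq_uci_cmds() {            # DOMAIN NET/BITS SERVER
    fz_rev=$(reverse_zone "$2")
    echo "uci add_list dhcp.@dnsmasq[0].server='/$1/$3'"
    echo "uci add_list dhcp.@dnsmasq[0].server='/$fz_rev/$3'"
    echo "uci add_list dhcp.@dnsmasq[0].rebind_domain='$1'"
}

# Same thing for Unbound: one forward-zone per domain plus one for the reverse zone.
# domain-insecure stops DNSSEC validation from failing on these unsigned zones, and
# private-domain lets answers contain RFC1918 addresses if private-address: is set.
unbound_forward_zone() {        # DOMAIN NET/BITS SERVER
    uz_rev=$(reverse_zone "$2")
    cat <<EOF
server:
    domain-insecure: "$1"
    domain-insecure: "$uz_rev"
    private-domain: "$1"
forward-zone:
    name: "$1."
    forward-addr: $3
forward-zone:
    name: "$uz_rev."
    forward-addr: $3
EOF
}

echo "# on the 192.168.2.1 router"; dnsmasq_local_domain_cmds lan2
echo "# on the 192.168.3.1 router"; dnsmasq_local_domain_cmds lan3
echo "# on 192.168.1.1 with dnsmasq"
dnsmasq_uci_cmds lan2 192.168.2.0/24 192.168.2.1
dnsmasq_uci_cmds lan3 192.168.3.0/24 192.168.3.1
echo "uci commit dhcp && /etc/init.d/dnsmasq restart"
echo "# on 192.168.1.1 with Unbound (put in a file included from unbound.conf)"
echo 'server:'
echo '    # Unbound answers 192.168.x reverse lookups itself by default; disable that once'
echo '    local-zone: "168.192.in-addr.arpa." nodefault'
unbound_forward_zone lan2 192.168.2.0/24 192.168.2.1
unbound_forward_zone lan3 192.168.3.0/24 192.168.3.1
```

With rebind protection kept on and only the two named domains whitelisted, the primary resolver still drops private addresses coming from any other upstream, which is the point of having `rebind_domain` per zone rather than switching the protection off.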
