All public WAN IP's of devices are one WAN IP, similar to CG-NAT

Hello,
I am having trouble with getting an individual public IP address of each device under my home network. I am running a TP-Link Archer C7 v5, running OpenWRT Snapshot r13499-7b4877c204 (Quite new, timestamp is a few days old).

I am located in Ireland, and my ISP is Eir. I have the WAN setup as a PPPoE using the credentials provided by Eir for the config. I have a VLAN ID set to 10 as the WAN interface, as Eir required this specific VLAN ID to get internet access.

Here is my network config (cat /etc/config/network):

# Loopback: the standard 127.0.0.1/8 on 'lo'.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# Unique Local Address prefix (fdc6:ef52:4fa3::/48) used for internal IPv6
# addressing independently of whatever the ISP delegates.
config globals 'globals'
        option ula_prefix 'fdc6:ef52:4fa3::/48'

# LAN: a bridge over switch VLAN 1 (eth0.1) with static 192.168.10.1/24.
# ip6assign '60' is the size of the IPv6 prefix this interface takes from the
# delegated pool. NOTE(review): if wan6 below does obtain a delegated prefix,
# LAN hosts end up with globally routable IPv6 addresses, and only the
# wan->lan forward rules in /etc/config/firewall stand between them and the
# internet - confirm that is intended.
config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.10.1'

# WAN: PPPoE over switch VLAN 10 (eth0.10), the VLAN the ISP requires.
# ipv6 '1' enables IPv6 on the PPP link; the wan6 section below rides on it
# through the '@wan' alias.
# SECURITY: the PPPoE username and password are stored here in plaintext and
# this file has been pasted into a public forum post. Anyone sharing this
# config should redact these two options first; once published, the safe
# response is to have the ISP rotate the password.
# peerdns '0' discards the resolvers the ISP hands out; Cloudflare's
# 1.1.1.1/1.0.0.1 are used instead.
config interface 'wan'
        option ifname 'eth0.10'
        option proto 'pppoe'
        option password 'broadband1'
        option username 'eir@eir.ie'
        option ipv6 '1'
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        option peerdns '0'

# NOTE(review): this section pins a MAC address on 'eth0.2', but no switch_vlan
# below defines VLAN 2 and no interface references eth0.2 (wan is on eth0.10).
# It is presumably a leftover from the stock layout in which eth0.2 was the
# WAN device. It should be harmless, but it is dead configuration and can be
# removed to avoid confusion. The hardware MAC it contains is also exposed by
# posting this file publicly - worth redacting along with the PPPoE secret.
config device 'wan_eth0_2_dev'
        option name 'eth0.2'
        option macaddr 'b0:be:76:23:60:25'

# Hardware switch: VLAN filtering enabled, switch reset when the config is
# applied so no stale VLAN table survives.
config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# VLAN 1 (LAN): CPU port 0 tagged, ports 2-5 untagged. Appears as eth0.1,
# which the 'lan' bridge uses.
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 2 3 4 5'
        option vid '1'

# VLAN 10 (ISP): CPU port 0 tagged, ports 1 and 5 tagged. Appears as eth0.10,
# which carries the PPPoE session.
# SECURITY(review): port 5 is a member of both VLAN 1 (untagged, LAN) and this
# VLAN (tagged). If port 5 is a LAN-facing jack, a device plugged into it that
# sends 802.1Q frames tagged VID 10 is placed on the ISP-facing segment,
# bypassing the router and firewall entirely (it would see PPPoE discovery
# traffic and could attempt its own session). Unless the ISP uplink really is
# on port 5, remove '5t' from this VLAN; if the uplink is port 5, remove '1t'
# instead and keep exactly one uplink port in VLAN 10.
config switch_vlan
        option device 'switch0'
        option vlan '10'
        option ports '0t 5t 1t'
        option vid '10'

# IPv6 WAN: DHCPv6 over the PPPoE link ('@wan' aliases the wan interface
# above rather than a separate device). reqprefix 'auto' requests a delegated
# prefix for the LAN; reqaddress 'try' requests a WAN address but tolerates
# not getting one. As on IPv4, ISP resolvers are ignored (peerdns '0') in
# favour of Cloudflare's IPv6 resolvers.
config interface 'wan6'
        option ifname '@wan'
        option proto 'dhcpv6'
        list dns '2606:4700:4700::1111'
        list dns '2606:4700:4700::1001'
        option reqprefix 'auto'
        option reqaddress 'try'
        option peerdns '0'

And my firewall config (cat /etc/config/firewall):

# Global defaults: SYN-flood protection on. Traffic to and from the router is
# accepted unless a zone says otherwise; forwarding between zones is rejected
# unless a zone or forwarding section allows it.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

# LAN zone: fully trusted - LAN hosts may reach the router and forward freely
# within the zone.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

# WAN zone covering both the IPv4 (wan) and IPv6 (wan6) interfaces:
# unsolicited inbound to the router is rejected, outbound is allowed, and
# forwarding into other zones is rejected unless a rule below permits it.
# masq '1' source-NATs all LAN traffic behind the single PPPoE IPv4 address -
# this, not CG-NAT, is why every LAN device shows the same public IPv4 address
# in the post above. mtu_fix clamps TCP MSS to fit the PPPoE MTU.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

# LAN -> WAN only. There is no WAN -> LAN forwarding, so any inbound service on
# a LAN host (e.g. the Raspberry Pi mentioned in the thread) needs an explicit
# 'config redirect' (port-forward) entry.
config forwarding
        option src 'lan'
        option dest 'wan'

# Stock OpenWrt IPv4 rule: lets DHCP replies (UDP/68) reach the router. Only
# needed for a DHCP-addressed WAN; with PPPoE it matches nothing but is
# harmless.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# Stock rule: the router answers IPv4 ping from the internet. Purely a
# reachability convenience; drop it if you prefer the router not to respond
# to probes.
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

# Stock rule: accept IGMP from the WAN side (multicast membership, e.g. IPTV).
config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

# Stock rule: DHCPv6 client traffic (UDP/546) to the router. fc00::/6 spans
# fc00::-ffff:..., so it covers both ULA (fc00::/7) and link-local (fe80::/10)
# sources, which is what a DHCPv6 server on the PPP link will use.
config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

# Stock rule: Multicast Listener Discovery (ICMPv6 types 130/131/132/143),
# restricted to link-local sources as MLD requires.
config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

# Stock rule: ICMPv6 the router itself must accept for IPv6 to function
# (neighbour/router discovery, PMTUD, errors), rate-limited to 1000/sec.
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Stock rule: the same error/PMTUD ICMPv6 types forwarded from wan into any
# zone (dest '*'), so LAN hosts with global IPv6 addresses get path-MTU and
# unreachable feedback. NOTE(review): because echo-request is included, every
# LAN host with a global IPv6 address is pingable from the internet (rate
# limited). That is standard OpenWrt behaviour; remove 'echo-request' from
# this list if that exposure is unwanted.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Stock rules: forward ESP and IKE (UDP/500) from wan to *every* lan host, for
# IPsec endpoints living behind the router. No family is set, so they apply to
# both IPv4 and IPv6. On IPv4 they only matter together with a redirect (masq
# hides the LAN); on IPv6 they open these protocols to any LAN host with a
# global address. NOTE(review): if nothing on the LAN terminates IPsec, these
# two rules can be removed to reduce exposure.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Stock rule, disabled: would answer UDP traceroute probes with REJECT so the
# router shows up as a hop. Leaving it off is the quieter choice.
config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

# NOTE(review): /etc/firewall.user is sourced as raw iptables commands and is
# not shown in this post, so anything it opens is outside this review.
config include
        option path '/etc/firewall.user'

I am getting a similar outcome to a Carrier-Grade NAT, in which there is one public IP for every device inside my network, instead of there being an individual public IP for each device. I don't think this is an ISP CG-NAT issue, as only a few months ago I was able to get a separate public IP for each device.

I will have to ring up my ISP tomorrow and ask them about this issue, more specifically if they implemented a CG-NAT on my network. But in the meantime, let's say that my ISP isn't implementing a CG-NAT, what would rectify my problem?

If anyone has any ideas on what I can do to solve this, that would be great.

Thanks.

That is actually very simple to check yourself: OpenWrt shows you the WAN IPv4 address the ISP assigned to the PPPoE session (on the LuCI status page, or with `ifstatus wan` on the command line). If that address differs from the one an external IP-checker website reports — or if it falls inside 100.64.0.0/10 — you're behind CG-NAT.


Are you talking about IPv4 or IPv6? Public IPv4 addresses are scarce and the usual home ISP subscription gets exactly one, so the router has to NAT every device in the house out through that single public IP (that is what `option masq '1'` on your wan zone does). IPv6 is different: with a delegated prefix, each device gets its own globally routable address.


It's not usual for an ISP to give out more than one public IPv4 address per customer, unless you are paying for some sort of a range of public addresses.

100.64.0.0/10 [RFC 6598] is IPv4 address space allocated specifically for CGN - for all intents and purposes it should be treated the same as private address space and must not be advertised out on the internet and not be forwarded across any ISP edge.

If your devices were grabbing an address in the above range - then they were under CGN all along.

On the other hand if you were actually getting a public address for each of your devices, ignore my comment and it's contents.

Cheers


Thanks for that, so I checked with OpenWRT and an online tool called whatismyipaddress.com, and the IP address is the same, so I can assume that a CG-NAT is not in place. The reason I wanted the devices in my network to have their own dedicated WAN IPv4 address is that I need to access my Raspberry Pi remotely, by its WAN IP.

Now that I'm thinking about it, to be honest I don't need every device to have its own dedicated WAN IP; I just need the Raspberry Pi to be reachable from outside (so I can remote into it when I'm not on my home network). Is there a way to do this?
Thanks.

IPv4, but yeah that makes sense.

That is done by "forwarding a port" (a `config redirect` section in /etc/config/firewall, or Network → Firewall → Port Forwards in LuCI). When a TCP or UDP connection comes in from the Internet to your one public IP on a specific port, the router DNATs it across to a particular device on the LAN, such as the Raspberry Pi.

You can host multiple services on different machines by using unique public ports for them. For non-public services it is common to use non-standard port numbers; note that this only cuts down the noise from automated scanners — it is not a security control. Whatever you forward is exposed to the whole Internet, so harden the service itself (for SSH: key-based authentication only, no root login, keep it patched), or better, forward only a VPN such as WireGuard and reach the Pi through that. It does mean that you can only have one web server on port 443, for example. (Your ISP will frown upon running a popular public web server on a home line; that is usually not allowed in the contract.)

For this to work the Pi has to have a consistent IP on the LAN; this is best done by setting up a DHCP static lease for it, so the forward always points at the right host.


Thank you for this, it helped me understand what I need to do, which is to port forward.
