so ive read on a forum of openwrt that its possible to remove cgnat with ipsets and i gave it a go. i want to know if its actually possible to remove cgnat and i was hoping that maybe one of you guys that are more experienced can take a look at my created ipset settings. well here they are P.S. all advice and knowledge would be appreciated
thank you

/etc/rc.local
#!/bin/sh
ipset create bogons hash:net
ipset -A bogons 0.0.0.0/8
ipset -A bogons 10.0.0.0/8
ipset -A bogons 100.64.0.0/10
ipset -A bogons 127.0.0.0/8
ipset -A bogons 169.254.0.0/16
ipset -A bogons 172.16.0.0/12
ipset -A bogons 192.0.0.0/24
ipset -A bogons 192.0.2.0/24
ipset -A bogons 192.168.0.0/16
ipset -A bogons 198.18.0.0/15
ipset -A bogons 198.51.100.0/24
ipset -A bogons 203.0.113.0/24
ipset -A bogons 224.0.0.0/4
ipset -A bogons 240.0.0.0/4
ipset -A bogons 100.93.192.195/24

Save and restore ipset to preserve it across reboots

ipset save > /etc/ipsum
ipset restore < /etc/ipsum

/etc/config/firewall
config ipset
option name 'bogons'
option match 'ip'
option family 'inet'

config rule
option name 'Drop-Bogons_In_WAN'
option src 'wan'
option proto 'all'
option ipset 'bogons'
option target 'DROP'

Really? Where did you read this?

No, it's not possible to 'remove CG-NAT' if your provider does not provide a public IPv4 address to your router.

i read it on a forum where @dlakelan commented on. i may have misread

Can you provide the link?

my ip is public as my wan ip matches on whatsmyipaddress.com but when i do a tracert my second hop is this ip 100.93.192.195

sure

[Solved] How secure is the preconfigured firewall? - Installing and Using OpenWrt - OpenWrt Forum

but do my ipset configurations look correct???

What address is on the following (post only the first to octets in bold: aaa.bbb.ccc.ddd if you decide to post this):

ifstatus wan | grep address

You'll always have an apparent public IP address. If the address above matches the result you get from the website, then you have a public IP. If it doesn't match, you have a NAT/CG-NAT address.

The ISP will have internal routing that traverses their network that may or may not use NAT/CG-NAT addresses since they don't necessarily need to have every device using a public address if the device is only involved in intra-ISP 'transport' routing. The addresses of these are outside your control and largely irrelevant since they're just moving your traffic through the ISP's network. You can think of it like mail or packages traversing the internal addresses within the postal service -- you don't need to know or worry about which buildings process your mail, as long as it gets through the system and to its destination.

Entirely unnecessary, IMO.

well it shows my ip addres which is wan ip 98.56.xxx.xx

and that matches the ip when i look whatsmyipaddress.com. but about bogon networks. is it worth to drop them???

So that means that you have a public IP on your wan.

As I said, the CG-NAT addresses you're seeing are related to the intra-ISP transport of the traffic. Nothing you can do on your end can block that, nor would you want to because it would break your connection if you could.

With respect to blocking bogons, yes, you could create those ipsets, but the wan is already pre-configured to reject all unsolicited traffic -- this would include bogons as well as stuff originating from actual public addresses.

ahhh i see. and as for the firewall zones i do have drop invalid packets checked and the zones for wan as drop >> accept >> drop. but i also see input and output etc... under drop invalid packets, should i set those the same way??

It is recommended to use REJECT for input and forward on the wan zone, ACCEPT for output.

and thats for the zones directly under the drop invalid packets box??

Same recommendation for the General Settings

ok i get it now

Looks fine except for the wan zone per my earlier comment.

for sure. set it to reject > accept > reject

also i know this question is irrelevant to the topic but is it normal to not be able to adjust coalesce settings via ethtool for your wan port??? im trying to reduce delays for low latency

Honestly, I'd recommend against messing with parameters like that unless you really know what you;'re doing.