My ISP offers access to the IPv4 Legacy Internet via CGNAT. One can also pay them a few EUR a month extra to have a static, properly end-to-end routed IPv4 address on the public Internet assigned. Still, even when paying that extra buck, once can get the "free" CGNAT address assigned via DHCP, and access the Internet over the CGNAT gateway, which provides a little pseudonymity at least - which is why I would like to use that in addition to my static address for "outbound" IPv4 traffic from LAN clients.
With my setup (see below), there's an annoying problem with inbound TCP4 connections to services available via my static address which, I would like to understand better and solve.
Right now, I have my WAN link configured via pppoe, which yields the static, public IPv4 address on the link, and have another interface created that performs DHCP on the Ethernet interface for the CGNAT address (providing the default gateway), like this:
config interface 'wan'
option device 'eth5'
option proto 'pppoe'
option username 'myusername@example.com'
option password 'somepassword'
option peerdns '0'
option ipv6 '1'
list dns '9.9.9.9'
list dns '2620:fe::fe'
option defaultroute '0'
config interface 'wancgnat'
option proto 'dhcp'
option device 'eth5'
option peerdns '0'
option hostname '*'
option delegate '0'
list dns '9.9.9.9'
... which results in an IPv4 address configuration like this:
7: eth5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc cake state UP qlen 1000
inet 100.64.126.234/18 brd 100.64.127.255 scope global eth5
valid_lft forever preferred_lft forever
18: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN qlen 3
link/ppp
inet 193.a.b.c peer 100.126.0.243/32 scope global pppoe-wan
valid_lft forever preferred_lft forever
The IPv4 routing table looks like this:
# ip r
default via 100.64.64.1 dev eth5 src 100.64.126.234
100.64.64.0/18 dev eth5 scope link src 100.64.126.234
100.126.0.243 dev pppoe-wan scope link src 193.a.b.c
172.18.3.0/24 dev br-lan scope link src 172.18.3.254
The resulting problem I experience is this: On my router, which performs NAT for the LAN on 193.a.b.c, I have several services exposed for IPv4 clients via port forwards. This generally works, but some hosts on some networks on the Internet cannot properly establish/maintain TCP conversations. On hosts affected by this problem, when I connect to a TCP port bound on 193.a.b.c, I see duplicate ACKs and spurious as well as actual retransmissions which I do not understand the reasons for.
What I would like to find is the cause of this issue and then the minimal change I have to implement to fix it.
Thanks to anyone who read this far, and for any resulting advice!