LTE IP passthrough - still double NAT?

Hi,
I have a 5G LTE router from the ISP (some Chinese ZLT X28) configured in "IP Passthrough" with NAT disabled, DHCP disabled, WiFi disabled...
In IP Passthrough I had to provide the MAC address of the machine that I want to pass the traffic to, so I entered the MAC address of the eth0 WAN port of OpenWrt.
It's connected to the WAN port of my TP-Link OpenWrt "main" router.
The WAN port is just configured as a DHCP client and it works.
The OpenWrt router gets the public IP on that interface. If I type "route" I see the default route with that public IP.

Now the strange part - the ISP router is still accessible via its LAN IP (192.168.70.1)
Now the strangest part - if I do a traceroute on any of the clients, I see 2 hops:

  1. OpenWrt LAN IP
  2. ISP router LAN IP (192.168.70.1)

what the hell?
Can I do any magic on the OpenWrt side, or does the ISP router just not do proper passthrough?

The thing that confuses me is that the OpenWrt WAN port gets the public IP, and its routing table does not know about any 192.168.70.1, but still it somehow gets routed via it...
I run policy-based routing, which also reads the public IP of the LTE interface correctly; I see no mention of 192.168.70.1.
I rebooted both devices just to clear out some cache of old configuration (prior to enabling the passthrough, it was indeed routed via 192.168.70.1, but then I decided to try to avoid double NAT, unsuccessfully so far).

Likely they inject routes to their CPE pages, e.g.

IP passthrough mode indeed disables NAT. The LTE router still routes packets which is why you see it in the trace.

The LTE router does the following:

  • requests a PDP context from the network and during that setup gets an IPv4 address or an IPv6 /64 prefix. All this is done without using DHCP.
  • the router itself remembers that address and doesn't configure it locally but hands it out to your downstream router via DHCP
  • it adds a route in its internal routing table for the address to be on its LAN port
  • it still has a (local) IP address configured for itself
  • it still does routing but no NAT

Since it still has a local IP address configured, it will respond to any packets you send to it: ping it, open the web UI for configuration, or even when doing traceroute.

In passthrough mode it gets much easier to process packets as it doesn't have to keep track of connections for NAT.

It still behaves the same with that option disabled, but thanks for pointing it out, I'm happy to have it disabled :slight_smile:

Great, thanks for the clarification. As long as I'm not being NATed by it, all good.
The problem is, I don't know of any other way of testing if I'm behind double NAT other than looking at the traceroute.
I'll check with my kid if his Nintendo Switch still keeps dropping out of online games or it's fixed, that will be the best test :slight_smile:

EDIT: the interesting thing is, when I route the traffic (with PBR) via the WireGuard VPN interface, then I don't have this LTE router IP in the trace. Then it looks like this:

  1. local LAN IP of OpenWrt
  2. WireGuard IP of the peer on the other side
  3. internet

EDIT2: I also realised I am behind CGNAT, the WAN IP I get is not the public IP but 100.127...
In that case it means I was behind triple NAT, and now reduced to double NAT with one hop to a router that just routes :slight_smile:
Not ideal for gaming... do you think routing via the WireGuard interface on OpenWrt (the peer on the other side is a DigitalOcean VPS with a fixed public IP) would be better for online gaming than direct internet access via double NAT (CGNAT + local OpenWrt router NAT)?
At the end of the day, I can just do nothing, and my kid will have to find other ways of amusement...

Thanks

If you think that will decrease your latency, I highly doubt it. Modern CGNAT ISPs actually provide better performance, since once you traverse the local telco hops you end up in their border routers, going out to your destination. Unless you are in some third-world country, NAT is very well accelerated. Once you opt out of it, you will usually take a longer route, mostly a copper one, going to their core infrastructure, and only then will you go to the gateway that connects your ISP to the rest of the internet.

There is no absolute answer to this and this question is simply wrong.
This all depends on:

  1. How is your peering between your ISP and DigitalOcean
  2. How is the peering between DigitalOcean and the destination
  3. Does your ISP apply traffic shaping on non-standard ports

In most cases, a VPN will decrease your performance and increase your latency, unless you have a DigitalOcean server in the same city as your ISP.

Yes, I understand a VPN will add lag, but I was referring to the peer-to-peer connectivity issues that double NAT introduces to gaming.
So, it's kind of picking the lesser of two evils: add more lag or deal with double NAT perks...

edit: I am actually in a 3rd world country internet-wise, the United Arab Emirates; even though they are rich and developed, the internet is monopolized (2 government ISPs), expensive, censored and not so great in general :slight_smile:

There is no double NAT, just an RFC 1918 IP that is routing.

Your latency from the UAE to game servers (EU/US/SG is where most of them are) is so negligible compared to the double NAT you are scaring yourself about.
Literally, the double NAT will add an extra 3-5 ms. And knowing Du and Etisalat, they do it properly and use the most expensive hardware possible to optimize stuff.

You can tell if there is NAT between your router and the Internet by:

  • noting that "what's my IP" test sites report the same IP that is held by your router's WAN.
  • pinging and/or scanning ports from outside. Although, even if there may be no NAT, some ISPs block incoming traffic.

Traceroute sends a packet with a short time to live, expecting the router where the packet died to send back a report with its IP. This works about the same whether or not there is NAT. Blank lines in a traceroute result occur because not all ISP or other routers send the report of packet death.

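The two checks in the post above (compare the router's WAN address with what an outside site reports, and read the traceroute for hops that answer from private space) can be scripted. The following is an added example written for this thread, not code from the OpenWrt project or from anyone in the discussion. It uses only Python's standard `ipaddress` module; the traceroute text and every address except the thread's 192.168.70.1 are constructed sample data. The CGNAT range 100.64.0.0/10 is the RFC 6598 shared address space that the 100.127.x.x WAN address mentioned earlier falls into.

```python
import ipaddress

# Address space that cannot be the router's real Internet-facing identity:
# RFC 1918 private ranges and the RFC 6598 shared range (100.64.0.0/10)
# that carriers hand out behind CGNAT. A WAN address like 100.127.x.x
# therefore means the ISP is translating again upstream of the router.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify_address(ip: str) -> str:
    """Return 'rfc1918', 'cgnat', 'public' or 'other' for an IPv4/IPv6 address."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in RFC1918):
        return "rfc1918"
    if addr in CGNAT:
        return "cgnat"
    return "public" if addr.is_global else "other"


def upstream_nat(router_wan_ip: str, observed_ip: str) -> bool:
    """True if some NAT sits between the router's WAN and the Internet.

    router_wan_ip: the address on the OpenWrt WAN interface.
    observed_ip:   the address a "what's my IP" service reports for a client
                   behind that router.
    """
    if classify_address(router_wan_ip) in ("rfc1918", "cgnat"):
        return True  # a non-routable WAN address must be translated upstream
    # A public WAN address that the outside world sees unchanged means no NAT
    # between the router and the Internet; a different address means something
    # upstream is translating (or proxying) the traffic.
    return ipaddress.ip_address(router_wan_ip) != ipaddress.ip_address(observed_ip)


def _as_ip(token: str):
    """Parse a traceroute token such as '(192.168.70.1)' into an address, or None."""
    try:
        return ipaddress.ip_address(token.strip("()"))
    except ValueError:
        return None


def non_public_hops(traceroute_output: str) -> list:
    """List the hops of a Linux traceroute that answered from private or
    CGNAT space, plus hops that did not answer at all (the '* * *' lines
    the post explains). Each entry is (hop, ip_or_None, kind)."""
    found = []
    for line in traceroute_output.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[0].isdigit():
            continue  # header line or junk
        hop = int(parts[0])
        if parts[1] == "*":
            found.append((hop, None, "no reply"))
            continue
        addr = next((a for a in map(_as_ip, parts[1:]) if a is not None), None)
        if addr is None:
            continue
        kind = classify_address(str(addr))
        if kind != "public":
            found.append((hop, str(addr), kind))
    return found


# Constructed sample output in the format Linux traceroute prints; the
# addresses are made up except for the 192.168.70.1 LTE router from the thread.
SAMPLE_TRACE = """traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  0.412 ms  0.380 ms  0.351 ms
 2  192.168.70.1 (192.168.70.1)  1.903 ms  1.850 ms  1.812 ms
 3  100.64.0.1 (100.64.0.1)  24.110 ms  23.900 ms  24.300 ms
 4  * * *
 5  8.8.8.8 (8.8.8.8)  31.002 ms  30.950 ms  31.100 ms
"""

if __name__ == "__main__":
    for hop, ip, kind in non_public_hops(SAMPLE_TRACE):
        print(f"hop {hop}: {ip or '-'} ({kind})")
    print("upstream NAT:", upstream_nat("100.127.3.4", "5.6.7.8"))
```

Running it on the sample prints hops 1 to 3 as RFC 1918 / CGNAT and hop 4 as "no reply"; note that, as the post says, a private hop in the trace only proves the device routes, not that it translates, so `upstream_nat` (WAN address versus externally observed address) is the check that actually answers the double-NAT question.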

I already explained I don't care about latency. I would rather add 50 ms latency than be behind double NAT. That's why some suggest using a VPN. By the context in which you write, it seems you think the only problem with double NAT is extra latency.

  • Online gaming – Games need direct peer-to-peer connections between players. A double NAT breaks this connectivity, leading to lag, disconnects, failed matchmaking, and problems joining games or voice chat. Over 65% of gaming connectivity complaints were linked to double NAT issues according to Xbox support logs.
  • Voice and video calls – Video chat services like Zoom, FaceTime and Skype also require direct connections between callers. Calls may disconnect or have poor quality when working through a double NAT.

If your ISP offers IPv6 you should use it, as it offers the potential of a NAT-free connection all the way from end to end. However some games and services (like Skype) are v4 only and can't take advantage of that.

Check here:

Directly out via ISP CGNAT + OpenWrt NAT = restricted cone NAT

Via WireGuard on the same OpenWrt router = port restricted cone NAT

So, it's even worse via vpn? :slight_smile:

No double NAT. You get connections back directly. Issue over

So which one is the double NAT, for future reference?

  • Full Cone NAT: Each external address and port can access an internal resource provided it initiates communication first
  • Restricted Cone NAT: An external address and port can access an internal resource only if it has previously communicated with that resource
  • Port Restricted Cone NAT: An external address and port can access an internal resource only if it has previously communicated with that resource through that port
  • Symmetric NAT: Packets sent to the same external IP address and port will be sent to different external IP addresses and ports. Each external user will get a unique address when they try to connect to the same internal IP address and port
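The four definitions above are easiest to keep apart by watching what each type does with one outbound mapping. The following is an added example for this thread, not code from OpenWrt or from any NAT-test site: it models each NAT type as a tiny mapping table plus inbound filter, then runs the probe that STUN-style testers use (contact two servers from one client socket, compare the mappings, and try to send back from an unrelated host and from a known host on a different port). All addresses are constructed, including the 100.127.10.20 outside address chosen to mirror the CGNAT range in the thread.

```python
import itertools

# Constructed addresses for the simulation: a LAN client behind the NAT, the
# NAT's own outside address (a CGNAT-style 100.64/10 address like the one in
# the thread), two probe servers and an unrelated third host.
CLIENT = ("192.168.1.50", 40000)
NAT_PUBLIC_IP = "100.127.10.20"
SERVER_A = ("198.51.100.1", 3478)
SERVER_B = ("198.51.100.2", 3478)
STRANGER = ("203.0.113.9", 3478)


class SimNat:
    """Toy model of one NAT device: a mapping table plus an inbound filter.

    kind is one of 'full_cone', 'restricted_cone', 'port_restricted_cone'
    or 'symmetric', following the four definitions quoted above.
    """

    def __init__(self, kind: str):
        self.kind = kind
        self.mappings = {}            # mapping key -> external port
        self.sent_to = set()          # (external port, (dest ip, dest port)) history
        self._next_port = itertools.count(50000)

    def outbound(self, client, dest):
        """client sends a packet to dest; return the external (ip, port) dest sees."""
        # A symmetric NAT allocates a new external port per destination; the
        # three cone variants reuse one mapping per internal (ip, port).
        key = (client, dest) if self.kind == "symmetric" else client
        if key not in self.mappings:
            self.mappings[key] = next(self._next_port)
        port = self.mappings[key]
        self.sent_to.add((port, dest))
        return (NAT_PUBLIC_IP, port)

    def inbound_allowed(self, src, external_port) -> bool:
        """Would a packet from src to external_port be forwarded to the client?"""
        if external_port not in self.mappings.values():
            return False                      # no mapping at all: always dropped
        if self.kind == "full_cone":
            return True                       # anyone may use an existing mapping
        if self.kind == "restricted_cone":
            # source IP must have been contacted before; any source port is fine
            return any(p == external_port and dest[0] == src[0]
                       for p, dest in self.sent_to)
        # port restricted cone and symmetric: exact (ip, port) previously contacted
        return (external_port, src) in self.sent_to


def classify(nat: SimNat) -> str:
    """STUN-style probing: contact two servers from one client socket, then
    test who can send back through the resulting mapping."""
    map_a = nat.outbound(CLIENT, SERVER_A)
    map_b = nat.outbound(CLIENT, SERVER_B)
    if map_a != map_b:
        return "symmetric"                    # mapping changes per destination
    ext_port = map_a[1]
    if nat.inbound_allowed(STRANGER, ext_port):
        return "full cone"                    # unrelated host gets through
    if nat.inbound_allowed((SERVER_A[0], SERVER_A[1] + 1), ext_port):
        return "restricted cone"              # known host, different port, gets through
    return "port restricted cone"             # only the exact (ip, port) gets through


if __name__ == "__main__":
    for kind in ("full_cone", "restricted_cone", "port_restricted_cone", "symmetric"):
        print(f"{kind:22s} -> {classify(SimNat(kind))}")
```

The probe only sees the behaviour of the outermost mapping, which is why a NAT-type test result such as "restricted cone" does not by itself say how many NAT devices are in the path; that is what the WAN-address comparison earlier in the thread is for.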

Symmetric NAT is either port randomizing or not letting incoming connections back on the same outgoing ports as the client. Typical on BSD.