Possible solutions for Double NAT issue

Guys, I received a particular internet device with internet security and mining features. Sadly, I learnt my ISP has the fiber modem set in NAT mode, and the device refuses to work properly when the OpenWrt's WAN port doesn't get the public IP.
I spent 2 days trying to find a solution with the ISP, but they refuse to do anything about it; their only solution is that I get a dedicated line with them, costing over a grand a month. The modem is a Juniper Networks device, which only the ISP can access: no HTTP server, telnet, etc. access. Sadly, I just signed a 12-month contract with them and switching the ISP is out of the question.
I want to see if there are any options to bypass the double NAT issue, like a VPS VPN proxy, a transparent bridge of some sort... anything.


You can get a public IPv6 address/prefix:

  • For free with Hurricane Electric over a public IPv4.
  • For ~$5/month over a VPS even behind NAT.

I have a couple of VPS servers running, but never had to deal with the IPv6 part.
Any guidance on how to set it up with OpenWrt?

Actually, the ISP set up a dedicated IP for me, but it was still routed via NAT, so DHCP was pulling the private IP again. They told me the way the dedicated IP is working in their system is useless in my case...

Set up a VPN, preferably WireGuard:

  • VPN server - VPS.
  • VPN client - OpenWrt.

Then request a public IPv6 prefix from the VPS provider.
A /56 prefix would be optimal, but /64 should work too.


I have previously used WireGuard, installing it now again. IPv6 is already set up on my VPS with a /56 prefix.
So is the client setup typical, or without the IPv4 part?
Would appreciate any guidance... Still having a hard time understanding how this can overcome my issue :)

Split one /64 prefix for the VPN network and another one for your LAN.
This way hosts in your LAN will get public IPv6 addresses routed over the VPN.

When you provide IPv6 connectivity, clients should prefer it over IPv4 when possible.
IPv6 using GUA addresses can work without masquerading and doesn't require NAT.

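The prefix split suggested above, worked through as an added example (not code from the thread or from OpenWrt). It assumes the constructed documentation prefix `2001:db8:ab00::/56` in place of the real one; the function names are hypothetical, and restricting the VPS-side `AllowedIPs` to the router's tunnel address plus the LAN /64 is one reasonable choice, not something the thread specifies.

```python
import ipaddress

def nth_64(prefix, index):
    """Return the index-th /64 inside an IPv6 prefix such as a routed /56."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen > 64 or not 0 <= index < 2 ** (64 - net.prefixlen):
        raise ValueError(f"{net} has no /64 number {index}")
    return ipaddress.IPv6Network((int(net.network_address) + (index << 64), 64))

def address_plan(prefix, vpn_index=0, lan_index=1):
    """Split one /64 for the WireGuard tunnel and another for the OpenWrt LAN."""
    if vpn_index == lan_index:
        raise ValueError("tunnel and LAN need different /64s")
    vpn, lan = nth_64(prefix, vpn_index), nth_64(prefix, lan_index)
    vps_addr, router_addr = vpn[1], vpn[2]  # ::1 on the VPS, ::2 on the router
    return {
        "vpn_prefix": vpn,
        "lan_prefix": lan,
        "vps_tunnel_address": f"{vps_addr}/64",
        "router_tunnel_address": f"{router_addr}/64",
        # VPS side: accept and route only the router's tunnel address and its LAN /64.
        "vps_peer_allowed_ips": [f"{router_addr}/128", str(lan)],
        # Router side: send all IPv6 traffic into the tunnel.
        "router_peer_allowed_ips": ["::/0"],
    }

def vps_accepts(plan, source):
    """True if the VPS peer entry would accept a packet from this source address."""
    addr = ipaddress.IPv6Address(source)
    return any(addr in ipaddress.IPv6Network(n) for n in plan["vps_peer_allowed_ips"])

def render_vps_peer(plan, router_public_key="<ROUTER_PUBLIC_KEY>"):
    """wg-quick style [Peer] section for the VPS; the key is a placeholder."""
    return "\n".join([
        "[Peer]",
        f"PublicKey = {router_public_key}",
        f"AllowedIPs = {', '.join(plan['vps_peer_allowed_ips'])}",
    ])

if __name__ == "__main__":
    plan = address_plan("2001:db8:ab00::/56")  # constructed sample prefix
    for key, value in plan.items():
        print(f"{key}: {value}")
    print(render_vps_peer(plan))
    print(vps_accepts(plan, "2001:db8:ab00:1::42"))  # a LAN host address
```

Because the LAN hosts get global addresses with no NAT in front of them, the inbound IPv6 forwarding rules on the OpenWrt firewall are what decide which of them are reachable from the internet.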