Netgate Discussion Forum

Best Option To Bypass CGNAT

General pfSense Questions
  • P
    panzerscope
    last edited by Feb 22, 2024, 7:40 PM

    Hey guys,

    So I recently switched ISPs. Unfortunately they use CGNAT and at this point do not offer any dedicated/static IPs. I have done some reading on some ways to bypass CGNAT via a pfSense implementation. I just wondered what you guys suggest?

    Basically I have some home services that use reverse proxy on my TrueNAS server which no longer work due to CGNAT, the same can be said for remote access to my Plex server.

    I currently have a NordVPN subscription which comes with a dedicated IP, would that be an option? I know I can set up NordVPN on pfSense and the fact that I pay for a dedicated IP may in fact turn out as a bonus in my case.

    What do you guys think?

    Thanks,
    P

    E J 2 Replies Last reply Feb 22, 2024, 7:59 PM Reply Quote 0
    • E
      elvisimprsntr @panzerscope
      last edited by elvisimprsntr Feb 22, 2024, 9:16 PM Feb 22, 2024, 7:59 PM

      @panzerscope

      NordVPN is an outbound, so-called "privacy", VPN to hide/disguise your outbound traffic.

      What you need is to host your own VPN service on pfSense that will traverse CGNAT.

      By far the easiest is Tailscale MESH VPN. Works automagically!

      https://tailscale.com

      • Official pfSense package exists
      • Clients for every platform on the planet, including TrueNAS SCALE (Although it might be behind in updates)
      • Uses any number of existing identity managers
      • Free tier for up to 3 users and up to 100 nodes

      Watch Christian McDonald's video to set it up on pfSense.

      https://www.netgate.com/blog/tailscale-on-pfsense-software

      1 Reply Last reply Reply Quote 1
      • J
        JKnott @panzerscope
        last edited by Feb 22, 2024, 8:11 PM

        @panzerscope said in Best Option To Bypass CGNAT:

        What do you guys think ?

        Does that ISP offer IPv6? Many that use CGNAT do.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        P 1 Reply Last reply Feb 23, 2024, 3:37 PM Reply Quote 1
        • P
          panzerscope
          last edited by Feb 22, 2024, 9:10 PM

          @elvisimprsntr

          I did see Tailscale and listed it as an option, glad to see they have a TrueNAS client. Thanks for the suggestion :)

          @JKnott

          I may have to call to determine that as the online literature they have doesn't go into much detail (Lightspeed Broadband). What I can see is pfSense is fetching an IPv6 address on the WAN. Whether that is a good indication, I'm not sure. But I will call them to confirm if they are serving IPv6 :)

          Using IPv6 sounds like the best option over anything else, but I will know more tomorrow and come back to you.

          P J 2 Replies Last reply Feb 22, 2024, 9:23 PM Reply Quote 0
          • S
            stephenw10 Netgate Administrator
            last edited by Feb 22, 2024, 9:23 PM

            Any self hosted VPN can work for this. And by self hosted I mean something in the cloud most likely unless you have access to a friendly data center.

            1 Reply Last reply Reply Quote 0
            • P
              panzerscope @panzerscope
              last edited by Feb 22, 2024, 9:23 PM

              @panzerscope said in Best Option To Bypass CGNAT:

              @elvisimprsntr

              I did see Tailscale and listed it as an option, glad to see they have a TrueNAS client. Thanks for the suggestion :)

              @JKnott

              I may have to call to determine that as the online literature they have doesn't go into much detail (Lightspeed Broadband). What I can see is pfSense is fetching an IPv6 address on the WAN. Whether that is a good indication, I'm not sure. But I will call them to confirm if they are serving IPv6 :)

              Using IPv6 sounds like the best option over anything else, but I will know more tomorrow and come back to you.

              Quoting myself here lol, but I did just run a test on https://ipv6-test.com/, results below look encouraging


              1 Reply Last reply Reply Quote 0
              • J
                JKnott @panzerscope
                last edited by Feb 23, 2024, 2:11 AM

                @panzerscope

                You may be in luck. I was recently helping someone else on Lightspeed. Perhaps he has some advice for you.

                PfSense running on Qotom mini PC
                i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                UniFi AC-Lite access point

                I haven't lost my mind. It's around here...somewhere...

                P 1 Reply Last reply Feb 23, 2024, 12:47 PM Reply Quote 0
                • P
                  panzerscope @JKnott
                  last edited by Feb 23, 2024, 12:47 PM

                  @JKnott said in Best Option To Bypass CGNAT:

                  @panzerscope

                  You may be in luck. I was recently helping someone else on Lightspeed. Perhaps he has some advice for you.

                  That is me lol. Same guy :p

                  I called Lightspeed and I'm waiting on their tech team to confirm IPv6. Will update here once I've heard :)

                  1 Reply Last reply Reply Quote 1
                  • P
                    panzerscope @JKnott
                    last edited by Feb 23, 2024, 3:37 PM

                    @JKnott said in Best Option To Bypass CGNAT:

                    @panzerscope said in Best Option To Bypass CGNAT:

                    What do you guys think?

                    Does that ISP offer IPv6? Many that use CGNAT do.

                    I can confirm that Lightspeed is IPv6 enabled. As that is the case, does that mean that in essence I can shift pfSense to use IPv6 from the ISP to avoid the CGNAT plaguing IPv4?

                    If that is the case, what would I need to change on the pfSense config?

                    Many thanks in advance.

                    J 1 Reply Last reply Feb 23, 2024, 8:00 PM Reply Quote 0
                    • S
                      stephenw10 Netgate Administrator
                      last edited by Feb 23, 2024, 4:46 PM

                      You can certainly enable IPv6. It would not replace IPv4 but you could then use it to reach your firewall externally. As long as you're coming from some other IPv6 enabled location.

                      It depends what you're trying to avoid in CGNAT.

                      P 1 Reply Last reply Feb 23, 2024, 5:28 PM Reply Quote 0
                      • P
                        panzerscope @stephenw10
                        last edited by Feb 23, 2024, 5:28 PM

                        @stephenw10 said in Best Option To Bypass CGNAT:

                        You can certainly enable IPv6. It would not replace IPv4 but you could then use it to reach your firewall externally. As long as you're coming from some other IPv6 enabled location.

                        It depends what you're trying to avoid in CGNAT.

                        Thanks for the info. Currently I am wanting to access my TrueNAS server externally. I have a reverse DNS setup so I can access some of my apps located on the server. This includes things like Plex. I do play multiplayer games, but those are at the bottom of the totem pole so far as getting Port Forwarding working well.

                        1 Reply Last reply Reply Quote 0
                        • S
                          stephenw10 Netgate Administrator
                          last edited by Feb 23, 2024, 5:33 PM

                          If you are doing that I would want to do so over a VPN anyway. So setting up an external VPN server to connect via starts to make a lot of sense. IMO.

                          P 1 Reply Last reply Feb 23, 2024, 5:52 PM Reply Quote 1
                          • P
                            panzerscope @stephenw10
                            last edited by Feb 23, 2024, 5:52 PM

                            @stephenw10 said in Best Option To Bypass CGNAT:

                            If you are doing that I would want to do so over a VPN anyway. So setting up an external VPN server to connect via starts to make a lot of sense. IMO.

                            When we talk VPN, I did investigate Tailscale, but that is for accessing my devices remotely via a Tailscale account, I do not think that that will help me as I am needing to access my apps via domain names and not specifically via the device they reside on. Again, the same goes for Plex as others outside my network (including myself) cannot access the Plex server as port forwarding is currently non-functional.

                            So, I am thinking that setting up an actual VPN Tunnel through NordVPN makes more sense, not only that but I also will have a dedicated IP on IPv4 as an added bonus. If I can then set in pfSense that certain devices use the Nord VPN Tunnel, such as my TrueNAS server so I can access my apps via domains and by extension Plex as well as it should be able to port forward correctly.

                            Or am I mad?

                            1 Reply Last reply Reply Quote 0
                            • S
                              stephenw10 Netgate Administrator
                              last edited by Feb 23, 2024, 6:02 PM

                              Do NordVPN offer fixed IPs? Not something I have used.

                              But what I would do is install pfSense in some cloud hosting service. The Netgate image in AWS or Azure for example. That will then have a fixed IPv4 address.
                              Then configure on that a site-to-site tunnel with your home pfSense box and a remote access VPN server for anything remote to connect to.

                              Then when you are in some remote location you connect to the VPN server in the cloud and from there will have access to your home pfSense install along with whatever access you have allowed to LAN side resources.

                              You could also just port forward from the cloud install across the tunnel directly but I would always advise using the RA VPN.

                              1 Reply Last reply Reply Quote 0
                              • J
                                JKnott @panzerscope
                                last edited by Feb 23, 2024, 8:00 PM

                                @panzerscope said in Best Option To Bypass CGNAT:

                                does that mean that in essence I can shift pfSense to use IPv6 from the ISP to avoid the CGNAT plaguing IPv4?

                                You will wind up with both. The IPv6 addresses will be public and no NAT either from the ISP or pfSense.

                                PfSense running on Qotom mini PC
                                i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                                UniFi AC-Lite access point

                                I haven't lost my mind. It's around here...somewhere...

                                P 1 Reply Last reply Feb 28, 2024, 8:35 AM Reply Quote 0
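
An added example, not part of any post in this thread: a Python sketch that classifies a firewall's WAN address by whether unsolicited inbound traffic can reach it, covering the CGNAT case and the public IPv6 case discussed in the replies above. The function name `classify_wan`, the verdict strings and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# RFC 6598 shared address space, used on the customer side of carrier-grade NAT.
CGNAT_SHARED = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges (a WAN address here means another NAT sits upstream).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# IPv6 global unicast range; the 2001:db8::/32 sample below falls inside it.
GLOBAL_UNICAST_V6 = ipaddress.ip_network("2000::/3")


def classify_wan(wan_addr, seen_from_outside=None):
    """Return (verdict, reachable) for a firewall WAN address.

    seen_from_outside is the source address a remote test page reports.
    reachable=True means unsolicited inbound traffic can arrive at the WAN
    without a tunnel, so the firewall rules are the only gate.
    """
    wan = ipaddress.ip_address(wan_addr)
    if wan.version == 6:
        if wan.is_link_local:
            return ("ipv6-link-local-only", False)  # fe80::/10 stays on the link
        if wan in GLOBAL_UNICAST_V6:
            return ("ipv6-global", True)            # public address, no NAT
        return ("ipv6-not-global", False)           # e.g. ULA fc00::/7
    if wan in CGNAT_SHARED:
        return ("cgnat-shared-space", False)
    if any(wan in net for net in RFC1918):
        return ("private-behind-upstream-nat", False)
    if seen_from_outside is not None:
        outside = ipaddress.ip_address(seen_from_outside)
        if outside.version == 4 and outside != wan:
            return ("public-looking-but-translated", False)
    return ("ipv4-public", True)


# Constructed samples (documentation and reserved ranges, not real hosts).
SAMPLES = [
    ("100.72.14.9", None),
    ("192.168.1.2", None),
    ("203.0.113.5", "198.51.100.77"),
    ("203.0.113.5", "203.0.113.5"),
    ("2001:db8:1234::1", "2001:db8:1234::1"),
    ("fe80::1", None),
]

if __name__ == "__main__":
    for wan, outside in SAMPLES:
        print(wan, outside, classify_wan(wan, outside))
```

A verdict of `ipv6-global` means every LAN host with a global address is reachable as far as the WAN rules allow, so the inbound rule set on the firewall is what limits exposure.
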
                                • P
                                  panzerscope @JKnott
                                  last edited by Feb 28, 2024, 8:35 AM

                                  This post is deleted!
                                  1 Reply Last reply Reply Quote 0
                                  • P
                                    panzerscope
                                    last edited by Feb 28, 2024, 12:15 PM

                                    As a small update, I decided to go with PureVPN. This company offers VPN with dedicated IP and allows port forwarding on said IP. It is my hope that I can route my Plex server over the VPN with port forwarding, working around the CGNAT. Fingers crossed. If it works out, either way I will pop an update here so that others are in the know.

                                    cgnatsucks13C 1 Reply Last reply Jun 15, 2024, 10:30 AM Reply Quote 1
                                    • cgnatsucks13C
                                      cgnatsucks13 @panzerscope
                                      last edited by Jun 15, 2024, 10:30 AM

                                      @panzerscope Does PureVPN work? Can you host jobs in GTA now?

                                      1 Reply Last reply Reply Quote 0
                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.