Does my ISP use CG-NAT?
-
I would appreciate it if you guys share your knowledge and help me with my confusion.
I'm trying to troubleshoot the endless issues I have with UPnP and read somewhere that miniupnpd blocks traffic if it's coming from WAN with a private IP address (RFC1918).
As far as I'm aware, my ISP does not use CG-NAT, and I do not have double NAT (at least this is what they keep saying to me), but in pfSense and besides my WAN public address, I have another WAN_PPOE IP address which is an RFC1918 private address.
Does that mean pfSense communicates with my WAN with a private IP address 10.20.xx.xx? If no, why is my IPv4 Gateway a private address 10.20.xx.xx instead of the 203.166.xx.xx public address?
Also, considering I have a private IP address in my gateway, should I leave "Block private networks and loopback addresses" in the WAN setting disabled? It is enabled by default, but I've disabled it, which didn't change anything that I could notice.
-
@omid_1985 said in Does my ISP use CG-NAT?:
As far as I'm aware, my ISP does not use CG-NAT, and I do not have double NAT (at least this is what they keep saying to me), but in pfSense and besides my WAN public address, I have another WAN_PPOE IP address which is an RFC1918 private address.
From your screenshots I'd assume that no, you do not have a CG-NATted address. Normally with CG-NAT you get assigned a 100.x range IP address from the CG-NAT gateway. That your upstream GW is a private IP is a bit unusual/strange but that may or may not have to do with how your ISP is doing things.
Did you check if that IP you got (203.xx) is reachable via internet or from an external address and if you see those connections on your firewall rules logging? I like to test those things with trying to connect to e.g. a nc/telnet <ip>:12345 command from an external host to simulate access to tcp/12345 on that IP, then go to Status/System Logs/Firewall and filter for "destination port 12345" to check if that request was blocked.
Other possibility would be to run a packet capture for that port and check if you had incoming traffic on your checkport on the IF. If that's the case then I'd say your ISP routes or hands you that public IP and you're well.
I have another WAN_PPOE IP address which is an RFC1918 private address.
I'd guess that is for the ISPs router/modem in front of your pfSense to be available in case the connection to upstream is broken so you/a technician on site can check the modem status.
Also, considering I have a private IP address in my gateway, should I leave "Block private networks and loopback addresses" in the WAN setting disabled? It is enabled by default, but I've disabled it, which didn't change anything that I could notice.
If your public IP is indeed the 203.xx address and you are sending/receiving traffic from that address primarily, then you can enable the private block. I don't see that it would have any negative side effects then.
Cheers
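
Added example, not part of the original posts: a small Python check that classifies the address assigned to the WAN interface against the ranges discussed in this thread (RFC1918, and the RFC 6598 CG-NAT block, which is 100.64.0.0/10 rather than all of 100.x). It goes one step beyond the inbound test described above by also comparing the WAN address with the source address an outside host sees; the `seen_from_outside` parameter and all sample addresses are assumptions made for illustration.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598: not all of 100.x


def address_class(addr):
    """Classify an IPv4 address by the ranges discussed in this thread."""
    ip = ipaddress.IPv4Address(addr)
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip.is_loopback or ip.is_link_local or ip.is_unspecified:
        return "special"
    return "public"  # i.e. none of the ranges checked above


def assess_wan(wan_ip, seen_from_outside=None):
    """Verdict for the address assigned to the WAN interface.

    seen_from_outside (hypothetical input): the source address an external
    host you control logs for a connection coming from this firewall.
    """
    kind = address_class(wan_ip)
    if kind == "cgnat":
        return "cgnat"
    if kind == "rfc1918":
        return "double-nat"
    if kind != "public":
        return "invalid"
    if seen_from_outside is None:
        return "unverified"
    same = ipaddress.IPv4Address(wan_ip) == ipaddress.IPv4Address(seen_from_outside)
    return "direct" if same else "nat-upstream"


if __name__ == "__main__":
    # Constructed samples; 203.0.113.0/24 and 198.51.100.0/24 are
    # documentation ranges standing in for real public addresses.
    for wan, seen in [("203.0.113.10", "203.0.113.10"),
                      ("203.0.113.10", "198.51.100.7"),
                      ("100.72.3.4", None),
                      ("100.128.0.1", None),
                      ("10.20.1.1", None)]:
        print(f"{wan:15} seen={seen!s:15} -> {assess_wan(wan, seen)}")
```

The check looks only at the address on the WAN interface itself; the gateway address is not part of the verdict.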