On Fri, Sep 21, 2018 at 2:20 PM <secret.memail.com(a)gmail.com> wrote:
It is certainly true that many home users are now
behind firewalls and “NAT” devices that cause issues with many tunneling protocols such as
IPIP. It’s worthwhile to mention that for a majority of these people it is possible to fix
this issue with a third party device such as Ubiquiti’s Edgerouter X. I have seen a number
of threads about this so it is clear that a majority of the participants in this mailing
list are aware of this solution.
The issue is with those who utilize an ISP that uses “Carrier Grade NAT” (often just
“CGNAT”). In this situation, the user will often have no control over the firewall or
“NAT” appliance and therefore no way to allow IPIP (or otherwise) traffic to travel to
their 44net router.
I am surprised that there have not been a significant number of threads about this
issue before especially as there appears to be no good solution (not to say that there are
not any solutions).
Bryce Wilson, AS202313
Note about NAT and NAT related terms being in quotation marks: I have been informed
several times that the version of NAT found on most consumer hardware is in fact not NAT
(Network Address Translation) but Stateful PAT (Port Address Translation). I use NAT above
because that is the term that the majority of people would be familiar with. I aim not to
use terms that are technically correct but not understood by the reader.
I often wonder how many people outside of mobile providers are behind
carrier grade NAT. At some point I suppose it's inevitable for IPv4.
I am hoping if providers implement that, they are at least offering
IPv6 too.
As for our purposes behind carrier NAT, John K9VE proposed a solution.
And it's to buy a cheap VPS (virtual host) and have a 44net subnet
brought to it by BGP. From there you could use OpenVPN which is a
stateless (continuous handshaking to keep the outside connection open)
so you don't need to worry about protocol/port forwarding from your
home connection to the VPS.
I don't think you are able to bring in more than one IP address (per
connection) with OpenVPN though. Where with ipip you can specify
something other than a /32 to tunnel to you. I am sure there are
other open source stateless VPN packages that I don't know about
though.
The other thing is BGP requires nothing less than a /24 so you might
end up with an allocation to your VPS that is bigger than you really
need. So a group approach might be best.
https://groups.io/g/net-44-vpn/wiki/home