Sunday, 9 November 2025

CGNAT

I've got rather basic network knowledge, and I've lately come across a problem/limitation I was not aware of and that I think is increasingly common: CGNAT. With my Internet provider (Telecable) in Asturies, my FTTH router (a nice ZTE F6640) has a stable IP. I mean, it's not static, but it rarely changes (even after rebooting it). So when I recently felt it could be convenient for me to occasionally connect to one of the computers in my LAN from outside, I thought it would be feasible.

So let's say I want to be able to ssh into my RasPi 5 from downtown while I discuss with my friends how woke ideology is destroying humanity. The DHCP server in my router is configured to provide a static IP to all significant devices in my LAN, let's say 192.168.1.5 for my RasPi 5. To make port 22 on my RasPi accessible from outside I have to configure port forwarding in my router. It's just a matter of telling the router "forward incoming connections on one of your ports (let's say 10022) to port 22 on 192.168.1.5". I'd never done it before, but it seems like something that has existed for decades and should work. So I connected my laptop to my mobile phone hotspot, to simulate the "I'm in the outside world" thing, and tried. And tried, and tried... to no avail.

Checking some forums with similar questions involving other Internet providers in Spain, I came across this fucking technology: CGNAT

Carrier-grade NAT (CGN or CGNAT), also known as large-scale NAT (LSN), is a type of network address translation (NAT) used by ISPs in IPv4 network design. With CGNAT, end sites, in particular residential networks, are configured with private network addresses that are translated to public IPv4 addresses by middlebox network address translator devices embedded in the network operator's network, permitting the sharing of small pools of public addresses among many end users. This essentially repeats the traditional customer-premises NAT function at the ISP level.

My Internet provider in Asturies continues to use IPv4 (that's not the case in France, where to my surprise I recently found that it's using IPv6), and given that it doesn't have enough public IP addresses for all its customers, it's adding an extra NAT (Network Address Translation) layer.

I had got my router's public address using curl ident.me, which gave me a nice and public 85.152.xxx.yyy address, but if I connect to my fiber router and check in it, I see a different one: 100.102.x.y. Well, that's not a public IP, and it's an indicator that my ISP is using CGNAT, as explained here.

If it's any of the following, then your router doesn't have a public IP address:

  • 192.168.x.x
  • 10.x.x.x
  • 172.16.x.x through 172.31.x.x
  • 100.64.x.x through 100.127.x.x

The last one is usually indicative of your ISP using CGNAT.

Summing up, my laptop has a 192.168.x.x private IP address. My fiber router faces the outside world with another private IP address (100.102.x.y). I and other customers in my area are connected to another upstream router in my ISP's network, and this one faces the outside world with the 85.152.xxx.yyy public IP that I can see with ident.me. So in order for the connection from the outside to my RasPi to work I would also have to set up port forwarding in that upstream ISP router shared with my "neighbours". So, no way...
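As an added example (not code from the post), a small POSIX shell script that turns the check above into something repeatable: it classifies an IPv4 address against the ranges listed earlier and compares the router's WAN address with what an outside service reports. The addresses at the bottom are constructed sample values; online, the second one would come from curl ident.me.

```shell
#!/bin/sh
# Added example, not code from the post: classify an IPv4 address against the
# ranges listed above and apply the router-WAN-vs-ident.me comparison.

# Dotted quad -> 32-bit integer. Runs in a subshell so the IFS change stays local.
ip_to_int() (
  IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Name the range the address falls in, or "public". 10/8, 172.16/12 and
# 192.168/16 are RFC 1918; 100.64/10 is the RFC 6598 shared space used for CGNAT.
classify_ip() {
  n=$(ip_to_int "$1")
  if   [ $(( n >> 24 )) -eq 10 ];                      then echo "rfc1918 (10.0.0.0/8)"
  elif [ $(( n >> 20 )) -eq $(( (172 << 4) | 1 )) ];   then echo "rfc1918 (172.16.0.0/12)"
  elif [ $(( n >> 16 )) -eq $(( (192 << 8) | 168 )) ]; then echo "rfc1918 (192.168.0.0/16)"
  elif [ $(( n >> 22 )) -eq $(( (100 << 2) | 1 )) ];   then echo "cgnat (100.64.0.0/10)"
  else echo "public"
  fi
}

# Compare the address the router shows on its WAN interface with the address a
# public echo service reports (seen=$(curl -s ident.me) when online).
cgnat_check() {
  wan=$1 seen=$2
  kind=$(classify_ip "$wan")
  if [ "$wan" = "$seen" ]; then
    echo "no-cgnat"                 # the router itself holds the public address
  elif [ "$kind" = "cgnat (100.64.0.0/10)" ]; then
    echo "cgnat"                    # ISP NAT in front of the router: inbound port forwarding cannot work
  else
    echo "nat-upstream ($kind)"     # some other NAT device between the router and the Internet
  fi
}

# Constructed sample values (the post masks its real addresses).
WAN_ADDR="100.102.3.4"
SEEN_ADDR="85.152.0.1"
cgnat_check "$WAN_ADDR" "$SEEN_ADDR"   # prints: cgnat
```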

Well, there's another way (that I have not tried) to set this up, a sort of reverse approach. In the last year I've been using SSH tunnels to connect to some non-public servers at work through a "bastion" work server with a public IP. With a standard SSH tunnel I basically create an SSH connection to that bastion server, telling it that any connection that goes through that "tunnel" has to be forwarded to another server. There are also reverse SSH tunnels, where I create an SSH connection to a server (a tunnel) telling that server that any connections it receives on a certain port have to be forwarded back to "me" through that tunnel, to a certain port on my machine. Since the tunnel is an outbound connection from the machine behind CGNAT, the ISP's NAT doesn't get in the way. So if you have a server on the Internet (Azure, AWS...) you could use it to create a reverse SSH tunnel to your PC located behind CGNAT. All this is explained for example here.
