Hi All,

Tip: when you can't log into your computer from
somewhere else on the internet.

Sometimes when an ISP (Internet Service Provider)
runs out of IPv4 addresses, he will insert a special
NAT router called a "Carrier Grade NAT (CGN)" router
to serve more IP addresses. You will never know the
difference, unless you are setting up a server (such
and RDP) on your computer. Then you will tear
your hair out trying to figure out why
you can't get past your router from the outside,
even when your have quadruple checked your own
routers port forwards.

A tip off is to set up a remote ping of a local
workstation's lookup of the WAN address, then
reboot the router. If the ping does not stop
during the reboot, then you are pinging the
"Carrier-grade NAT" router, not your local router.

A quick way to look up the WAN address from a
local workstation's is with
curl --connect-timeout 2 --silent ipinfo.io -o

Note: if there is a CGN router in line, this is the WAN
address of the CGN router, not your own local router

To verify that the user's WAN IP address as seen
by the router is not a "Shared" address, A.K.A.
Carrier-grade NAT". Retrieve this from the router's
WAN status page, not a (work station) web lookup:

Carrier Grade NAT (CGN) will typically show a WAN
IP address of
100.64.x.x through 100.127.x.x

-T

T wrote:

[snip]

Lesson on sucking eggs noted.

In addition, the IP address of your connection via CGNAT will be shared
with other - perhaps many other - users.

If any of those other users send "pork luncheon meat" then that IP
address will be logged in blocking sites such as <https://spamrl.com> or
<https://www.talosintelligence.com/reputation_center> or
<https://barracudacentral.org/lookups/lookup-reputation>

These sites and others like them are used by email anti-spam and
anti-malware programs as part of their checking processes.

For outgoing email, the solution is always to send via a trusted mail
service, rather than sending from an email server on your LAN.

For the requirement discussed in the original post (remote access to a
computer on your LAN) then the only solution is to change ISP to one
that provides you with a static public IP address. Clearly one that
also supports IPV6 would be a better choice.

--
Graham J

On 9/10/23 00:27, Graham J wrote:
> If any of those other users send "pork luncheon meat"
> then that IP address will be logged in blocking sites
Oh Geez! I had not thought of that.
> For the requirement discussed in the original post (remote access to a
> computer on your LAN) then the only solution is to change ISP to one
> that provides you with a static public IP address.  Clearly one that
> also supports IPV6 would be a better choice.

I have worked with this particular ISP for
years. They have even referred customers
to me. All I have to do is ask. They said
it would be accomplished by Monday.
I love dealing with them. They don't make
me jump thought hoops to talk to them about
one of their customers issues. They rather
enjoy having me help out. They all know me.
But as for the big corporate ISP's, their
tech support can not even talk to their network
technicians, so ya, your only other choice is
to get another provider.

On 10-Sept-2023 7:40 pm, T wrote:
> On 9/10/23 00:27, Graham J wrote:
>
> > If any of those other users send "pork luncheon meat"
> > then that IP address will be logged in blocking sites
>
> Oh Geez!  I had not thought of that.
>
>> For the requirement discussed in the original post (remote access to a
>> computer on your LAN) then the only solution is to change ISP to one
>> that provides you with a static public IP address.  Clearly one that
>> also supports IPV6 would be a better choice.
>
>
> I have worked with this particular ISP for
> years. They have even referred customers
> to me.  All I have to do is ask.  They said
> it would be accomplished by Monday.
>
> I love dealing with them.  They don't make
> me jump thought hoops to talk to them about
> one of their customers issues.  They rather
> enjoy having me help out.  They all know me.
>
> But as for the big corporate ISP's, their
> tech support can not even talk to their network
> technicians, so ya, your only other choice is
> to get another provider.

And if you're with Starlink, forget it. They use CG-NAT and won't
provide you with a static IP address or IPv6

Am 09.09.2023 um 23:46:57 Uhr schrieb T:

> Then you will tear your hair out trying to figure out why
> you can't get past your router from the outside,
> even when your have quadruple checked your own
> routers port forwards.

Simply log in and check the IP for the WAN interface.
If it is in RFC1918 range, CG-NAT is there.

Also, some provider have DS-Lite, where all IPv4 traffic is being
tunneled in IPv6 and mostly a CG-NAT at the provider exists.

Marco wrote:

> check the IP for the WAN interface.
> If it is in RFC1918 range, CG-NAT is there.

Also if it's in the RFC6598 range (100.64.0.1 - 100.127.255.254)

On 9/10/23 08:10, Andy Burns wrote:
> Marco wrote:
>
>> check the IP for the WAN interface.
>> If it is in RFC1918 range, CG-NAT is there.
>
> Also if it's in the RFC6598 range (100.64.0.1 - 100.127.255.254)

On 9/9/23 23:46, T wrote:
> Carrier Grade NAT (CGN) will typically show a WAN
> IP address of
> 100.64.x.x through 100.127.x.x

But you have to get that from your own router's
WAN status page unless you are hooked directly
to the Internet