
CGNAT - is this really "the future"?

DTMark

ULTIMATE Member
I'd read about CGNAT but until it impacts you it ceases to be that important. It's impacting me as we've recently moved over to EE's 4G service not so much for speed but because Three's network has a fault in this area which they seem to have no inclination to repair. EE's 4G is blazingly quick yet only offers partial access to the internet because of CGNAT.

We could go back to looking around as we'd tracked down the nearest cabled areas before and almost did move home but family events meant that had to be put on the back-burner. I shudder at the thought of moving back somewhere urban but we may have no choice.

But, there's nothing to say that Virgin Media won't implement CGNAT at some point. And AFAIK the cable network is not IPv6 capable.

Is CGNAT a serious proposition? ISPs are going to be flooded with support questions and problems going down this route.

However so far as I can see, almost nobody is adopting IPv6 anywhere other than maybe AAISP and to get that you have to involve BT at some point and AAISP are only as good as BT's decrepit old last-mile network enables them to be.

I'm sure that in certain circles this has been a hot topic and one which this site has covered before on multiple occasions.

Are we really out of IPv4 addresses to the point where the internet is basically going to begin "breaking" for everyone as more ISPs take this up? From my brief experience with it, CGNAT is going to be a shambles.

I can only hope, at this point, that ISPs implementing it are going to be met with such a flood of issues that they invest the necessary cash to sort IPv6, but this seems to be moving along very slowly.

Thoughts...?
 

KDS

ULTIMATE Member
I think most big ISPs will go down the route of CGNAT, which is fine for most people. Problems come when you try to connect in, but most 3rd party services now do this, like LogMeIn for remote login etc., which works fine even on NAT.

I'm sure gaming services will do that too. They might even do that now. Things like VoIP etc., again they will become like Skype.

So the CGNAT looks like it's going to be here for a while.

I personally want IPv6 to take over, but ISPs want to make the most out of the equipment they bought.

I haven't tried it myself, but if your router can dial in to an IPv6 network using AICCU you can use http://www.sixxs.net/main/ to get yourself an IPv6 address; this might work under your CGNAT too.

That might get around the issues you are having with EE 4G. I know the DrayTek 2860 has the option but I haven't tried it under CGNAT.

If it worked let me know.
 

DTMark

ULTIMATE Member
Thanks for the link - I'll check that out, looks interesting.

I'd thought about leasing a cheap server to configure it as a "middle man" with VPN services to act as a "gateway" to the other boxes I need to access which are secured by IP address. That might also get around this. Perhaps "old school" but I've always considered locking things to IP addresses *as well* as important, but CGNAT means this level of security is dangerous since it renders it meaningless - securing by IP only locks that down to an ISP level not a user level.

The biggest issue with it is that if I go to a site and begin to browse it, it will work fine. For a while. Then it will stop responding and serve blank pages. The browser isn't "hung" or "waiting", the page load is complete.

If I check the IP address being presented, I can see that at the point where it stopped loading, that IP changed (usually the third octet). The web server therefore considers this suspect - it's like a "session hijack". If I repeatedly press F5 to refresh then eventually it will load, and checking again, I now have the same presented IP as I had at the start of the session. This only happens on certain sites, maybe it's just a couple that I use that have it :)

Apart from the online gaming issues which don't impact me, I'd have thought this is going to be the biggest problem and lead to endless support calls to say that the connection "keeps going down". Which is not actually true, but it might as well be.

You could argue this isn't a "fault" with the connection and the "problem" is with those websites. This will require administrators and developers to leave out this layer of security in order for those sites to work properly with ISPs using CGNAT.
 

KDS

ULTIMATE Member
I think CGNAT routers need a lot of processing/memory power to keep up with lots of people's NAT tables etc. Your slowness might be to do with that.

I remember when I was with a cable ISP, NTL, they used to use a transparent proxy which had similar issues when it was busy.
 

DTMark

ULTIMATE Member
Nothing's slow - it's very quick ;)

Simply, CGNAT renders some websites out of bounds.

I'd have thought in particular:

1. Sites behind pay-walls which lodge your connecting IP along with your session so as to try to ensure you don't give your login to other people, and

2. Bulletin board type sites who have troublesome members and ban them via IP - for webmasters that isn't possible any more, because if you ban their connecting IP you will achieve precisely nothing and will actually end up banning other people too. You'd have to ban based on the third and fourth octet so in effect you'd ban "everyone" from that ISP connecting.
 

Mark.J

Administrator
Staff member
ISPreview Team
I think CGNAT, which we've written about quite a lot on ISPr, is fine so long as the ISP gives you a choice (i.e. enable CGNAT by default, if necessary, but give customers an option to disable it if they encounter related problems).

Alternatively some ISPs might try to make a little extra money by offering it as a paid upgrade (perhaps alongside a static IPv4), although IMO this would be quite controversial. The third option would of course be IPv6 but then you might as well go dual-stack and even then CGNAT may still be needed for the transition period.

Which specific sites or services have you had problems with, DTMark?
 

DTMark

ULTIMATE Member
I've come across this on two sites so far and I don't actually "browse" that much.

I read a number of economics websites quite regularly for differing views.

One such site which has this issue (this would be of the type "2" in my post above) is www.housepricecrash.co.uk

I couldn't see why it kept randomly returning blank pages at first until I opened "What's My IP" in a second tab on arrival at said site, clicked a few links until it "broke" and then refreshed that second tab to find that the third octet had changed.

I then kept refreshing the site until it "came back" and on checking, the "first" IP address had been restored.

I know I've coded two sites in the past to associate the login with the requesting IP address - sites which give access to protected information for which the customer has to pay. In those cases what would happen is that as soon as you request a page from a different IP to that with which you logged in, you would be thrown back to the login page.

Clearly this doesn't stop people sharing a login around the office, but it does stop that same login being used at multiple locations.

Incredibly, just having looked: one of them appears to still be going after all these years - was about a decade ago! So that won't work with CGNAT either.

If I asked such a client "a small number of customers will have problems accessing the content because of this new thing called CGNAT, would you like me to remove that layer of protection?" I would envisage the client would say "No, let's see if anyone complains, if it's only a few people then we won't bother".
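
The IP-bound login check described in the post above, next to a prefix-tolerant variant, as an added example that is not part of the original thread or of any site's real code. The function names, the /16 tolerance and the addresses (taken from the reserved 198.18.0.0/15 benchmarking range) are assumptions of this example.

```python
import hmac
import ipaddress
from dataclasses import dataclass


@dataclass
class Session:
    token: str     # random session identifier issued at login
    login_ip: str  # source address the server saw at login


def strict_ip_bound(session, token, source_ip):
    """Policy described in the thread: token AND exact login IP must match."""
    return hmac.compare_digest(token, session.token) and source_ip == session.login_ip


def prefix_bound(session, token, source_ip, prefix_len=16):
    """Tolerant policy (an assumption of this example): the token must match and
    the source only has to stay inside the login address's /prefix_len network."""
    if not hmac.compare_digest(token, session.token):
        return False
    net = ipaddress.ip_network(f"{session.login_ip}/{prefix_len}", strict=False)
    return ipaddress.ip_address(source_ip) in net


def replay(policy, session, requests):
    """Return 'page' or 'login' for each (token, source_ip) request in order."""
    return ["page" if policy(session, tok, ip) else "login" for tok, ip in requests]


# Constructed traffic: one paying user whose presented address is moved around
# by the carrier's NAT pool, then two requests that should never be served.
SESSION = Session(token="s3ss10n-A", login_ip="198.18.4.20")
REQUESTS = [
    ("s3ss10n-A", "198.18.4.20"),  # same address as at login
    ("s3ss10n-A", "198.18.7.20"),  # pool switched egress: third octet changed
    ("s3ss10n-A", "198.18.4.20"),  # back on the original address
    ("s3ss10n-A", "198.19.9.9"),   # valid token presented from an unrelated network
    ("guess", "198.18.4.20"),      # other subscriber on the shared IP, no valid token
]

if __name__ == "__main__":
    print("strict:", replay(strict_ip_bound, SESSION, REQUESTS))
    print("prefix:", replay(prefix_bound, SESSION, REQUESTS))
```

Under the strict policy the legitimate user is bounced to the login page on the second request, which matches the "blank page until the first IP comes back" behaviour; in both policies it is the token, not the address, that separates users sharing one CGNAT address.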
 

KDS

ULTIMATE Member
I was thinking the same thing: to run dual-stack they still need the same amount of IPv4 addresses, so this won't save them any IP addresses, so to speak.
 

DTMark

ULTIMATE Member
I came across the solution by chance in a thread on another website..

https://www.astrill.com/

Really clever. Presents you as having a fixed IP, so even if your ISP provides you with a dynamic one, you can still appear to the world as the same UK IP externally.

As long as you trust that provider (who say that they do not retain logs) it also has the added benefit of making snooping on what you're doing a bit more difficult.

It does slow the connection down a bit and increases the ping times. But you can turn it on and off at will.

Seems like quite a clever piece of kit.
 

DTMark

ULTIMATE Member
Been playing around with this... my "24 hour introduction to the world of VPNs".

It's one of those nice pieces of kit that "does exactly what it says on the tin".

You can tunnel both in and out, so if you want to be able to RDP to your machine from the outside you can, or access your media files. With the cost of 4G data I probably won't be doing that.

Downstream speed isn't hit too hard but ping times and upstream are. That said it's still perfectly usable and you can enable and disable it with one click. A couple of back-to-back tests demonstrate this.

Disabled: [speed test image]

Enabled: [speed test image]

This is with a UK based VPN IP. If you wanted to, you could also pick a US based one if you like watching US TV streamed shows and need a US IP for that. Very handy in China, too.

Full credit to a certain pcoventry76 of Thinkbroadband.com for coincidentally starting a thread about this on the very day I was looking into it and for KDS's recommendation above - seems similar, and yes, it does work with CGNAT.
 

DanielMS

Regular Member
Thanks for the link - I'll check that out, looks interesting.

I'd thought about leasing a cheap server to configure it as a "middle man" with VPN services to act as a "gateway" to the other boxes I need to access which are secured by IP address. That might also get around this. Perhaps "old school" but I've always considered locking things to IP addresses *as well* as important, but CGNAT means this level of security is dangerous since it renders it meaningless - securing by IP only locks that down to an ISP level not a user level.

The biggest issue with it is that if I go to a site and begin to browse it, it will work fine. For a while. Then it will stop responding and serve blank pages. The browser isn't "hung" or "waiting", the page load is complete.

If I check the IP address being presented, I can see that at the point where it stopped loading, that IP changed (usually the third octet). The web server therefore considers this suspect - it's like a "session hijack". If I repeatedly press F5 to refresh then eventually it will load, and checking again, I now have the same presented IP as I had at the start of the session. This only happens on certain sites, maybe it's just a couple that I use that have it :)

Apart from the online gaming issues which don't impact me, I'd have thought this is going to be the biggest problem and lead to endless support calls to say that the connection "keeps going down". Which is not actually true, but it might as well be.

You could argue this isn't a "fault" with the connection and the "problem" is with those websites. This will require administrators and developers to leave out this layer of security in order for those sites to work properly with ISPs using CGNAT.

Half the time CGNAT isn't the problem; it's the fact that it's CGNAT with an army of proxy servers, so literally every site you load the IP changes. For example, load this a few times and notice the IP change now and then: http://whatismyipaddress.com/
 

KDS

ULTIMATE Member
I'm looking for a similar thing, but I need an IP for myself. Some clients use EE 4G as a backup but they can't receive mail direct due to the CGNAT, but if someone can assign a static IP for a CGNAT connection that will be amazing.
 

DTMark

ULTIMATE Member
@DTMark

Are you markp from the EE forum? Because I did actually reply to this topic (http://community.ee.co.uk/t5/4G-Network/4G-and-only-partial-internet-access-CGN-issue/m-p/62274#U62274).

And if you are considering going via the VPN route, you might as well get yourself a cheap UK VPS from lowendbox.com and install OpenVPN Access Server (which takes a whole 2 minutes).

Yes, I was getting a little hacked off that the thing appeared to be largely "self help" and full of people moaning with nobody from EE actually responding, a comment someone else had made too ;)

With this working, I can keep the 4G connection and invest in that horrendously expensive Huawei modem/router box and have the roof antenna repointed.

In other news Three confirm there's no fault with the network, so I don't know what's wrong with that (this being the reason for EE 4G in the first place) but actually this + VPN is a better solution than I had before, albeit twice as expensive.
 

DTMark

ULTIMATE Member
I'm looking for a similar thing, but I need an IP for myself. Some clients use EE 4G as a backup but they can't receive mail direct due to the CGNAT, but if someone can assign a static IP for a CGNAT connection that will be amazing.

I guess it would work, but given the performance hit would impact everything on the client side of the internet I suspect you'd want two network cards and a Huawei box..

http://www.amazon.co.uk/HUAWEI-B593-4G-B593-Wireless-Router/dp/B009QW3ZG4/ref=wl_it_dp_o_pd_S_nC?ie=UTF8&colid=12LFDOM0GD788&coliid=I3UW5TM785WP64

.. and have "browsing" type traffic bypassing it via the other network card.

You'd buy the static IP ($5 a month) and open the port forwarding in the web control panel online to make the traffic go "the other way" on the one which routes the mail traffic.

However it would only take someone to flood-bomb the mail server or for the primary connection to be down for a long time for the data allowance to get used up and a very large bill to mount :(
 

KDS

ULTIMATE Member
DrayTek will connect 4G modems fine, so if I pay $5 extra do they give me a static IP? And connect back? That will be amazing :)
 

DTMark

ULTIMATE Member
Yes. You can even have more than one e.g. several in different countries.

GCHQ will start becoming interested in this thread ;)

However point to note.. the installation I have is the software version. Which is to say that a little applet pops up on the desktop with a big "ON" and "OFF" button and you specify e.g. which browsers/LAN connections use it.

You can also install it at a router level apparently, I don't need to do this as only my PC needs to have this special tunnelling not everything connected to the net. That looks to be a bit more involved and specialised but there are details on the website.

Having used it today I think last night's speed comparison might have been a bit of an exception and a little unfair especially on the latency. Speed does suffer, but not as badly as indicated earlier - shaves a few meg off in both directions.

 

DTMark

ULTIMATE Member
Just to revert on this - a little belatedly...

I'd never actually attempted this before, but now I have, and yes, you can connect to a PC that's connected to EE 4G, even with the CGNAT, using the Port Forwarding.

In this manner I've set up my home/office PC with Real VNC Server, then in the Astrill settings turned on Port Forwarding, then connected our laptop to Three 3G - so entirely separate external connections - and on that, run VNC Client, and entered my Astrill fixed IP.

It just works. No effort at all. So it can "punch through" CGNAT.
 

Mark.J

Administrator
Staff member
ISPreview Team
What settings did you use for Port Forwarding?
 

DTMark

ULTIMATE Member
I didn't actually have to do much at all. Within the Astrill online management panel Members > My Services then Port Forwarding.

All there is on the page is a box that gives you your "forwarded" port number and a button labelled ON/OFF

I'm guessing some services would need a little more help to work - for instance SQL Server "listens" on Port 1433 by default but Real VNC doesn't need any help to "see" the incoming requests.

I was amazed it was that easy.
 

Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved - Terms  ,  Privacy and Cookie Policy  ,  Links  ,  Website Rules