Geekzone: technology news, blogs, forums




31 posts

Geek


# 229196 12-Feb-2018 12:53

Hi, I'm starting this thread to learn and possibly help others find usable workarounds for CGNAT. Two days ago I hadn't heard of CGNAT but the problem became apparent when I went to set up remote viewing for my CCTV DVR security cameras on recently joined Skinny Unlimited VDSL. I'd been using port forwarding and DDNS to facilitate camera surveillance for many years with my previous ISP.

 

Skinny confirmed today their service does not handle port forwarding. It looks like CGNAT will become more prevalent in the near future. Apart from Skinny, Bigpipe and Flip currently use CGNAT. 

 

 

 

Possible workarounds:

Set up a VPS ... apparently an account can be from US $10/yr (thanks to poster hio77)

remot3.it ... looks really interesting and there's a free account for non-commercial (which I am).

portmap.io ... uses a VPN tunnel. Russian-based. Free basic account. Wouldn't be my 1st choice.

 

 

 

That's what I've got so far. Any thoughts and comments would be great.


defiant
1000 posts

Ultimate Geek

Lifetime subscriber

  # 1955681 12-Feb-2018 12:58

For video you really want low latency, so unless you can get a decent NZ based VPS your best option would be to find an ISP that doesn't use CGNAT.

 

Or one that can provide a static or public IP


28263 posts

Uber Geek

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  # 1955691 12-Feb-2018 13:22
8 people support this post

CGNAT won't become more prevalent except for low cost RSPs that don't want to fork out for IPv4 address space. Some such as Bigpipe offer a public address for a one-off fee.

As your requirements are for a public IP, your best option would be to move to a RSP that offers one rather than CG-NAT.

Secondly you should never ever port forward to IP cameras or a NVR/DVR for surveillance. Never. Ever. Most people use port forwards without understanding the massive security risks it opens their networks up to.

 

 

 

 


 
 
 
 




31 posts

Geek


  # 1955703 12-Feb-2018 13:54

nas:

 

For video you really want low latency, so unless you can get a decent NZ based VPS your best option would be to find an ISP that doesn't use CGNAT.

 

Or one that can provide a static or public IP

 

Good thought on the latency. My DVR is older analog which may not be so hungry on the resources. I do have one IP camera though it's not currently in use.

Yes, had I known about CGNAT I wouldn't have moved.




31 posts

Geek


  # 1955721 12-Feb-2018 14:00

sbiddle:

 

CGNAT won't become more prevalent except for low cost RSPs that don't want to fork out for IPv4 address space. Some such as Bigpipe offer a public address for a one-off fee.

As your requirements are for a public IP, your best option would be to move to a RSP that offers one rather than CG-NAT.

Secondly you should never ever port forward to IP cameras or a NVR/DVR for surveillance. Never. Ever. Most people use port forwards without understanding the massive security risks it opens their networks up to.

 

I'm guessing it will mean a defined margin between those that have and those that don't. Yes, if I'd only opted for Bigpipe, I could fix the IP.

 

As I understand it, breaking the contract has a $249 penalty clause.

 

I never had a problem with hackers/security but there's always a first time.


28263 posts

Uber Geek

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  # 1955781 12-Feb-2018 14:58
6 people support this post

CGNAT:

 

I never had a problem with hackers/security but there's always a first time.

 

 

In all seriousness unless you're logging all traffic connecting to your device and reviewing this you wouldn't have a clue in the world if you had ever been hacked. There should never be a first time, because you should be taking steps to ensure it doesn't happen.

 

The fact this is an older device raises even more alarm bells, the reality is it probably is insecure. People couldn't care less about your cameras, they merely want access to your hardware for DDoS or Crypto mining.

 

I wrote this a while ago in response to people who can't understand the issues https://www.geekzone.co.nz/sbiddle/8941 - and the reality is what I wrote then is actually far more important now. If you port forward and expose your devices you're not only compromising your own security, you're potentially compromising the Internet as a whole if your devices are used for malicious attacks.

 

I'm sorry if this sounds harsh - but dealing with the consequences of people who do things like this often ends up being my job, and in so many cases it's people saying "nobody told me I shouldn't do this" which is why I ensure people who do have insecure setups fully understand the risks of what they're doing.

 

Configuring a port forward to any device is like leaving your house door wide open. It doesn't mean somebody will walk in and steal your stuff, but you've made it very easy for them to do it.

 

 


5573 posts

Uber Geek


  # 1955805 12-Feb-2018 15:25
One person supports this post

I realise that you've only just heard of CGNAT, but this is not a new thing, ISPs have been doing it for years. There's plenty of info here if you search, but in practice, it's very simple.

 

1) It's just another level of NAT, like your existing router is probably doing.

 

2) It's no impediment to the average user

 

3) It will prevent any incoming connection, because there is no public IP address to connect to.

 

4) A good portion of the things it prevents shouldn't be done anyway, as they are a significant security risk as @sbiddle has already pointed out.

 

5) For those that genuinely need a public IP address, shop around for a provider that suits you better, don't go for the cheapest product you can find.
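
The check behind points 1 and 3 above, as an added example that is not part of the thread: a router whose WAN address sits in the RFC 6598 shared range (100.64.0.0/10) or in private space is behind an upstream NAT, so a port forward on it can never receive inbound connections. The function names and sample addresses are constructed; it assumes you read the WAN address from the router's status page and the outside address from any "what is my IP" service.

```python
import ipaddress

# RFC 6598 shared address space: what a carrier hands to customer routers
# on the inside of its CGNAT.
CGNAT_SHARED = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges, plus loopback and link-local, are not routable either.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def classify_wan(addr):
    """Classify an IPv4 address as 'cgnat-shared', 'non-routable' or 'public'.

    Anything outside the listed ranges is treated as public for this check.
    """
    ip = ipaddress.IPv4Address(addr)  # raises ValueError on bad or IPv6 input
    if ip in CGNAT_SHARED:
        return "cgnat-shared"
    if any(ip in net for net in NON_ROUTABLE):
        return "non-routable"
    return "public"


def inbound_possible(router_wan, seen_from_outside):
    """Return (ok, reason): can a port forward on this router ever be reached?"""
    kind = classify_wan(router_wan)
    if kind != "public":
        return False, f"router WAN {router_wan} is {kind}: an upstream NAT owns the public address"
    if ipaddress.IPv4Address(router_wan) != ipaddress.IPv4Address(seen_from_outside):
        return False, "WAN address differs from the address seen outside: another NAT is in the path"
    return True, "router holds the public address itself"


if __name__ == "__main__":
    # Constructed samples: (router WAN address, address a remote host sees).
    samples = [
        ("100.72.14.9", "203.0.113.20"),   # typical CGNAT customer
        ("192.168.1.2", "203.0.113.20"),   # router behind another home router
        ("203.0.113.20", "203.0.113.20"),  # router holds the public address
    ]
    for wan, outside in samples:
        ok, reason = inbound_possible(wan, outside)
        print(f"{wan:>14} -> {'forwardable' if ok else 'no inbound'}: {reason}")
```
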


2157 posts

Uber Geek


  # 1955977 12-Feb-2018 20:08

Unless you're in a contract you're probably better to move to Bigpipe, Skinny Broadband is literally rebadged Bigpipe, and Bigpipe will give you a static IP for a fee. You can use the same modem with Bigpipe.


 
 
 
 




31 posts

Geek


  # 1956175 13-Feb-2018 09:46

sbiddle:

 

In all seriousness unless you're logging all traffic connecting to your device and reviewing this you wouldn't have a clue in the world if you had ever been hacked. There should never be a first time, because you should be taking steps to ensure it doesn't happen.

 

The fact this is an older device raises even more alarm bells, the reality is it probably is insecure. People couldn't care less about your cameras, they merely want access to your hardware for DDoS or Crypto mining.

 

I wrote this a while ago in response to people who can't understand the issues https://www.geekzone.co.nz/sbiddle/8941 - and the reality is what I wrote then is actually far more important now. If you port forward and expose your devices you're not only compromising your own security, you're potentially compromising the Internet as a whole if your devices are used for malicious attacks.

 

I'm sorry if this sounds harsh - but dealing with the consequences of people who do things like this often ends up being my job, and in so many cases it's people saying "nobody told me I shouldn't do this" which is why I ensure people who do have insecure setups fully understand the risks of what they're doing.

 

Configuring a port forward to any device is like leaving your house door wide open. It doesn't mean somebody will walk in and steal your stuff, but you've made it very easy for them to do it.

 

Thanks for the wake up call re security. The article you wrote was excellent. Bad thinking people are always going to be out there. They prey on the unwary.

 

Your article points to VPN as the only safe way so I suppose the real question is, can it work to get around CGNAT (in theory)? I've been studying the subject and it appears as though I need a VPS to connect to my HG659 VPN L2TP. Is this the basis of it?

 

Thanks.




31 posts

Geek


  # 1966177 28-Feb-2018 23:01

After 2 weeks of studying various options I got the first workaround going.  This is how...

 

I opened a free account at NGROK. They have a lightweight tool that creates a secure tunnel on your local machine along with a public URL.

 

The ngrok.exe file now lives on the desktop for convenience. When I open it, a window appears into which I type the command line (example):

 

ngrok http 192.168.1.69:2232

 

The 192.168... is the IP address of the DVR and the 2232 is its designated web port.

 

Next step is to copy the forwarding address, example: http://823476f8.ngrok.io and email it to myself. Then open my Samsung Galaxy and open the email. The link is clickable and will open as a URL.

 

My cameras update a still pic every 6 seconds so no problem for any bandwidth limitation.

 

I'm posting here in detail in case it helps.

 

Looking ahead I thought maybe a batch file to automate the process. One downside is if there's a power failure or service interruption. I plan to study the Ngrok website as the paid plans might have better features.

 

 

 

So that's one workaround for CGNAT. Currently looking at others... Hope this helps.


22519 posts

Uber Geek

Trusted
Subscriber

  # 1966191 28-Feb-2018 23:37

If the product you bought from the ISP isn't fit for purpose then bring that up with them if they are expecting to enforce any contract terms.





Richard rich.ms

59 posts

Master Geek


  # 1970390 7-Mar-2018 10:05

I'm glad I came on here before switching over to Skinny.
First time I had heard of CGNAT also.

Currently with Spark which I have passed my contract to leave date, and have realized I never use any of the extra features that Spark provide. Lightbox, Netflix etc. Just plain unlimited Fibre.

Now the reason I wanted to change over to Skinny was because Skinny price for "Unlimited Fibre Ultra" Max Speed is cheaper than my Spark Fibre100. So sounds like the ideal thing to do.

UNTIL I came on here lol...

So I understand at a low level of what CGNAT is and why cheaper ISPs are doing it. But I have not gone into depth of what this can cause for me regarding a few things...

Without using a VPS service.
1: Console Gaming (NOT PC). Would that mean open nat port is impossible on CGNAT?

2: I have a VPN service / seedbox to errr umm store stuff............ Can this affect the speed / setup in any way?

3: I also have a CCTV setup NVR. That I can access via a phone iOS app. I have never FWD a port to allow this to work, just plug and play?
Never really looked into how this is all connected, I just assumed it uses some secure portal that the app connects to :/  Should I be worried?

Does CGNAT affect DL / UL speeds in any way?

 

 


1611 posts

Uber Geek


  # 1970430 7-Mar-2018 10:54

Xplaya:

 

 

 

Without using a VPS service.
1: Console Gaming (NOT PC). Would that mean open nat port is impossible on CGNAT?

2: I have a VPN service / seedbox to errr umm store stuff............ Can this affect the speed / setup in any way?

3: I also have a CCTV setup NVR. That I can access via a phone iOS app. I have never FWD a port to allow this to work, just plug and play?
Never really looked into how this is all connected, I just assumed it uses some secure portal that the app connects to :/  Should I be worried?

4: Does CGNAT affect DL / UL speeds in any way?

 

 

 

 

1. Yes

 

2. No, because the seedbox is outside your ISP's network so it won't be affected by CGNAT

 

3. Needs more detail on how exactly it is setup.

 

4. No, you can expect near-gigabit speeds on the gigabit plan, even on CGNAT


59 posts

Master Geek


  # 1970666 7-Mar-2018 13:41

DarkShadow:

 

Xplaya:

 

 

 

Without using a VPS service.
1: Console Gaming (NOT PC). Would that mean open nat port is impossible on CGNAT?

2: I have a VPN service / seedbox to errr umm store stuff............ Can this affect the speed / setup in any way?

3: I also have a CCTV setup NVR. That I can access via a phone iOS app. I have never FWD a port to allow this to work, just plug and play?
Never really looked into how this is all connected, I just assumed it uses some secure portal that the app connects to :/  Should I be worried?

4: Does CGNAT affect DL / UL speeds in any way?

 

 

 

 

2. No, because the seedbox is outside your ISP's network so it won't be affected by CGNAT

 

3. Needs more detail on how exactly it is setup.

 

4. No, you can expect near-gigabit speeds on the gigabit plan, even on CGNAT

 

 

2. Sorry I should have asked, would it affect my FTP speed to the seedbox.

3. I will get back to you on this one....

 

4. 1 thing popped up in my head. Under the Spark thread "Spark is not doing any shaping on ADSL, VDSL or Fibre"
Is this the same for Skinny also?




31 posts

Geek


  # 1970686 7-Mar-2018 14:03

Xplaya:

 

I'm glad I came on here before switching over to Skinny.
First time I had heard of CGNAT also.

Currently with Spark which I have passed my contract to leave date, and have realized I never use any of the extra features that Spark provide. Lightbox, Netflix etc. Just plain unlimited Fibre.

Now the reason I wanted to change over to Skinny was because Skinny price for "Unlimited Fibre Ultra" Max Speed is cheaper than my Spark Fibre100. So sounds like the ideal thing to do.

UNTIL I came on here lol...

Does CGNAT affect DL / UL speeds in any way?

OK, I saved someone from a frustrating time. My efforts have been rewarded. The fact that Skinny BB doesn't allow port forwarding is a bit too hard to find in their documentation.

 

 

 

I tested download speeds through Skinny CGNAT:

 

34.5 Mbps down

 

13.6 Mbps up

 

Skinny claim: Most VDSL lines run between 10 and 30Mbps down, and 3-10Mbps upload. Some VDSL lines can run even faster than this if your address is close to the cabinet.

 

So I'm good for speed according to them.


1611 posts

Uber Geek


  # 1970730 7-Mar-2018 15:22

Xplaya:

 

DarkShadow:

 

Xplaya:

 

 

 

Without using a VPS service.
1: Console Gaming (NOT PC). Would that mean open nat port is impossible on CGNAT?

2: I have a VPN service / seedbox to errr umm store stuff............ Can this affect the speed / setup in any way?

3: I also have a CCTV setup NVR. That I can access via a phone iOS app. I have never FWD a port to allow this to work, just plug and play?
Never really looked into how this is all connected, I just assumed it uses some secure portal that the app connects to :/  Should I be worried?

4: Does CGNAT affect DL / UL speeds in any way?

 

 

 

 

2. No, because the seedbox is outside your ISP's network so it won't be affected by CGNAT

 

3. Needs more detail on how exactly it is setup.

 

4. No, you can expect near-gigabit speeds on the gigabit plan, even on CGNAT

 

 

2. Sorry I should have asked, would it affect my FTP speed to the seedbox.

3. I will get back to you on this one....

 

4. 1 thing popped up in my head. Under the Spark thread "Spark is not doing any shaping on ADSL, VDSL or Fibre"
Is this the same for Skinny also?

 

 

2. No

 

4. No one shapes domestic broadband anymore, no need to worry.

