Geekzone: technology news, blogs, forums


18 posts

Geek


Topic # 229196 12-Feb-2018 12:53

Hi, I'm starting this thread to learn and possibly help others find usable workarounds for CGNAT. Two days ago I hadn't heard of CGNAT but the problem became apparent when I went to set up remote viewing for my CCTV DVR security cameras on recently joined Skinny Unlimited VDSL. I'd been using port forwarding and DDNS to facilitate camera surveillance for many years with my previous ISP.

 

Skinny confirmed today their service does not handle port forwarding. It looks like CGNAT will become more prevalent in the near future. Apart from Skinny, Bigpipe and Flip currently use CGNAT.

Possible workarounds:

Set up a VPS ... apparently an account can be from US $10/yr (thanks to poster hio77).

remot3.it ... looks really interesting and there's a free account for non-commercial (which I am).

portmap.io ... uses a VPN tunnel. Russian based. Free basic account. Wouldn't be my 1st choice.

That's what I've got so far. Any thoughts and comments would be great.



nas

399 posts

Ultimate Geek
+1 received by user: 244


  Reply # 1955681 12-Feb-2018 12:58

For video you really want low latency, so unless you can get a decent NZ based VPS your best option would be to find an ISP that doesn't use CGNAT.

 

Or one that can provide a static or public IP


26772 posts

Uber Geek
+1 received by user: 6248

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 1955691 12-Feb-2018 13:22
8 people support this post

CGNAT won't become more prevalent except for low-cost RSPs that don't want to fork out for IPv4 address space. Some such as Bigpipe offer a public address for a one-off fee.

As your requirements are for a public IP, your best option would be to move to an RSP that offers one rather than CG-NAT.

Secondly you should never ever port forward to IP cameras or an NVR/DVR for surveillance. Never. Ever. Most people use port forwards without understanding the massive security risks it opens their networks up to.




18 posts

Geek


  Reply # 1955703 12-Feb-2018 13:54

nas:

 

For video you really want low latency, so unless you can get a decent NZ based VPS your best option would be to find an ISP that doesn't use CGNAT.

 

Or one that can provide a static or public IP

 

Good thought on the latency. My DVR is older analog which may not be so hungry on the resources. I do have one IP camera though it's not currently in use.

Yes, had I known about CGNAT I wouldn't have moved.




18 posts

Geek


  Reply # 1955721 12-Feb-2018 14:00

sbiddle:

 

CGNAT won't become more prevalent except for low-cost RSPs that don't want to fork out for IPv4 address space. Some such as Bigpipe offer a public address for a one-off fee.

As your requirements are for a public IP, your best option would be to move to an RSP that offers one rather than CG-NAT.

Secondly you should never ever port forward to IP cameras or an NVR/DVR for surveillance. Never. Ever. Most people use port forwards without understanding the massive security risks it opens their networks up to.

I'm guessing it will mean a defined margin between those that have and those that don't. Yes, if I'd only opted for Bigpipe, I could fix the IP.

As I understand it, breaking the contract has a $249 penalty clause.

I never had a problem with hackers/security but there's always a first time.


26772 posts

Uber Geek
+1 received by user: 6248

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 1955781 12-Feb-2018 14:58
6 people support this post

CGNAT:

 

I never had a problem with hackers/security but there's always a first time.

In all seriousness unless you're logging all traffic connecting to your device and reviewing this you wouldn't have a clue in the world if you had ever been hacked. There should never be a first time, because you should be taking steps to ensure it doesn't happen.

The fact this is an older device raises even more alarm bells, the reality is it probably is insecure. People couldn't care less about your cameras, they merely want access to your hardware for DDoS or crypto mining.

I wrote this a while ago in response to people who can't understand the issues https://www.geekzone.co.nz/sbiddle/8941 - and the reality is what I wrote then is actually far more important now. If you port forward and expose your devices you're not only compromising your own security, you're potentially compromising the Internet as a whole if your devices are used for malicious attacks.

I'm sorry if this sounds harsh - but dealing with the consequences of people who do things like this ends up often being my job, and in so many cases it's people saying "nobody told me I shouldn't do this" which is why I ensure people who do have insecure setups fully understand the risks of what they're doing.

 

Configuring a port forward to any device is like leaving your house door wide open. It doesn't mean somebody will walk in and steal your stuff, but you've made it very easy for them to do it.
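
The log review described in the post above could look like this on a Linux-based router that logs forwarded connections with an iptables LOG rule. This is an added example, not part of the original post; the abbreviated log lines, the DVR address and port, and the `KNOWN_SOURCES` allowlist are constructed sample values.

```python
import re
from collections import Counter

# Constructed sample values (assumptions, not from a real network).
DVR_IP = "192.168.1.69"            # internal address the port forward points at
DVR_PORT = 2232                    # forwarded port
KNOWN_SOURCES = {"203.0.113.10"}   # addresses you expect, e.g. your workplace

# Constructed, abbreviated lines in iptables LOG style.
SAMPLE_LOG = """\
Feb 12 14:01:07 router kernel: FWD IN=ppp0 OUT=br0 SRC=203.0.113.10 DST=192.168.1.69 PROTO=TCP SPT=51844 DPT=2232 SYN
Feb 12 14:03:41 router kernel: FWD IN=ppp0 OUT=br0 SRC=198.51.100.23 DST=192.168.1.69 PROTO=TCP SPT=40112 DPT=2232 SYN
Feb 12 14:03:42 router kernel: FWD IN=ppp0 OUT=br0 SRC=198.51.100.23 DST=192.168.1.69 PROTO=TCP SPT=40113 DPT=2232 SYN
Feb 12 14:09:15 router kernel: FWD IN=ppp0 OUT=br0 SRC=198.51.100.77 DST=192.168.1.69 PROTO=TCP SPT=33890 DPT=2232 SYN
Feb 12 14:10:02 router kernel: FWD IN=ppp0 OUT=br0 SRC=198.51.100.23 DST=192.168.1.69 PROTO=TCP SPT=40120 DPT=2232 SYN
Feb 12 14:11:30 router kernel: FWD IN=ppp0 OUT=br0 SRC=198.51.100.99 DST=192.168.1.50 PROTO=TCP SPT=50001 DPT=443 SYN
"""

FIELD = re.compile(r"\b(SRC|DST|DPT)=(\S+)")


def unexpected_sources(log_text, dvr_ip=DVR_IP, dvr_port=DVR_PORT,
                       known=KNOWN_SOURCES):
    """Count connection attempts to the forwarded DVR port per unknown source."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if fields.get("DST") != dvr_ip or fields.get("DPT") != str(dvr_port):
            continue  # not traffic for the forwarded port
        src = fields.get("SRC")
        if src and src not in known:
            hits[src] += 1
    return hits.most_common()  # busiest unknown sources first


if __name__ == "__main__":
    for src, count in unexpected_sources(SAMPLE_LOG):
        print(f"{src}: {count} connection attempts to {DVR_IP}:{DVR_PORT}")
```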

 

 


4966 posts

Uber Geek
+1 received by user: 1577


  Reply # 1955805 12-Feb-2018 15:25
One person supports this post

I realise that you've only just heard of CGNAT, but this is not a new thing, ISPs have been doing it for years. There's plenty of info here if you search, but in practice, it's very simple.

 

1) It's just another level of NAT, like your existing router is probably doing.

 

2) It's no impediment to the average user

 

3) It will prevent any incoming connection, because there is no public IP address to connect to.

 

4) A good portion of the things it prevents shouldn't be done anyway, as they are a significant security risk as @sbiddle has already pointed out.

 

5) For those that genuinely need a public IP address, shop around for a provider that suits you better, don't go for the cheapest product you can find.
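
Points 1 and 3 above can be checked from the address on the router's WAN status page: an address in 100.64.0.0/10 (the shared address space RFC 6598 reserves for carrier-grade NAT) or in a private RFC 1918 range means there is no public address to forward from. This is an added example, not part of the original post; the function names and the sample addresses (taken from documentation ranges) are assumptions.

```python
import ipaddress

# RFC 6598 shared address space, reserved for carrier-grade NAT.
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges: the WAN side sits behind some other NAT.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(wan_ip, seen_from_outside=None):
    """Classify the router's IPv4 WAN address.

    wan_ip             address shown on the router's WAN/status page
    seen_from_outside  address an external "what is my IP" service reports
                       (optional)
    """
    wan = ipaddress.IPv4Address(wan_ip)
    if wan in CGNAT_NET:
        return "cgnat"
    if any(wan in net for net in PRIVATE_NETS):
        return "private-upstream"
    if (seen_from_outside is not None
            and ipaddress.IPv4Address(seen_from_outside) != wan):
        return "nat-mismatch"  # WAN looks public but is still translated
    return "public"


def inbound_possible(wan_ip, seen_from_outside=None):
    """Port forwarding can only work when the router holds the public address."""
    return classify_wan(wan_ip, seen_from_outside) == "public"


if __name__ == "__main__":
    # Constructed sample addresses.
    for wan, seen in [("100.72.14.9", "203.0.113.7"),
                      ("10.20.30.40", "203.0.113.7"),
                      ("203.0.113.7", "198.51.100.20"),
                      ("203.0.113.7", "203.0.113.7")]:
        print(wan, seen, classify_wan(wan, seen), inbound_possible(wan, seen))
```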


2106 posts

Uber Geek
+1 received by user: 525


  Reply # 1955977 12-Feb-2018 20:08

Unless you're in a contract you're probably better to move to Bigpipe, Skinny Broadband is literally rebadged Bigpipe, and Bigpipe will give you a static IP for a fee. You can use the same modem with Bigpipe.




18 posts

Geek


  Reply # 1956175 13-Feb-2018 09:46

sbiddle:

 

In all seriousness unless you're logging all traffic connecting to your device and reviewing this you wouldn't have a clue in the world if you had ever been hacked. There should never be a first time, because you should be taking steps to ensure it doesn't happen.

 

The fact this is an older device raises even more alarm bells, the reality is it probably is insecure. People couldn't care less about your cameras, they merely want access to your hardware for DDoS or crypto mining.

I wrote this a while ago in response to people who can't understand the issues https://www.geekzone.co.nz/sbiddle/8941 - and the reality is what I wrote then is actually far more important now. If you port forward and expose your devices you're not only compromising your own security, you're potentially compromising the Internet as a whole if your devices are used for malicious attacks.

I'm sorry if this sounds harsh - but dealing with the consequences of people who do things like this ends up often being my job, and in so many cases it's people saying "nobody told me I shouldn't do this" which is why I ensure people who do have insecure setups fully understand the risks of what they're doing.

 

Configuring a port forward to any device is like leaving your house door wide open. It doesn't mean somebody will walk in and steal your stuff, but you've made it very easy for them to do it.

 

Thanks for the wake up call re security. The article you wrote was excellent. Bad thinking people are always going to be out there. They prey on the unwary.

 

Your article points to VPN as the only safe way so I suppose the real question is, can it work to get around CGNAT (in theory)? I've been studying the subject and it appears as though I need a VPS to connect to my HG659 VPN L2TP. Is this the basis of it?

 

Thanks.




18 posts

Geek


  Reply # 1966177 28-Feb-2018 23:01

After 2 weeks of studying various options I got the first workaround going.  This is how...

 

I opened a free account at NGROK. They have a lightweight tool that creates a secure tunnel on your local machine along with a public URL.

 

The ngrok.exe file now lives on the desktop for convenience. When I open it, a window appears into which I type the command line (example):

ngrok http 192.168.1.69:2232

The 192.168... is the IP address of the DVR and the 2232 is its designated web port.

Next step is to copy the forwarding address, example: http://823476f8.ngrok.io and email it to myself. Then open my Samsung Galaxy and open the email. The link is clickable and will open as a URL.

 

My cameras update a still pic every 6 seconds so no problem for any bandwidth limitation.

 

I'm posting here in detail in case it helps.

 

Looking ahead I thought maybe a batch file to automate the process. One downside is if there's a power failure or service interruption. I plan to study the Ngrok website as the paid plans might have better features.

 

 

 

So that's one workaround for CGNAT. Currently looking at others... Hope this helps.


21286 posts

Uber Geek
+1 received by user: 4291

Trusted
Subscriber

  Reply # 1966191 28-Feb-2018 23:37

If the product you bought from the ISP isn't fit for purpose then bring that up with them if they are expecting to enforce any contract terms.





Richard rich.ms

50 posts

Geek


  Reply # 1970390 7-Mar-2018 10:05

I'm glad I came on here before switching over to Skinny.
First time I had heard of CGNAT also.

Currently with Spark which I have passed my contract to leave date, and have realized I never use any of the extra features that Spark provide. Lightbox, Netflix etc. Just plain unlimited Fibre.

Now the reason I wanted to change over to Skinny was because Skinny price for "Unlimited Fibre Ultra" Max Speed is cheaper than my Spark Fibre100. So sounds like the ideal thing to do.

UNTIL I came on here lol...

So I understand at a low level what CGNAT is and why cheaper ISPs are doing it. But I have not gone into depth on what this can cause for me regarding a few things...

Without using a VPS service.
1: Console Gaming (NOT PC). Would that mean open nat port is impossible on CGNAT?

2: I have a VPN service / seedbox to errr umm store stuff............ Can this affect the speed / setup in any way?

3: I also have a CCTV setup NVR. That I can access via a phone iOS app. I have never FWD a port to allow this to work, just plug and play?
Never really looked into how this is all connected, I just assumed it uses some secure portal that the app connects to :/  Should I be worried?

Does CGNAT affect DL / UL speeds in any way?

 

 


1492 posts

Uber Geek
+1 received by user: 559


  Reply # 1970430 7-Mar-2018 10:54

Xplaya:

 

 

 

Without using a VPS service.
1: Console Gaming (NOT PC). Would that mean open nat port is impossible on CGNAT?

2: I have a VPN service / seedbox to errr umm store stuff............ Can this affect the speed / setup in any way?

3: I also have a CCTV setup NVR. That I can access via a phone iOS app. I have never FWD a port to allow this to work, just plug and play?
Never really looked into how this is all connected, I just assumed it uses some secure portal that the app connects to :/  Should I be worried?

4: Does CGNAT affect DL / UL speeds in any way?

 

 

 

 

1. Yes

 

2. No, because the seedbox is outside your ISP's network so it won't be affected by CGNAT

 

3. Needs more detail on how exactly it is setup.

 

4. No, you can expect near-gigabit speeds on the gigabit plan, even on CGNAT


50 posts

Geek


  Reply # 1970666 7-Mar-2018 13:41

DarkShadow:

 

Xplaya:

 

 

 

Without using a VPS service.
1: Console Gaming (NOT PC). Would that mean open nat port is impossible on CGNAT?

2: I have a VPN service / seedbox to errr umm store stuff............ Can this affect the speed / setup in any way?

3: I also have a CCTV setup NVR. That I can access via a phone iOS app. I have never FWD a port to allow this to work, just plug and play?
Never really looked into how this is all connected, I just assumed it uses some secure portal that the app connects to :/  Should I be worried?

4: Does CGNAT affect DL / UL speeds in any way?

 

 

 

 

2. No, because the seedbox is outside your ISP's network so it won't be affected by CGNAT

 

3. Needs more detail on how exactly it is setup.

 

4. No, you can expect near-gigabit speeds on the gigabit plan, even on CGNAT

 

 

2. Sorry I should have asked, would it affect my FTP speed to the seedbox.

3. I will get back to you on this one....

 

4. 1 thing popped up in my head. Under the Spark thread "Spark is not doing any shaping on ADSL, VDSL or Fibre"
Is this the same for Skinny also?




18 posts

Geek


  Reply # 1970686 7-Mar-2018 14:03

Xplaya:

 

I'm glad I came on here before switching over to Skinny.
First time I had heard of CGNAT also.

Currently with Spark which I have passed my contract to leave date, and have realized I never use any of the extra features that Spark provide. Lightbox, Netflix etc. Just plain unlimited Fibre.

Now the reason I wanted to change over to Skinny was because Skinny price for "Unlimited Fibre Ultra" Max Speed is cheaper than my Spark Fibre100. So sounds like the ideal thing to do.

UNTIL I came on here lol...

Does CGNAT affect DL / UL speeds in any way?

OK, I saved someone from a frustrating time. My efforts have been rewarded. The fact that Skinny BB doesn't allow port forwarding is a bit too hard to find in their documentation.

 

 

 

I tested download speeds through Skinny CGNAT:

 

34.5 Mbps down

 

13.6 Mbps up

 

Skinny claim: Most VDSL lines run between 10 and 30Mbps down, and 3-10Mbps upload. Some VDSL lines can run even faster than this if your address is close to the cabinet.

 

So I'm good for speed according to them.


1492 posts

Uber Geek
+1 received by user: 559


  Reply # 1970730 7-Mar-2018 15:22

Xplaya:

 

DarkShadow:

 

Xplaya:

 

 

 

Without using a VPS service.
1: Console Gaming (NOT PC). Would that mean open nat port is impossible on CGNAT?

2: I have a VPN service / seedbox to errr umm store stuff............ Can this affect the speed / setup in any way?

3: I also have a CCTV setup NVR. That I can access via a phone iOS app. I have never FWD a port to allow this to work, just plug and play?
Never really looked into how this is all connected, I just assumed it uses some secure portal that the app connects to :/  Should I be worried?

4: Does CGNAT affect DL / UL speeds in any way?

 

 

 

 

2. No, because the seedbox is outside your ISP's network so it won't be affected by CGNAT

 

3. Needs more detail on how exactly it is setup.

 

4. No, you can expect near-gigabit speeds on the gigabit plan, even on CGNAT

 

 

2. Sorry I should have asked, would it affect my FTP speed to the seedbox.

3. I will get back to you on this one....

 

4. 1 thing popped up in my head. Under the Spark thread "Spark is not doing any shaping on ADSL, VDSL or Fibre"
Is this the same for Skinny also?

 

 

2. No

 

4. No one shapes domestic broadband anymore, no need to worry.

