Geekzone: technology news, blogs, forums


CGNAT

58 posts

Master Geek


#229196 12-Feb-2018 12:53

Hi, I'm starting this thread to learn and possibly help others find usable workarounds for CGNAT. Two days ago I hadn't heard of CGNAT but the problem became apparent when I went to set up remote viewing for my CCTV DVR security cameras on recently joined Skinny Unlimited VDSL. I'd been using port forwarding and DDNS to facilitate camera surveillance for many years with my previous ISP.

 

Skinny confirmed today their service does not handle port forwarding. It looks like CGNAT will become more prevalent in the near future. Apart from Skinny, Bigpipe and Flip currently use CGNAT. 

 

 

 

Possible workarounds:

Set up a VPS ...apparently an account can be from US $10/yr (Thanks to poster hio77)

remot3.it ....looks really interesting and there's a free account for non commercial (which I am).

portmap.io ....Uses vpn tunnel. Russian based. Free basic account. Wouldn't be my 1st choice.

That's what I've got so far. Any thoughts and comments would be great.


dfnt
1511 posts

Uber Geek

Lifetime subscriber

  #1955681 12-Feb-2018 12:58

For video you really want low latency, so unless you can get a decent NZ based VPS your best option would be to find an ISP that doesn't use CGNAT.

 

Or one that can provide a static or public IP




sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #1955691 12-Feb-2018 13:22

CGNAT won't become more prevalent except for low cost RSPs that don't want to fork out for IPv4 address space. Some such as Bigpipe offer a public address for a one-off fee.

As your requirements are for a public IP, your best option would be to move to an RSP that offers one rather than CG-NAT.

Secondly you should never ever port forward to IP cameras or an NVR/DVR for surveillance. Never. Ever. Most people use port forwards without understanding the massive security risks it opens their networks up to.

 

 

 

 


CGNAT

58 posts

Master Geek


  #1955703 12-Feb-2018 13:54

nas:

 

For video you really want low latency, so unless you can get a decent NZ based VPS your best option would be to find an ISP that doesn't use CGNAT.

 

Or one that can provide a static or public IP

 

Good thought on the latency. My DVR is older analog which may not be so hungry on the resources. I do have one IP camera though it's not currently in use.

Yes, had I known about CGNAT I wouldn't have moved.




CGNAT

58 posts

Master Geek


  #1955721 12-Feb-2018 14:00

sbiddle:

 

CGNAT won't become more prevalent except for low cost RSPs that don't want to fork out for IPv4 address space. Some such as Bigpipe offer a public address for a one-off fee.

As your requirements are for a public IP, your best option would be to move to an RSP that offers one rather than CG-NAT.

Secondly you should never ever port forward to IP cameras or an NVR/DVR for surveillance. Never. Ever. Most people use port forwards without understanding the massive security risks it opens their networks up to.

 

I'm guessing it will mean a defined margin between those that have and those that don't. Yes, if I'd only opted for Bigpipe, I could fix the IP.

As I understand it, breaking the contract has a $249 penalty clause.

I never had a problem with hackers/security but there's always a first time.


sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #1955781 12-Feb-2018 14:58

CGNAT:

 

I never had a problem with hackers/security but there's always a first time.

 

 

In all seriousness unless you're logging all traffic connecting to your device and reviewing this you wouldn't have a clue in the world if you had ever been hacked. There should never be a first time, because you should be taking steps to ensure it doesn't happen.

 

The fact this is an older device raises even more alarm bells, the reality is it probably is insecure. People don't care less about your cameras, they merely want access to your hardware for DDoS or Crypto mining.

 

I wrote this a while ago in response to people who can't understand the issues https://www.geekzone.co.nz/sbiddle/8941 - and the reality is what I wrote then is actually far more important now. If you port forward and expose your devices you're not only compromising your own security, you're potentially compromising the Internet as a whole if your devices are used for malicious attacks.

 

I'm sorry if this sounds harsh - but dealing with the consequences of people who do things like this ends up often being my job, and in so many cases it's people saying "nobody told me I shouldn't do this" which is why I ensure people who do have insecure setups fully understand the risks of what they're doing.

 

Configuring a port forward to any device is like leaving your house door wide open. It doesn't mean somebody will walk in and steal your stuff, but you've made it very easy for them to do it.
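
An added example, not part of the post above: one way to do the "logging all traffic and reviewing it" the post describes, as a small reviewer for gateway firewall logs. It assumes the gateway writes Linux netfilter LOG-style lines; the sample log, the device address and port, and the known-client range are all constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the Linux netfilter LOG style. The DVR address, port
# and interface names are assumptions; remote addresses are documentation ranges.
SAMPLE_LOG = """\
Feb 12 03:14:07 gw kernel: FWD IN=wan OUT=lan SRC=203.0.113.9 DST=192.168.1.69 PROTO=TCP SPT=51122 DPT=2232
Feb 12 03:14:09 gw kernel: FWD IN=wan OUT=lan SRC=203.0.113.9 DST=192.168.1.69 PROTO=TCP SPT=51130 DPT=2232
Feb 12 08:01:44 gw kernel: FWD IN=wan OUT=lan SRC=198.51.100.20 DST=192.168.1.69 PROTO=TCP SPT=40211 DPT=2232
Feb 12 08:05:10 gw kernel: FWD IN=lan OUT=lan SRC=192.168.1.10 DST=192.168.1.69 PROTO=TCP SPT=60100 DPT=2232
Feb 12 09:30:01 gw kernel: FWD IN=lan OUT=wan SRC=192.168.1.69 DST=203.0.113.200 PROTO=TCP SPT=33001 DPT=23
Feb 12 09:30:02 gw kernel: FWD IN=lan OUT=wan SRC=192.168.1.69 DST=203.0.113.200 PROTO=TCP SPT=33002 DPT=23
Feb 12 09:30:03 gw kernel: FWD IN=lan OUT=wan SRC=192.168.1.69 DST=203.0.113.200 PROTO=TCP SPT=33003 DPT=23
"""

FIELD = re.compile(r"(\w+)=(\S*)")


def review(log_text, device_ip, known_clients, lan="192.168.1.0/24"):
    """Return (unknown inbound sources, outbound destinations) as Counters."""
    lan_net = ipaddress.ip_network(lan)
    known = [ipaddress.ip_network(n) for n in known_clients]
    inbound_unknown, outbound = Counter(), Counter()
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if "SRC" not in f or "DST" not in f:
            continue  # not a packet log line
        try:
            src = ipaddress.ip_address(f["SRC"])
            dst = ipaddress.ip_address(f["DST"])
        except ValueError:
            continue  # malformed address: skip rather than crash
        if f["DST"] == device_ip and src not in lan_net:
            # An internet host reached the forwarded port.
            if not any(src in net for net in known):
                inbound_unknown[f["SRC"]] += 1
        elif f["SRC"] == device_ip and dst not in lan_net:
            # The device itself is connecting out: every entry needs explaining.
            outbound[(f["DST"], f.get("DPT", "?"))] += 1
    return inbound_unknown, outbound


if __name__ == "__main__":
    unknown, out = review(SAMPLE_LOG, "192.168.1.69", ["198.51.100.0/24"])
    for ip, hits in unknown.most_common():
        print(f"unexpected inbound source {ip}: {hits} connection(s)")
    for (ip, port), hits in out.most_common():
        print(f"device connected out to {ip}:{port} {hits} time(s)")
```

A recorder that starts opening its own connections to the internet is the pattern to look for when a device has been pulled into DDoS or mining activity.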

 

 


RunningMan
8953 posts

Uber Geek


  #1955805 12-Feb-2018 15:25

I realise that you've only just heard of CGNAT, but this is not a new thing, ISPs have been doing it for years. There's plenty of info here if you search, but in practice, it's very simple.

 

1) It's just another level of NAT, like your existing router is probably doing.

 

2) It's no impediment to the average user

 

3) It will prevent any incoming connection, because there is no public IP address to connect to.

 

4) A good portion of the things it prevents shouldn't be done anyway, as they are a significant security risk as @sbiddle has already pointed out.

 

5) For those that genuinely need a public IP address, shop around for a provider that suits you better, don't go for the cheapest product you can find.
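
An added example, not part of the post above: a check for whether a connection is behind the extra NAT layer described in points 1 and 3, by comparing the WAN address shown on the home router's status page with the address a remote server sees. The function names are hypothetical, the sample addresses are constructed, and only IPv4 is considered.

```python
import ipaddress

# RFC 6598 shared address space, set aside for carrier-grade NAT.
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges, listed explicitly: ip.is_private also covers
# documentation and other special ranges, which is too broad here.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(router_wan_ip, externally_seen_ip):
    """Classify the link from the router's WAN address and the source
    address a server on the internet sees for its outgoing traffic."""
    wan = ipaddress.ip_address(router_wan_ip)
    seen = ipaddress.ip_address(externally_seen_ip)
    if wan in CGNAT_NET:
        return "cgnat"             # ISP handed out shared address space
    if any(wan in net for net in RFC1918):
        return "private-upstream"  # ISP NAT or a second router in front
    if wan != seen:
        return "translated"        # public-looking, but rewritten upstream
    return "public"                # the router really owns the public address


def port_forward_can_work(router_wan_ip, externally_seen_ip):
    """A forward on the home router only helps if inbound traffic reaches it."""
    return classify_wan(router_wan_ip, externally_seen_ip) == "public"


if __name__ == "__main__":
    # Constructed samples: (router WAN address, address seen by a remote server)
    for wan, seen in [("100.72.13.5", "203.0.113.40"),
                      ("10.0.0.2", "203.0.113.40"),
                      ("198.51.100.7", "203.0.113.40"),
                      ("203.0.113.40", "203.0.113.40")]:
        print(wan, seen, classify_wan(wan, seen),
              port_forward_can_work(wan, seen))
```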


Yabanize
2350 posts

Uber Geek


  #1955977 12-Feb-2018 20:08

Unless you're in a contract you're probably better to move to Bigpipe, Skinny Broadband is literally rebadged Bigpipe, and Bigpipe will give you a static IP for a fee. You can use the same modem with Bigpipe.


 
 
 

CGNAT

58 posts

Master Geek


  #1956175 13-Feb-2018 09:46

sbiddle:

 

In all seriousness unless you're logging all traffic connecting to your device and reviewing this you wouldn't have a clue in the world if you had ever been hacked. There should never be a first time, because you should be taking steps to ensure it doesn't happen.

 

The fact this is an older device raises even more alarm bells, the reality is it probably is insecure. People don't care less about your cameras, they merely want access to your hardware for DDoS or Crypto mining.

 

I wrote this a while ago in response to people who can't understand the issues https://www.geekzone.co.nz/sbiddle/8941 - and the reality is what I wrote then is actually far more important now. If you port forward and expose your devices you're not only compromising your own security, you're potentially compromising the Internet as a whole if your devices are used for malicious attacks.

 

I'm sorry if this sounds harsh - but dealing with the consequences of people who do things like this ends up often being my job, and in so many cases it's people saying "nobody told me I shouldn't do this" which is why I ensure people who do have insecure setups fully understand the risks of what they're doing.

 

Configuring a port forward to any device is like leaving your house door wide open. It doesn't mean somebody will walk in and steal your stuff, but you've made it very easy for them to do it.

 

Thanks for the wake up call re security. The article you wrote was excellent. Bad thinking people are always going to be out there. They prey on the unwary.

 

Your article points to VPN as the only safe way so I suppose the real question is, can it work to get around CGNAT (in theory)? I've been studying the subject and it appears as though I need a VPS to connect to my HG659 VPN L2TP. Is this the basis of it?

 

Thanks.


CGNAT

58 posts

Master Geek


  #1966177 28-Feb-2018 23:01

After 2 weeks of studying various options I got the first workaround going.  This is how...

 

I opened a free account at NGROK. They have a lightweight tool that creates a secure tunnel on your local machine along with a public URL.

 

The ngrok.exe file now lives on the desktop for convenience. When I open it, a window appears to which I type the command line (example):

 

ngrok http 192.168.1.69:2232

 

The 192.168... is the IP address of the DVR and the 2232 is its designated web port.

Next step is to copy the forwarding address, example: http://823476f8.ngrok.io and email to myself. Then open my Samsung Galaxy and open the email. The link is clickable and will open as a URL.

 

My cameras update a still pic every 6 seconds so no problem for any bandwidth limitation.

 

I'm posting here in detail in case it helps.

 

Looking ahead I thought maybe a batch file to automate the process. One downside is if there's a power failure or service interruption. I plan to study the Ngrok website as the paid plans might have better features.

 

 

 

So that's one workaround for CGNAT. Currently looking at others... Hope this helps.


richms
28168 posts

Uber Geek

Trusted
Lifetime subscriber

  #1966191 28-Feb-2018 23:37

If the product you bought from the ISP isn't fit for purpose then bring that up with them if they are expecting to enforce any contract terms.





Richard rich.ms

Xplaya
62 posts

Master Geek


  #1970390 7-Mar-2018 10:05

I'm glad I came on here before switching over to Skinny.
First time I had heard of CGNAT also.

Currently with Spark which I have passed my contract to leave date, and have realized I never use any of the extra features that Spark provide. Lightbox, Netflix etc. Just plain unlimited Fibre.

Now the reason I wanted to change over to Skinny was because Skinny price for "Unlimited Fibre Ultra" Max Speed is cheaper than my Spark Fibre100. So sounds like the ideal thing to do.

UNTIL I came on here lol...

So I understand at a low level of what CGNAT is and why cheaper ISPs are doing it. But I have not gone into depth of what this can cause for me regarding a few things...

Without using a VPS service.
1: Console Gaming (NOT PC). Would that mean open nat port is impossible on CGNAT?

2: I have a VPN service / seedbox to errr umm store stuff............ Can this affect the speed / setup in any way?

3: I also have a CCTV setup NVR. That I can access via a phone iOS app. I have never FWD a port to allow this to work, just plug and play?
Never really looked into how this is all connected, I just assumed it uses some secure portal that the app connects to :/  Should I be worried?

Does CGNAT affect DL / UL speeds in any way?

 

 


DarkShadow
1647 posts

Uber Geek


  #1970430 7-Mar-2018 10:54

Xplaya:

 

 

 

Without using a VPS service.
1: Console Gaming (NOT PC). Would that mean open nat port is impossible on CGNAT?

2: I have a VPN service / seedbox to errr umm store stuff............ Can this affect the speed / setup in any way?

3: I also have a CCTV setup NVR. That I can access via a phone iOS app. I have never FWD a port to allow this to work, just plug and play?
Never really looked into how this is all connected, I just assumed it uses some secure portal that the app connects to :/  Should I be worried?

4: Does CGNAT affect DL / UL speeds in any way?

 

 

 

 

1. Yes

 

2. No, because the seedbox is outside your ISP's network so it won't be affected by CGNAT

 

3. Needs more detail on how exactly it is setup.

 

4. No, you can expect near-gigabit speeds on the gigabit plan, even on CGNAT


Xplaya
62 posts

Master Geek


  #1970666 7-Mar-2018 13:41

DarkShadow:

 

Xplaya:

 

 

 

Without using a VPS service.
1: Console Gaming (NOT PC). Would that mean open nat port is impossible on CGNAT?

2: I have a VPN service / seedbox to errr umm store stuff............ Can this affect the speed / setup in any way?

3: I also have a CCTV setup NVR. That I can access via a phone iOS app. I have never FWD a port to allow this to work, just plug and play?
Never really looked into how this is all connected, I just assumed it uses some secure portal that the app connects to :/  Should I be worried?

4: Does CGNAT affect DL / UL speeds in any way?

 

 

 

 

2. No, because the seedbox is outside your ISP's network so it won't be affected by CGNAT

 

3. Needs more detail on how exactly it is setup.

 

4. No, you can expect near-gigabit speeds on the gigabit plan, even on CGNAT

 

 

2. Sorry I should have asked, would it affect my FTP speed to the seedbox.

3. I will get back to you on this one....

 

4. 1 thing popped up in my head. Under the Spark thread "Spark is not doing any shaping on ADSL, VDSL or Fibre"
Is this the same for Skinny also?


CGNAT

58 posts

Master Geek


  #1970686 7-Mar-2018 14:03

Xplaya:

 

I'm glad I came on here before switching over to Skinny.
First time I had heard of CGNAT also.

Currently with Spark which I have passed my contract to leave date, and have realized I never use any of the extra features that Spark provide. Lightbox, Netflix etc. Just plain unlimited Fibre.

Now the reason I wanted to change over to Skinny was because Skinny price for "Unlimited Fibre Ultra" Max Speed is cheaper than my Spark Fibre100. So sounds like the ideal thing to do.

UNTIL I came on here lol...

Does CGNAT affect DL / UL speeds in any way?

OK, I saved someone from a frustrating time. My efforts have been rewarded. The fact that Skinny BB doesn't allow port forwarding is a bit too hard to find in their documentation.

 

 

 

I tested download speeds through Skinny CGNAT:

 

34.5 Mbps down

 

13.6 Mbps up

 

Skinny claim: Most VDSL lines run between 10 and 30Mbps down, and 3-10Mbps upload. Some VDSL lines can run even faster than this if your address is close to the cabinet.

 

So I'm good for speed according to them.


DarkShadow
1647 posts

Uber Geek


  #1970730 7-Mar-2018 15:22

Xplaya:

 

DarkShadow:

 

Xplaya:

 

 

 

Without using a VPS service.
1: Console Gaming (NOT PC). Would that mean open nat port is impossible on CGNAT?

2: I have a VPN service / seedbox to errr umm store stuff............ Can this affect the speed / setup in any way?

3: I also have a CCTV setup NVR. That I can access via a phone iOS app. I have never FWD a port to allow this to work, just plug and play?
Never really looked into how this is all connected, I just assumed it uses some secure portal that the app connects to :/  Should I be worried?

4: Does CGNAT affect DL / UL speeds in any way?

 

 

 

 

2. No, because the seedbox is outside your ISP's network so it won't be affected by CGNAT

 

3. Needs more detail on how exactly it is setup.

 

4. No, you can expect near-gigabit speeds on the gigabit plan, even on CGNAT

 

 

2. Sorry I should have asked, would it affect my FTP speed to the seedbox.

3. I will get back to you on this one....

 

4. 1 thing popped up in my head. Under the Spark thread "Spark is not doing any shaping on ADSL, VDSL or Fibre"
Is this the same for Skinny also?

 

 

2. No

 

4. No one shapes domestic broadband anymore, no need to worry.

