ISP level NAT bypass

In a fit of rage a few weeks ago I canceled my cable internet connection. I then went to my local telecom provider and got an unlimited SIM card. It's actually cheaper by a few euros than I was paying for the landline. I was up and running; speed was a lot better, 175 down 100 up, and the biggest win: 0 drops in over 3 weeks. The problem I am now facing is that I am behind a double NAT situation. My LTE modem is in pass-through mode and works fine, but the IP I am getting from my ISP falls into 100.67.x.x. Googling "what's my IP" shows that I'm 80.187.103.x, thus double NAT. From my googling, this is a common practice on LTE. Now I am stuck with an amazing internet connection that I cannot host services on: Plex, Nextcloud, a Minecraft server, you get the idea. My first idea was to just fire up a VPN, but no dice. I now understand why I cannot port forward on/through a VPN. My next idea involves using ZeroTier and a VPS, but I'm not sure how to make that work in practice, or if it even can. Anyone have an idea or a guide to point me at? If not, let's make one!
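The check described in the post above, comparing the router's WAN address with the address an external "what's my IP" service reports, can be scripted. This is an added example, not part of the original thread; the function names and the sample addresses in the comments are constructed for illustration.

```python
import ipaddress

# IPv4 blocks that are never routed on the public internet.
CGNAT = ipaddress.ip_network("100.64.0.0/10")   # RFC 6598 shared address space
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(addr):
    """Label an address by the kind of network it belongs to."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        return "ipv6"
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    return "public"

def diagnose(wan_addr, seen_from_internet):
    """Compare the router's WAN address with the externally observed one.

    wan_addr           -- address on the router/modem WAN interface
    seen_from_internet -- address reported by an external IP-echo service
    """
    wan_class = classify(wan_addr)
    translated = (ipaddress.ip_address(wan_addr)
                  != ipaddress.ip_address(seen_from_internet))
    if wan_class == "public" and not translated:
        advice = "no upstream NAT: a port forward on the router is enough"
    elif wan_class == "cgnat":
        advice = "carrier-grade NAT: inbound needs IPv6 or an outbound tunnel"
    elif wan_class == "rfc1918":
        advice = "another private NAT upstream: bridge it or tunnel out"
    else:
        advice = "addresses differ: something upstream rewrites traffic"
    return {
        "wan_class": wan_class,
        "translated_upstream": translated,
        "port_forward_works": wan_class == "public" and not translated,
        "advice": advice,
    }

if __name__ == "__main__":
    # Constructed sample: a WAN address in the CGNAT block and a
    # documentation-range address standing in for the public one.
    print(diagnose("100.67.0.10", "198.51.100.7"))
```
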

Not sure about ZeroTier, but there’s this thing called Tailscale which will probably do what you want, punching holes through NAT and setting up WireGuard for you.

Maybe you don’t need a VPS or a public IP with it, but you could use it with a VPS as well.

Can you get an IPv6 address? Most of the phone companies are extremely limited on IPv4 as you discovered, but IPv6 seems to be well supported by mobile carriers.


You can if you control the VPN (on a VPS presumably). But you are essentially paying for the bandwidth twice at that point.

Agree with @zlynx that IPv6 is your best option if available.

I will have to look into that. I am assuming I would, in theory, kill the IPv4 on my WAN port and just have IPv6 enabled to test if it would work.


You should be able to have both addresses, but you’ll need to serve on the IPv6.

So I am not getting served an IPv6 address, so kinda not looking good for the home team.

Companies often use LTE as a backup, and as such these companies sometimes offer removing NAT. Call them up and ask if they have a business tier that would provide a direct IPv4 address.

For personal devices and such, WireGuard or ZeroTier would work great. Install it on your Plex server and on your phone and every device as needed. If you have a friend that’s a heavy Plex user, maybe ask them to house a small box you could use as a proxy per se.

I am not surprised. ISPs develop fast and loose.

Outside of dealing with them, you have two options:

  1. Be a part of a VPN - great for creating a safe haven (DMZ) for a limited number of specific users. Can be designed to lower latency as much as possible.
  2. Use a proxy service - great for serving specific data.

A VPS can provide both; implementation can be as simple as an SSH tunnel or as complicated as HAProxy (video and guide on the LeveL1 YT Channel).
Minecraft over LTE and VPN will likely have too much lag, so you could run it online too.
Some services already use public proxy servers - like Plex or Syncthing. It is very prevalent these days.

I wish you good luck and as you approach or read more - share and ask away.

Thank you all for reading my woes! For speed and kinda ping (family in the States, so always 150+), my LTE connection is the best (uptime) and fastest I have had in my life. I can game and stream and not know the wife is on Netflix. On a good day I am pulling around 220Mb down and 160Mb up (4K 60fps, anyone?). For the folks that I would want to share my Plex with, now that bandwidth is much less of an issue, doing anything besides running Plex is beyond them. I will dig into the HAProxy mentioned above, and most of all thanks for the bread crumbs to get me going! Much better than "bam, drop this script and go".

So after some digging around and reading the post about HAProxy, it sounds perfect, but I do not think it will work in my situation, where I cannot even port forward any ports because of the double NAT situation.

It would, as you can reverse through NAT: if you have a public VPS running HAProxy, you can create a persistent outgoing connection to the VPS and route the traffic back through it.

It would also allow you to hide the DNS/IP of your PC. (Not from a person in the middle with a privileged position. For each packet there will be a similar-sized one sent to your PC, generating an obvious pattern over time.)
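The reverse-through-NAT idea from the reply above, as a loopback sketch: the home side only dials out, and the VPS side pairs each visitor with a parked tunnel. This is an added example, not code from the thread or from HAProxy; all names are hypothetical, it serves one visitor per tunnel, and the tunnel listener has no authentication or encryption, which SSH or WireGuard would supply on a real VPS.

```python
import asyncio

LOOPBACK = "127.0.0.1"  # all three roles run on one host in this demo

async def pipe(reader, writer):
    # Copy bytes one way until EOF, then close the receiving side.
    try:
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
    except ConnectionError:
        pass
    finally:
        writer.close()

async def start_vps():
    # VPS role: a public listener for visitors, a second listener for tunnels.
    idle = asyncio.Queue()
    async def on_tunnel(r, w):
        await idle.put((r, w))               # park the connection dialled in from home
    async def on_visitor(r, w):
        tr, tw = await idle.get()            # wait until a tunnel is parked
        await asyncio.gather(pipe(r, tw), pipe(tr, w))
    tunnel_srv = await asyncio.start_server(on_tunnel, LOOPBACK, 0)
    public_srv = await asyncio.start_server(on_visitor, LOOPBACK, 0)
    return public_srv, tunnel_srv

async def home_agent(tunnel_port, service_port):
    # Home role: outbound connections only, so no port forward is needed.
    tr, tw = await asyncio.open_connection(LOOPBACK, tunnel_port)
    first = await tr.read(65536)             # blocks until a visitor sends data
    if first:
        sr, sw = await asyncio.open_connection(LOOPBACK, service_port)
        sw.write(first)
        await asyncio.gather(pipe(tr, sw), pipe(sr, tw))

async def _demo(message):
    port = lambda srv: srv.sockets[0].getsockname()[1]
    # pipe() doubles as an echo handler: the stand-in for a service at home.
    service = await asyncio.start_server(pipe, LOOPBACK, 0)
    public_srv, tunnel_srv = await start_vps()
    agent = asyncio.create_task(home_agent(port(tunnel_srv), port(service)))
    r, w = await asyncio.open_connection(LOOPBACK, port(public_srv))
    w.write(message)
    reply = await asyncio.wait_for(r.readexactly(len(message)), timeout=5)
    agent.cancel()
    for srv in (service, public_srv, tunnel_srv):
        srv.close()
    return reply

def demo(message=b"hello via tunnel"):
    return asyncio.run(_demo(message))
```
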

I finally got a working solution! The YouTube algorithm served me a video about OpenMPTCProuter. I get some of the ins and outs, and the bonding works great as well. It was a simple solution to a PIA problem. I am running it on bare metal, which is total overkill, but I had a box in the rack doing nothing and it had 6 eth ports. Another upside: I am finally running more than one network, so if I want to expose internal services to the world I can, with a reduced threat surface. I am thinking about making a short video about the topic and going through the steps I did to get it working. Below are the links to the project and the video that got me going