New Fiber Network, CGNATT'ed to Death

Hi everyone, New Guy been following Level1Techs on YT For a while, love their news of the week, after all the privacy scares and a few backup drive failures, I switched to Unraid last year during the pandemic loving it, I’ve a great ISP which gives a .5GB connections for under 40$ Unlimited(Truly Unlimited) I’m running everything locally as much as i can from Nextcloud to Vaultwarden on my Unraid Servers, I wanted to access these services externally yet I haven’t been able to setup anything externally the ISP provides its completely locked Router with almost no port forwarding even after repeated requests, I have a domain, i tried to Wireguard into a Linode instance can’t even get those two to ping, DDNS Services can’t seem to find my IP any solutions, I’m at my wits end.

P.S. I am a kind of an idiot.

Tailscale is pretty good at punching holes without you having to do anything.

1 Like

Well I’ll try it out hope Unraid has some kind of integration.

Zerotier is basically the same thing as well. I use it extensively. Very good at making connections. If you have internet 99% of the time it will connect.

+1 for tailscale. I’ve setup WireGuard manually w/Linode (per Ryan’s tutorial) and it works but then you have to manually manage all the keys which is a big hassle unless you just have a few hosts that never change. Even so, tailscale has a lot of nice value-add features (magic DNS is my favorite). They have a free tier (your first few hosts). Looks like someone wrote some tailscale-to-unraid glue to get your NAS side setup.

I’m assuming you have fiber going to an ONT and then their locked down router?

Have you tried calling and asking to talk to the area’s network engineer?

I had a very similar scenario. I setup a barebones pfsense router to connect to their router. Once I felt like I got the hang of it and felt fairly secure, I called them up and asked if they could take their router out and let me hook directly to the fiber ONT with my router. They were able to do everything on their end over a phone call and it worked beautifully.

I am doing this through a local/municipal ISP, and was able to talk directly to one of their network engineers, so your mileage may vary. I don’t think there is any hope of this working with any of the national brands :frowning:

What i assume that might be going on here is that your,
isp does not give you a full dual stack ip configuration.
But rather DS lite which means that you get a dedicated public ipv6 adress range,
and a shared ipv4 (CGnat).
In that case you can´t do port forwarding like you used to indeed.
But there are likely other alternative methods to get it to work.

1 Like

Oh man you’re right, it’s the day lite thing we get a public IPV6 but a CGNAT IPV4 it’s a pain to setup external services just wanted to be a bit more privacy minded

Yup I tried that once with the ISP they flatly refused, hey I know I’m no tech genius but even I could have setup a offense firewall. The ISP blatantly said we do not allow third party Devices connected to our ONT due to security hey I don’t blame them.

Well I’m off trying tailscale lord help me.

Well maybe they only support full dual stack for business type clients.
But like already mentioned above maybe Tailscale might work.

I personally view thises as more band-aids to what could be a self hosted solution. thats me though…

Dual stack isnt really needed. CGNAT can be made transparent whats occuring here is his ISP has it in their ToS that he is NOT allowed to host ANYTHING out of his HOME connection. Those are keywords there. Violating or getting caught violating that results in termination of service.

Try again. Wireguard is useful. Here man

Ive written all of these. The reason wireguard wont ping is because their documentation doesnt discuss the necessary IPtables and firewall rules. It also doesnt discuss setting up proper static routes

Good luck!

Disclaimer: I, being PLL or L1T, am/are not responsible for breakage. YMMV. Support on guides offered on a per my own free time basis. I am also not responsible for termination of ISP provided services in case you are circumventing their TOS.

Depends on how you handle it tbch.

You can let it run network wide. Provide static routes or have a router force all through if thats your goal

LOTS of ways to set it up that few people actually see because their docs aint great

if it fails try wg again. self host its worth controlling your endpoint security

Ah well yeah, then they likely won’t be cooperative with anything i guess. :slight_smile:

1 Like

6 can be NAT’d by the way. Its called NAT64 and NAT 66… lol

Any how… yeah he needs to be aware of the ToS (terms of service) before venturing into solutions

There is a selfhosted tailscale server called headscale. And tailscale does run on top of wireguard.


Interesting … its seems to be a software defined VPN of sorts. (might not be the correct word for it)

1 Like

Software defined WAN

1 Like

I would like to thank PhaseLockedLoop for his immensely helpful guides, you helped me setup Wireguard successfully and now I can share with my family my Jellyfin Server. Also thanks to other forum members with their constructive suggestions.


Now I’m getting curious…

… I saw Headscale mentioned in the Self-Hosted 54: Ultimate Off-Site Setup show notes, and it got me wondering what different setups people have.

1 Like

I’m currently using a wireguard setup through linode to access my services.

1 Like