New Fiber Network, CGNATT'ed to Death

Well I’ll try it out hope Unraid has some kind of integration.

Zerotier is basically the same thing as well. I use it extensively. Very good at making connections. If you have internet 99% of the time it will connect.

+1 for tailscale. I’ve setup WireGuard manually w/Linode (per Ryan’s tutorial) and it works but then you have to manually manage all the keys which is a big hassle unless you just have a few hosts that never change. Even so, tailscale has a lot of nice value-add features (magic DNS is my favorite). They have a free tier (your first few hosts). Looks like someone wrote some tailscale-to-unraid glue to get your NAS side setup.

I’m assuming you have fiber going to an ONT and then their locked down router?

Have you tried calling and asking to talk to the area’s network engineer?

I had a very similar scenario. I setup a barebones pfsense router to connect to their router. Once I felt like I got the hang of it and felt fairly secure, I called them up and asked if they could take their router out and let me hook directly to the fiber ONT with my router. They were able to do everything on their end over a phone call and it worked beautifully.

I am doing this through a local/municipal ISP, and was able to talk directly to one of their network engineers, so your mileage may vary. I don’t think there is any hope of this working with any of the national brands :frowning:

What i assume that might be going on here is that your,
isp does not give you a full dual stack ip configuration.
But rather DS lite which means that you get a dedicated public ipv6 adress range,
and a shared ipv4 (CGnat).
In that case you can´t do port forwarding like you used to indeed.
But there are likely other alternative methods to get it to work.

1 Like

Oh man you’re right, it’s the day lite thing we get a public IPV6 but a CGNAT IPV4 it’s a pain to setup external services just wanted to be a bit more privacy minded

Yup I tried that once with the ISP they flatly refused, hey I know I’m no tech genius but even I could have setup a offense firewall. The ISP blatantly said we do not allow third party Devices connected to our ONT due to security hey I don’t blame them.

Well I’m off trying tailscale lord help me.

Well maybe they only support full dual stack for business type clients.
But like already mentioned above maybe Tailscale might work.

I personally view thises as more band-aids to what could be a self hosted solution. thats me though…

Dual stack isnt really needed. CGNAT can be made transparent whats occuring here is his ISP has it in their ToS that he is NOT allowed to host ANYTHING out of his HOME connection. Those are keywords there. Violating or getting caught violating that results in termination of service.

Try again. Wireguard is useful. Here man

Ive written all of these. The reason wireguard wont ping is because their documentation doesnt discuss the necessary IPtables and firewall rules. It also doesnt discuss setting up proper static routes

Good luck!

Disclaimer: I, being PLL or L1T, am/are not responsible for breakage. YMMV. Support on guides offered on a per my own free time basis. I am also not responsible for termination of ISP provided services in case you are circumventing their TOS.

Depends on how you handle it tbch.

You can let it run network wide. Provide static routes or have a router force all through if thats your goal

LOTS of ways to set it up that few people actually see because their docs aint great

if it fails try wg again. self host its worth controlling your endpoint security

Ah well yeah, then they likely won’t be cooperative with anything i guess. :slight_smile:

1 Like

6 can be NAT’d by the way. Its called NAT64 and NAT 66… lol

Any how… yeah he needs to be aware of the ToS (terms of service) before venturing into solutions

There is a selfhosted tailscale server called headscale. And tailscale does run on top of wireguard.


Interesting … its seems to be a software defined VPN of sorts. (might not be the correct word for it)

1 Like

Software defined WAN

1 Like

I would like to thank PhaseLockedLoop for his immensely helpful guides, you helped me setup Wireguard successfully and now I can share with my family my Jellyfin Server. Also thanks to other forum members with their constructive suggestions.


Now I’m getting curious…

… I saw Headscale mentioned in the Self-Hosted 54: Ultimate Off-Site Setup show notes, and it got me wondering what different setups people have.

1 Like

I’m currently using a wireguard setup through linode to access my services.

1 Like

So in your setup, (I’m guessing), Linode is just acting as a router or a VPN concentrator in corp-speek. … it might be a SPoF (single point of failure), but since it’s on linode that makes it fairly reliable and you don’t care much?

I like the idea of Tailscale (or Headscale) building a “mesh” or, direct VPN tunnels between each two nodes, and also working its own way around NATs…

… Tailscale apparently allows for using a “github community” for family / household type use cases… and I think their “free” tier now allows for more stuff than it did 6 months ago.

… this is why I’m curious.

Yes got a few VMs on Proxmox and a few docker containers on Unraid essentially are Jellyfin, Nextcloud and a few others. Yes Linode is pretty good with uptime well better than AWS. Mainly use this way so my friends and family as well as I can use a domain instead of everyone installing or wrangling with non-tech people on setting up Tailscale.