Posted

I'm confused.

According to my router my IP address is 100.66.218.202 - which doesn't show up as belonging to anyone on an IP check

According to a number of sites my IP address is 1.10.216.55 - correctly putting me with TOT in CNX

Is my router (a Thomson TG585 v7) telling me lies - it never used to - or is something more sinister afoot?

And is any of this linked to my inability to log onto my VPN service?

Posted (edited)

"100.66.218.202 is part of a special address block (100.64.0.0/10) that is reserved for private networks using carrier-grade NAT."

See RFC 6598 for more information.

Edited by Chicog
Posted (edited)

Thanks Chicog -

Tried tracert:

to 100.66.218.202, what my router reports as my IP, one hop in <1ms

to 1.10.216.55, what everyone reports my IP address to be, it gets 2 hops, first to the modem (on 192.168.1.252) then to 172.17.21.154 and times out. This last IP address should be part of a private network.

I checked, tracert works to the likes of the BBC all OK, but ping does not work to any site, always times out even when I increase the wait time.

Forgot, the document is far too far over my head to understand!

I'm using 192.168.1.xxx for internal IP addresses

Edited by briley
Posted

If you just don't know what Chicog is talking about: basically your ISP is doing the same thing you do at your home.

Your home has 192.168.1.xxx IP addresses, right? Anyone outside your home can't reach a device in your home with this IP address because it is a private IP address.

100.66.218.202 is a kind of private IP address of the ISP. Anyone outside their network doesn't see this IP address.

This is a kind of IP address sharing called NAT.

First your ISP splits (NATs) 1.10.216.55 into lots of IP addresses,

then your router NATs the private IP address from the ISP (100.66.218.202) to another bunch of private IP addresses (192.168.1.xxx) used at your home.
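
To make Chicog's RFC 6598 point and the two-layer NAT description above concrete, here is a small added check (example code of mine, not from the thread or any of its posters). It classifies an IPv4 address against the RFC 1918 private blocks and the RFC 6598 shared block, compares the router's WAN address with the externally observed one, and labels the tracert hops. The address values are the ones quoted in the thread; the function names, field names and the "double NAT at home" heuristic are my assumptions.

```python
"""Tell a CGN-translated WAN address from a real public one (added example, not from the thread).

A home router normally reports the same WAN address that the rest of the
Internet sees.  When the ISP runs carrier-grade NAT (RFC 6598) the router's
WAN address falls inside 100.64.0.0/10 and differs from the address reported
by an external "what is my IP" service, so there are two NAT layers in the path.
"""
from ipaddress import IPv4Address, IPv4Network, ip_address
from typing import List, Tuple

# Special-purpose IPv4 blocks that matter for this check.
SPECIAL_BLOCKS: List[Tuple[str, IPv4Network]] = [
    ("loopback",        IPv4Network("127.0.0.0/8")),     # RFC 1122
    ("link-local",      IPv4Network("169.254.0.0/16")),  # RFC 3927
    ("rfc1918-private", IPv4Network("10.0.0.0/8")),      # RFC 1918
    ("rfc1918-private", IPv4Network("172.16.0.0/12")),   # RFC 1918
    ("rfc1918-private", IPv4Network("192.168.0.0/16")),  # RFC 1918
    ("cgnat-shared",    IPv4Network("100.64.0.0/10")),   # RFC 6598 shared address space
]


def classify(addr: str) -> str:
    """Return the block name an IPv4 address belongs to, or 'public'."""
    ip = ip_address(addr)
    if not isinstance(ip, IPv4Address):
        raise ValueError(f"{addr}: IPv4 only")
    for label, block in SPECIAL_BLOCKS:
        if ip in block:
            return label
    return "public"


def nat_layers(router_wan: str, observed_public: str) -> dict:
    """Compare the router's WAN address with the address seen from outside.

    Returns the classification of both addresses, the number of NAT layers
    inferred between a LAN host and the Internet, and whether the extra layer
    sits in RFC 6598 space (i.e. is carrier-grade NAT).
    """
    wan_class = classify(router_wan)
    pub_class = classify(observed_public)
    if pub_class != "public":
        raise ValueError(f"{observed_public} is not public; wrong observation source?")
    layers = 1                      # the home router itself (LAN -> WAN)
    if router_wan != observed_public:
        layers = 2                  # something beyond the router translates again
    return {
        "router_wan": wan_class,
        "observed": pub_class,
        "nat_layers": layers,
        "behind_cgn": wan_class == "cgnat-shared",
        # RFC 1918 on the WAN side is also a second NAT, but not necessarily
        # the ISP's: a modem left in router mode at home gives the same picture.
        "double_nat_possibly_local": wan_class == "rfc1918-private",
    }


def annotate_hops(hops: List[str]) -> List[Tuple[str, str]]:
    """Label each traceroute hop so you can see where private/shared space ends."""
    return [(h, classify(h)) for h in hops]


if __name__ == "__main__":
    # Values from the thread: router WAN address vs. what external sites report.
    print(nat_layers("100.66.218.202", "1.10.216.55"))
    # Hops seen in the tracert towards the "public" address.
    print(annotate_hops(["192.168.1.252", "172.17.21.154"]))
```

The second hop in the tracert, 172.17.21.154, is inside 172.16.0.0/12, so it is RFC 1918 space just like the modem's 192.168.1.252; an ISP that hands the CPE a 100.64.0.0/10 address and routes through RFC 1918 inside its access network is a consistent picture of one CGN layer on top of the home NAT.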

Posted (edited)


Many servers now block certain types of traffic for enhanced security. When you see the tracert failing, then you've either reached the endpoint itself or are hitting a firewall very close to the endpoint.

Regarding your IP addresses...

Could it be that the ISP is (effectively) deploying single IPv4 addresses to multiple customers... by using this carrier grade NAT between their "endpoint" and your home router ?

This would explain why VPN is not working for you.

Change of router (CPE?) might solve it.

Edited by RandomSand
Posted

The Internet has virtually run out of regular IP addresses. What ISPs were supposed to do is migrate to IPv6 which supports vastly more addresses. However, this move is costly and few ISPs have gone down that route. Carrier Grade NAT is a cheaper alternative, allowing multiple users to share a single old-style IP address. However, this immediately creates problems for any peer-to-peer applications such as online gaming, peer-to-peer messaging, torrenting and even FTP. It's quite probable that the VPN problem is caused by a poor installation of Carrier Grade NAT by the OP's ISP.

Posted

Thanks for the comments,

WhatIsMyIP gives me the 1.10.216.55 - not the 100.66.218.202 in my router.

I've looked further into Carrier Grade NAT and this seems to be exactly what TOT is doing - and it is causing the problems that have been mentioned on other websites.

  1. VPN is no longer working at all for any VPN site I try.
  2. Skype is having problems: connections often don't get made when answering a call, and I am finding any call from my computer does not connect even though I get the 'ringing' tone. And the quality is much worse than previously.
  3. 'Ping' times have increased; the problem appears to be in the TOT network just before it steps out into the outside world - I'm getting 600+ most of the time. (I'm not a gamer so not too worried about that.)

My question now becomes, can I do anything about it or do I have to wait for TOT to adopt IPv6?

RandomSand suggested a new router - but why would that make a difference if TOT does not support IPv6?

Posted

I don't think you can do much about it.

Don't expect TOT IPv6 adoption for consumer products soon. (Simply don't wait; try another provider if you have a chance.)

Regarding Skype

NAT doesn't break outgoing connections

and as far as I know Skype has a TURN fallback connection in case everything else doesn't work.

http://en.wikipedia.org/wiki/Traversal_Using_Relays_around_NAT

NAT shares an IP address by simply sharing the 65k ports available per IP address

thus the ports available per customer can be very limited

in your case you probably hit the limit, or it may be something not directly related to NAT.

Posted


I'm no expert, but even to me this seems wrong.

The core of the technology is a table which maps an external IP address and port number with an internal IP address and port number. An inbound request is then relayed to the appropriate recipient by using the mapping table (and vice versa); multiple external IP addresses can share the same port number and still be routed correctly.

From a CISCO document:

"Theoretically, there is no limit on the number of mappings that the NAT table can hold. Practically, memory and CPU or the boundaries of the available addresses or ports place a limit on the number of entries."

So, to assert "ports available per customer can be very limited" is a nonsense.

Posted


I've never coded a NAT device myself but I'm pretty familiar with data relay systems. (I've coded a bunch of network proxies and reverse proxies for websites.)

What I know is somewhat like the top answer of this thread at serverfault

http://serverfault.com/questions/57878/how-many-valid-nat-mappings-can-a-common-nat-support

You can put as many mapping rows into the NAT table as you like but that doesn't change the nature of the 16-bit port space available per IP address.

To make it more visual, let's say you have these 2 entries in your NAT table

Public IP address:port / Private IP address:port

12.34.56.789:1234 / 192.168.1.55:1234

12.34.56.789:1234 / 192.168.1.44:1234

when a packet is routed to your public IP address on port 1234

which private IP address are you going to route it to?

192.168.1.55, 192.168.1.44, or both?

So even if your NAT implementation lets you put these entries in your table (it's not a good implementation though),

you can't make these 2 records simultaneously active.

So which case makes these NATs virtually unlimited?

Since the public IP address:port pair is reusable it will be unlimited as long as it doesn't saturate at some point in time.

You won't hit this type of limit with your home NAT device. (I don't think they can handle this many connections, so the limit is set by the resources available on the router.) However, this port limitation is easily hit by Large Scale NAT.

An active torrent client can use up to hundreds of simultaneous connections.

So what does the ISP do to prevent one subscriber from monopolizing the public address's ports?

Apparently they set a port limit per subscriber.

Here's the Cisco document that shows how to do that on Cisco devices:

http://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r4-3/cg_nat/configuration/guide/cgnat_cg43crs/cgc43cgn.html#wp1079335

Feel free to correct me if you think there is something wrong.

Like I said, I've never coded a NAT device before, so some info might be incorrect.

Posted

The IP packet header includes the source and target addresses.

The source address allows the NAT device to work out which internal IP address the packet needs to be sent to.

The ability to limit ports per subscriber is purely an implementation issue. The NAT device uses up a certain amount of memory for each translation table entry. The device may simply not have enough physical memory to support "greedy" subscribers. There's certainly no 65k hard limit.

Posted

Port numbers are not symmetrical at each end. So let's say that you're receiving www from port:80 - the web server might be serving to you on port:3354 (for example) (in this example you are receiving on 3354).

One thing to check is your MTU settings.

Windows typically does this transparently but the unexpected hop beyond your gateway might be a problem...

Guide to tune MTU size here: http://www.thaivisa.com/forum/topic/617734-need-to-buy-a-new-wireless-adsl-router-any-recommendations/?p=6094103

btw, there are some legacy TCP tuning apps for Windows XP that shouldn't be used on Vista/7/8.

Posted

The source address allows the NAT device to work out which internal IP address the packet needs to be sent to.

This seems plausible but it also introduces more headaches in the design.

To do this the NAT device will assign the same port to multiple users.

What if many users want to visit some popular website at the same time?

What happens with services where many users communicate with the same server?

This approach also makes the NAT device very stateful. (No problem with that, just more complexity added.)

There might be solutions to the issues above but in my simple design I would rather simply route data to users by allocating ports to users.

In reality they might do something like you said. (plus some more badass solutions)

I just guess that for now most NAT devices are likely to have a 65k port limitation.
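
The posts above argue over whether a NAT is bounded by the 65k ports of each public address or can tell flows apart by the remote address, and over what a per-subscriber port limit means. Here is an added model of mine (example code, not from the thread or from any NAT vendor) that shows both behaviours side by side: an endpoint-independent mapping, keyed on the internal ip:port only, burns one public port per internal socket; an address-and-port-dependent mapping, keyed on the full internal/remote pair, lets one public port serve flows to different remotes but still needs a fresh port when two subscribers talk to the same remote ip:port (the "popular website" case). A per-subscriber quota of the kind the Cisco CGN link describes is modelled too. The class, method names, subscriber labels and peer addresses (RFC 5737 documentation ranges) are my constructions; 1.10.216.55 and the 100.66.218.x addresses are the thread's.

```python
"""Minimal NAPT / carrier-grade NAT port-allocation model (added example, not from the thread).

Two mapping behaviours are modelled:
  * endpoint-independent (what RFC 4787 calls EIM, and what peer-to-peer hole
    punching relies on): the table is keyed on the internal ip:port alone, so
    every internal socket consumes one of the public address's 64k ports;
  * address-and-port-dependent: the table is keyed on (internal ip:port,
    remote ip:port), so a public port can be reused for flows to different
    remotes, but flows to the same remote ip:port need distinct public ports.
A per-subscriber port quota, as CGN gear lets operators configure, is included.
"""
from typing import Dict, Optional, Tuple


class PortsExhausted(Exception):
    """Raised when no public port can be allocated for a new flow."""


class Napt:
    def __init__(self, public_ip: str = "1.10.216.55", endpoint_independent: bool = True,
                 port_range: Tuple[int, int] = (1024, 65535),
                 quota_per_subscriber: Optional[int] = None) -> None:
        self.public_ip = public_ip
        self.eim = endpoint_independent
        self.lo, self.hi = port_range
        self.quota = quota_per_subscriber
        self.out: Dict[tuple, int] = {}                       # outbound key -> public port
        self.inbound: Dict[tuple, Tuple[str, str, int]] = {}  # inbound key -> (subscriber, iip, iport)
        self.used: Dict[str, int] = {}                        # subscriber -> public ports held

    def _okey(self, iip: str, iport: int, rip: str, rport: int) -> tuple:
        return (iip, iport) if self.eim else (iip, iport, rip, rport)

    def _ikey(self, pport: int, rip: str, rport: int) -> tuple:
        return (pport,) if self.eim else (pport, rip, rport)

    def outbound(self, subscriber: str, iip: str, iport: int, rip: str, rport: int) -> int:
        """Translate a packet from iip:iport to rip:rport; return the public port used."""
        okey = self._okey(iip, iport, rip, rport)
        if okey in self.out:
            return self.out[okey]                # existing mapping is reused
        if self.quota is not None and self.used.get(subscriber, 0) >= self.quota:
            raise PortsExhausted(f"{subscriber} already holds {self.quota} public ports")
        for pport in range(self.lo, self.hi + 1):
            ikey = self._ikey(pport, rip, rport)
            if ikey not in self.inbound:         # free for this key under the current mode
                self.out[okey] = pport
                self.inbound[ikey] = (subscriber, iip, iport)
                self.used[subscriber] = self.used.get(subscriber, 0) + 1
                return pport
        raise PortsExhausted(f"{self.public_ip} has no free port")

    def inbound_lookup(self, pport: int, rip: str, rport: int) -> Optional[Tuple[str, int]]:
        """Internal destination for a packet from rip:rport to public_ip:pport, or None."""
        hit = self.inbound.get(self._ikey(pport, rip, rport))
        return None if hit is None else (hit[1], hit[2])


def torrent_scenario(quota: Optional[int] = 64, flows: int = 100) -> int:
    """One subscriber opens `flows` peer connections under a per-subscriber quota.
    Returns how many got a public port before the CGN refused."""
    nat = Napt(endpoint_independent=True, quota_per_subscriber=quota)
    ok = 0
    for i in range(flows):
        try:  # constructed peers in the 198.51.100.0/24 documentation range
            nat.outbound("sub-A", "100.66.218.202", 50000 + i, f"198.51.100.{i % 250 + 1}", 6881)
            ok += 1
        except PortsExhausted:
            break
    return ok


def port_sharing_scenario():
    """Hosts of different subscribers all use source port 1234 (the thread's table example).
    Returns the public ports handed out under each mapping mode, plus a reverse lookup."""
    eim = Napt(endpoint_independent=True)
    p1 = eim.outbound("sub-A", "100.66.218.202", 1234, "198.51.100.7", 80)
    p2 = eim.outbound("sub-B", "100.66.218.203", 1234, "203.0.113.9", 80)   # needs its own port
    dep = Napt(endpoint_independent=False)
    q1 = dep.outbound("sub-A", "100.66.218.202", 1234, "198.51.100.7", 80)
    q2 = dep.outbound("sub-B", "100.66.218.203", 1234, "203.0.113.9", 80)   # different remote: port reused
    q3 = dep.outbound("sub-C", "100.66.218.204", 1234, "198.51.100.7", 80)  # same remote: new port
    return (p1, p2), (q1, q2, q3), dep.inbound_lookup(q2, "203.0.113.9", 80)


if __name__ == "__main__":
    print("peer connections granted under a 64-port quota:", torrent_scenario())
    print("EIM ports, 5-tuple ports, reverse lookup:", port_sharing_scenario())
```

The 5-tuple keying stretches the port space, which is the point made about the source address, but it gives up the endpoint-independent behaviour that STUN-style hole punching and many peer-to-peer clients depend on, and the operator still has to bound each subscriber somehow; that is why CGN deployments end up with per-subscriber quotas and aggressive mapping timeouts, and why a torrent client holding hundreds of mappings is the first thing to suffer.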

Posted

Carrier Grade NAT (which is what we're talking about) has to deal with an enormous amount of complexity dealing with session status and state recognition. Not all installations get every aspect of it right, which is why there can be problems with VPNs (as the OP has apparently found) and with other peer-to-peer applications.

Posted

For information:

I have tried a number of Free VPNs, they all connect to the VPN then stick on verify password and username finally timing out and disconnecting.

But Hola is working for most of what I want - mainly the BBC.

Guess I'll have to wait for TOT to catch up to enable the rest to work again.

  • 2 weeks later...
Posted

Further investigation and observation about Carrier Grade NAT,

It means that many hundreds or even thousands of users are presenting the same IP address to the outside world. Over the past three days this has been a problem for me,

First Google refused to do any more searches claiming I had done too many searches and had to wait for some, unstated, time.

Secondly my web site host refused a connection saying they would only accept it from my 'real' IP address and quoted both my IP addresses.

Thirdly uTorrent is finding it hard to connect, downloads sort of, sometimes, work and very few uploads.

I've tried to contact TOT but so far not managed to get through to them - when opting for English I get 'this number does not exist'.

Anyone else with similar problems?

Posted

What happens when you enable/set Hola to use SINGAPORE or US on your google search page www.google.co.th; www.google.com?

Note: Hola can be set to remember a preferred proxy server associated with a specific url.

Posted

Hola works fine - but it is set to UK and only 'on' when I want to use it.

Didn't try it when Google refused to serve me.
