Local Thai ISP: IP number inconsistency, server unreachable

[Morakot]

I am using 3BB (a regular ASDL package) and until last week everything worked OK.

I run a small web server and VPN server and the incoming traffic is minimal. For the last few days, all incoming traffic appears to be blocked and no connections from outside are possible. Accessing the Internet from my home networks works as normal.

The public (dynamic) IP number that my router displays connects me to my own server from within my home network (my dynamic forwarder address also resolves to the same IP number) . However I get a completely different IP number to what my router says when I do check at various sites like whatismyip.com and network-tools.com

When I try look up the canonical name of the IP number my router gives me, I am utterly puzzled to get this reading:

"Lookup failed: 100.xy.yx.yx No data 100.xy.yx.yx is from European Union (EU) in region Western Europe [...] Trace aborted."

Whereas the IP number I get from whatismyip.com shows as expected a 3BB canonical name.

Either way both IP numbers seem to be blocked and don't resolve to my server, when I connecting from outside via another ISP.

What is going on here? Any idea?

[Lannig]

I'll try a wild guess: 3BB is somehow doing another layer of NAT (network address translation) within their own network beyond your router.

So your computer's IP address gets translated two times: once by your router and a second time within 3BB's network before reaching the Internet.

That's a really dirty trick I think they could resort to as en emergency measure because they ran out of IPV4 addresses and they can't be bothered to move to IPV6 yet (not many ISPs do, actually, it's quite a hassle)

If the "real" IP shown by your router actually shows as 100.x.x.x that's even dirtier because this range of addresses isn't supposed to be used for private IP networks. Using them as such (so easy to type, eh?) could effectively cut you off from any entity legitimately using these addresses as real addresses, presumably somewhere in Europe since this block is assigned to EU.

Again, just a wild guess but seems to fit well to me, knowing a bit about the horrors Thai ISPs are capable of (been there, worked in such a company) and due to the current shortage of IPV4 addresses. ISPs are finding it harder and harder to get new blocks assigned to them when their networks grow.

[sunnyjim5]

Has the web server been identified as a Spam server ?

[Morakot]

Has the web server been identified as a Spam server ?

No, I don't think so. It is hosts an instance of Friendica and has minimal traffic for small private community use.

Edited March 16, 2016 by Morakot

[Morakot]

I'll try a wild guess: 3BB is somehow doing another layer of NAT (network address translation) within their own network beyond your router.

So your computer's IP address gets translated two times: once by your router and a second time within 3BB's network before reaching the Internet.

That's a really dirty trick I think they could resort to as en emergency measure because they ran out of IPV4 addresses and they can't be bothered to move to IPV6 yet (not many ISPs do, actually, it's quite a hassle)

Well, if this is really the case than other customers would be affected too. Running out of numbers and than assigning two numbers each... 555 Fair play, quite wild your guess though. Thanks!

Edited March 16, 2016 by Morakot

[innerspace]

Lannig is half right but some gaps in answer.

It is carrier grade Nat.

It's not a dirty trick, it's an essential method due to the world ignoring the impending doom of IP addresses running out (although known for ages!) and not upgrading to decade old ipv6 in time.

Carrier grade Nat is a known, accepted, standardised solution although it will make any kind of Port forwarding or public servers impossible.

Normal use (connections started by you, then response) unaffected but inbound initiated connections fail.

Saying that 100.*.*.* is dirty as not supposed to be for private connections is true and false. It's not for private but not being used for private so that's fine. It is however the officially allocated carrier grade Nat range. The allocated address block is100.64.0.0/10. You can confirm that the second number is above 64 to know carrier grade Nat for sure.

No this block is not assigned to Europe, wrong.

Don't blame it as a Thai dirty trick either, happening like this all over the world and will until everything upgrades to ipv6.

There's the answer, but solutions are better. Call 3bb. Heard reports but not needed to act yet with 3bb yet but know firsthand that true can and will disable Nat from required accounts, believe 3bb will do same.

They have ips just not enough, will happily give to those who need and complain.

With true at least took several calls to get past the support staff who talk **** and don't know what they are talking about, reach the technician's and they know the issue and fix quickly.

[TheCruncher]

I'll try a wild guess: 3BB is somehow doing another layer of NAT (network address translation) within their own network beyond your router.

So your computer's IP address gets translated two times: once by your router and a second time within 3BB's network before reaching the Internet.

That's a really dirty trick I think they could resort to as en emergency measure because they ran out of IPV4 addresses and they can't be bothered to move to IPV6 yet (not many ISPs do, actually, it's quite a hassle)

If the "real" IP shown by your router actually shows as 100.x.x.x that's even dirtier because this range of addresses isn't supposed to be used for private IP networks. Using them as such (so easy to type, eh?) could effectively cut you off from any entity legitimately using these addresses as real addresses, presumably somewhere in Europe since this block is assigned to EU.

Again, just a wild guess but seems to fit well to me, knowing a bit about the horrors Thai ISPs are capable of (been there, worked in such a company) and due to the current shortage of IPV4 addresses. ISPs are finding it harder and harder to get new blocks assigned to them when their networks grow.

There is no IPV6 in Thailand.

[Lannig]

I stand corrected. Didn't know about these carrier NAT blocks, thanks for enlightening me, Innerspace.

Oh well, I'm more a system than network guy anyway. Always have.

On the other hand I recall while working at a major Thai ISP in the early 2000s seeing real IPs being used where private ones where due. And since 100.x.x.x looks like a nice roundish randomly chosen number, I assumed that it could have been the same.

I can see a major drawback to using such carrier NAT though: doesn't it make completely impossible for a customer to run something visible from the Internet such as a small web server, NAS or whatever?

Edited March 16, 2016 by Lannig

[Morakot]

Thanks very much!!

The allocated address block is100.64.0.0/10. You can confirm that the second number is above 64 to know carrier grade Nat for sure.

Yup, that exactly what it is, above 64!

Call 3bb [...]

With true at least took several calls to get past the support staff who talk **** and don't know what they are talking about, reach the technician's and they know the issue and fix quickly.

That's what have been fearing. Talking to someone who reads out a script to give standard answers without knowing what's going.

Thanks everyone here on

Edited March 16, 2016 by Morakot

[Morakot]

There is no IPV6 in Thailand.

When will there be?

[innerspace]

I stand corrected. Didn't know about these carrier NAT blocks, thanks for enlightening me, Innerspace.

Oh well, I'm more a system than network guy anyway. Always have.

I can see a major drawback to using such carrier NAT though: doesn't it make completely impossible for a customer to run something visible from the Internet such as a small web server, NAS or whatever?

Glad to have helped, and you were half right in your post, only fine details clarified.

Second part is exactly the issue with carrier Nat and exactly the op issue. Webservers, VPN, nas etc are impossible.

To the op, fight through first line support, demand to reach technicians and will be ok. Quote your IP, Port forwarding and carrier grade Nat until they get tired of talking to you (or your helpful thai) and finally someone will realise the easy way to shut up the annoying customer! Worked for me with true!

Running a dozen webcams that need external ips I have had to deal with this a few times over last 6 months. True is most common but 3bb certainly starting too.

[Lannig]

Humm... hope that TOT isn't using carrier NAT yet.

I depend on my home-made PPP-over-SSH VPN when I'm in Thailand to connect to my employer's network when I'm called for support.

The connection is issued from a box at work so I need a reachable public IP address (I use dynamic DNS and port forwarding on the TOT fibre router)

That would pretty much defeat this

Next time in Thailand will be around Sorgn Karn so I'd expect proper support being almost impossible to reach during that period.

Oh... and there is IPv6 in Thailand for sure. At least on the academic networks. However I'm not sure that any of the commercial ISPs has really engaged into this yet.

[WhizBang]

The internet in Thailand is totally f*cked due to this IPV4 vs IPV6 issue.

[awcode]

The internet in Thailand is totally f*cked due to this IPV4 vs IPV6 issue.

Not just Thailand.

Had to disable ipv6 on a top global webhost (rackspace) since it was giving me routing problems to composer.org (highly technical company supporting developers around the world).

Problem could have been either end or anywhere in between but that is the problem ipv6 faces, until global support and reliability improves ISPs and businesses will be forced to continue using ipv4 as well.

Hence carrier grade NAT going to become more common.

To the OP and other recent poster, not ideal but possible to work around with a VPN if you run a private VPS somewhere with a fixed IP.

[Morakot]

Just to follow up on this: I contacted 3BB on there regular helpline.

The operator I spoke to this morning did not fully understand the issue, but I instructed her to tell their technical staff these keywords:

"CGN problem" "Blocked IP" "turn off LSN"

The operator phoned back in less than five minutes and informed me the service is reconfigured.

From my off-site location, I saw that my home router had rebooted and my server was reachable again.

Nice!

[Lannig]

Wow, I'm impressed that you've actually managed to reach someone who had a clue about this issue so quickly. Congratulations!

A friend of mine who's close to the folks at APNIC told me that the shortage of IPv4 address is not that much of an issue in the Asia-Pacific region yet. They still have many blocks available for allocation and prices haven't gone up like in other regions of the world.

Well, maybe 3BB is just being proactive... or greedy here. Or just addressing (no pun intended) an emergency situation because no one cared to request new blocks of IP and they've run out internally. Sounds more plausible from what I know

Edited March 17, 2016 by Lannig

[gessi2000]

Same here in Pattay/Jomtien with 3BB... I lost remote access around 3 weeks ago and saw today this thread and called them up at 1530 and told them "No Remote Access to IP".

They immediately reset my connection, I received a new public IP and access works now again! No restart of the router required, the lady on the phone can do this right away.

[Morakot]

3BB is really useless now.

Second time in three days now that I have to phone them up and ask them for a real IP.

Each time I asked them to make a note NOT to revert my account to LSN. First time the operator suggested I should get a static IP and the second operator pretended not understanding what it meant.

Anyone else experiencing this?

[pol123]

True : I jsut call them (I speak thai) and ask them to remove me from their NAT. All fine now.

[Morakot]

True : I jsut call them (I speak thai) and ask them to remove me from their NAT. All fine now.

First time?

[manarak]

On 14.7.2016 at 9:49 AM, pol123 said:

True : I jsut call them (I speak thai) and ask them to remove me from their NAT. All fine now.

 

the lady at the call center said she can remove customers from the CGNAT, but she said it is only a temporary fix, because the problem will come back after some time.

[Morakot]

21 hours ago, manarak said:

 

the lady at the call center said she can remove customers from the CGNAT, but she said it is only a temporary fix, because the problem will come back after some time.

 

It looks like they run out of IP numbers and only have a limited number of direct IPs.

 

Lately I had no problems, but there where times when I had to phone them every fortnight...