AIS Fibre: Port Forwarding / Carrier Grade NAT?

[SooKee]

Am contemplating switching to AIS Fibre and been reading up as much as I can on their service.  By accident I came across a few posts that indicate that AIS use Carrier Grade NAT (CGN) which effectively will give you a double NAT for any public facing services.  One application I use (Plex) requires the use of port forwarding and it will not work if there is a double NAT.  I see from the AIS info that you can set up port forwarding via THDDNS but I have a feeling this will still give a double NAT and will not work the same as with an ISP that is not using CGN where port forwarding can be set on the router.  I'm not sure of this but I think that even using AISs DDNS service the public facing IP address of the router will not match the IP address visible using DDNS.  

 

I'm not sure if AIS fibre modems can be used in bridge mode but I also use an Airport Extreme router which I'd rather have handle the DHCP/NAT but can only do so if the iSP modem can be bridged.  Not a showstopper BUT I also see from the AIS website that they use dual-stack for their IPv6 connectivity and the AEBS doesn't support dual-stack.  I'm not sure if there will be problems if I limit the AEBS to 'Local Only' for IPv6 or if that will fix the AEBS issues and allow me to use its wifi instead of the AIS solution.

 

Guess I'm not TOO bothered about the AEBS issues (particularly as Apple seems set to abandon the line) given that I might take up the AIS D-LINK DIR-895L promo at 9,900 baht for a $300 router.  The CGN and double NAT issues bother me more though.

 

Anybody confirm the above and/or faced problems with CGN / DDNS a la AIS?  The other two options I have for ISP with fibre will be TOT and True but the AIS combined package is very appealing (10% off if switching to an AIS mobile number plus free Playbox).

 

 

 

 

[mtls2005]

I have AIS Fiber Home so have double-NAT, have set up their free DDNS service, it works fine for my applications.

 

I've seen reports of AIS enabling bridge mode on their fiber modem, upon request - they have to do this as their firmware is custom and does not allow this via the UI.

 

Maybe review your technical requirements with AIS, or on Thai networking forums, or go with another provider, or try for a more "pro"-like package which offers a IP4 or fixed IP.

 

[SooKee]

Thanks. Yeah I'll have a chat to them next week. It may be that the benefits of going with AIS will outweigh the disadvantages of forgoing port forwarding with Plex. Or I might be able to find a way to get Plex to work with CGN. I've posted to the Plex forums and also to a couple of the Thai tech boards so I'll see what comes back.


Sent using Tapatalk

[maxpower]

After jumping through a few hoops all will be fine with AIS port forwarding. I suggest you Google Carrier Grade NAT and IPv6 + IPV4. Its a messy business.

[mtls2005]

Describes the port forwarding process: https://www.thddns.net/assets/manuals/en/ONU_HW_8245_8045_PortForwarding.pdf

 

Registration: http://www.ais.co.th/fibre/pdf/THDDNS_register_manual_en.pdf

 

Overview: https://www.thddns.net/assets/manuals/en/คู่มือการลงทะเบียน THDDNS.pdf

 

It was actually easier to set up than I was expecting, have done it for a few customers, and myself, mainly for remote access, NAS, servers and cameras.

[SooKee]

Yah, cheers.  I've Googled it all a lot for sure.  Real messy.  I'm sure setting it up won't be difficult.  I'm just concerned whether the way AIS does port forwarding will work with the way Plex expects it to work.

[Greenside]

I'm using AIS Fibre and just ran into this CGN issue after spending countless hours wondering why port forwarding wouldn't work.  AIS supplied me with a ZTE F660 modem/router which is pretty poorly featured and can't be configured as a bridge at the user end so I finally had them switch it to Bridge Mode (call the service centre to do that, by the way) but of course nobody mentions that the new setup will affect port forwarding - it was only the fact that my own Asus router showed a different public IP to one of those "They Know Where You Are!  Get Our VPN Before The FBI Comes Knocking" ads that prompted me to suspect NAT.

 

For those interested, the AIS Fibre service has been consistently up to the advertised speeds and with almost no down time for the last year.  I believe they just dropped the prices so it's a good deal. 

[muratremix]

6 hours ago, Greenside said:

I'm using AIS Fibre and just ran into this CGN issue after spending countless hours wondering why port forwarding wouldn't work.  AIS supplied me with a ZTE F660 modem/router which is pretty poorly featured and can't be configured as a bridge at the user end so I finally had them switch it to Bridge Mode (call the service centre to do that, by the way) but of course nobody mentions that the new setup will affect port forwarding - it was only the fact that my own Asus router showed a different public IP to one of those "They Know Where You Are!  Get Our VPN Before The FBI Comes Knocking" ads that prompted me to suspect NAT.

 

For those interested, the AIS Fibre service has been consistently up to the advertised speeds and with almost no down time for the last year.  I believe they just dropped the prices so it's a good deal. 

THDDNS doesn't work on bridged mode??

[Greenside]

I'm not sure if your telling me or asking!  I'm hoping it will work with the ZTE in bridge mode.  I've registered with THDDNS  but have yet to attempt the configuration. 

[mtls2005]

The ZTE F660 is your primary router? And you have a secondary router?

 

Did AIS already modify your primary router to allow for Bridge Mode?

 

And your DDNS application is ________? 

 

THDDNS should work OK. Not sure how Bridge Mode on the Primary Router helps DDNS? I guess you'd have to configure the THDDNS port mapping into the secondary router? I configured it into my primary router Huawei HG8245H, Forward Rules > Port Mapping Configuration, link local IP (camera, NAS, etc.) to external THDDNS ports (of which you get a maximum of ten (10).

 

There are other methods to interconnect a primary and secondary router which preserve the functionality of the primary router. I'm using a client-bridge connection with the Edimax unit as the secondary router.

 

There are a boatload of Youtube videos...

 

 

Edited May 16, 2017 by mtls2005

[Greenside]

The ZTE F660 is the fibre modem/router and AIS has set it to operate in Bridge Mode because I prefer to use my Asus DSL N55U router which has much better functionality such as Parental Control, Wi-Fi Guest Accounts and a signal that can actually be received outside my office.  I only use the ZTE as a modem and have the Asus set up to accept its output as an Ethernet WAN connection.  This setup works fine for normal internet traffic - it's only when it gets to port forwarding that things get difficult. 

 

Port forwarding is required for a Synology NAS which acts as a backup device for a similar machine in a different location.  I can't make the ports reachable which I'm assuming is the dual NAT issue.  As for how the THDDNS will improve things, I'm assuming it prevents the CGN from fooling around with the IP but my understanding of this stuff is less than perfect.

[mtls2005]

Once you've registered with THDDNS and have your ports, you'll need to set up port forwarding on your Asus router. This will map your local NAS IP (192.168.1.nnn) to a virtual TCP port, which will connect AIS'es changing internal and external IP addresses.

 

I've successfully set up two Synology NASes, but in both cases I've only been dealing with the AIS Fiber Modem/Router.

 

As long as you've successfully set up your old Asus DSL modem/router as a secondary router, it seems like it should be able to accept THDDNS port forwarding?

[Greenside]

I'm stumped!  I have ten ports allocated by THDDNS but when it comes to setting up the Asus DSL-N55U router I seem to have hit a brick wall having having started out with confidence but now tried every combination of settings I can think of and I still open a port from outside (using the Portforwarding.com utility).  I have different IP addresses showing at the 

 

Am I right in thinking that the idea of the THDDNS is that it should allow traffic through the Carrier Grade NAT to arrive at the ports that I've been given?  I assumed that the setting would be:

Source IP  :  192.168.1.1 (the F660 Router in Bridge Mode) or 192.168.1.2 the ASUS Router which is also the Gateway

Port Range:  The 10 Ports that THDDNS have allocated my domain

Local IP :  192.168.1.XXX (the NAS)

Local Port:  The NAS service ports I need to use for rSync etc

 

I attach the unpopulated settings screenshot.  Any idea what I'm doing wrong?

 

Edited May 18, 2017 by Greenside

[muratremix]

Leave source IP empty if in bridge mode. Leave source IP empty again if dmz/static IP option.

Everything else seems to be correct.

 

port range: thddns allocated port (1 of ten)

local port: port number service listening to (22 for ssh, etc)

[RichCor]

If the ZTE F660 is in Bridge Mode or DMZ then you need to totally ignore the ZTE F660 from now on as all traffic is being passed through it.

 

Just concentrate on the THDDNS process, and configure your Asus DSL N55U router using the provided data.

[mtls2005]

Not sure about configuring an Asus DSL modem/router as a secondary router but...

 

Enable Port Forwarding

 

Local IP = use the local IP address of your NAS, 192.168.n.n (I assigned a fixed IP address for the NAS)

Port Range = use one of the ten THDDNS port numbers, for example say your range is 1290-1299, so use 1290

Local Port = 5000 (Synology NAS, or whatever yours uses)

Protocol = TCP

 

Add

Apply

re-boot everything Asus, ZTE, NAS, PC

 

 

so this should map your NAS at 192.168.n.n using TCP port 5000 to the THDDNS port (1290), which then can align the constantly frequently changing internal (100.112.n.n.) and external AIS/THDDNS (49.228.n.n) IPs.

 

Then in a browser go to Greenside.thddns.net:1290, log in to your NAS from the interwebs

 

You would give that URL (Greenside.thddns.net:1290) to those third parties who you've created access accounts for, if that's your app.

 

 

 

Edited May 19, 2017 by mtls2005

[Greenside]

Working on it....

 

 

 

 

 

[Greenside]

Thanks for the detailed instructions.  I've done as suggested above but still no luck.

 

 

I tried it with Source IP blank and with both the ZTE's address and the Asus address but still no connection.  The above is just an illustration as there are more ports but the story was the same.

I can't see that there are any mistakes in the settings so I guess I'm going to have to try AIS Fibre Support which will no doubt be an adventure.

 

Incidentally, the Asus is not a secondary router (or not meant to be, anyway) as it's the only one at my end doing any routing with the ZTE acting only as a modem.

[RichCor]

"Source IP :  192.168.1.1 (the F660 Router in Bridge Mode)

  or 192.168.1.2 the ASUS Router which is also the Gateway"

 

If the ZTE is really in Bridge Mode, how is your Asus DSL-N55U configured to act as an Ethernet Router?

 

My understanding is that this device only has a DSL (rj-11 connection) port, or USB Adapter for WAN support.

 

EDIT: OK, I see, you can configure one of the LAN Ports as a Secondary WAN (made primary).  But I think you have the ASUS router misconfigured. I think the way you have it set now is Tripple NAT (with duplicate IP range).

 

It should be set up as DHCP, and request a WAN IP Address directly from your ISP (as the ZTE is in bridge mode and should be essentially invisible). Also, the ASUS DSL-N55U should be configured to that it is on a DIFFERENT LAN Subnet from the quasi-visible ZTE, so possibly 192.168.2.1 and be the primary gateway for all your connected devices.

 

Edited May 19, 2017 by RichCor

[revelstone]

I use AIS Fibre - the PowerPro package, not the PowerHome package. I use an OpenWrt router connected to a Draytek Vigor 130 VDSL modem which runs in bridge mode (you can buy it here in Bangkok). I used to use the AIS supplied router in bridge mode, which it does perfectly well.

 

I do not use their CNAT (by arrangement with AIS) - they supply me directly with an external non-NAT IPv4, although not a static IPv4. I'm not sure if they will do this on the PowerHome package, but it's worth giving them a call and asking. If you don't want to use IPv6 then don't - although mine works very nicely to be fair and speeds to most IPv6 sites are a little faster than IPv4.

[SooKee]

Power Pro gets public ipv4 by default.  They will not provide one for Power Home as it's a paid for Power Pro privelege.

Edited May 23, 2017 by SooKee

[revelstone]

20 minutes ago, SooKee said:

Power Pro gets public ipv4 by default.  They will not provide one for Power Home as it's a paid for Power Pro privelege.

 

When I first got it about a year ago, they were giving me CNAT until I asked them to turn it off. Certainly wasn't on by default....

[SooKee]

Not possible now. Power Home - CGN.  As per their website.

[Greenside]

Richcor:  I appreciate your thoughts on this but don't really understand them!

 

The N55U has a specific port for a WAN connection which can be configured to accept ADSL (ATM) or USB Modem as well as Ethernet WAN which is the way mine is set, see attached (old picture - I don't leave UPnP enabled as I understand it has security risks.)

 

 

After a fruitless half hour on the phone with someone at AIS Fibre who sadly didn't seem to understand what a NAS was and kept referring me to the instructions for setting up IP cameras and an NVR, I've sent the support department a very detailed (but simple) email begging for help.  It seems like their CGN policy is catching a lot of people out and they must be fielding loads of questions from people like me who thought getting a couple of devices to talk to each other securely online would take an hour or two rather than the days I seem to have wasted on it.  As SooKee says, a public IP only starts to become available on the Pro package and above and that's about double the cost of the one I'm using.  I wouldn't mind paying a moderate monthly fee for a public IP (or better still a static one), but an extra 600 baht is a big jump when this isn't for business.

 

I'll let you know how it goes.

 

 

Edited May 24, 2017 by Greenside

[RichCor]

1 hour ago, Greenside said:

Richcor:  I appreciate your thoughts on this but don't really understand them!

 

The N55U has a specific port for a WAN connection which can be configured to accept ADSL (ATM) or USB Modem as well as Ethernet WAN which is the way mine is set

 

The setting should be fine.  So, is your Asus Router status page showing your WAN interface getting an IP Address direct from your ISP, or instead a local LAN IP from your ZTE router.  

 

In most instances you lose the ability to connect to the ISP modem/router (the ZTE) when it's placed in Bridge Mode, as everything gets passed along and there's no interface to talk to.

 

If the ASUS WAN IP address is in the 100.64.0.0 – 100.127.255.255 range then you're receiving a CG-NAT from your ISP and should be good to go.

 

But if the WAN IP address is in the 192.168.x,x range then it's just getting a client address from the ZTE and your connection is now Triple-NAT because the ZTE router is now yet another device doing another round of IP Address translation: (1.ISP Carrier Grade router, 2.ZTE router, 3.Asus router).

 

Edited May 24, 2017 by RichCor

[Greenside]

Yes, the Asus is showing the private WAN IP from AIS but no amount of port forwarding has given me a connection so far.  The ZTE is definitely not contributing another layer of NAT or any DHCP address complications!

[RichCor]

15 minutes ago, Greenside said:

Yes, the Asus is showing the private WAN IP from AIS but no amount of port forwarding has given me a connection so far.  The ZTE is definitely not contributing another layer of NAT or any DHCP address complications!

As a diagnostic test I would try either

- Enabling UPnP on both the router and your NAS

... or ...

- Enable DMZ on your router pointing to your NAS

 

...to see if it's just a configuration issue with your ASUS or NAS.  And, yes, using these settings open small and huge security risks.

[Greenside]

No response from AIS yet.....

[mtls2005]

I still don't understand the network configuration you're using, nor am I requesting additional information but...

 

It seems obvious the Asus is contributing to your challenges.

 

I'd probably return the AIS ZTE Fiber modem/router to its' original (non-bridged) configuration, and attached the NAS directly to that, and get the THDDSN working. That should be a simple, straight-forward process.

 

Then (assuming the Asus DSL modem/router has the proper firmware) I'd connect that via ethernet and use a separate sub-net. It seems like some people are using this Asus DSL-55 device successfully as a wired secondary device, when using some beta firmware from Asus. 

 

 

https://vip.asus.com/forum/view.aspx?SLanguage=en-us&id=20130121031718225&board_id=11&model=DSL-N55U&page=2&count=13

 

 

 

[Disinto]

Hi guys, just wanted to drop a line and thank you for the great info I found on this thread. I just got AIS fiber (well, FTTB + VDSL2 to my home) in my condo today, replacing an old TrueMove DOCSIS connection, and didn't realize I'd run into such troubles for port forwarding to access my Synology NAS from outside...  Anyway, long story short: converting my FiberHome ONT into bridge mode + subscribing to the THDDNS service + adapting my port forwarding rules did the trick!