Commit
1 parent 772b7da, commit aa27612
Showing 10 changed files with 327 additions and 0 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,97 @@ | ||
# What CG-NAT is, how to detect it, why it is bad, what can you do about it | ||
|
||
## How to test if you suffer from CG-NAT | ||
For these tests you have to be in your home network. | ||
Also make sure that you are not using a VPN or something like iCloud private realy on macOS or iOS or something like DoH in Firefox. | ||
|
||
### Test1: Based on your IP | ||
To check what your IP is, you can use sites like https://www.whatismyip.com or https://whatismyipaddress.com or | ||
https://www.wieistmeineip.de and look for your IPv4. | ||
If your IP is between 100.64.0.0 - 100.127.255.255 you have CG-NAT. | ||
Beware, just because your IP is not in that range, does not mean that you don't have CG-NAT! | ||
You also need to run test2 to rule that out. | ||
|
||
### Test2: Based on hops | ||
You can also check if you have CG-NAT based on how many hops it takes to reach your IPv4. | ||
If it takes one hop, you don't have CG-NAT. | ||
If it takes two hops, you have CG-NAG. | ||
|
||
Use one of the pages above to find out what your IPv4 is. | ||
|
||
On Windows, start PowerShell and insert the command "tracert -4" followed by your IPv4. | ||
Linux or macOS can use "traceroute -I" instead. | ||
So if for example your IPv4 is 215.84.156.8 you issue the command: | ||
tracert -4 215.84.156.8 | ||
|
||
Sometimes your router also gets included in these hops. If your first hop is something like 192.168.X.X or 172.16.X.X, ignore that line and don't count it as a hop! | ||
|
||
## Why should I care? | ||
If you don't have a public IPv4 but a CG-NAT IPv4, you can't host any services over IPv4. No VPN, no webserver nothing. | ||
Games will sometimes show something like "NAT strict". | ||
When using a CG-NAT IPv4 you share the same IP with other people. If someone from with the same IPv4 gets blocked or rate limted, it will also apply to you, because you have the same IPv4 as the other random person. | ||
|
||
## What is NAT? | ||
To better understand what CG-NAT is, it helps to first understand what NAT is. | ||
|
||
This picture is an internet connection without CG-NAT. | ||
The public IPv4 is 215.84.156.8 and the local IP of your router probablly is 192.168.1.1. | ||
Your router has a built in DHCP server, that serves IPs to your PC, Playstation and NAS. | ||
In your example this is 192.168.1.2, 192.168.1.3, 192.168.1.4. | ||
But these IPs are only internal! If any of these devices connect to the internet, from the outside they all have the IP IPv4 215.84.156.8. | ||
No matter if you play a game on PSN or visit reddit on your PC. | ||
|
||
 | ||
|
||
|
||
|
||
Now, imagine that you want to setup OpenVPN Server on your NAS. OpenVPN uses by default port 1194. | ||
So you are now on the road with your moblie and want to establish a VPN connection. On your OpenVPN Client on your phone, you set the target to be your public IPv4. | ||
In this example that would be 215.84.156.8. Your connection goes from your phone to your router that has your public IPv4. | ||
Your router can't know that you want to redirect that traffic to your NAS on 192.168.1.4. Here is where NAT steps in. | ||
You create a NAT rule on your router, that every traffic that arrives on port 1194 should be redirected to 192.168.1.4. | ||
That way your phone can establish a VPN connection to your NAS. | ||
|
||
This has some technical limitation. The only way for your router to know where to route incoming traffic is by port. So you can't have two services on port 1194. | ||
If you have a VPN server on 192.168.1.2 and 192.168.1.4 and there is incoming traffic on port 1194, your router does not know where to route it. | ||
|
||
You also need to set a static IPv4 to your NAS so that the local IP never changes and that NAT rule all of a sudden routes to your Playstation, because your Playstation randomly got the IP 192.168.1.4. | ||
|
||
Some devices like the PlayStation will try to use your routers UPnP, to automatically create NAT rules for you. Since UPnP is a security concern, lots of routers have it disabled by default. | ||
|
||
NAT can behave pretty wonky on consumer routers. | ||
|
||
NAT is a workaround for an old problem. In the beginning of the internet, you only had one single computer that was directly connected to your modem. Or maybe you did not even had an external modem, because your Laptop or PC had in integrated modem. There was no need for multiple IPs. When people started to have multiple devices in their homes, ISPs did not start handing out multiple IPv4. Instead you we put all devices behind one single IPv4, behind a router that does NAT if needed. | ||
|
||
BTW: That problem is solved with IPv6. Instead of getting only a single IPv4 from your ISP for all your devices, you get IPv6 prefix. Prefixes can be of different sizes but even the smallest /64 prefix offers you billions of IPs. | ||
That way every device can get its own public IPv6. | ||
|
||
|
||
## What is CG-NAT? | ||
Instead of you only getting one real and public IPv4, you share a IPv4 with many other customers. | ||
Your ISP basically installs an additional router and puts you and many other customers behind that. | ||
Behind that router, you get the IPv4 100.64.34.34 and your neighbor 100.64.34.33. But from an outside internet perspective you both have the IP 215.84.156.8. | ||
So you and your neighbor and many others are all sharing that one single IPv4 215.84.156.8. | ||
That is why you have two hops to 215.84.156.8 and not one. | ||
|
||
With CG-NAT VPN Server is impossible. Imagine your phone trying to connect to 215.84.156.8 on port 1194. The router of your ISP has no idea where to route that. To you? Or your neighbor? Unless your ISP assigns a specific port just to you (I never heard of an ISP actually doing that) the traffic stops there. That is what is often called double NAT, since there is NAT on your ISPs routers and on your router before the traffic could potentially reach you. | ||
|
||
 | ||
|
||
## What can you do about it? | ||
|
||
### Ask your ISP | ||
Ask your ISP about a real, public IPv4. Some ISPs call that a "NAS IP" or "gaming IP". | ||
|
||
### Get a VPN | ||
Some VPNs offer portforwarding. A VPN has a negative performance impact, privacy implications and probably isn't for free. | ||
|
||
### Use IPv6 | ||
IPv6 does not need NAT, since all devices can get their own IP. But then you only support IPv6. If you setup your OpenVPN server on IPv6 your phone carrier has to support IPv6 too. Otherwise you can't reach you server. | ||
IPv6 also can offer better privacy and security by obsurity. Most devices use some kind of SLAAC with privacy extension to randomly generate and use a new IPv6 inside your prefix. | ||
It is also is less prone to port scanning, because there are to many IPs for attackers to randomly scan. | ||
|
||
### Dual Stack | ||
Best solution is to get dual stack. Dual stack is a real, none CG-NAT IPv4 plus an IPv6 Prefix. Then you can connect to your OpenVPN server, no matter what your device on the road is connected to. | ||
|
||
|
||
|
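Review bot: Test1 (`If your IP is between 100.64.0.0 - 100.127.255.255 you have CG-NAT.`) checks the wrong address: the "what is my IP" sites listed just above report the address seen from the Internet, which behind a CGN is the shared public address and will never be one from 100.64.0.0/10. The 100.64.0.0/10 check belongs on the WAN/Internet address shown on the router's own status page; say that, and add that a WAN address from 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16 on the router means the same thing, since some ISPs use RFC 1918 space inside the CGN rather than RFC 6598 space. Test2 has two related gaps: `If it takes two hops, you have CG-NAG.` has a typo (CG-NAT), and the filter "ignore 192.168.X.X or 172.16.X.X" omits 10.X.X.X and 172.17-31.X.X, so a router on 10.0.0.1 would be counted as a hop and a line without CG-NAT would be misdiagnosed. Worth a sentence, too, that `traceroute -I` needs root (or CAP_NET_RAW) on Linux and that some ISPs do not answer ICMP for the CGN hop, in which case the trace shows `* * *` instead of a clean one- or two-hop result. In "What is CG-NAT?", the aside that no ISP assigns a port range per subscriber is out of date for the record: MAP-E (RFC 7597) and lw4o6 (RFC 7596) deployments do exactly that, although it still does not let you pick port 1194, so the conclusion stands.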
File renamed without changes.
File renamed without changes.
File renamed without changes.
Binary file not shown.
64 changes: 64 additions & 0 deletions
...ff/Why NAT isn't about security and how IPv6 is superior in every single way.md
@@ -0,0 +1,64 @@ | ||
IPv4 people have a hard time wrapping their heads around the fact that NAT is not about security but a wonky workaround for an IPv4 weakness. | ||
There is such much confusion around IPv6, mainly because people try to reimplemented IPv4 stuff onto IPv6. | ||
Don't try to apply your IPv4 knowledge and wisdom onto IPv6. It won't work. | ||
In my opinion, the easiest way to understand the topic is by using a simple example. | ||
|
||
**Let’s assume I want to remotely access the webpage of my NAS.** | ||
|
||
Probably not a great idea, since my NAS is probably very insecure, full of bugs, and has no 2FA nor any brute force protection. | ||
And without certs, there also could be a man in the middle attack without me noticing. | ||
But still, I wanna access my NAS webpage from remote. | ||
|
||
For IPv4 I have a problem. Since my ISP only gave me one single IPv4, I use that IPv4 for my router. | ||
I don’t have another IPv4 for my NAS (unless a pay huge amount for business lines with multiple static IPv4). So I need the wonky workaround NAT. | ||
My router makes DHCPv4 and hands out my NAS the static IP 192.168.1.2. | ||
I say my router that all the traffic from Port, let’s say 8000, should be redirected to 192.168.1.2. | ||
That of course also creates the corresponding firewall rule to allow all WAN (on port 8000) to 192.168.1.2 (also on Port 8000). | ||
This firewall rule is the potentially dangerous part. | ||
Just to be clear, in theory that should not be a problem! | ||
It isn’t the firewalls job to protect my NAS. Sure it is nice that I don’t allow incoming traffic to my NAS if I never use that from remote, | ||
but the devices **themselves** should be secure. | ||
But of course that is not how it works in reality and because of that firewalls offer added security. | ||
So with that firewall rule to our NAS, we weakened our security and the NAS is now prone to brute force attacks and exploits. | ||
|
||
Since my IPv4 address probably is not static unless I pay my ISP, I need to setup DynDNS. | ||
No problem, I get a DynDNS provider and create an A record. | ||
Now I have access my camera over NAS.mydomain.com:8000. | ||
|
||
Great, there are just a few problems with that. There is now a public DNS record of my NAS. | ||
Portscanners can also detect that I have opended port 8000 and will try to brute force it. | ||
|
||
Now let’s compare that with IPv6. | ||
My ISP gives me a static /48 prefix. Lets say 2000:1111:1111:1111:/48 | ||
My NAS get’s its own IPv6. | ||
Maybe my NAS has IPv6 privacy extension. If that is the case, we get three IPv6 adresses. | ||
We use the second IPv6, because that one is (unlike the first one) static and publicly routable (unlike the third one). | ||
We could also disable privacy extension instead, but I would not recommend it. | ||
Let’s say the NAS IPv6 is: 2000:1111:1111:1111:7e89:dbf4:972a:b685. | ||
Now I create a firewall rule that allows all traffic from WAN to 2000:1111:1111:1111:7e89:dbf4:972a:b685. | ||
Notice how we did not have to bother with DHCP! There is no DHCP server but my NAS will still get always the same IP. | ||
To access my NAS from remote, I simply use a bookmark in my browser or type [2000:1111:1111:1111:7e89:dbf4:972a:b685]. | ||
The brackets tell the browser that this is an IPv6. | ||
|
||
Now, comparing that to IPv4, I have no public DNS record! | ||
There will be no port scans, since that is not feasible for IPv6. | ||
Even if an attacker knows my static /48 prefix, it has to scan 65536 /64 subnets, each with 18446744073709551616 IPs. Good luck with that. | ||
|
||
So as you can see, there is already a security benefit there. | ||
That lead some ISPs to even change the default firewall rules. | ||
Unlike with IPv4, where you by default block ALL incoming connections, these ISPs think it so unlikely that someone does IPv6 attacks, | ||
the changed the default from “block all incoming IPv6” to “allow all incoming IPv6, | ||
but just to be safe, don’t allow some very niche pro ports that a normal users probably does not want to be public like SSH or RDP”. | ||
|
||
Don't try to apply your IPv4 knowledge and wisdom onto IPv6. It won't work. | ||
If you take one of your problems step by step with a fresh mind, you will see that it isn’t that complicated and IPv6 has way less wonky workarounds. | ||
Most of the time, you don't even need to configure anything in IPv6 and it will work just out of the box. | ||
Here are some services that are most of the time no longer needed in IPv6: | ||
- A DHCP server: In IPv6 devices can self assign an IP so they don't need DHCP | ||
- A static DHCP leases or manually setting a static IPv4 on the device: In IPv6, devices already have two static IPv6s | ||
- NAT: That was just a wonky workaround because you only got one IPv4 | ||
- The security nightmare UPNP: No longer needed, since we don't do NAT | ||
|
||
|
||
Not all software is ready for a changing prefix. pfSense is not ready, OPNsense is. | ||
All none shite ISPs will give at least at least a /56 static prefix. |
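Review bot: The IPv6 example's prefix is written as `2000:1111:1111:1111:/48`, which is not valid notation and does not match the /48 it claims: a /48 covers three hextets, so it would be `2000:1111:1111::/48`, with `2000:1111:1111:1111::/64` being one of its 65536 subnets; use the documentation prefix `2001:db8::/48` (RFC 3849) rather than an address from live global unicast space. The rule `allows all traffic from WAN to 2000:1111:1111:1111:7e89:dbf4:972a:b685` opens every port, whereas the IPv4 version only forwarded port 8000; to compare like with like the v6 rule should be limited to the NAS web port, and as written it makes the IPv6 setup strictly more exposed than the IPv4 one it is contrasted with. The three-address description is also off: with privacy extensions a host has a link-local address (fe80::/10, not routable), a stable global address and one or more temporary global addresses; the temporary ones are publicly routable, they just rotate, so "unlike the third one" should say "not stable" rather than "not publicly routable", and which one is listed second depends on the OS. Finally, the "no port scans, good luck with that" argument is security by obscurity: a stable address leaks through outbound connections, every web server, NTP server, update service and DNS resolver the NAS contacts sees it, and address lists harvested from such logs are what IPv6 scanners use instead of brute-force sweeps. That makes the closing ISP default of "allow all incoming IPv6" a bad default rather than a reasonable one; RFC 6092 recommends default-deny inbound for residential IPv6 gateways, and the document should say so instead of presenting the change neutrally.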
@@ -0,0 +1,68 @@ | ||
Wi-Fi is a wonky construct, full of bugs and badly written firmware. You wonder how bad it is? Well, [even companies like Google struggle with Wi-Fi](https://www.reuters.com/technology/googles-newest-office-has-ai-designers-toiling-wi-fi-desert-2024-03-07/). | ||
There are millions of combinations between devices and access points and what OS they are currently running. Because of this, the best way to troubleshoot Wi-Fi and eliminate potential pitfalls is to reduce complexity. | ||
|
||
**These are my recommended settings:** | ||
|
||
Split your Network into two. One network is for old clients or IoT stuff like your Ring doorbell or your fridge. The other network is for your "real" devices that need performance, | ||
like phones, laptops, smart TVs, and so on. | ||
So assuming we name your Wi-Fi "SunnyGarden" we will create two SSIDs with these settings: | ||
|
||
SSID: SunnyGardenIoT | ||
- 2,4GHz only | ||
- WPA2 | ||
- 20MHz channel width | ||
- SSID: SunnyGarden | ||
|
||
SSID: SunnyGarden | ||
- 5GHz only | ||
- WPA3 only | ||
- If WPA3 only is not possible, WPA2 only. | ||
- No WPA2/3 mixed mode! | ||
|
||
channel settings for SunnyGarden if you expirience problems: | ||
- channel width will be selected based on how busy your neighborhood is. But in general, if you don't need a lot of bandwidth, like sending huge files from your Laptop to your NAS, choose 20MHz. | ||
- Channels should be automatically selected, based on your neighbors Wifi. If the channels 38 or 46 are not busy, you can select one of these channels with 20MHz. These are the only two channels that don't need DFS to detect radar. I saw some buggy firmeware implementations for DFS from AVM. By not using DFS, you can rule out these errors. | ||
|
||
Not every AP will allow you to configure all of these settings. | ||
These settings are not written in stone and are mostly valid for Wi-Fi 6. They could change over time. | ||
For example, Wi-Fi 7 should solve some problems like bandsteering, since it can be connected to 2,4 and 5GHz at the same time. | ||
|
||
**FAQ** | ||
|
||
*In theory, feature X should not be a problem. X is also backward compatible!* | ||
|
||
In theory, a lot of things are true. But remember, Wi-Fi is a mess. In theory, HomePod Minis should be able to connect to both WPA2 and WPA3. | ||
But in practice, HomePods will sometimes not connect to a WPA2/3 mixed mode Wi-Fi from vendors like AVM FritzBOX. | ||
|
||
*Why not use WPA2/3 mixed mode?* | ||
|
||
See above | ||
|
||
*Why not use 2,4GHz and 5GHz combined?* | ||
|
||
Band steering is an added layer of complexity that sometimes does not work well. | ||
My rather controversial opinion is that if I can't get 5GHz, I rather have no connection at all. 2,4GHz has bad latency and so many interfering Wi-Fis, that it is mostly useless besides IoT devices. | ||
It is also not great for VoIP, because it takes some time to switch between bands. If I leave my house on a call, I rather want my phone to switch to cellular directly without connecting to 2,4 in between. Wi-Fi 7 should address that issue, by allowing clients to simultaneously connect to both bands. | ||
|
||
*But the 5GHz-only network does not reach my garden!* | ||
|
||
The higher the bandwidth, the smaller the range and object penetration. That is physics. There are two solutions to this problem. You could either install another cable(!) connected extender to expand your range, or you could manually switch to your SunnyGardenIoT and set your device to NOT auto-connect to that Wi-Fi. Otherwise, your device may connect to the slow Wi-Fi inside your home. | ||
|
||
*Why does an extender have to be connected by cable?* | ||
|
||
There will be a cable either way because the Mesh or AP needs power from somewhere. In my opinion, it is in many cases easier to connect an AP or mesh node by PoE (LAN cable that also transmits power from a PoE-capable switch) than by a wall outlet. | ||
What most people have a hard time understanding, is that an AP or a mesh node is just a repeater. It can only repeat what it received previously. Bad input = bad output. | ||
Remember that I think that 2,4 is mostly useless? Well, some manufacturers like Unifi or AVM think so too. That is why they won't offer the repeater getting 2,4GHz as input, only 5GHz. But that gets us to another problem, 5GHz has a pretty limited range. So you have to place it pretty close to your router or use multiple repeaters. | ||
If possible, always use a cable connection. | ||
|
||
*Where should I place my repeater?* | ||
|
||
Let us look at the typical errors I see when people install a mesh node. For simplicity, we leave out 2,4GHz. | ||
|
||
 | ||
|
||
What we see is the router on the left and how good the signal quality is in other rooms. | ||
Now if we install a repeater in the room3, the signal the repeater gets would be poor. But since the iPhone in the garden is one wall away from that repeater, it would show a good signal. | ||
Which is true, it has good signal, but to a repeater that receives poor signal. So in the end how have a poor expirience but your iPhone will show everything is great. | ||
So if we really can't use a cable connection for the repeater we should place it in room 2 or even better in room 1 and another one in room 2 and 3. That way you get good signal everywhere and ok signal in the garden. Or you could save a lot of money and energy by just installing a wired repeater in room 3 and get good signal everywhere including the garden. | ||
|
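Review bot: The IoT SSID block ends with the bullet `- SSID: SunnyGarden`, a copy-paste error (the IoT network is SunnyGardenIoT) that would have a reader give both networks the same name. On the channel advice, `If the channels 38 or 46 are not busy, you can select one of these channels with 20MHz` contradicts itself: 38 and 46 are the 40 MHz centre channels (36+40 and 44+48); at 20 MHz the non-DFS choices are 36, 40, 44 or 48. The non-DFS set is also regulatory, not universal: it is UNII-1 only in Europe, where the AVM reference suggests this was written, while in the US 149-165 are non-DFS as well, so state the region. From a security angle the split is only half described: the IoT SSID gets `WPA2` and the least trustworthy devices, so say whether it lands on its own VLAN/subnet with firewall rules towards the main network, and that WPA2 here means CCMP/AES only, no TKIP; otherwise the two SSIDs share one broadcast domain and the split buys performance but no isolation. `The higher the bandwidth, the smaller the range` should read frequency (5 GHz versus 2.4 GHz); channel width affects range too, but for a different reason, and the paragraph is about band choice. Lastly, `an AP or a mesh node is just a repeater` contradicts the previous sentence's PoE-fed AP: a cabled AP is fed by the LAN, only a wireless mesh node or repeater is limited by the signal it receives.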
@@ -0,0 +1,42 @@ | ||
# Why speedtest.net is almost meaningless | ||
|
||
## How does speedtest.net work? | ||
One of the most common tools measure network performance is iPerf3. | ||
The Speedtest webpage or App is basically an iPerf3 speedtest from your PC (or tablet or smartphone or whatever), to your modem/router, to some iPerf server in your ISPs core network. | ||
This looks something like this: | ||
 | ||
So the only thing you are measuring is the speed from you device to you router, how fast you router can handle traffic, and how fast your connection to some server in your ISPs network is. | ||
|
||
**The most immportant thing cant be measured by speedtest; peering!** | ||
|
||
## What speedtest.net can't measure | ||
Speedtest can't measure how good over good your connection to Netflix is. | ||
Speedtest can't measure how good ping from your PC to the Call of Duty multiplayer server is. | ||
Speedtest can't measure how fast you can download a game on steam or the new iOS Update from Apple. | ||
Speedtest can't measure overbooking from your ISP. You can read more about overbooking here: | ||
https://blog.init7.net/en/overbooking-how-providers-divide-up-the-bandwidth | ||
Speedtest also can't measure how good the peering to someone else is. If you make a video call with someone else, a lot of software will use peer to peer (P2P) for that. So you have a direct connection from your PC to someone elses PC. | ||
|
||
This could look something like this: | ||
|
||
 | ||
|
||
|
||
Compare that with the picture above and you will see how many dotted "connection lines" are not measured in a simple speedtest.net benchmark. | ||
|
||
**That is why you can't differeantiate an ISP with good peering from an ISP with bad peering just by using speedtest.net results.** | ||
|
||
I have seen 1GBit lines not being able the stream a 15MBit video from Netflix, 10Gbit lines being slower in downloading Cyberpunk 2077 at launch than a 50Mbit line, or employess being unable to establish a stable VPN connection to their office. | ||
|
||
|
||
Side note: | ||
ISPs can install cache servers in their network, have direct peering with other ISPs and use public peering exchange points to offer you a better "Internet". | ||
There are also content delivery networks (CDN) that try to alleviate the performance bottlenecks of the Internet. | ||
Unfortunatly, the internet is a lot less decentralized than some people think it is. | ||
|
||
|
||
|
||
|
||
|
||
|
||
|
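Review bot: `The Speedtest webpage or App is basically an iPerf3 speedtest` is wrong in the specific: Ookla's client and server speak their own protocol over TCP (HTTP-style for the web client), not iPerf3; "a bulk multi-connection TCP transfer in the style of iPerf3" keeps the point without the false claim. Likewise `some iPerf server in your ISPs core network` overstates it: the client picks a nearby host from a list of servers run by ISPs, hosting companies and others, and it may or may not sit inside your ISP's network, which is exactly why the result says little about peering. The section explains what is not measured but never how to measure it; one or two sentences naming the obvious tools would make the page actionable, for example tracing the path to the service you care about with traceroute or mtr (the hop where the ISP hands off, and any latency jump there, is the peering) or running iperf3 against a public iperf3 server in a different AS. The line `Speedtest can't measure how good over good your connection to Netflix is` has a duplicated word.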