158
edits
Changes
Draft:Overcoming Carrier-Grade NAT limitations (view source)
Revision as of 14:12, 7 November 2022
, 14:12, 7 November 2022Created page with "==Summary== Back in the older days, accessing an internet-connected device remotely was as simple as typing its IP address into a browser’s URL bar. Since around the early 2..."
==Summary==
Back in the older days, accessing an internet-connected device remotely was as simple as typing its IP address into a browser’s URL bar. Since around the early 2010s, carriers started using NAT (network address translation) solutions to overcome the IPv4 address shortage. One of the most often used solution is '''CG-NAT''' (Carrier-Grade NAT).
This has many disadvantages, but the main ones are:
* It breaks the end-to-end principle of the internet – this means you’ll not be able to access your device by simply typing the device’s external IP into a browser bar, as it will be in the private address range, which is not routable on the internet.
* It increases latency – naturally, adding more layers between two devices will result in higher latency.
* Carriers in some countries often charge a fortune for a plan with a public IP address.
==Identifying CG-NAT address==
On your Teltonika router or gateway navigate to “Network” -> “Interfaces”. From there, under the WAN interface currently in use (''WAN for wired WAN, MOB1S1A1/ MOB1S2A1 for Mobile WAN''), you should see the “IP:” field. If the IP address is in between ranges:
* '''10.0.0.0 - 10.255.255.255'''
* '''100.64. 0.0 - 100.127. 255.255'''
* '''172.16.0.0 - 172.31.255.255'''
* '''192.168.0.0 to 192.168.255.255'''
This means your carrier is most likely using one of the NAT solutions.
==Solutions==
===RMS===
----
With the help of our '''Remote Management System''' (RMS), it is possible to access both – the router and the end devices. To reach the end devices, the most convenient option is to use RMS Connect, which allows access to the end devices using convenient WebUI-based interfaces.<br>
Another option would be to set up an RMS VPN Hub, which would allow end-device access via your preferred remote-control solution. This feature works by assigning a virtual IP address to all of the devices on remote networks, thus allowing you to manage multiple remote devices (even from completely different networks) using the same VPN tunnel.
===Using an IPv6 address===
----
IPv6 can be used instead of IPv4 in the same way as IPv4 addresses were used to access remote devices. This option may require a little more research on the IPv6 capabilities of your carrier (for example they may be using NAT64 or a similar solution, in which case this example will not work). Please refer to '''[[IPv6_addressing|this]]''' article to make sure your IPv6 address is routable.<br>
Note: to access an IPv6 address using your browser, the address needs to be entered in square brackets, as demonstrated in the example:
[[File:Networking_RutOS_FAQ_Overcoming_CG-NAT_limitations_IPv6_example_v1.PNG|border|class=tlt-border]]
===Requesting a public IP address===
----
* '''Dynamic public IP''' - If only dynamic public IP is available (they also tend to be cheaper), then a third-party DDNS (Dynamic DNS) server may be used. This service offers IP address resolving capabilities and can be used to acquire a device’s IP address every time it changes. For the most popular DDNS configuration examples, please refer to '''[[DDNS_Configuration_Examples|this]]''' Wiki page.
* If there is a possibility to get a '''static public IP''', this would be the easiest option. Accessing the router will be as simple as entering the public IP address of the router into the URL field on your favorite browser.
'''Note''': To access the router using options 2 and 3, remote access must be enabled on the router. This can be done by going to System -> Administration -> Access Control and enabling remote HTTP or HTTPS access. We also recommend configuring remote access with suggestions from [[Security_guidelines|'''this''']] page.
Back in the older days, accessing an internet-connected device remotely was as simple as typing its IP address into a browser’s URL bar. Since around the early 2010s, carriers started using NAT (network address translation) solutions to overcome the IPv4 address shortage. One of the most often used solution is '''CG-NAT''' (Carrier-Grade NAT).
This has many disadvantages, but the main ones are:
* It breaks the end-to-end principle of the internet – this means you’ll not be able to access your device by simply typing the device’s external IP into a browser bar, as it will be in the private address range, which is not routable on the internet.
* It increases latency – naturally, adding more layers between two devices will result in higher latency.
* Carriers in some countries often charge a fortune for a plan with a public IP address.
==Identifying CG-NAT address==
On your Teltonika router or gateway navigate to “Network” -> “Interfaces”. From there, under the WAN interface currently in use (''WAN for wired WAN, MOB1S1A1/ MOB1S2A1 for Mobile WAN''), you should see the “IP:” field. If the IP address is in between ranges:
* '''10.0.0.0 - 10.255.255.255'''
* '''100.64. 0.0 - 100.127. 255.255'''
* '''172.16.0.0 - 172.31.255.255'''
* '''192.168.0.0 to 192.168.255.255'''
This means your carrier is most likely using one of the NAT solutions.
==Solutions==
===RMS===
----
With the help of our '''Remote Management System''' (RMS), it is possible to access both – the router and the end devices. To reach the end devices, the most convenient option is to use RMS Connect, which allows access to the end devices using convenient WebUI-based interfaces.<br>
Another option would be to set up an RMS VPN Hub, which would allow end-device access via your preferred remote-control solution. This feature works by assigning a virtual IP address to all of the devices on remote networks, thus allowing you to manage multiple remote devices (even from completely different networks) using the same VPN tunnel.
===Using an IPv6 address===
----
IPv6 can be used instead of IPv4 in the same way as IPv4 addresses were used to access remote devices. This option may require a little more research on the IPv6 capabilities of your carrier (for example they may be using NAT64 or a similar solution, in which case this example will not work). Please refer to '''[[IPv6_addressing|this]]''' article to make sure your IPv6 address is routable.<br>
Note: to access an IPv6 address using your browser, the address needs to be entered in square brackets, as demonstrated in the example:
[[File:Networking_RutOS_FAQ_Overcoming_CG-NAT_limitations_IPv6_example_v1.PNG|border|class=tlt-border]]
===Requesting a public IP address===
----
* '''Dynamic public IP''' - If only dynamic public IP is available (they also tend to be cheaper), then a third-party DDNS (Dynamic DNS) server may be used. This service offers IP address resolving capabilities and can be used to acquire a device’s IP address every time it changes. For the most popular DDNS configuration examples, please refer to '''[[DDNS_Configuration_Examples|this]]''' Wiki page.
* If there is a possibility to get a '''static public IP''', this would be the easiest option. Accessing the router will be as simple as entering the public IP address of the router into the URL field on your favorite browser.
'''Note''': To access the router using options 2 and 3, remote access must be enabled on the router. This can be done by going to System -> Administration -> Access Control and enabling remote HTTP or HTTPS access. We also recommend configuring remote access with suggestions from [[Security_guidelines|'''this''']] page.
