recent change to cgnat on sonic fiber

by rtisys » Sun Nov 12, 2023 1:35 pm
I've been using sonic fiber since it first came into our neighborhood in 2019. I have
specific VPN requirements and tried to get a static IP at that time. Well, they were -
and still are - not available. OK. So, dynamic IP's, which change very slowly, have
worked just fine. I can periodically determine my current dynamic IP address and, if it has changed,
update the DNS server to reflect the changed IP address. So, my second residence - very rural
and served by StarLink - can look it up and establish/reestablish my Cisco-based VPN.

Recently, after a major Sonic Net upgrade, VPN just disappeared. My home router now appears to sit behind
a new Sonic Net CG-NAT gateway that will not allow a routable internet path to my house from the internet.
In short, the configuration I've used over the past years is now broken. I've done the tracert command
and verified the above.

Sadly, the folks at Sonic Net technical support, while they understand the issue, have no idea if such
a change has been made. And, they claim they are not privy to information about network re-configuration
changes. OK ;)

So, is anyone else dealing with similar issues? I could try IPV6, but, tech support could not verify that it's
available - or how to begin a transition. Also, my StarLink connection, which is also CG-NAT'd, may not
yet support IPV6. Third party solutions may be possible, but, I don't want to have to re-engineer everything
again.

Any help or insight would be appreciated.

Regards,
RTISYS
by artakamoose » Sun Nov 12, 2023 3:32 pm
Quick question, what do you mean by 'Gateway?' Is your setup like A or B?

A) ONT -> Gateway -> Router
B) ONT -> Router
by rtisys » Sun Nov 12, 2023 7:10 pm
Thanks for the question....I don't know and Sonic tech support isn't
being at all helpful. Bottom line, as with several other ISPs, my
internet access gets NAT'd twice: once at my home router and
again within the ISP infrastructure. I can specify a hole in my
router-gateway; but I have no ability to create a similar hole at
the ISP (i.e. Sonic) level. So, outside of a pre-existing TCP
mediated session, I don't have a public IP address to direct
server requests to. Thus, can't establish a VPN tunnel between
my systems.

RTISYS
by js9erfan » Mon Nov 13, 2023 5:32 am
Fortunately, I'm not seeing cgnat at a remote location in Santa Rosa that's on Sonic 10g service.

1  23-93-25-x.fiber.dynamic.sonic.net (23.93.25.x)  0.232 ms  0.127 ms  0.074 ms

I do have ipv6 configured here (Comcast) and there if this changes. You might look into something like ZeroTier as a workaround if Sonic is unwilling to move you off cgnat (assuming they are actually implementing it).
by artakamoose » Mon Nov 13, 2023 5:44 pm
Whoops. Sorry, I've been working too much lately and spaced on you mentioning CG-NAT.

The reason I asked about the gateway was because I know Sonic was deploying gateways (Pace 5268s if I recall correctly) with that service. I believe they had a pure passthrough though, unlike the crappy AT&T version of those gateways which have their own NAT table that you can't bypass. Wonderfully (and unlike AT&T), you don't have to use the Sonic provided gateway. You can hook your router directly up to the ONT.

Anyway, if they're doing CG-NAT, that's way beyond my pay grade. Hopefully, one of their higher level techs will see this and respond.
by kgc » Tue Nov 14, 2023 8:46 am
rtisys wrote: Sun Nov 12, 2023 1:35 pm My home router now appears to sit behind a new Sonic Net CG-NAT gateway.
Can you be more explicit why you think you've been put behind CGN? While v4 CGN is an eventuality, we are not currently running it anywhere in our network.
Kelsey Cummings
System Architect, Sonic.net, Inc.
by rtisys » Wed Nov 15, 2023 10:34 pm
Kelsey, thanks for your note. I also had a Sonic engineer reach out by phone. That was VERY much appreciated.
I was told that, at least for now, Sonic has not implemented CGNAT. That's good enough for me....so, you can skip the
rest of the note if you like. I'll continue - albeit being a bit wordy - so others that find this thread might benefit.

I suspected CGNAT because things had been working reliably for several years before the VPN tunnel failure and also
I understood Sonic had just undergone a major upgrade. I was being a bit paranoid. Since the Starlink node I need to tunnel
to is already on a CGNAT network, I knew that losing my Sonic routable IP address (even though it's a dynamic address)
would put me in a real dilemma.

There are several sites that suggest ways to detect the presence of ISP CGNAT. The one I looked at was:
https://www.purevpn.com/blog/how-to-che ... rms-cgnat/
The tracert test method they suggested (one of three) yielded two hops to get to my public IP address (which was
184.23.xx.xx). The claim is that this indicates the presence of CGNAT. Didn't really understand how that test proved
the presence of CGNAT. So, after a day of thinking it through, I used one of the other tests. I compared the DHCP
address Sonic handed to my router with the public address displayed by one of the web sites that provide public IP
address info (I used http://ipinfo.io). Those two addresses match, so to my knowledge, that proves I am NOT on a CGNAT network - which is exactly what the Sonic engineer I talked with explained.

Although several coincidences suggested otherwise, I believe, at present, the problem is on my end and will dig into
it further. Unfortunately, the Starlink tunnel end is a bit remote and I won't be able to debug on that end
for about a week. But, I will reply to this thread and let you know what I find out.

Regards,
RTISYS
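
The address comparison described in the post above, written out as an added example (it is not part of the original thread): the function name `assess_cgnat`, the verdict labels and the sample addresses are constructed for illustration. It goes slightly beyond the post by also checking the WAN address against the RFC 6598 shared range (100.64.0.0/10) and the RFC 1918 private ranges before comparing it with the externally observed address.

```python
import ipaddress

# RFC 6598 shared address space, reserved for carrier-grade NAT.
CGNAT_SHARED = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges (a home gateway or an ISP NAT can hand these out).
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def assess_cgnat(wan_ip: str, observed_ip: str) -> tuple[str, str]:
    """Classify an IPv4 connection from two addresses.

    wan_ip      -- address the ISP's DHCP assigned to the router's WAN port
    observed_ip -- address an external "what is my IP" service reports
    """
    wan = ipaddress.ip_address(wan_ip.strip())
    seen = ipaddress.ip_address(observed_ip.strip())
    if wan.version != 4 or seen.version != 4:
        raise ValueError("this check only applies to IPv4 addresses")
    if wan in CGNAT_SHARED:
        return "cgnat", "WAN address is in 100.64.0.0/10 (RFC 6598)"
    if any(wan in net for net in PRIVATE_NETS):
        return "upstream-nat", ("WAN address is RFC 1918 private: another "
                                "NAT sits upstream (own gateway or ISP)")
    if wan == seen:
        return "direct", "WAN address is the address the internet sees"
    return "translated", ("public WAN address differs from the observed "
                          "one (NAT, proxy or VPN in the path)")


if __name__ == "__main__":
    # Constructed sample pairs (documentation/reserved ranges, not real hosts).
    samples = [
        ("198.51.100.23", "198.51.100.23"),  # addresses match
        ("100.72.14.9", "198.51.100.23"),    # shared-space WAN address
        ("192.168.1.64", "198.51.100.23"),   # router behind another gateway
        ("198.51.100.23", "203.0.113.80"),   # public but rewritten in transit
    ]
    for wan, seen in samples:
        verdict, reason = assess_cgnat(wan, seen)
        print(f"{wan:>15} vs {seen:<15} -> {verdict}: {reason}")
```

A "direct" verdict only shows that the WAN address is not being translated; inbound VPN traffic can still fail for other reasons, such as a firewall rule or a fault at the far end of the tunnel.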