Cogent (ISP/Spain): I can't solve my multiple NAT problem and am running out of ideas

Hi Roland,

Without an overview of the topology used at your premises and the infrastructure used to connect the radio links to the internet, it is difficult to formulate an answer.
But I will try!

Based on the above and guessing:
Your own network range at your premises is 192.168.0.0/24
Behind your router is the radio link network range for your (own) connection 192.168.100.0/24 to the ISP.
At the ISP your external IP is 82.192.6.1 which is your ISP’s external internet facing address.

If you check the WAN interface on your home router, you may find the network information for the link to the ISP infrastructure.
The IP range is most certainly the range 192.168.100.0/24 with your WAN interface address being 192.168.100.254.
Thus having double NAT!

192.168.0.0/24 -[ NAT1 ]- 192.168.100.0/24 -[ NAT2 ]- Maybe 82.192.6.1 or more (non-)routable networks?

Above is just guessing based on provided information and might not be correct at all!

The ISP’s website is in Spanish so not a good resource for me.

It is possible to investigate what the topology to the internet might be like with tools, but YMMV.
How to come to a working solution is a different story.

Good luck!

Without an overview of the topology used at your premises and the infrastructure used to connect the radio links to the internet, it is difficult to formulate an answer.

I really am motivated to give you the topology. I have described it in text several times and do not know what else I can say. What more can I tell you? I want to be helpful. Perhaps give me an example.

Your own network range at your premises is 192.168.0.0/24

Hmmm… I do not understand. My subnet mask is the normal 255.255.255. The WAN interface is set to Dynamic IP with an IP address of 192.168.100.254
All my internal IP addresses seem to start with 192.168.0.

Behind your router is the radio link network range for your (own) connection 192.168.100.0/24 to the ISP.

Yes: my router thinks its default gateway is 192.168.100.1
“Get IP using Unicast DHCP” is not set

At the ISP your external IP is 82.192.6.1 which is your ISP’s external internet facing address.

Yes, correct. My ISP has set that as my fixed IP number after I started complaining about having a double NAT.

If you check the WAN interface on your home router, you may find the network information for the link to the ISP infrastructure.
The IP range is most certainly the range 192.168.100.0/24 with your WAN interface address being 192.168.100.254.

Please see above. Your numbers are not quite what I am seeing.

Thus having double NAT!

… and there you lose me!

192.168.0.0/24 -[ NAT1 ]- 192.168.100.0/24 -[ NAT2 ]- Maybe 82.192.6.1 or more (non-)routable networks?

… sorry I do not understand.

Above is just guessing based on provided information and might not be correct at all!
The ISP’s website is in Spanish so not a good resource for me.

Nor me!

It is possible to investigate what the topology to the internet might be like with tools, but YMMV.

If you suggest tools I will try them.

I have tried traceroute (the macos command) which lists 2 hops to the internet:
1: 192.168.0.1
2: 82.129.6.1

The WAN IP is 82.129.xxx.xxx, not 192.168.100.254. This is essentially the cause of your woes. This means there is a router between the public IP and 192.168.100.0 and another between this and 192.168.0.0, which is the cause of double NAT.

Earlier, you said…

Is that the “little box”, or something else? Please confirm, thanks.

Otherwise, if there are no other devices between the microwave dish/antenna and the Archer, then the ISP will need to resolve this since there is nothing you can do.

Once you had the static IP assigned from your isp, did you reboot their modem? This would be necessary and might explain why you still have a 192 subnet for your gateway IP.

Another thing you can do is download a free program called “fing” to your phone/tablet/pc and run a network scan across your LAN to help identify where the double NAT is coming from.

I use Fing as well, nice program.
Download link below.

Connect your NUC directly to the router, without devolo. Check the effects.

Maxxim

Yes I had tried that (twice). The double NAT problem remained.

Set the router as a bridge, or number the router with a fixed IP address on the output side of the WAN (external IP address).

Maxxim

OK, I have downloaded Fing to my desktop and to my phone and had a play. Lots of data, but what can I show you guys that would help?

How about this: it's a trace of me to Google, the first 4 hops:


I think Cogent are a big US fibre company. I think my ISP (ISR Comunicaciones) is renting capacity off one of their fibre links.

192.168. xxx is obviously me. These look like my local IP addresses.

I am worried that the IP addresses seem to move from 192.168.0.XXX to 192.168.100.XXX to 192.168.201.XXX. That seems to all be happening inside my one router, and it looks to my ignorant eyes as two NATs.

So I have reached out to the router manufacturer asking if their router might do NAT twice.

This is what my router set up screen looks like:

I have tried editing the IP address from 192.168.100.254 to 192.168.0.254 (this is me flailing around in the dark) but get an error message from the router:

I can see a “RoonMobile_broker” uPnP service sitting on 192.168.0.XXX

… and then there is this, which I flat out do not understand:

And one last aside…

After all of the stuff described above, including many resets, many off/ons, this is what Roon is now saying about ARC:

{
"connectivity": {"status":"NetworkError","status_code":502,"error":"error: Error: connect ECONNREFUSED 82.aaa.bbb.ccc:55000, response code: undefined, body: undefined"},
"external_ip": {"actual_external_ip":"82.aaa.bbb.ccc","router_external_ip":"null"},
"natpmp_autoconfig": {"status":"NotFound"},
"upnp_autoconfig": {"server_ip":"192.168.0.1","found_upnp":true,"error":"<s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">\n<s:Body>\n<s:Fault>\ns:Client\nUPnPError\n\n<UPnPError xmlns=\"urn:schemas-upnp-org:control-1-0\">\n718\nConflictInMappingEntry\n\n\n</s:Fault>\n</s:Body>\n</s:Envelope>\n"}
}

Er… which does not seem to mention double NAT.

Sigh.

Please scan your lan with fing so we can try figuring out what is going on. Your trace route shows 4 different private subnets.

Keep troubleshooting with fing as that is a good network discovery tool… but I just wanted to quickly say.

On the “LAN” side of your router is a DHCP Server handing out addresses in the 192.168.0 range

On the WAN or Internet side of your router is a DHCP Client which is requesting an address. The only thing that will respond to this is a DHCP Server which usually lives on another router. The fact that the Internet side of your router is getting an address in the non-routable range of 192.168.100 means you're obtaining an address from the LAN side of another router.

Start unplugging things. We need to get to a point your router obtains a routable address on the Internet side. Especially since that’s what your ISP expects as well. If you plug nothing into your router except your POE adapter off your aerial into the WAN port of the router and 1 machine (so you can access the router) and reboot what Internet address does it get?

aerial → WAN – Router – LAN – One hardwired machine

Unplug all your powerline adapters as well. I’m not convinced these are not causing some kind of issue as well.

Those routing tables look like CGNAT. This may not be as simple as removing devices as the NATs are external.

OK, here is the LAN report from fing:

OK, I have been playing. I have reset my router to factory defaults. I have powered everything off and on again. I have set manual port forwarding to point port 55000 at the Roon home NUC. I have set the NUC as having a fixed local IP address (based on its MAC address). The error message from Roon is now:
{
"connectivity": {"status":"NetworkError","status_code":502,"error":"error: Error: connect ECONNREFUSED 82.aaa.bbb.ccc:55000, response code: undefined, body: undefined"},
"external_ip": {"actual_external_ip":"82.aaa.bbb.ccc","router_external_ip":"null"},
"natpmp_autoconfig": {"status":"NotFound"},
"upnp_autoconfig": {"server_ip":"192.168.0.1","found_upnp":true,"error":"<s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">\n<s:Body>\n<s:Fault>\ns:Client\nUPnPError\n\n<UPnPError xmlns=\"urn:schemas-upnp-org:control-1-0\">\n718\nConflictInMappingEntry\n\n\n</s:Fault>\n</s:Body>\n</s:Envelope>\n"}
}
Which is no different from what I posted above.

So now to tackle the recent suggestions…

On the “LAN” side of your router is a DHCP Server handing out addresses in the 192.168.0 range

Yes, I agree.

We need to get to a point your router obtains a routable address on the Internet side. Especially since that’s what your ISP expects as well. If you plug nothing into your router except your POE adapter off your aerial into the WAN port of the router and 1 machine (so you can access the router) and reboot what Internet address does it get?

OK, I powered down the router, and the microwave dish, unplugged EVERYTHING. Plugged the Roon NUC into the back of the router, plugged the router into the WAN dish, powered up the dish, powered up the router and powered up the NUC.

Thus I ended up with:

Then I used fing on my phone to find out the following…

And the roon error message is:

So to my blurry, tear streaked eyes, it looked like nothing changed. I think that whatever is wrong is not in my house. So this comment gave me some hope:

What can I do about that?

I would now connect directly to the NUC router and number its IP to 192.168.0.100 (for example).

Also check the gateway in Roon. It should be 192.168.0.1

@Rols
It seems that you have two ISPs involved.

Once Cogent:

and second:
http://www.isrcomunicaciones.es/
Which, I suspect, further distributes the data coming from cogent:

and from which, I assume, the NAT layer stored in front of your own router comes.
Which @Martin_Webster had noted earlier:

Well, you could try and contact Cogent to confirm:

Maybe your ISP from ISR Communications doesn’t even know exactly what’s going on.

There is no box between me and my ISP other than my archer router and a microwave link. Honestly. I know everyone thinks there must be but there really is not.

Yes, I think my one man ISP is starting to worry that he might be part of this.

I would like to show two traceroutes from fing, that confuse me. The first is from my iMac to my public IP:

The second is from my iMac to a cogent server, that is sitting 100Km away from me:

Am I right that the first trace is going via my router out to my ISP? While the second trace involves further journeys in the internet? Or is that first jump within my router?

My router seems to think its public IP is 192.168.100.254. Do I understand that correctly?

If I try to log into my public IP of 82.129.6.1, I get this screen, which looks like a router log in screen to me, the sort of thing that might have a NAT in it?

None of this is making any sense to me. But will keep trying.

Well, yes, he could well be. You said a while back:

So, on the assumption that you are not sharing your home network with your neighbours (you are not seeing any of their devices in your network, are you?), then the logical conclusion is that your man is setting up individual home networks, each of which is connected back to him with their own microwave link. And if there is a single external IP address (from Cogent) that he has, then it sounds as though he’s doing the parcelling out of that to your individual home networks. Which leads to the conclusion that he is doing the Network Address Translation required in some fashion.

2 Likes
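
An added example, not written by any poster in this thread: a small Python check that applies the test the replies keep returning to, comparing the router's WAN address with the address the internet sees and listing the non-public subnets a traceroute crosses. Grouping hops into /24 subnets is an assumption taken from the ranges quoted above, and 192.168.201.1 is a constructed host in the 192.168.201.XXX range mentioned in the thread.

```python
import ipaddress

# RFC 1918 private ranges and the RFC 6598 shared range used for carrier-grade NAT.
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify(addr):
    """Label an IPv4 address as 'private', 'cgnat' or 'public'."""
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in PRIVATE):
        return "private"
    return "public"


def diagnose(router_wan_ip, observed_public_ip, hops):
    """Compare the router's WAN address with the address the internet sees.

    hops is the traceroute hop list, nearest first. Subnets are grouped as /24,
    an assumption that matches the ranges quoted in the thread.
    """
    subnets = []
    for hop in hops:
        if classify(hop) == "public":
            break  # everything past here is already on the internet
        net = str(ipaddress.ip_network(hop + "/24", strict=False))
        if net not in subnets:
            subnets.append(net)

    wan = classify(router_wan_ip)
    if wan == "public" and router_wan_ip == observed_public_ip:
        verdict = "single NAT"
    elif wan == "cgnat":
        verdict = "carrier-grade NAT"
    else:
        verdict = "double NAT"  # some upstream device owns the public address
    return {
        "verdict": verdict,
        "non_public_subnets": subnets,
        # A port forward on the home router only works if it holds the public IP.
        "home_port_forward_reachable": verdict == "single NAT",
    }


# Constructed sample: addresses from the thread, except 192.168.201.1, which is a
# made-up host in the 192.168.201.XXX range the poster mentions.
SAMPLE_HOPS = ["192.168.0.1", "192.168.100.1", "192.168.201.1", "82.129.6.1"]

if __name__ == "__main__":
    print(diagnose("192.168.100.254", "82.129.6.1", SAMPLE_HOPS))
```

The list of non-public subnets is only a hint about how many routed segments sit in front of the public address; the verdict itself rests on the WAN address comparison.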