Cogent (ISP/Spain): I can't solve my multiple NAT problem and am running out of ideas

Keep troubleshooting with fing as that is a good network discovery tool… but I just wanted to quickly say.

On the “LAN” side of your router is a DHCP Server handing out addresses in the 192.168.0 range

On the WAN or Internet side of your router is a DHCP Client which is requesting an address. The only thing that will respond to this is a DHCP Server which usually lives on another router. The fact that the Internet side of your router is getting an address in the non-routable range of 192.168.100 means your obtaining an address from the LAN side of another router.

Start unplugging things. We need to get to a point your router obtains a routable address on the Internet side. Especially since that’s what your ISP expects as well. If you plug nothing into your router except your POE adapter off your aerial into the WAN port of the router and 1 machine (so you can access the router) and reboot what Internet address does it get?

aerial → WAN – Router – LAN – One hardwired machine

Unplug all your powerline adapters as well. I’m not convinced these are not causing some kind of issue as well.

Those routing tables look like CGNAT. This may not be as simple as removing devices as the NATs are external.

OK, here is the LAN report from fing:

OK, I have been playing. I have reset my router to factory defaults. I have powered everything off and on again. I have set manual port forwarding to point port 55000 at the Roon home NUC. I have set the NUC as having a fixed local IP address (based on its MAC address). The error message from Roon is now:
{
“connectivity”: {“status”:“NetworkError”,“status_code”:502,“error”:“error: Error: connect ECONNREFUSED 82.aaa.bbb.ccc:55000, response code: undefined, body: undefined”},
“external_ip”: {“actual_external_ip”:“82.aaa.bbb.ccc”,“router_external_ip”:“null”},
“natpmp_autoconfig”: {“status”:“NotFound”},
“upnp_autoconfig”: {“server_ip”:“192.168.0.1”,“found_upnp”:true,“error”:"<s:Envelope xmlns:s=[“http://schemas.xmlsoap.org/soap/envelope/\”](http://schemas.xmlsoap.org/soap/envelope/\) s:encodingStyle=[“http://schemas.xmlsoap.org/soap/encoding/\”](http://schemas.xmlsoap.org/soap/encoding/\)>\n<s:Body>\n<s:Fault>\ns:Client\nUPnPError\n\n<UPnPError xmlns=[“urn:schemas-upnp-org:control-1-0"](urn:schemas-upnp-org:control-1-0%5C)>\n718\nConflictInMappingEntry\n\n\n</s:Fault>\n</s:Body>\n</s:Envelope>\n”}
}
Which is no different from what I posted above.

So now to tackle the recent suggestions…

On the “LAN” side of your router is a DHCP Server handing out addresses in the 192.168.0 range

Yes, i agree.

We need to get to a point your router obtains a routable address on the Internet side. Especially since that’s what your ISP expects as well. If you plug nothing into your router except your POE adapter off your aerial into the WAN port of the router and 1 machine (so you can access the router) and reboot what Internet address does it get?

OK, I powered down the router, and the microwave dish, unplugged EVERYTHING. Plugged the Roon NUC into the back of the router, plugged the router into the WAN dish, powered up the dish, powered up the router and powered up the NUC.

Thus I ended up with:

Then I used fing on my phone to find out the following…

And the roon error message is:

So to my blurry, tear streaked eyes, it looked like nothing changed. I think that whatever is wrong is not in my house. So this comment gave me some hope:

What can I do about that?

I would now connect directly to the NUC router and number its IP to 192.168.0.100 ( for example)

also check the gateway in roon. it should be 192.168.0.1

@Rols
It seems that you have two ISPs involved.

Once Cogent:

and second:
http://www.isrcomunicaciones.es/
Which, I suspect, further distributes the data coming from cogent:

and from which, I assume, the NAT layer stored in front of your own router comes.
Which @Martin_Webster had noted earlier:

Well, you could try and contact Cogent to confirm:

Maybe your ISP from ISR Communications doesn’t even know exactly what’s going on.

There is no box between me and my ISP other than my archer router and a microwave link. Honestly. I know everyone thinks there must be but there really is not.

Yes, I think my one man ISP is starting to worry that he might be part of this.

I would like to show two traceroutes from fing, that confuse me. The first is from my iMac to my public IP:

The second is from my iMac to a cogent server, that is sitting 100Km away from me:

Am I right that the first trace is going via my router out to my ISP? While the second trace involves further journeys in the internet? Or is that first jump within my router?

My router seems to think its public IP is 192.168.100.254. Do I understand that correctly?

If I try to log into my public IP of 82.129.6.1, I get this screen, which looks like a router log in screen to me, the sort of thing that might have a NAT in it?

None of this is making any sense to me. But will keep trying.

Well, yes, he could well be. You said a while back:

So, on the assumption that you are not sharing your home network with your neighbours (you are not seeing any of their devices in your network, are you?), then the logical conclusion is that your man is setting up individual home networks, each of which is connected back to him with their own microwave link. And if there is a single external IP address (from Cogent) that he has, then it sounds as though he’s doing the parcelling out of that to your individual home networks. Which leads to the conclusion that he is doing the Network Address Translation required in some fashion.

2 Likes

No.
I try to explain it. But you will have to deal with it yourself in order to understand it.

The crucial difference between a public and private IP address is that the public IP can be seen by other devices on the Internet, while the private IP cannot.
Therefore, public IPs are used to interact and communicate online, while private IPs operate within a local network.
A public IP address is an outward-facing IP address used to access the Internet. Public IP addresses are provided by an ISP and assigned to the router. It is a unique IP address on the Internet.

Yes.

I think that this MikroTik router is connected to the internet through Cogent, so a gateway, and it is NOT WITH YOU. But probably with your “ISP” from “ISR Communications”, who is not an ISP at all, just someone who distributes and redistributes data that he received elsewhere (from Cogent). And who will NEVER be able to give you a public IP because he ONLY has ONE himself. And he needs it himself to split the data received from Cogent with his MikroTik router and forward it to different customers in a PRIVATE non-public network behind his MikroTik router.
Everything behind it is PRIVATE, including your home network, and CANNOT be accessed from the Internet. So your core cannot be reached via ARC either.
Here is some more explanation so you can compare and see that there is only ONE public ip address involved: 82.192.6.1
ALL OTHER addresses belong to a PRIVATE non-public network, hosted by ISR Communications’ MikroTik Router.



UPDATE:

I had previously written:

But you can’t tell from a distance.
You wrote before:

Maybe your man actually got a public ip for you via Cogent - or he could still do it - and just doesn’t know if and how he can pass it on to you.
He could possibly try to get help with this from Cogent customer service.

1 Like

Thanks for this. It makes sense.

I have put your points to my “ISP” who has gone very quiet. I will give him a few days, but I am thinking that I need to find a proper ISP. It will have to be via 4G, which might come with its own problems but I feel now ready to be an informed buyer.

Thanks all for your endless patience.

Once I get this sorted, I will post a wrap up of how it turns out, just in case someone googles a similar problem in the future.

Cheers.

3 Likes

Just in case, you should make sure you get a public dynamic ip for cellular.
It is not self-evident that a provider offers this possibility, but rather rarely.
Good luck!

You need to avoid Carrier-grade NAT, so ask the question. Otherwise, you will have the same problem.

This indeed is what you need.

Sorry I’ve been absent. A few random comments. Your ISP is cool. People who do this WISP stuff are cool :slight_smile:
Although… there are a ton of different configurations and weird ways of building a WISP. From the original answer it really did sound like the guy was assigning you a public routable IP (needed for ARC). But, with all your troubleshooting it looks more and more like this isn’t the case. Something is a miss.

Try asking him the following: “I have a server on my network that needs to accept and respond to unsolicited TCP connection requests. All testing shows no client attempts are getting to the 82.128.6 network you said was my public IP.”

MikroTik is a router manufacturer that is well respected. They are quickly gaining popularity now the Ubiquity Edgerouters are almost not a thing. I don’t have any first hand experience with them because the one I want to play with seems to be perpetually out of stock.

I have no idea why your ISP wouldn’t have a firewall rule to block access to their router BTW. Maybe that’s concerning.

Cogent… good people… interesting company :slight_smile:

Anyway, if your ISP can’t answer questions / help with this then it will continue to be a mystery.

Before switching ISPs have you tried one of the VPN solutions like tailscale?

If you followed my suggestion of 1 hardwired machine fing should not have worked :slight_smile:
But, this config does help to verify that you might actually have a public routed IP. You need to login to your router to verify though and rely on external tools to “discover” your topology.

1 Like

If he was willing, he could set-up the port forwarding to fix ARC on behalf of his customer but we need to ask the right questions. But, yes, there is some unanswered topology questions here.

Most cellular service is via a CGNat, an automatic double Nat situation and pretty much the same place you are now.

You need a public facing IP and not CGNat, so, I would ask the 4g service a lot of hard questions before going that route.

Otherwise you might just have to setup a VPN via tailscale to run ARC.

See this post

Hi @Rols,

A routine check of automated diagnostics from your ARC account suggests that you might still be up against the port forwarding issue.

Cogent operate a significant portion of the domestic and international network connections in Spain, rivaling Orange’s OpenTransit and several other players for market share, and doubtless implement some form of carrier-grade NAT for most of their residential-tier accounts.

If you’re considering switching providers, several customers in Spain have found success with other mainstream providers, including the basic residential modem/router package from Orange ES (the Livebox+).

Please let us know if you’re having continued issues, and the tech support team is watching this read to promptly assist.

Hi.

Thanks for watching.

Yes, I tried 4g and yes it did not work.

I have tried Vodafone at another address and everything worked instantly and automatically.

Cogent itself got in contact with me to tell me all was well. It was not and I managed to convince them it was a problem at their end thanks mostly to the help I got from this thread. I sent the IP address of their router that was the second NAT. They went “ah, fair point, we will get back to you”. That was a week ago.

I will post here if they ever do.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.