Double NAT with Comcast fiber modem preventing VPN server for BI remote access

We are part of a small test bed for a new fiber into the home internet service from Comcast / Xfinity. I am trying to set up a VPN server on my Asus RTAC68U router for Blue Iris but am getting an invalid IP address error during the DDNS step in this video. It gives me a note of "This router may be in the multiple-NAT environment and DDNS service cannot work in this environment." once the initial IP address error is closed.

The fiber modem, as Comcast calls it, is acting as a router as well which is obviously what is leading to the double NAT. It does have a bridge mode but my TV service is run through the same device and enabling bridge mode knocks out all the TVs. I found a thread here with a similar problem and solution but disabling DHCP on the Asus did not help and switching the cable from my WAN port on the Asus to a LAN port cut off all internet access (except for Google?).

The VPN primer for noobs thread is pretty clear that forwarding ports is not a good idea. Is this my only option at this point? Any other ideas to try?? I am at the absolute limit of my networking ability with this and not sure which direction to go...
 

bp2008

Double-NAT configurations are easy to deal with once you understand the concept of how a NAT works, and specifically what a port forwarding rule does.

Basically, the first router (Comcast modem/router combo) needs to forward a port to your Asus router (probably port 1194 for the UDP protocol only, if that matches your VPN config in the Asus router). Then the Asus router's VPN server should work fine.

I am not sure what DDNS step you are talking about, but there are a lot of ways to update a DDNS service. The Comcast router may provide this functionality, or your DDNS provider may have a Windows service you can install on the BI server. Or Blue Iris Tools may be able to act as the DDNS update client (ipcamtalk provides free DDNS through this program too if you want).
 

Mike A.

Yes, the Asus DDNS service balks with that message if it sees double-NAT. But as bp2008 says there are lots of other ways to do the DDNS client. All you need is one running somewhere to point to the WAN address of the gateway to your net. Doesn't need to be on the router.

In addition to those mentioned, No-IP's DUC, which I think does work with double-NAT, is here:
Dynamic DNS Update Client (DUC) for Windows - No-IP

Not sure how Comcast's fiber works but FIOS has a similar deal with their TV services where you need one of their routers (or some other MoCA bridge) to provide connectivity to the set top boxes. What I do to avoid double NAT is put my Asus up front as a primary and one of their routers behind it to serve as the bridge. Theirs doesn't care if behind double-NAT, just needs access to the Internet. But don't know whether that's possible with Comcast. Is there a separate ONT device other than the modem/router? FIOS makes it easy since their ONT just hands you a DHCP address on their network and you can plug pretty much anything into it.
 
Thanks a ton for the ideas, I will play around with this later. There is only one device, nothing before or after it, and it connects to an actual fiber line that my router cannot accept as far as I know.
 
A follow-up in case anyone else battles this...

I set up a port forward through the Xfinity router using this guide, set up the OpenVPN server on my Asus router, and I can now connect remotely using my Xfinity dynamic public IP in the VPN config file. The DDNS function on my Asus router is still giving me an error but I found info claiming Comcast / Xfinity use a ‘sticky’ dynamic public IP which does not change much, if ever. So I am going to roll with it like this for now.
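
The double-NAT reasoning worked through in this thread, as an added example that is not part of any poster's message: given the inner router's WAN address and the public address seen from outside, it reports whether an upstream forward is needed and where a DDNS client can run. The function names and sample addresses are constructed for illustration, and it does not model the Asus firmware's own DDNS check.

```python
import ipaddress

# Address ranges that can never be a home network's real public address.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared space


def classify_wan(router_wan_ip, observed_public_ip):
    """Classify the inner router's position from its WAN address and the
    address an outside service reports for the connection."""
    wan = ipaddress.ip_address(router_wan_ip)
    public = ipaddress.ip_address(observed_public_ip)
    if wan == public:
        return "single-nat"
    if any(wan in net for net in RFC1918):
        return "double-nat"
    if wan in CGNAT:
        return "carrier-nat"
    return "unknown"


def vpn_plan(router_wan_ip, observed_public_ip, port=1194, proto="udp"):
    """Return what has to be configured for the inner router's VPN server."""
    state = classify_wan(router_wan_ip, observed_public_ip)
    plan = {"state": state, "upstream_forward": None, "ddns_client": None}
    if state == "single-nat":
        plan["ddns_client"] = "inner router"
    elif state == "double-nat":
        # One forward on the upstream gateway, only the VPN port and protocol.
        plan["upstream_forward"] = f"{proto}/{port} -> {router_wan_ip}:{port}"
        # The inner router only sees a private WAN address, so the DDNS
        # updater has to run somewhere that learns the public address.
        plan["ddns_client"] = "host on the LAN or the upstream gateway"
    elif state == "carrier-nat":
        # The translating device belongs to the ISP, so no forward can be added.
        plan["ddns_client"] = "not useful: inbound connections cannot reach the router"
    return plan


if __name__ == "__main__":
    # Constructed sample values: 10.0.0.15 stands in for the address the
    # upstream gateway hands the inner router, 203.0.113.7 for the public IP.
    for wan, pub in [("10.0.0.15", "203.0.113.7"), ("203.0.113.7", "203.0.113.7"),
                     ("100.72.1.2", "203.0.113.7")]:
        print(wan, pub, vpn_plan(wan, pub))
```

The forward is scoped to the single VPN port and protocol, which keeps the camera and Blue Iris ports themselves unexposed.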
 