looking for options for enabling remote access for CGNAT fiber connection

J

JeffCharger

Getting the hang of it
Jul 9, 2015
96
53
Our area is moving to a fiber solution for internet. I was assisting my brother with his installation and we've run into a problem with remote access to cameras.

The problem seems to be due to the ISP is using CGNAT where you don't have a routable IP address (even with a DDNS provider).

Questions:
1) does running Zerotier resolve this? (I am currently doing this, so my implementation would work when I convert to the fiber solution next week)

2) my brother does not run Zerotier, are there other solutions to getting remove access with CGNAT? (e.g. OpenVPN, or others?)

Thanks for some help!
 
bp2008 said:
There are several options.

I wrote a wiki page on this topic a while ago, specifically in the context of Blue Iris, but the same concepts apply to other software as well: Blue Iris Remote Access
Click to expand...

Thanks, I found this before posting my question here. It's provides great direction , and suggests that ZeroTier will resolve the issue when I migrate next week (thankfully). It doesn't seem to directly answer the question as to whether these solutions were specific to CGNAT based networks.

Does it help my brother's situation where he doesn't run a BlueIris solution, but has IP cameras that he uses port forwarding that work with his current ISP. (I know, we don't recommend this, but it's widely used). Are there other options?
 
JeffCharger said:
It doesn't seem to directly answer the question as to whether these solutions were specific to CGNAT based networks.
Click to expand...

If your ISP uses CGNAT, it means you do not have a public IPv4 address. But you probably still get fully functional IPv6 so if you learn how IPv6 works you can use that.

JeffCharger said:
Does it help my brother's situation where he doesn't run a BlueIris solution, but has IP cameras that he uses port forwarding that work with his current ISP. (I know, we don't recommend this, but it's widely used). Are there other options?
Click to expand...

If all the camera remote access is done by connecting directly to cameras or directly to an NVR appliance, then Zerotier will be difficult to use. Because you can't install Zerotier on the cameras or NVR. You'd need a router that supports Zerotier (opnSense for example), and even then the routing could be tricky (I've never tried).

If you learn how IPv6 works, then you can probably use that for the remote access just like you were using IPv4 before. There are two main differences between IPv4 and IPv6: The addresses look very different when written out, and there is no shortage of IPv6 addresses. The idea behind IPv6 is that every internet subscriber gets at least 18,446,744,073,709,551,616 addresses (no exaggeration) to use as they see fit, all of them publicly routable. So you statically assign one of the addresses in your allotted range to whatever device you want, open port(s) in the router's firewall to allow the inbound connections you want to be allowed, and that is that. It is very similar to forwarding a port with IPv4, except you don't have to worry about a distinction between public and private addresses. At least that is how it is in theory. In practice, some routers have shitty IPv6 support. and some ISPs (particularly smaller ones) have shitty or non-existent IPv6 support. So you can run into obstacles.

If the router has VPN server capability, you could use that with the router's IPv6 address (which hopefully doesn't change). Then you connect to the VPN using IPv6, and once connected you can connect to the NVR or cameras using their IPv4 LAN addresses.

Or you could assign the NVR a static IPv6 address and open the necessary port(s) in the router's IPv6 firewall similar to how you port forwarded in the past using IPv4, and connect directly to the NVR using IPv6. You still take on the risk of the NVR's cybersecurity problems this way, but you also don't have to deal with a VPN connection so it is a tradeoff.
 
Last edited:
  • Like
Reactions: JeffCharger, looney2ns, Mike A. and 1 other person
bp2008 said:
If your ISP uses CGNAT, it means you do not have a public IPv4 address. But you probably still get fully functional IPv6 so if you learn how IPv6 works you can use that.



If all the camera remote access is done by connecting directly to cameras or directly to an NVR appliance, then Zerotier will be difficult to use. Because you can't install Zerotier on the cameras or NVR. You'd need a router that supports Zerotier (opnSense for example), and even then the routing could be tricky (I've never tried).

If you learn how IPv6 works, then you can probably use that for the remote access just like you were using IPv4 before. There are two main differences between IPv4 and IPv6: The addresses look very different when written out, and there is no shortage of IPv6 addresses. The idea behind IPv6 is that every internet subscriber gets at least 18,446,744,073,709,551,616 addresses (no exaggeration) to use as they see fit, all of them publicly routable. So you statically assign one of the addresses in your allotted range to whatever device you want, open port(s) in the router's firewall to allow the inbound connections you want to be allowed, and that is that. It is very similar to forwarding a port with IPv4, except you don't have to worry about a distinction between public and private addresses. At least that is how it is in theory. In practice, some routers have shitty IPv6 support. and some ISPs (particularly smaller ones) have shitty or non-existent IPv6 support. So you can run into obstacles.

If the router has VPN server capability, you could use that with the router's IPv6 address (which hopefully doesn't change). Then you connect to the VPN using IPv6, and once connected you can connect to the NVR or cameras using their IPv4 LAN addresses.

Or you could assign the NVR a static IPv6 address and open the necessary port(s) in the router's IPv6 firewall similar to how you port forwarded in the past using IPv4, and connect directly to the NVR using IPv6. You still take on the risk of the NVR's cybersecurity problems this way, but you also don't have to deal with a VPN connection so it is a tradeoff.
Click to expand...
Many thanks for the suggestions and ideas. We will pursue these.

I don't believe that the ISP has IPV6 available. We will work with these suggestions and hopefully have some discussions with the tech support team at the vendor.

Many thanks!
 
  • Like
Reactions: looney2ns
thanks for the ngrok suggestion. We are in the process of setting up a Zerotier solution. The site is remote, so we are only there sporadically to work on it!
 
  • Like
Reactions: pyspilf
Maybe a better idea. I only start ngrok when I am away and need to access (a bit of a convoluted way, but it works for me: I use Alexa on my phone to run a home automation event in Homeseer which starts ngrok), and usually stop if afterwards for security concerns... I have never tried running it long term, so I can't say how stable the connection would be, but I think it has the ability to reconnect. In any case, with your scenario, I would guess the more robust the solution, the better :)
 
  • Like
Reactions: JeffCharger
ZeroTier relies on the device you're accessing being online and running the ZeroTier software unless you're setting it up as a proxy. Do you have a plan for what to do if anything goes wrong with the ZeroTier host (like a failed update)? Would it be possible to configure ZeroTier on multiple local devices, or have a router or other reliable piece of equipment attempt at startup to make an outbound VPN connection to a VPN server you control?
 
Look at Tailscale MESH VPN. I installed on my pfSense firewall so I can access my entire network. It will traverse multiple levels of NAT, including CGNAT.

tailscale.com

Tailscale · Best VPN Service for Secure Networks

Securely connect to anything on the internet with Tailscale. Deploy a WireGuard®-based VPN to achieve point-to-point connectivity that enforces least privilege.
tailscale.com tailscale.com

They have a free tier with up to 100 devices. Even a primate like me can set it up. Works automatically!
 
Last edited:
  • Like
Reactions: TonyR
Thank you for mentioning Tailscale. I'm buried behind AT&T CGNAT on my rural hotspot. Just set up Tailscale and am thrilled to be able to see my cameras remotely finally!
 
  • Like
Reactions: elvisimprsntr
I really don't trust Tailscale personally

I just have a VPS with a site-to-site Wireguard VPN tunnel

I don't have CGNAT, but I have that setup to allow for my redundant WAN to be easier with remote access for LPR
 
ZeroTier has worked very well for me. I’m personally not familiar with Tailscale, since my ZT setup has worked so well, but I believe that they are similar upon function.
ZT allows me to use windows Remote Desktop. The combination has worked very well.
 
  • Like
Reactions: looney2ns
You could us a Mikrotik, pfSesne, etc and do a tunnel to something like Core Transit. They will lease you a single (or multiple) public IP's you can then just connect over the tunnel as you normally would with a static IP address.
 
You must log in or register to reply here.
Top Bottom