
senseotech

join:2011-12-12

[HSI] Double NATing?

Noticed a few weeks ago that I was having issues with some services that required uPNP and NAT-PMP, that had worked just fine before. Finally tracked down that somehow both my connection at home, and at the girlfriend's are somehow double NAT'ed. Traceroutes hit the router at each location, then go to another private IP, 10.214.96.1 for both locations, then hit the charter network and internet at large. Many services I've set up to port forward manually at each location work, but some that do automatic setup are failing due to this double NAT situation. Anyone else been having similar weird issues, specifically in my case in regards to Back to My Mac?



cablegeek01

join:2003-05-13
USA
kudos:1


What IP address range is your router getting from the modem?

You're not likely double NAT'd by Charter unless your modem has a built-in router and is doing NAT, and you have another router behind that router.

That 10.x.x.x IP address is the bundle interface on the CMTS.
Your traffic isn't actually being NAT'd at that point, it's just the IP that the CMTS is reporting.

(This gets a little complicated, so bear with me and I'll try and explain as best I can)

On a CMTS (cable modem termination system), there is a "bundle interface" that is used to assign IP addresses to cable modems and computers behind the modems.
There are two IP address ranges in a bundle. The "primary IP", which is usually a private IP address (10.214.96.1 in your case), is used to manage the cable modem (commonly known as a CM management IP address; cable modems have their own IP address on the cable/RF side).
The "secondary IP" is the gateway IP address that your PC or router uses to connect to the internet.
The CMTS responds to ICMP/traceroute requests with the primary IP address, even though your router is actually using the secondary IP address to access the internet.

Here's an example of a CMTS bundle interface configuration:

interface Bundle 1
description residential modems - provisioned
ip address 96.34.20.1 255.255.252.0 secondary
ip address 10.214.96.1 255.255.252.0
no ip unreachables
no ip proxy-arp
cable helper-address 24.30.120.215

If you were connecting your cable modem to this CMTS (and running your traffic through it to the internet), your cable modem would get an IP address of say 10.214.96.10 (which you can't see since it's on the CM management/RF side and is only used by the cable company).
Your PC or router behind the modem would get an IP address of 96.34.20.100 with a mask of 255.255.252.0, and a default gateway of 96.34.20.1.
Now when you went to do a traceroute, the program will report 10.214.96.1 as the first or second hop (since it's the primary address on the bundle, the CMTS will report that as the IP), even though your traffic is actually using 96.34.20.1 to get to the internet.

Hope this helps!
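
The check described in the post above, as an added example that is not part of the original post: it parses the quoted bundle configuration, shows which side of the bundle an address belongs to, and decides double NAT from the router's WAN address rather than from private hops in a traceroute. The function names and the public hop 203.0.113.1 are constructed for illustration.

```python
import ipaddress

# Bundle configuration quoted in the post above (address lines only).
BUNDLE_CONFIG = """\
interface Bundle 1
ip address 96.34.20.1 255.255.252.0 secondary
ip address 10.214.96.1 255.255.252.0
"""

# Ranges found on the inside of a NAT: RFC 1918 plus RFC 6598 (carrier-grade NAT).
NAT_INSIDE = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

def parse_bundle(config):
    """Return {'primary': IPv4Interface, 'secondary': [IPv4Interface, ...]}."""
    bundle = {"primary": None, "secondary": []}
    for line in config.splitlines():
        words = line.split()
        if words[:2] != ["ip", "address"] or len(words) < 4:
            continue
        iface = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
        if words[4:5] == ["secondary"]:
            bundle["secondary"].append(iface)
        else:
            bundle["primary"] = iface
    return bundle

def role_of(addr, bundle):
    """Say which side of the bundle an address sits on."""
    ip = ipaddress.ip_address(addr)
    if bundle["primary"] and ip in bundle["primary"].network:
        return "cm-management"
    if any(ip in s.network for s in bundle["secondary"]):
        return "customer"
    return "off-bundle"

def is_nat_inside(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NAT_INSIDE)

def double_nat(router_wan_ip, hops_after_router):
    """Return (double_nat, private_hops).

    The verdict depends only on the router's WAN address. Private hops seen
    after a public WAN address are interfaces answering ICMP from their
    primary address, not a second NAT.
    """
    private_hops = [h for h in hops_after_router if is_nat_inside(h)]
    return is_nat_inside(router_wan_ip), private_hops
```

Read the WAN address from the router's status page; a public address there with 10.214.96.1 as the next hop matches the situation the post describes.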


senseotech

join:2011-12-12

That makes perfect sense (well, it makes enough sense with the somewhat limited networking knowledge I possess), but doesn't help to explain why the ports I need, 4500, 5353, and 5354, are being stealth'ed despite explicitly opening them on the routers on either end.



cablegeek01

join:2003-05-13
USA
kudos:1

said by senseotech:

That makes perfect sense (well, it makes enough sense with the somewhat limited networking knowledge I possess), but doesn't help to explain why the ports I need, 4500, 5353, and 5354, are being stealth'ed despite explicitly opening them on the routers on either end.

What make/model of modem do you have on each end?

senseotech

join:2011-12-12

A Belkin N300 on one end, with the ports mapped to the correct machine, and an Airport Extreme on the other, also mapped correctly. This was working just fine until a few weeks ago; now, the ports are showing as stealthed on both ends when I run a port scan (Shield's Up! specifically).



cablegeek01

join:2003-05-13
USA
kudos:1

Those are the routers. Do you know what the make and model of the cable modems that are connected to the routers are? (This will help determine if the modem is capable of performing NAT, or if not, whether the problem may lie with Charter, or a firewall issue somewhere.)


senseotech

join:2011-12-12

My bad, read modem as router. One end has a Ubee Docsis 3 modem which I confirmed has no NAT/routing abilities, and the other end is a Motorola SB6121, which upon further inspection, appears to allow for DHCP/NAT? The more and more I'm thinking, I'm beginning to suspect it's something on this end with the Belkin/Moto combo, as I've had success connecting from other locations to the Ubee/Airport location.



cablegeek01

join:2003-05-13
USA
kudos:1

A Motorola SB6121 is a bridging-only modem (no NAT capability), so it can't do NAT. It has built-in DHCP, but that only works if the RF (coaxial cable) is disconnected, so I wouldn't worry about it.
My first guess would be a router issue (either the firewall is blocking the connection, or it is not in fact performing port forwarding, even though it's configured for it). After that would be a possible firewall issue on the PC/Mac (a software update may have changed the firewall settings). After both of those possibilities were exhausted, I would contact Charter and ask if they could verify that the ports were not blocked.
Part of that may be connecting a computer directly to the modem and seeing if your program works okay with the router removed from the equation.

Good luck!



mmainprize

join:2001-12-06
Houghton Lake, MI
reply to senseotech

These other programs that are using uPNP, are they using IPv6?
You could try and disable IPv6 for a while and see if it makes any difference.

Also check the PC's NIC settings: are they DHCP or static address? Verify the gateway address is correct. If it is DHCP then check the address in the router for DHCP settings.

Also, routers can block uPNP; make sure it is enabled.


hillbilly

join:2009-12-11
reply to senseotech

Watch out for the new uPnP security flaw while you're at it.
»www.us-cert.gov/current/#cert_re···advisory


senseotech

join:2011-12-12
reply to mmainprize

IPv6 isn't at play here, so that's a no go. Trust me when I say it's not DHCP errors, not my first networking rodeo, so the same on uPNP being turned on for both routers. I think I have it narrowed down to a (second) borked Belkin router on one end; it works just fine with an ancient Linksys router. I guess I get what I pay for, so I have another Airport coming to hopefully rectify the situation, and even if it doesn't it'll beat the poor performance of this dog I'm using here now. Hopefully I'll be posting later this week to say it's fixed!


senseotech

join:2011-12-12

As I suspected, the new router works perfectly; the connection is made almost instantly. That makes two Belkin routers in a row that were duds.