No remote connection to Asus AX88U due to private WAN IP address

[w461]

Hi, I am trying to create a remote connection to my AX88U. However, on the DDNS page of the router GUI it says the router is using a private WAN IP address, possibly due to Multi-NAT, and that this is not supported by DDNS.

iplookup.asus.com provides me an IP address for the DDNS, nevertheless. But when I try to connect via Safari (using ASUS's WAN access via port 8443 - trying this since OpenVPN wasn't successful, either), I get no response using a mobile LTE connection.

The router is connected to a modem of the ISP, who provides me a dynamic IP. I haven't found any further configuration of the ISP settings than what can be managed with the router. Unfortunately it is an Italian ISP and people only speak Italian - hardly got the installation of the antenna managed...

What can I do to trace the problem?

 

[ColinTaylor]

If your router does have a private IP address like the message says then you won't be able to get remote access unless you can bridge the upstream router that's creating the double NAT, or configure port forwarding on that upstream router.

 

[w461]

Thanks. My assumption is, it is the wrong message. How can I check whether the IP is private? The router would then need to be on the ISP side, I only have a small modem upstream

Within the Asus router there is no configuration that could create a double NAT? I was wondering, because in the general WAN configuration, I have „activate NAT“ on (without I have no Internet), and in addition I have the LAN-DHCP server activated. Both seem to do the same thing to my understanding - sorry, I am no router expert, until now it was always plug and play

 

[drinkingbird]

Thanks. My assumption is, it is the wrong message. How can I check whether the IP is private? The router would then need to be on the ISP side, I only have a small modem upstream

Within the Asus router there is no configuration that could create a double NAT? I was wondering, because in the general WAN configuration, I have „activate NAT“ on (without I have no Internet), and in addition I have the LAN-DHCP server activated. Both seem to do the same thing to my understanding - sorry, I am no router expert, until now it was always plug and play

Easiest way to tell is to go to whatsmyip.net and see if the IP reported there matches the WAN IP of the Asus. If not, there is a NAT happening somewhere.

If the IP reported by the asus starts with any of the following it is a private IP:
10.
192.168.
172.16 through 172.31
100.64 through 100.127

If it is one of the first 3, your "modem" is probably actually a router. So you could go in there and do port forwarding or put the asus in DMZ. You may even be able to set it to bridge mode from the management interface. With bridge mode, DDNS will just work as your Asus will now get a real IP. With DMZ or port forwarding you'll still need to work around the DDNS issue. I could have sworn the asus had an option somewhere to check the IP remotely rather than grab it from local WAN interface, but can't find it. But there are clients you can run on a PC, NAS, etc that can do the updates for you based on retrieving the IP from a site like whatsmyip. Won't be as fast to update as looking at the WAN, but it works.

The 4th one is CGNAT so that would mean your modem is a modem and your carrier is doing NAT on their side. Some will let you request a "real" IP, some charge for it, some don't.

If you have any of those, you cannot remotely access your router or anything behind it unless your ISP offers a public IP or possibly a NAT mapping for you. If not, you can see if your ISP supports IPv6, if so it will be a routable IP and you can use that for remote access.

If none of that, then your only option is to use a VPN. Ones that allow you inbound access/port mapping will most likely have a monthly fee though. You must establish the VPN from within your network (behind the private IP) then you will be able to have remote access. If you have a second location, you could create your own VPN from the problematic site to that second site and route the traffic through there.

 

[w461]

Thank you so much, this is very helpful. Indeed, the IP differs between internal and external view. Internally it starts with 100.125, so it is private.

Let‘s see, if the ISP guys can explain me how to access/configure the modem (aka router), so far they Didn‘t leave the best impression

 

[drinkingbird]

Thank you so much, this is very helpful. Indeed, the IP differs between internal and external view. Internally it starts with 100.125, so it is private.

Let‘s see, if the ISP guys can explain me how to access/configure the modem (aka router), so far they Didn‘t leave the best impression

Yes that range is called CGNAT (Carrier Grade NAT) and common for newer/small ISPs (and Wireless ISPs) to use that, then "hide NAT'ing" lots of those IPs behind a single real IP, or a pool of real IPs. Unfortunately inbound connections won't work in that setup unless they specifically offer that as a service (statically mapping ports for you), which is unlikely.

If you're getting a 100.125 then it is likely just a plain modem and you can't do anything to change the IP. That IP is being assigned by their upstream servers. You'd have to ask them if they offer a public IP (possibly for a fee) or IPv6. Or just enable IPv6 on your router and see if it gets an IPv6 IP. Generally I say avoid IPv6 but this is one case where it can be useful. Just make sure the IPv6 firewall is enabled, and hopefully they support "native" mode. But try for a real IPv4 first, that is a bit more fool proof and safer.

Or you have the VPN option too. That will work behind CGNAT in many cases as long as the CGNAT side initiates the connection (VPN client).

 

[Tech9]

Generally I say avoid IPv6 but this is one case where it can be useful.

Indeed.

 

[Michael3421]

Not said here is that Asus does not have a cloud based management system. If it did, the router would phone home to the Asus cloud and there would not be a problem with remote access. Many other router vendors offer cloud based admin systems. TP-Link has two. These systems have their pros and cons of course.

 

[L&LD]

When/if Asus implements cloud-based management, I will look for another router/company.

Cloud managed means not 'me' managed. And that is what I want/require for my routers/networks.

I would hardly call that a benefit. Whenever their cashflows are low, they turn off the server(s) that will give them the most upgrades to fill their coffers again.

The only/most benefit is for the manufacturer, not the customers.

Just look at electric cars; nickel and diming everyone to the poor house. I'm NEVER buying one, for that reason alone. Not to mention how poorly they drive and how hard they are on the replaceables.