RT-AC86U strict NAT

roundpar

New Around Here
Hello,

I've been banging my head against this strict NAT I've been having for a long time and I hope someone here can help me sort it out. First, I have an RT-AC86U with Asuswrt Merlin 386.4 connected to an ISP-provided EG8120L. My issue is that whatever I do, I can't get anything other than a strict NAT. I've been browsing the forum for answers but everything other people had tried does not seem to work for me. Currently I'm testing on my Windows workstation with a wired connection. I've tried:

* Enabling UPnP: I read that in some routers it can be spotty, but I've confirmed that requested ports by applications appear under System Log > Port Forwarding > UPNP
* Disabling DMZ (never had it enabled)
* Switching Fullcone/Symmetric NAT type, none work
* Forwarding ports via OpenNAT
* Manually forwarding ports

I've also read that sometimes it's up to the ISP to enable this on their side, so I called them and they told me they've enabled CGNAT for me, but other than that they can't do anything because I'm in "Bridge" mode as I've got my own router. I thought that perhaps it's a matter of my "WAN Connection Type" being automatic, but I don't even know what to put if I were to set it manually.

I'm currently testing my NAT type by using the "Xbox Networking" panel on the Windows Settings:

And sometimes I use the game For Honor as it has a clear NAT display to help players, but so far I have no idea what I can do to have an open NAT. Any ideas?

Thanks.
 

ColinTaylor

Part of the Furniture
I've also read that sometimes it's up to the ISP to enable this on their side, so I called them and they told me they've enabled CGNAT for me,
If your router is behind a CGNAT connection that will be your problem. You can confirm this by looking at the router's WAN IP address. If the first octet is 100 and the next octet is from 64 to 127 you have CGNAT.
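
Added example (not part of the post above, and not code from Asuswrt-Merlin): the octet rule is the RFC 6598 prefix 100.64.0.0/10, so it can be checked as a network membership test. This sketch goes a little further than the post by also flagging RFC 1918 WAN addresses and a mismatch between the WAN address and the address an outside host sees; the function names and the sample addresses are constructed for illustration.

```python
import ipaddress

# RFC 6598 shared address space used for carrier-grade NAT. This prefix is the
# "first octet 100, second octet 64 to 127" rule written as a network.
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges: a WAN address here means the ISP box is still routing.
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(addr):
    """Return 'cgnat', 'private', 'unusable' or 'public' for an IPv4 WAN address."""
    ip = ipaddress.ip_address(addr.strip())
    if ip.version != 4:
        raise ValueError("this check only applies to IPv4 WAN addresses")
    if ip in CGNAT_NET:
        return "cgnat"
    if any(ip in net for net in RFC1918_NETS):
        return "private"
    if ip.is_loopback or ip.is_link_local or ip.is_unspecified:
        return "unusable"  # e.g. 169.254.x.x: the WAN never got a lease
    return "public"


def diagnose(wan_addr, observed_addr=None):
    """Return (kind, upstream_nat).

    observed_addr is the address an outside host sees for this connection
    (hypothetical input, e.g. read from a "what is my IP" page). If it differs
    from the WAN address, something upstream is translating, whatever range
    the WAN address is in.
    """
    kind = classify_wan(wan_addr)
    upstream_nat = kind in ("cgnat", "private")
    if observed_addr is not None:
        seen = ipaddress.ip_address(observed_addr.strip())
        if seen != ipaddress.ip_address(wan_addr.strip()):
            upstream_nat = True
    return kind, upstream_nat


if __name__ == "__main__":
    # Constructed sample addresses, not taken from the thread.
    for wan, seen in [("100.72.14.9", "198.51.100.20"),
                      ("192.168.100.2", None),
                      ("203.0.113.7", "203.0.113.7")]:
        print(wan, seen, diagnose(wan, seen))
```

When `upstream_nat` is true, port forwards and UPnP mappings on the router cannot be reached from the internet, because the translation that matters happens on equipment the router does not control.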
 

roundpar

New Around Here
If your router is behind a CGNAT connection that will be your problem. You can confirm this by looking at the router's WAN IP address. If the first octet is 100 and the next octet is from 64 to 127 you have CGNAT.
Thank you for the response, yes my WAN IP does match exactly those parameters. What can I do then to fix my strict NAT?
 

ColinTaylor

Part of the Furniture
Thank you for the response, yes my WAN IP does match exactly those parameters. What can I do then to fix my strict NAT?
The only thing you can do is contact your ISP and ask them to give you a public IP address instead of a CGNAT address.
 

roundpar

New Around Here
My ISP has told me that they have either a "Public CGNAT address" or a "Static IP" option that costs extra. The part that confused me is that they say that the public one is the CGNAT one, which doesn't make much sense to me. Is this perhaps the one I need? They also mentioned the CGNAT address is safer, are there really any drawbacks from having a static IP?
 

ColinTaylor

Part of the Furniture
My ISP has told me that they have either a "Public CGNAT address" or a "Static IP" option that costs extra. The part that confused me is that they say that the public one is the CGNAT one, which doesn't make much sense to me. Is this perhaps the one I need? They also mentioned the CGNAT address is safer, are there really any drawbacks from having a static IP?
AFAIK there's no such thing as a "public CGNAT address". It's probably just their way of saying they employ CGNAT on their public addresses. In any case you want the static IP option. It's not that unusual for ISPs to charge extra for this.

Is CGNAT safer? Well yes I suppose you could say that because it prevents unsolicited connections from the internet. Which is precisely the thing you're trying to do by getting rid of strict NAT.
 

charlie2alpha

Senior Member
My ISP has told me that they have either a "Public CGNAT address" or a "Static IP" option that costs extra. The part that confused me is that they say that the public one is the CGNAT one, which doesn't make much sense to me. Is this perhaps the one I need? They also mentioned the CGNAT address is safer, are there really any drawbacks from having a static IP?
CGNAT = Carrier Grade NAT. By definition that means you're behind NAT, one that's controlled by your ISP. In which case there's nothing you can do with your own equipment to change the NAT type, also you're getting a double NAT type of connection, one by your ISP and one by your own router, very suboptimal.

The static IP sold by your ISP will be normally a public IPv4 address, no ISP NAT applied. You'll be in full control, but as a consequence of the global IPv4 address exhaustion you'll have to pay extra to get a real IPv4 these days.
 

qzip

Occasional Visitor
This is one of the most interesting threads I've come across on this site.
I will definitely be watching this thread.
Best of luck to you OP!
 

roundpar

New Around Here
As an update, my ISP is a very small local company here and I'm not even sure they fully understand me either. I bought the static IP from them, turns out it was a static IP within the CGNAT as it was 100.x.x.x, so I had it refunded, the person I spoke with didn't know what IPv6 was and it seems that's the only person I can talk to. They tried "taking me out of the CGNAT" but that did nothing.

Finally a technician within their company relayed the message that my two options were either I let them know what ports I want open every time and they'll open it from their side or I set up a DMZ. I'm not sure what are the pros/cons of a DMZ though.
 

ColinTaylor

Part of the Furniture
... or I set up a DMZ. I'm not sure what are the pros/cons of a DMZ though.
This makes no sense. You can put one of your devices in the router's DMZ (WAN > DMZ) but that doesn't solve the problem. They would need to put your router's WAN IP address in their DMZ for it to be of any benefit. You'd still have a double NAT situation but it would be slightly better than what you have currently. It might not help at all with Xbox games, but that depends on how clever the network code is for a particular game.
 

edel79

New Around Here
The only thing you can do is contact your ISP and ask them to give you a public IP address instead of a CGNAT address.
Hello there, I'm a newbie on this forum, I own an Asus RT-AX58U router under Merlin (latest version).
I'm replying to this post because in France where I live, I had the same problem with my ISP. Suddenly I got transferred on a CGNAT network. And my router was then unable to connect to the internet: it got the private IP address but not the public one (internet status was "not connected").

But, I also got the ISP's box and the box was OK, I got internet through it.

On a static public IPv4 configuration, I just had to specify a string under the DHCP option 60 to replace the ISP's box and to get a public IPv4 address and access to the internet.
Having read many threads about CGNAT, I asked my provider to roll back the change and since then I have a native IPv4 address again, so the router is fully operating right now.

But I have 2 questions:
- since my ISP's box is operating normally under the CGNAT network, I guess something is missing on the Merlin firmware to be able to operate under that type of network. Would somebody here know what is missing?
- I tried to reach my NAS with the IPv6 network my ISP gave to my router, as I also (and still) have the IPv6 connectivity in addition to the IPv4 one: that did work. So, why not try to reach my Asus router with its IPv6 address? No luck, it says "connexion refused". Is it / would it be one day possible to do that?

Thanks in advance for any reply.
 

ColinTaylor

Part of the Furniture
Suddenly I got transferred on a CGNAT network. And my router was then unable to connect to the internet: it got the private IP address but not the public one (internet status was "not connected").
This is not the same as the issue discussed in this thread. CGNAT does not prevent you from connecting to the internet.

- since my ISP's box is operating normally under the CGNAT network, I guess something is missing on the Merlin firmware to be able to operate under that type of network. Would somebody here know what is missing?
You'll have to ask your ISP what changes are required. For example, do you still need DHCP option 60 or should you remove that?

- I tried to reach my NAS with the IPv6 network my ISP gave to my router, as I also (and still) have the IPv6 connectivity in addition to the IPv4 one: that did work. So, why not try to reach my Asus router with its IPv6 address? No luck, it says "connexion refused". Is it / would it be one day possible to do that?
I suggest you create a new thread about IPv6 issues as it is unrelated to this thread.
 

edel79

New Around Here
You'll have to ask your ISP what changes are required. For example, do you still need DHCP option 60 or should you remove that?
Hello, in France we have only 4 major ISPs and I am a client of one of them, so I doubt it would tell me the good settings to make my router work with its CGNAT network. Guess he would just have said: "just use the box we provide."
And anyway, I have been able to get back to a native public IPv4 address so I don't have the problem anymore.
 
