I've been trying to set up off-site backups from my home (site A) to another person's home (site B).
My home internet (i.e. site A) is provided by Shaw. Site B has internet services provided by Telus, which is provided by Altima Telecom... which is provided by Shaw (as near as I can tell).
Both sites have a server running TrueNAS. In the past I had this setup working, although the internet providers were different at the time. It involved forwarding a port by the router at site B to the destination server within site B. I haven't been able to get this to work since the change in providers. The destination simply doesn't respond no matter what port-forwarding settings I use.
I ran a traceroute from site B to google.ca:
Tracing route to www.google.ca [142.251.211.227] over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms  router.home [192.168.1.1]
  2    10 ms     8 ms     8 ms  50.71.160.1
  3     *        *        *     Request timed out.
  4    10 ms     9 ms     9 ms  rc3sc-be2.wp.shawcable.net [24.244.58.169]
  5    35 ms    35 ms    36 ms  104.159.27.13
  6    37 ms    34 ms    34 ms  10.70.50.1
  7    37 ms    37 ms    36 ms  van-b1-link.ip.twelve99.net [62.115.145.124]
  8    38 ms    38 ms    40 ms  sea-b3-link.ip.twelve99.net [62.115.138.40]
  9    47 ms    41 ms    42 ms  sea-b1-link.ip.twelve99.net [62.115.132.157]
 10    40 ms    39 ms    38 ms  74.125.51.236
 11    41 ms    43 ms    42 ms  142.251.70.99
 12    40 ms    40 ms    40 ms  216.239.43.121
 13    43 ms    41 ms    41 ms  sea30s13-in-f3.1e100.net [142.251.211.227]
Trace complete.
From site A to site B, the traceroute shows:
Tracing route to 104.159.x.y over a maximum of 30 hops
  1     3 ms     3 ms     2 ms  192.168.1.1
  2     7 ms     5 ms     6 ms  10.0.0.1 <site A is double-NATted :-(
  3    15 ms    16 ms    17 ms  50.71.160.1
  4    19 ms    14 ms    17 ms  rc3sc-be101-1.wp.shawcable.net [64.59.179.233]
  5    18 ms    17 ms    17 ms  24.244.61.61
  6    20 ms    18 ms    21 ms  24.244.58.173
  7    18 ms    17 ms    22 ms  rc3sc-be2.wp.shawcable.net [24.244.58.169]
  8    34 ms    30 ms    28 ms  rc3so-be110-1.cg.shawcable.net [66.163.76.61]
  9    41 ms    42 ms    45 ms  rc1bb-be6-1.vc.shawcable.net [66.163.78.38]
 10     *       42 ms    41 ms  rd3bb-tge0-3-0-14.vc.shawcable.net [66.163.69.42]
 11    49 ms    49 ms    47 ms  altimatelecom-ic-369545.ip.twelve99-cust.net [62.115.145.125]
 12    50 ms    46 ms    47 ms  <WAN IP of site B (104.159.x.y)>
 13    79 ms    78 ms    98 ms  <WAN IP of site B, again>
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21
Can anyone explain what I'm seeing here? E.g. Why does the site B IP address appear twice? Why all the following request timeouts? I've used the WAN IP address of site B as the destination and set up port forwarding from that router to my remote NAS box, but as I said there is never any response.
Does anyone have any suggestions as to what to try next?
As we all know, the world is running out of IPv4 addresses. Without my knowledge, my provider went ahead and injected our entire area (country fiber service) via RF-Now Inc. out of Virden, MB. Anyhow, they placed the entire area under a router so the entire area only presents as one IP; this caused the EXACT same problem with my offsite camera backups. I had to ask for a "direct connection". Here's the funny thing: from before, through the change, and back to the direct connection, only the last octet changed in my IP address... it sure sounds like one or both of you might need to get your provider to revert you.
Greg
My initial thought was the same as Greg - my family use RFNow and their WAN IP is in the 100.64.0.0/10 CGNAT reserved range https://en.wikipedia.org/wiki/IPv4_shared_address_space rather than an internet routable IP.
Judging by those traceroutes CGNAT doesn't appear to be the issue though. @Kevin I'm hoping we can have a closer look during tomorrow's meetup, it would be faster to review the configs IRL.
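As an added example (not code from anyone in this thread), here is a small Python script that parses Windows tracert output like the two traces above and flags the three things discussed so far: two or more private-address hops before the first public hop (double NAT), any hop in the 100.64.0.0/10 CGNAT range, and the target address showing up as an intermediate hop followed by a run of timeouts. The embedded sample is constructed from the site A to site B trace, with the masked WAN address 104.159.x.y replaced by the documentation address 203.0.113.9 and most of the middle hops left out.

```python
import ipaddress
import re
import sys

# Constructed sample: the site A -> site B tracert from the post, abridged, with the
# masked WAN address replaced by the RFC 5737 documentation address 203.0.113.9.
SAMPLE_TRACE = """\
Tracing route to 203.0.113.9 over a maximum of 30 hops
  1     3 ms     3 ms     2 ms  192.168.1.1
  2     7 ms     5 ms     6 ms  10.0.0.1
  3    15 ms    16 ms    17 ms  50.71.160.1
  7    18 ms    17 ms    22 ms  rc3sc-be2.wp.shawcable.net [24.244.58.169]
 11    49 ms    49 ms    47 ms  altimatelecom-ic-369545.ip.twelve99-cust.net [62.115.145.125]
 12    50 ms    46 ms    47 ms  203.0.113.9
 13    79 ms    78 ms    98 ms  203.0.113.9
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def classify(addr):
    """'private' (RFC 1918), 'cgnat' (100.64/10) or 'public' for one IPv4 address."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "private"
    if ip in CGNAT:
        return "cgnat"
    return "public"


def parse_tracert(text):
    """Return (target, hops); each hop is (number, address) with None for a timeout."""
    target = None
    hops = []
    for line in text.splitlines():
        m = re.match(r"\s*Tracing route to .*?(\d{1,3}(?:\.\d{1,3}){3})", line)
        if m:
            target = m.group(1)
            continue
        m = re.match(r"\s*(\d+)\s+(.*)$", line)
        if not m:
            continue
        ips = IPV4_RE.findall(m.group(2))  # the hop address is the last dotted quad on the line
        hops.append((int(m.group(1)), ips[-1] if ips else None))
    return target, hops


def analyze(text):
    """Return human-readable findings about NAT layers and the tail of the trace."""
    target, hops = parse_tracert(text)
    answered = [(n, a, classify(a)) for n, a in hops if a is not None]
    findings = []

    # Two or more private-address hops before anything public means two routers are
    # each doing NAT in front of this machine (double NAT).
    leading = []
    for _, addr, kind in answered:
        if kind != "private":
            break
        leading.append(addr)
    if len(leading) >= 2:
        findings.append(f"{len(leading)} private-address hops ({', '.join(leading)}) before the "
                        "first public hop: the source sits behind more than one NAT router (double NAT)")

    for n, addr, kind in answered:
        if kind == "cgnat":
            findings.append(f"hop {n} ({addr}) is in 100.64.0.0/10 (RFC 6598 shared space): "
                            "carrier-grade NAT on the path")

    # tracert stops only on an echo reply from the target; the target address showing up
    # as an ordinary hop means it sent TTL-exceeded instead and the probes went on.
    dest_hops = [n for n, addr, _ in answered if addr == target]
    if len(dest_hops) >= 2:
        findings.append(f"target {target} appeared as an intermediate hop at hops {dest_hops}: "
                        "TTL-exceeded replies, not the echo reply tracert stops on, so the device "
                        "holding that address passed the probes on rather than answering them")

    trailing = 0
    for _, addr in reversed(hops):
        if addr is not None:
            break
        trailing += 1
    if trailing and answered:
        findings.append(f"{trailing} unanswered hops after hop {answered[-1][0]}: probes beyond it "
                        "are dropped or their ICMP replies are filtered")
    return findings


if __name__ == "__main__":
    # Pass a saved tracert capture as the first argument, or run on the built-in sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TRACE
    for finding in analyze(text):
        print("-", finding)
```

Run it on a saved tracert capture from each site; on the site A to site B sample it reports the double NAT, the repeated target address, and the unanswered tail, and it stays silent about CGNAT, which matches the reading above that CGNAT is not the problem here.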
On Mon, Jan 1, 2024 at 5:30 PM Greg Manning a31ford@gmail.com wrote:
Greg
_______________________________________________
Roundtable mailing list
Roundtable@muug.ca
https://muug.ca/mailman/listinfo/roundtable
On 2024-01-01 Kevin McGregor wrote:
I ran a traceroute from site B to google.ca:
  1    <1 ms    <1 ms    <1 ms  router.home [192.168.1.1]
  2    10 ms     8 ms     8 ms  50.71.160.1
From site A to site B, the traceroute shows:
  1     3 ms     3 ms     2 ms  192.168.1.1
  2     7 ms     5 ms     6 ms  10.0.0.1 <site A is double-NATted :-(
  3    15 ms    16 ms    17 ms  50.71.160.1
If B-out and A-out share 50.71.160.1 along the way then why isn't 50.71.160.1 just directly routing between A & B? Unless I'm missing something, or your labeling of which box is doing what is wrong? Weird.
 12    50 ms    46 ms    47 ms  <WAN IP of site B (104.159.x.y)>
 13    79 ms    78 ms    98 ms  <WAN IP of site B, again>
 14     *        *        *     Request timed out.
Maybe the tr thinks it can get farther... mtr might give you different results. Sometimes they have to do some guessing and it's all based on TTL tricks and not entirely reliable. It is normal for some hops to not respond, for various reasons. I wouldn't read too much into it.
In fact, you must be wrong on your labeling because you said:
"From site A to site B, the traceroute shows:
  1     3 ms     3 ms     2 ms  192.168.1.1
  2     7 ms     5 ms     6 ms  10.0.0.1 <site A is double-NATted"
Yet you've told us you (Kevin) are site A on Shaw and certainly you are not double-NATted? Isn't the problem that the freaky Telus side is doing wacky double-NAT stuff?
In any event, it will be nigh impossible to do anything without the double-NATted side initiating the connections, especially when you don't control a level of the NAT.
So any solution will require you to initiate connections on the silly (Telus) side into the "good" (Shaw) side. If you need it the other way, you'll have to still do it this way and then utilize the connection in reverse.
But I think you've already indicated previously that you're doing that...? So then the only problem becomes a) what ports are the 2 (3? 4?) ISPs blocking, and making sure your "good" side really is port-forwarding properly. If you have access to another remote box that is not NATted, or single-NATted, and has known port-blocking policies, get the solution working on that first, then worry about making it work with the silly connection. That way you know what hop to blame and can try alternative ideas (ports and technologies).
If I were you I'd get rid of the canned router on your end (I'm making assumptions here) and make your own router/firewall, as part of your main linux box or a little extra box in a closet, and then get your ISP to "direct" connect you so you have an external IP, and 100% complete control of at least 1 side of the equation. The best part of that is then you can do packet logs at the lowest level to see where things are falling apart... if you could do that on your canned router right now you'd probably solve this in 5 minutes. And then there should be nothing you cannot achieve.
Then I'd look at doing an always-on linux strongswan ipsec vpn between the 2 boxes so they can talk to each other like they are on the same LAN, even if you're just going to run ssh between them (and you can use firewall rules to limit what can be done). Because of everyone's remote work from home stuff these days there is no ISP that can block VPNs. YMMV and that's just me. Everyone has their own favorite.
Too bad we can't easily replicate your setups to try some things out... I guess I could try to hook up my laptop to my cell as a hotspot and thus should be able to become double-NATted? However, that might be even more portblock-happy than your home-use cell provider example.
Last thing: if you're trying to do ssh for all of this, can the silly host ssh into somewhere (else) external on port 22? If it can't do that, then 22 is blocked on the silly side and you can't use that without finding an open port they don't block.
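An added example, not from anyone in the thread, for the last point above: a Python probe that separates "refused" (the far end answered with a reset, so nothing on the path is dropping that port) from "filtered" (no answer at all before the timeout, which is what an ISP or firewall block looks like from the inside). The hostname given on the command line is assumed to be an external box you control, along the lines of the non-NATted test box suggested earlier; the self-check uses a loopback listener so the script runs offline.

```python
import errno
import socket
import sys


def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP connect attempt to host:port.

    'open'        a listener completed the handshake
    'refused'     the host sent RST: reachable, nothing listening, port not blocked on the path
    'filtered'    nothing came back before the timeout: a firewall or ISP filter looks like this
    'unreachable' the local network has no route to the host
    'dns-failure' the name did not resolve
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.gaierror:
        return "dns-failure"
    except socket.timeout:  # alias of TimeoutError on Python 3.10+
        return "filtered"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise


def check_outbound(host, ports=(22, 443, 2222), timeout=3.0):
    """Probe several ports on one external host and return {port: state}."""
    return {port: probe_tcp(host, port, timeout) for port in ports}


def usable_ports(results):
    """Split a {port: state} map into ports the far side answered on ('open' or
    'refused', so not dropped on the path) and ports that stayed silent ('filtered')."""
    answered = sorted(p for p, s in results.items() if s in ("open", "refused"))
    silent = sorted(p for p, s in results.items() if s == "filtered")
    return answered, silent


def self_check():
    """Offline demonstration: a live loopback listener reads as 'open', the same
    port after the listener closes reads as 'refused'."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free ephemeral port
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = probe_tcp("127.0.0.1", port, timeout=1.0)
    srv.close()
    after_close = probe_tcp("127.0.0.1", port, timeout=1.0)
    return while_listening, after_close


if __name__ == "__main__":
    print("self-check (loopback):", self_check())
    if len(sys.argv) > 1:
        host = sys.argv[1]  # hypothetical: an external host you control
        results = check_outbound(host)
        for port, state in results.items():
            print(f"{host}:{port} -> {state}")
        answered, silent = usable_ports(results)
        print("answered:", answered, "silent (possible block):", silent)
```

Run it from the NATted (Telus) side against a box you control that has sshd on 22 and something on an alternate port: a "filtered" 22 next to an "open" or "refused" 2222 points at a port block on the silly side rather than at the port forward on the good side, which is the split the advice above asks you to establish before changing anything else.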