bradh352 - Wednesday, December 21, 2022
First thing that comes to mind is why you didn't attempt to use ipv6 addresses to create the ipsec vpn? I know comcast/xfinity supports ipv6, and I'd have to imagine anyone deploying CGNAT for ipv4 is providing a public ipv6 address, thus negating any of the issues described.
Typically these ipsec vpn sessions are in tunnel mode, which means they can transport both ipv4 and ipv6 packets, even if the public ips being used are only ipv4.
Maybe ubiquiti doesn't support this in their UI for some reason? The underlying system should be capable of this though (strongswan afaik).
edzieba - Wednesday, December 21, 2022
"I'd have to imagine anyone deploying CGNAT for ipv4 is providing a public ipv6 address"
Sadly, such a sane and customer-oriented approach remains firmly in your imagination for the vast majority of ISP CGNAT deployments. Most commonly, IPv6 will just not be available at all.
ganeshts - Wednesday, December 21, 2022
Airtel does provide an IPv6 address with their CGNAT configuration. Sadly, there is no IPv6 support on the Comcast front over here in the US, and Ubiquiti doesn't support IPv6 in their VPN configuration either (at least from the web UI perspective).
ViRGE - Wednesday, December 21, 2022
"Sadly, there is no IPv6 support on the Comcast front over here in the US"
Huh? Comcast was one of the very first major US ISPs to implement IPv6. They've been running a full dual stack implementation for nearly a decade now.
https://web.archive.org/web/20160329232139/http://...
cgull.at - Wednesday, December 21, 2022
I was amused to see that the IPv6 post I was contemplating was ninja-ed before birth by the very first post.
I suspect the reason Ganesh isn't seeing IPv6 is his "ancient cable modem". Very likely it's not DOCSIS 3.0 or later and doesn't do IPv6. The DOCSIS 3.0 standard was released in 2006, 3.1 in 2013. Upgrade, already!
cgull.at - Thursday, December 22, 2022
Also: Comcast was one of the major leaders and instigators of "World IPv6 Day". That was back in January 2012. As I recall, somewhere around 50% of their customers were IPv6-enabled then.
Why? They were running out of IPv4 addresses to give to customers, which also explains why Ganesh is seeing CGNAT now.
My ISP had (and probably still has) IPv4 addresses in reserve. They haven't enabled IPv6 for consumer internet service yet.
dersteffeneilers - Saturday, December 24, 2022
With my ISP over in Germany, you can use both IPv4 with CGNAT and IPv6, but you only get an IPv6 address if you already have an IPv4 one. Ridiculous, I can't imagine a technical reason for that.
Leeea - Thursday, December 22, 2022
Nobody in their right mind uses ipv6 unless they absolutely have to.
They really should come up with another standard that is less ideologically pure and way more practical.
ballsystemlord - Thursday, December 22, 2022
Could you expand on that a bit more, Leeea?
It's unclear to me why an IP addressing scheme would be impractical as a result of ideological purity.
jack21159 - Thursday, December 22, 2022
IPv6 was made for ultra-nerds and it's difficult to understand.
I mean, IPv4 still is a learning curve, but at least it's easier to understand. Most people don't know how to segment a network (/23, /24) or do custom routes, but that's fine, you can use it even if you don't understand all the concepts.
IPv6 by contrast, no. A course is needed to understand that.
They could have just added a few bytes to the standard 4-byte scheme (i.e. 255.255.255.255.255.255 for example). But nooo, let's use hexadecimal, something that only computers and ultra nerds understand!
Notmyusualid - Friday, December 23, 2022
Ridiculous comment. IPv6 is the bomb.
Just because you have to learn something new, doesn't detract from its usefulness.
ballsystemlord - Saturday, December 24, 2022
Right! In facing the challenge to post on AT, I learned how to read through my messages to check them for spelling mistakes because there is no edit button. ;)
Skeptical123 - Thursday, December 22, 2022
Sure, let's add another layer of abstraction/complexity to the Internet protocol suite (TCP/IP stack). That's a great idea. IPv4 and IPv6 are not something one expects, nor do most consumers deal with them. They are, however, one of the simpler, if not the simplest, bits of said suite/stack.
lalagon - Wednesday, December 21, 2022
Updating the firmware on a ubiquiti product is like trying a lottery ticket...
at_clucks - Thursday, December 22, 2022
Oh you can say that again... I only update when I can afford to lose the connectivity :D.
Samus - Thursday, December 22, 2022
Especially if you don't have the controller and Java updated and the hardware adopted in the database. It's overcomplicated to the point I wonder why they set out to find a solution looking for a problem that didn't exist.
Seraphimcaduto - Sunday, December 25, 2022
Wow, I thought it was just me being overly dramatic about the update process on my Dream Machine, glad I'm not the only one that thinks this. I love the uptime on my Dream Machine but the update process feels like a jump to light speed without a nav computer.
jhoff80 - Wednesday, December 21, 2022
For what it's worth, 'plain' WireGuard is supposedly available on the Dream Router, Dream Wall, and Dream Machine Pro SE (anything with OS 3.0). My regular Dream Machine Pro is still awaiting that update though, so I can't say for sure how well it works.
Maltz - Wednesday, December 21, 2022
I use UniFi switches and APs, but I wouldn't touch their routers except for only the most basic consumer-level stuff that for some reason required remote management. (I run a USG at my mom's house.) Their camera systems are good, too, but they have a habit of pulling the rug out from existing users in their non-network product lines like phones and NVRs.
Seraphimcaduto - Sunday, December 25, 2022
I have their switches, APs and the Dream Machine and you're right; the APs and switches are awesome but the router has some strange limitations. The uptime has been a lot better than most of the other consumer gear I've had though. If anyone has any better suggestion for a router, I'm all ears.
prophet001 - Wednesday, December 21, 2022
Not really a Ubiquiti fan.
Threska - Wednesday, December 21, 2022
Ubiquiti vacuum.
OddballSix - Wednesday, December 21, 2022
There's no point in even talking about Ubiquiti, you can't buy most of their products. Some of them have been out of stock in the entire channel for months.
Entire parts and lines of products gone. You can't buy them. One breaks? You're screwed. Need to upgrade the firewall? Tough.
HalcyonDays - Wednesday, December 21, 2022
I actually went down a similar path as you did. Years ago, when I moved out, I needed a way to troubleshoot my parents' network remotely when I inevitably got the dreaded phone call "internet is not working".
My requirements for this setup are as follows:
1. Bidirectional encrypted tunnel(s) - preferably peer-to-peer
2. No third-party cloud services
3. Each site accesses the internet through its own ISP
4. Router at each site will handle the VPN connection - no additional hardware
After attempting and investigating multiple methods, I eventually settled on "tinc" based on the suggestion from the OpenWrt forums.
"tinc" is a peer-to-peer VPN supported by Tomato, OpenWrt, and asuswrt-merlin. It doesn't need all sites to have a public IP to work. It just needs one site to have a public IP (I think). To handle dynamic IPs, I use a free DDNS service and assign a domain name to each of the sites.
Since then, I have expanded the VPN network to include the in-laws' and parents' homes in Taiwan. It just required the router at each site to have the public key of at least one other site and it'll be able to see all sites. This means that I can be at any of these sites and still see every site.
Some caveats: I am uncertain of the performance. From what I can tell, "tinc" is pretty lightweight but not as performant as WireGuard. Because I don't stream anything over tinc tunnels, I can't vouch for how well it works for that.
Give it a try.
Samus - Thursday, December 22, 2022
Amazing hardware and stability totally ruined by crap software. The controller is trash. Relying on Java is already a red flag, but the way the controller database functions is bizarre and totally insecure. Inheriting/adopting hardware into a new instance results in a mandatory config wipe. No Fortune 500 or enterprise network would use this, so what really separates it from a $100 consumer product? A consumer product that often has more basic functionality; Ubiquiti has to this day failed to implement MAC cloning, axing it from consideration for anybody who has AT&T or Verizon fiber and needs to emulate their gateway from the ONT/media converter. Such a basic feature, dating back to the Linksys routers of the 90's, missing from a $300 prosumer product is embarrassing and should alone put the company underwater. I mean, why?
Hamm Burger - Thursday, December 22, 2022
My ISP provides CGNAT by default, but one can pay extra (€1.95/month afair) for a non-fixed but routable address. Which I do. Of course, you have to know that you can ask, because they don't advertise this feature.
Samus - Saturday, December 24, 2022
That is cheap. Commercial block IPs are rarely offered in the US to residential subscribers, and even 'business' internet plans find a way to screw you out of $15 minimum for a "usable" static address.
It's worth noting that over the years I've seen most IP addresses - even for residential internet - become statically assigned to subscribers, but they are non-routable.
ballsystemlord - Thursday, December 22, 2022
@Ganesh, why not just contact the ISP and tell them that you were paying for an IP address that is *not* behind CGNAT? I mean, if you're spending the money for the IP you should get it.
Jorgp2 - Thursday, December 22, 2022
Yup, or just pay for a /29 or something.
coburn_c - Thursday, December 22, 2022
IPv6 is dead and rightly so.
Zoolook - Monday, December 26, 2022
Dead? Yeah sure.
It's only up to 40% of users now on a global scale and the increase is a steady 5% (of total users) y/y, so I'm sure it's about to roll over and go away any time now.
Just because your ISP is shielding you so far doesn't mean it's not there.
PeachNCream - Monday, December 26, 2022
Don't buy into the hype, kids. Ubiquiti's best selling point is that it looks pretty when it's sitting on the rear seat of your car as you drive it to the nearest electronics recycling facility.
egc - Tuesday, December 27, 2022
Both DD-WRT and OpenWrt support WireGuard (and of course OpenVPN); it is very easy to set up a site-to-site setup.
Runs on relatively cheap hardware, e.g. a NetGear R7800, with WireGuard speeds of about 300 Mb/s.
Threska - Wednesday, December 28, 2022
Asus-merlin does as well. Having a choice helps with different situations.
https://www.top10vpn.com/guides/wireguard-vs-openv...
zanon - Saturday, December 31, 2022
Ubiquiti has sadly become a development dumpster fire and has been going downhill internally for a while. I really REALLY wouldn't recommend them for a greenfield deployment these days. In particular, their gateway/services have sucked badly for a long time, and I dumped it for OPNsense a few years ago; now I'm starting the move to Omada for switching/WiFi. WireGuard is excellent and reliable, though a lot of people may find Nebula a better match since, while still using Noise, it does true meshing. A fixed IP (a small light VPS will work fine) is only necessary to help clients find each other and coordinate; then the clients talk directly after. Still fully self hosted, no 3rd party service needed.