Good idea! My AI CGNAT that allows inbound traffic support

  • DNS Benchmark v2 is Finished and Available!
    Guest:
    That's right. It took an entire year, but the result far more accurate and feature laden than we originally planned. The world now has a universal, multi-protocol, super-accurate, DNS resolver performance-measuring tool. This major second version is not free. But the deal is, purchase it once for $9.95 and you own it — and it's entire future — without ever being asked to pay anything more. For an overview list of features and more, please see The DNS Benchmark page at GRC. If you decide to make it your own, thanks in advance. It's a piece of work I'm proud to offer for sale. And if you should have any questions, many of the people who have been using and testing it throughout the past year often hang out here.
    /Steve.
  • Be sure to checkout “Tips & Tricks”
    Dear Guest Visitor → Once you register and log-in please checkout the “Tips & Tricks” page for some very handy tips!

    /Steve.

  • BootAble – FreeDOS boot testing freeware

    To obtain direct, low-level access to a system's mass storage drives, SpinRite runs under a GRC-customized version of FreeDOS which has been modified to add compatibility with all file systems. In order to run SpinRite it must first be possible to boot FreeDOS.

    GRC's “BootAble” freeware allows anyone to easily create BIOS-bootable media in order to workout and confirm the details of getting a machine to boot FreeDOS through a BIOS. Once the means of doing that has been determined, the media created by SpinRite can be booted and run in the same way.

    The participants here, who have taken the time to share their knowledge and experience, their successes and some frustrations with booting their computers into FreeDOS, have created a valuable knowledgebase which will benefit everyone who follows.

    You may click on the image to the right to obtain your own copy of BootAble. Then use the knowledge and experience documented here to boot your computer(s) into FreeDOS. And please do not hesitate to ask questions – nowhere else can better answers be found.

    (You may permanently close this reminder with the 'X' in the upper right.)

P

PeterUK

Active member
Oct 30, 2024
26
3
So I was listening to Steve going on about CGNAT and I hate that we may all need to move to it but I want inbound traffic to work which from what I know IP sharing CGNAT don't do but its not like we all need inbound plus do we really need to put 250 people behind one WAN1 CGNAT?

So my way is a one WAN IP that is shared between two with inbound traffic support by AI
AI%20nat102.png
 

Attachments

  • AI nat102.zip
    240.2 KB · Views: 243
I can't view your png file. It's too tiny to view using any of the tools available to me.

If it's NAT for yourself, it's NAT. CGNAT is when your ISP "imposes" it on you. I say imposes because should you wish to run a service, such as http or smtp, on your gateway exposed to the Internet, you can't.

For example, I run an http (nginx), smtp (postfix), and imap (dovecot for my phone) in jails on my gateway because I have an Internet addressable IP address. Would my ISP use CGNAT, I would not have an Internet addressable IP and I'd need to either use their, Google's or someone elses email and web services, or subscribe to a PaaS service.

If you've configured NAT on your own network, i.e. using a commodity router or using a computer as a firewall/gateway (as I have), we simply call that NAT. The difference between NAT and CGNAT is with NAT you perform NAT yourself while with CGNAT your ISP uses NAT to assign a non-routeable IP address to your network.

This is what Steve was talking about when he said there would be multiple levels of NAT. Your ISP would NAT, called CGNAT, assigning you a single IP. Then you would NAT your multiple IPs to the one CGNATed IP assigned to you.

This is certainly not ideal. I've worked at sites that NAT behind NAT behind NAT, and so on. It's terrible trying to drill down to discover the cause of network problems. The complexity is a source of breakage.

BTW, my ISP does offer a WiFi service I can use to connect my phones or laptops to. It is CGNAT, with a 10.0.0.0/8 address. (Though my IP at home is a routeable IP address.) The thing I notice about the WiFi access they offer is that the MTU is smaller than the normal Ethernet MTU. That suggests their CGNAT is encapsulaed and routed through a tunnel. If your ISP's CGNAT is implemented in this way and your network or computer doesn't properly support PMTU discovery, you will fail to access some sites as well.
 
Last edited:
You can click on the png to expand it

The CGNAT gives out the same WAN IP to two people the key is that the MAC if different allow NAT and sessions to be based on it
 
PeterUK said:
You can click on the png to expand it
Click to expand...
The png downloaded correctly. xv(1) fails to recognize the format. eog(1) does recognize the format but it's tiny. Zooming in results in a larger but fuzzy image; still can't read it.

PeterUK said:
The CGNAT gives out the same WAN IP to two people the key is that the MAC if different allow NAT and sessions to be based on it
Click to expand...
??? If you're saying what I think you're saying, this doesn't make any sense that two people (you mean computers) have the same IP. Maybe we're talking cross purposes. Can you explain, please?
 
cschuber said:
The png downloaded correctly. xv(1) fails to recognize the format. eog(1) does recognize the format but it's tiny. Zooming in results in a larger but fuzzy image; still can't read it.
Click to expand...
Not sure what your problem is displays fine and zooms in

So yes two people from a ISP get the same shared WAN IP (no 10.) by PC or router there MAC's being different allows this to work for the ISP to know where to sent the traffic and building connection sessions based on MAC, IP and port or no port like protocol 50 and allows inbound to work.
 
PeterUK said:
Not sure what your problem is displays fine and zooms in
Click to expand...
Xv is old and EOG will zoom but the resolution is horrible. Using a UNIX-like O/S.

PeterUK said:
So yes two people from a ISP get the same shared WAN IP (no 10.) by PC or router there MAC's being different allows this to work for the ISP to know where to sent the traffic and building connection sessions based on MAC, IP and port or no port like protocol 50 and allows inbound to work.
Click to expand...
Then you must be doing port mirroring for HA.
 
I still don't see why you say the resolution is horrible in Edge you click the image then click it again for 100% view.

The idea I have needs a router to be designed from the ground up for the ISP side.

It is a type of mirroring.

Outgoing for UDP
SRC MAC 1 WAN1 IP port 55555 > DST gateway MAC > 1.1.1.1 port 53
DST MAC 1 WAN1 port 55555 < SRC gateway MAC > 1.1.1.1 port 53

SRC MAC 2 WAN1 IP port 44444 > DST gateway MAC > 1.1.1.1 port 53
DST MAC 2 WAN1 port 55555 < SRC gateway MAC > 1.1.1.1 port 53

and if MAC 2 uses SRC port 55555 the bridge will off set the SRC ports but if the DST IP like 8.8.8.8 with the same SRC port 55555 then thats fine

Inbound for UDP

When the gateway receives a packet not mapped by outbound session this is where AI needs to work out who of the two MACs with the same WAN IP it needs to send the packet too. Now unless someone runs a inbound DNS server then both sides will see what was looked up which I don't see as a problem. A side from that the only way for the router to know is to send the packet to both MAC's on the WAN IP if no reply from both OK no problem and the ISP can put say 10 second block to stop flooding. But when one MAC of the IP replies like

SCR gateway MAC 5.1.1.2 port 500 > DST MAC1 WAN1 IP port 500
SCR gateway MAC 5.1.1.2 port 500 > DST MAC2 WAN1 IP port 500

DST gateway MAC 5.1.1.2 port 500 < SRC MAC1 WAN1 IP port 500

Then router locks that UDP session to MAC1 and MAC2 never receives any more packets for that session. But what If both reply you say.

SRC gateway MAC 5.1.1.2 port 500 > DST MAC1 WAN1 IP port 500
SRC gateway MAC 5.1.1.2 port 500 > DST MAC2 WAN1 IP port 500

DST gateway MAC 5.1.1.2 port 500 < SRC MAC1 WAN1 IP port 500
DST gateway MAC 5.1.1.2 port 500 < SRC MAC2 WAN1 IP port 500

Then the router AI checks its database as to who had the port open by other sessions it sees the longest the MAC with the shortest has a DHCP IP change to another WAN IP due to the lease being 2 minutes which will not mean your IP will change all the time you may have your IP for days on a 2 minute lease only when the ISP router sees a conflict in the same port for inbound will it change.
 
Last edited:
You must log in or register to reply here.

Similar threads

B
Browsers Using AI (incremental power usage?)
Replies
3
Views
433
Security Now Podcast
davidgrouse133
D
D
SN1026 AI "escapes" when told...
Replies
0
Views
679
Security Now Podcast
dusanmal
D
D
SN1011, jailbreaking AI and the real danger of AI
Replies
0
Views
746
Security Now Podcast
dusanmal
D
D
SN1023 We know how AI works
Replies
1
Views
793
Security Now Podcast
PHolder
P
B
SN 1011 Jailbreaking AI
Replies
0
Views
708
Security Now Podcast
Badrod
B
Top Bottom
Back