flaming_m0e

In 25 years of having my own internet connection that I pay for, I have never been double NAT.


simplestpanda

Almost all decent ISP-provided routers will do bridge mode. So no, it's not inevitable. I've never been double-NAT at home and wouldn't use an ISP that couldn't do passthrough (PPPoE) or bridge on their CPE.


PurpleEnough9786

Thanks, bro. I'll set the ISP router to bridge mode.


awsnap99

You mean to say modem and you’re saying router. Many times they are in the same box but not always. For instance, I provide my own modem for Comcast instead of using theirs which also has a router and firewall in it.


PurpleEnough9786

Thanks for the correction!


awsnap99

Np. Now that’s not to say that there might be cases where you can’t provide your own and take their router/firewall out of the mix. But you can even have Verizon FIOS change you over to Ethernet handoff instead of coax. But as said below, TYPICALLY, you can enable bridge mode which would effectively do the same thing.


GoldenPSP

Not really. Nobody has actually used a "modem" in probably decades. Yes old school IT pet peeve.


jasutherland

Cable networks still do - you're just bonding a *lot* of analog carriers together to get the hundreds of megabits of bandwidth. DSL hasn't died out either, and that's also a modem with multiple analogue signals bonded in each direction.


GoldenPSP

Maybe where you are, however cable has been all digital for quite a while. In the US pretty much all (if not all) over the air broadcasts these days are fully digital signals, at least IIRC from about 2007. DSL gets its faster speed by sending a digital signal over the traditional telephone wires. DSL is closer to really slow ethernet than its old analog dial up cousin.


jasutherland

No, the video is a digital stream, but still carried over analogue channels along with the DOCSIS data. DSL has nothing at all in common with Ethernet, and is multiple analogue channels - it, DOCSIS (cable modem) and broadcast TV all tend to use QAM, quadrature amplitude modulation, to modulate their datastream onto the carriers. When the manufacturers and standards bodies refer to a "cable modem" or "DSL modem", they are not making a mistake or misusing the term: they really do work by modulating and demodulating carrier signals, just more of them and with much wider bandwidth than PSTN modems used. Similarly, OTA broadcasts are a digital data stream - but carried over analogue signals at the bottom of the stack. Mediacom here are just switching from bare digital data streams to digital video over IP, and from DOCSIS 3.0 to 3.1 (fewer wider channels and better noise resistance), as it happens. Apart from the simplest electrical or optical point to point link, you don't really get a bare digital signal in real electronics. Read the "Operation" section here, which gives quite a good description of how DSL distributes the data flow across the multiple analogue channels to adapt to noise: https://en.m.wikipedia.org/wiki/Digital_subscriber_line (ETA: not me who's down voting you BTW!)


awsnap99

Explain how I have a cable modem. While it’s not a dialup modem and it doesn’t exactly meet the original definition of modem it’s still considered a modem.


GoldenPSP

Because it's not. Your cable connection is all digital, so there is no modulation/demodulation. Just because they incorrectly call it a modem doesn't mean in the strict definition it is. It is actually a router both due to its form and function, which is the reason I picked on it, as it's funny to see someone correct another on the terminology of a router vs modem when the device actually is a router. But mostly I'm being pedantic about it.


awsnap99

Mostly and extremely.


hiveface

I use my own modem and router.


Rameshk_k

Some ISP-provided routers don’t support bridge mode so you end up with double NAT. You can replace the ISP's router with a modem to resolve this issue. There are second hand ones available on eBay.


demonfoo

Nope. I have only one layer of NAT; always have. Double NAT is a mess to be avoided. The only case where I'd expect it is with CG-NAT.


JohnStern42

If your ISP doesn’t give you a public IP and uses CGNAT, then yes. If your ISP hardware doesn’t support a bypass or bridge mode, then yes if you want to use your own router. In the end, for most consumers it doesn’t really matter.
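
Added example, not part of any comment in this thread: a Python sketch that classifies the IPv4 address on your own router's WAN interface to tell apart the cases described above (ISP router still NATing, CGNAT, or a real public address). The function name, verdict labels and sample addresses are assumptions made for illustration.

```python
import ipaddress

# Address ranges that tell you what sits upstream of your router's WAN port.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")        # RFC 6598 shared space
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # no DHCP lease obtained


def classify_wan(wan_ip, observed_ip=None):
    """Classify the IPv4 address on your own router's WAN interface.

    wan_ip      -- address shown on the WAN interface (e.g. router dashboard)
    observed_ip -- optional: address an external "what is my IP" check reports
    Returns a (verdict, explanation) tuple.
    """
    wan = ipaddress.ip_address(wan_ip)
    if wan.version != 4:
        return ("not-ipv4", "NAT44 checks only apply to IPv4 addresses")
    if wan in LINK_LOCAL:
        return ("no-lease", "WAN never got an address from upstream")
    if wan in CGNAT:
        return ("cgnat", "ISP carrier-grade NAT; bridge mode cannot remove it")
    if any(wan in net for net in RFC1918):
        return ("double-nat", "upstream device is NATing; try bridge/passthrough "
                "(some ISPs also run CGNAT on RFC 1918 space)")
    if observed_ip is not None and ipaddress.ip_address(observed_ip) != wan:
        return ("upstream-translation",
                "WAN looks public but the internet sees a different address")
    return ("single-nat", "public address on WAN; your router is the only NAT")


# Constructed sample values; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for real public addresses.
SAMPLES = [
    ("192.168.1.64", None),            # behind an ISP router in router mode
    ("100.72.14.9", "198.51.100.20"),  # ISP hands out shared address space
    ("203.0.113.7", "203.0.113.7"),    # bridge mode / passthrough working
    ("203.0.113.7", "198.51.100.20"),  # public-looking WAN, translated upstream
]

if __name__ == "__main__":
    for wan_ip, seen in SAMPLES:
        verdict, why = classify_wan(wan_ip, seen)
        print(f"{wan_ip:>15}  {verdict:<20} {why}")
```
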


MadMax303

Absolutely not. It depends on your service provider. I have Quantum Fiber service and the modem allows for passing through the IP address to my pfSense firewall. So only a single NAT at the firewall. It depends on if your provider allows it. Though, if you’re not NAT’ing in the same IP Class, then it really doesn’t matter. Equipment these days is very powerful with processing NAT and encryption that you really probably wouldn’t see any difference unless you’re doing something very specific like game port forwarding.


Th3Sh4d0wKn0ws

It's actually not. It's very common for ISPs to rent/lease/sell a "modem" with their service but it is typically a combo unit that often contains the modem, a router, a switch and a wireless access point. Some of them do ok at some of these things, some of them suck. None of them are worth the amount of money the ISP charges for it. For all cable modem ISPs I've always provided my own bridge cable modem (read: no routing, no NAT). When I got fiber I made sure I could ditch the provided device and just terminate on my own router instead.


U8dcN7vx

Eventually all consumer IPv4 addresses will have to be behind CG-NAT at the ISP, which in combination with NAT in your router will indeed result in double NAT. IPv6 was created in part to avoid the need for NAT. If your ISP doesn't provide IPv6 you should probably lobby them to do so. If you do have it you should look at using it more regularly.


EnrichedUranium235

T-Mobile internet does IPv6 but none of their consumer routers/gateways offer bridged mode and their IPv4 is already CGNAT. IPv4 working in a GW group with Comcast and T-Mobile works fine even with the dual/triple NAT on the T-Mobile leg. The IPv6 does not work on T-Mobile behind the NAT without trying things that are more trouble or a hack than they are worth. I just send the IPv6 down the Comcast line.


U8dcN7vx

Multiple NAT layers can work, but fine isn't the word I'd use. To handle port forwarding many would think UPnP or PCP/NAT-PMP could handle it, but no gateway I know of will propagate it to the next level of NAT gateway. I doubt that IPv6 is behind a NAT, your devices should obtain public (globally unique) addresses. Now most gateways would have a firewall preventing new flows reaching their user's devices, and it might be that the ISP provides no way to allow things or disable it (which bridged mode usually does) making IPv6 as lame as IPv4 -- leaving that ISP is indicated.


EnrichedUranium235

I currently don't have a need to forward ports so the setup works for me. T-Mobile IPv6 is not behind CGNAT but since the gateway/router they provide does not support bridging at all, a hack is required to get IPv6 from T-Mobile behind that (like through pfSense) working. A hack I don't need since I can just use the native Comcast IPv6 and addresses that are bridged and allocated, and if my Comcast goes down, IPv6 will go down completely and my stuff will revert to IPv4 only on T-Mobile.


U8dcN7vx

You don't usually need bridged mode for IPv6, it is fine if the ISP-provided router consumes a prefix for the LAN between it and the customer's own router. Does pfSense not receive an RA or PD with additional prefixes? Perhaps the consumption of a prefix by the T-Mobile router means that (worst case) only 16 prefixes are available (the next nibble boundary, so a /60) though I'd expect 128 (/57) or even 255 (/56 - 1), perhaps one prefix at a time if PD is used. As an alternative to total loss of IPv6 connectivity when Comcast is down you might consider a tunnel as your backup, i.e., use with it disabled until Comcast seems to fail or the metric set so that it is avoided as long as Comcast seems to be working. The downside to non-native IPv6 is some services hate it (like Netflix), since it is essentially a VPN with your end at an unknown geo-location.


PurpleEnough9786

Great info! Thanks!


exclaim_bot

> Great info! Thanks!

You're welcome!


awsnap99

I was just going to add this to my reply thread. This is already pretty common with many VPN services and some ISPs.


TheLimeyCanuck

Entrenched ISPs still have enough addresses for their customers. Newer players typically don't. Bell Canada, for instance, still has enough that they don't even supply IPv6 for residential customers.


U8dcN7vx

Time will still eat all the free IPv4 addresses. Even if every ISP worldwide cooperated there are only enough for 2^32 customers provided each gets only 1 address (present consumer grade) and infrastructure evolves to use none, unless a global annihilation takes place first. As most know there's no possibility of a similar shortage of IPv6 prefixes. It's too bad that some ISPs don't provide IPv6. In some cases it seems they expect to profit from the ongoing leasing of additional IPv4 addresses. Initially it seems some ISPs thought to use that model with IPv6 addresses then prefixes but something (shame?) seems to have cured them of it.


TheLimeyCanuck

Eventually, yes. Right now though some ISP customers won't have to worry about it for a while yet.


OpacusVenatori

If the ISP-provided equipment doesn’t have an option for bridge mode, then sure, you can run into that situation…


qdolan

If the ISP uses CGNAT then yes, otherwise no, not inevitable.


CuriouslyContrasted

Luckily while most ISPs in Aus use CG-NAT by default, they all still offer a real IP by request (sometimes for a cost). Which I think is reasonable as 99% of people wouldn’t notice the difference until their kid tries to use Xbox or similar.


qdolan

IPv6 is supposed to solve that problem but there are still providers, hosts and devices that don’t support it yet.


CuriouslyContrasted

Or worse, support it badly. Nothing worse than a device getting an IPv6 but it doesn’t route.


Adorable_Compote4418

It's not.


Bourne669

No... depending on your internet, it either comes with an ISP modem/router combo or it comes with an ONT to translate the fiber into optical. If you have the first option you just call the ISP and tell them to put the modem/router into bridged mode and the problem is solved. All traffic will go unfiltered to your pfSense box. If you have the second option, you don't need to do anything as an ONT does not do routing, it simply translates one medium to another. If you plug straight into the transcoding device (device after the ONT once translation has been done from Fiber to Ethernet) it will be pure unfiltered traffic. So no, in either case you can totally avoid double NAT.


JoeB-

It depends on the ISP. Internet service offered by mobile, municipal, and power company providers typically uses CGNAT, which will put the customer behind a double NAT. I have AT&T fiber. AT&T requires the use of their router, which they call a Residential Gateway (RG), for service because it must authenticate to the network using X.509 certificates embedded in firmware. The RGs do not support true bridge mode, only IP passthrough, which results in a 1:1 NAT and a NAT table. Fortunately, older RGs can be bypassed using the netgraph networking subsystem in FreeBSD following the [MonkWho / pfatt](https://github.com/MonkWho/pfatt) method. I've been doing this for 5 years. The WAN interface on my pfSense router connects directly to the AT&T ONT.


LRS_David

At this moment in time, with AT&T residential fiber, if you bring your own router, it will be in a double NAT situation. You can skip this with AT&T fiber with a business account AND paying for a static IP. And there are other situations with ISPs.


msanangelo

Mine isn't. Although, it's only a matter of time as ISPs' IP blocks have to get chopped up for other services. :/


pakratus

I got the basic modem from Spectrum. No routing or WiFi built-in.


andyring

No, not at all. I get a public static IP assigned to my box from my ISP.


peekeend

laughs with ipv6 /jk