Working around CGNAT - is it possible?

Mike-VA3MW
Mike-VA3MW Administrator, FlexRadio Employee, Community Manager, Super Elmer, Moderator admin
edited January 2022 in Networking

If you are looking at this, you may be in a situation where the internet connection provided by your ISP is something called Carrier-Grade NAT (CGNAT). Starlink is a CGNAT ISP.

From Wikipedia:

Carrier-grade NAT (CGN or CGNAT), also known as large-scale NAT (LSN), is a type of Network address translation (NAT) for use in IPv4 network design. With CGNAT, end sites, in particular residential networks, are configured with private network addresses that are translated to public IPv4 addresses by middlebox network address translator devices embedded in the network operator's network, permitting the sharing of small pools of public addresses among many end sites. This shifts the NAT function and configuration thereof from the customer premises to the Internet service provider network (though "conventional" NAT on the customer premises will often be used additionally).

Carrier-grade NAT is often used for mitigating IPv4 address exhaustion.[1]

CGNAT techniques were first used in 2000 to accommodate the immediate need for large numbers of IPv4 addresses in General Packet Radio Service (GPRS) deployments of mobile networks. Estimated CGNAT deployments increased from 1200 in 2014 to 3400 in 2016, with 28.85% of the studied deployments appearing to be in mobile operator networks.[3]

In the FlexRadio world CGNAT breaks SmartLink since the user (client) can call the radio (server) directly which gives you a simple connection that is reliable and also has low latency.

In order to get around this, you need both the radio (server) and user (client) to do their initial connections outbound and calling (like phoning) to a common server (Cloud). As I am going to show you, this does work, but there are huge trade-offs.

SoftEther VPN has a feature called VPN Azure. In order to get this to work, you will need to install a VPN Server on the same network (subnet) as your radio. This can be simply done on a Raspberry Pi and a model 3 is more than fast enough. You can also run it on a local PC.

The picture below sort of shows the setup. You have the radio (server) on the left side and the user (client) on the right side.

Directions on solutions can be found on the SoftEther web site: https://www.softether.org/4-docs/2-howto/6.VPN_Server_Behind_NAT_or_Firewall/2.VPN_Azure.

The really high level basic steps are:

  1. Install and configure a SoftEther VPN Server on the Radio network https://www.softether.org/4-docs/2-howto/1.VPN_for_On-premise/2.Remote_Access_VPN_to_LAN
  2. Configure it for using the VPN Azure Cloud (you can have normal VPN stuff too) https://www.softether.org/4-docs/2-howto/2.VPN_for_Cloud/3.Cloud_to_LAN_Bridge_VPN
  3. Install SoftEther VPN Client on your Laptop https://www.softether.org/4-docs/2-howto/1.VPN_for_On-premise/2.Remote_Access_VPN_to_LAN#Step_4._Set_up_VPN_Client_on_Each_Member's_PC

With all that completed, you can give it a try.

  1. Make sure the VPN server is running
  2. Start the VPN client on your PC from a 'remote' location, even paired to a cell phone to test and make sure it connects.
  3. Start SmartSDR and you should be able to see your radio. Go ahead and try to connect.

I had to mask out some of my target IP addresses but you see that SmartSDR can actually see both of my remote radios. This shows me that the Layer 2 UDP broadcast packets made it over the VPN and that my remote PC is now on the same SubNet.


Downside

  • It can be complicated to set up if you do not have any networking knowledge. It doesn't take much to learn, so you can do it by asking questions of those that know it already. Give it a try, you can't really break anything if it doesn't work.
  • Latency - when I tested it, the audio on SSB was running over 3-400ms behind reality
  • SmartSDR may crash at times if the latency goes LONG. When we use SmartLink it has different software to handle longer response times. Over a VPN like this, SmartSDR does not think it is on a long haul network

If you got this far, good for you. If you are motivated enough, you may wish to give this a try.

Is this the only way? No, but I think it is one of the easier ways with limited customization. Network savvy hams will have many ways to achieve this sort of solution.

If Networks are new to you, you can now see why FlexRadio created SmartLink and why it is so simple to use today. We do all the heavy lifting for you with SmartLink.

If you have an issue working on this, feel free to ask here in the community. Please do not open a support ticket as we won't be able to do this for you, sorry.

73, Mike va3mw
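
A way to confirm that a connection really is behind CGNAT before building the VPN, as an added example that is not part of the original post: compare the WAN address shown on your router's status page with the address an external "what is my IP" service reports. The function name and the sample addresses are constructed for illustration; 100.64.0.0/10 is the shared address space RFC 6598 reserves for carrier-grade NAT.

```python
import ipaddress

# RFC 6598 shared address space, reserved for carrier-grade NAT.
CGNAT_SHARED = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(router_wan: str, seen_from_internet: str) -> dict:
    """Compare the router's WAN address with the address the Internet sees."""
    wan = ipaddress.ip_address(router_wan)
    seen = ipaddress.ip_address(seen_from_internet)
    if wan.version != 4 or seen.version != 4:
        raise ValueError("CGNAT is an IPv4 mechanism; pass IPv4 addresses")

    if wan in CGNAT_SHARED:
        kind = "cgnat"                 # ISP translates you behind a shared pool
    elif any(wan in net for net in RFC1918):
        kind = "private-upstream-nat"  # another NAT sits in front of this router
    elif wan != seen:
        kind = "translated-upstream"   # routable-looking WAN, still rewritten
    else:
        kind = "public"                # WAN address is what the Internet sees
    # Only in the "public" case is a port forward on this router alone enough
    # for an inbound connection to reach a device on the LAN.
    return {"kind": kind, "port_forward_works": kind == "public"}


if __name__ == "__main__":
    # Constructed sample values (documentation and reserved ranges only).
    samples = [
        ("100.72.14.9", "203.0.113.25"),
        ("192.168.100.2", "203.0.113.25"),
        ("198.51.100.7", "203.0.113.25"),
        ("203.0.113.25", "203.0.113.25"),
    ]
    for wan, seen in samples:
        print(wan, seen, classify_wan(wan, seen))
```

Anything other than `public` means an inbound connection cannot be opened by forwarding a port on your own router, which is the situation the outbound-to-cloud VPN above works around.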

Comments

  • Dave W5UN
    Dave W5UN Member, Unconfirmed ✭✭
    Has anyone had any luck installing a vpn on the iOS system (iPad) that will punch through a cgnat carrier and work for Flex remote?
  • Mike-VA3MW
    Mike-VA3MW Administrator, FlexRadio Employee, Community Manager, Super Elmer, Moderator admin

    Yes,

    You can do it with SoftEther and their Azure feature. Just as I described above.

    You won't like the latency though. For real-time communications, it is pretty slow.

  • HB9HJQ
    HB9HJQ Member ✭✭

    Yes, I'm using ZeroTier with my shack connected to the internet using 4G/5G and CGNAT. Latency is ok for me.

  • Doug Wilson
    Doug Wilson Member ✭✭

    I have a pc laptop working with the Softether server and client with Starlink. Latency is a problem. Starlink drops every so often and crashes SmartSDR, but it works.

    I'm still having a problem connecting with SmartSDR on an iPhone or iPad. When not on the same LAN as the radio I select connect and see a SmartLink connection with the IP of the SoftEther client. When I look at the information everything looks good except the port shows "-1". When I try to connect that radio I get the message "No response from SmartLink Server" after about a minute (or nothing happens and I'm back to the tap here to connect screen).

    Any ideas?

  • Mike-VA3MW
    Mike-VA3MW Administrator, FlexRadio Employee, Community Manager, Super Elmer, Moderator admin

    Doug, I opened a support ticket for this, but I might have done it in error.

    If you are running over a VPN, then our support team won't be able to help you as it is out of scope for the support team. If it is a basic SmartLink connection, then they can help you out.

    The -1 usually means the SmartLink setup was not completed and you might want to walk through Section 9 on the manual and redo all the steps.

  • Doug Wilson
    Doug Wilson Member ✭✭

    Ok. Thanks Mike. Yes I'm trying to access Smartlink through a Softether client behind Starlink (cgnat).

    So you can cancel the ticket.

    I'll check out the setup again.

    Thanks,

    Doug

  • Doug Wilson
    Doug Wilson Member ✭✭

    Mike,

    You have experience with Softether. How do I set up Smartlink to work with Softether on IOS. I just can't figure it out.

    Got it working on a pc but not ios.

    I know it's not supported but a guide on ZeroTier or Softether would sure be helpful for cgnat fun many of us are stuck with. By the way your guide on this thread was very helpful in getting it to work on a pc but the ios vpn world is different apparently.

    Thanks again

  • Mike-VA3MW
    Mike-VA3MW Administrator, FlexRadio Employee, Community Manager, Super Elmer, Moderator admin

    Here is the confusion.

    If you are using SoftEther, you have to make sure you do NOT use SmartLink. If you use SmartLink, the SmartLink paths will be all confused and based on what you are saying, this is likely what is happening. What is happening is that your data packets are going via the VPN to home, back out to the outside world and then trying to get back in through the same router and eventually the radio.

    When you are using a VPN such as SoftEther, SmartLink is not required. If you can’t connect to the radio while running SoftEther then you need to review your SoftEther setup.

    A VPN such as SoftEther allows you to operate just like you are on your home network.

  • Doug Wilson
    Doug Wilson Member ✭✭

    Thanks Mike,

    Got it. No SmartLink with SoftEther. My SoftEther setup works on a pc but I can't get it to work with IOS apps.

    I've got the L2TP settings correct per instructions but I can't connect to the SoftEther VPN on iOS.

    I've tried the DDNS name and the IP address for the server name on the VPN.

    I'm assuming the account is one of the users I have set up with the password and the secret.

    RSA SecurID and Send all Traffic are off.

    However when off the lan I can see the radio on SmartLink but it wouldn't connect. Now I know why.

    I should be in business if I could connect to the SoftEther VPN. Any thoughts on why it won't connect?

    Thanks,

    Doug

  • Mike-VA3MW
    Mike-VA3MW Administrator, FlexRadio Employee, Community Manager, Super Elmer, Moderator admin

    Once you get the VPN working, you want to see if you can Ping the radio from the remote client. Get that working first.

  • Doug Wilson
    Doug Wilson Member ✭✭

    Ok I can see the server and 4993 and 4994 are open ports. Verified with open port check tool.

  • Mike-VA3MW
    Mike-VA3MW Administrator, FlexRadio Employee, Community Manager, Super Elmer, Moderator admin

    Those ports that are opened are the SmartLink ports. What device are they open on? The radio or the router?

    For a VPN-only connection, you need to see port 4992 on the IP address of the radio.

  • Doug Wilson
    Doug Wilson Member ✭✭

    I'm checking the VPN server with the check tool. I've added 4992 but it's showing closed. I'll keep working on it. I also tried PureVPN with a dedicated IP address and port forwarding.

  • Mike-VA3MW
    Mike-VA3MW Administrator, FlexRadio Employee, Community Manager, Super Elmer, Moderator admin

    In order to use SmartSDR for Windows on a VPN, the Subnet of the client end must be on the same subnet as the radio. Look at the IP address of the radio and see what it is.

    Assuming it is 192.168.1.101 as an example, the client may have a few IP addresses, but one of them has to start with 192.168.1.****.

    I hope that helps a bit.
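
The two checks from the replies above (an address on the radio's subnet, then port 4992 on the radio's own IP), as an added example that is not part of the thread. It is meant to run on the remote client while the VPN is connected, since an external open-port checker only tests the router's public side and never travels through the tunnel. Assumptions: the radio accepts TCP connections on 4992, the LAN is a /24, and the function names and sample addresses are constructed for illustration.

```python
import ipaddress
import socket


def on_radio_subnet(client_addrs, radio_ip, prefix_len=24):
    """Return the client addresses that fall inside the radio's subnet."""
    net = ipaddress.ip_network(f"{radio_ip}/{prefix_len}", strict=False)
    # IPv6 addresses never match an IPv4 network, so they drop out here.
    return [a for a in client_addrs if ipaddress.ip_address(a) in net]


def tcp_port_open(host, port=4992, timeout=3.0):
    """Try a TCP connection to host:port from this machine."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, or no route
        return False


def diagnose(client_addrs, radio_ip, prefix_len=24, port=4992):
    """Run the checks in order and report the first one that fails."""
    if not on_radio_subnet(client_addrs, radio_ip, prefix_len):
        # The VPN is routing rather than bridging, or it is not connected:
        # discovery broadcasts from the radio will not reach this client.
        return "no-address-on-radio-subnet"
    if not tcp_port_open(radio_ip, port):
        # Tunnel is up and bridged, but the radio itself is not answering.
        return "radio-port-unreachable"
    return "ok"


if __name__ == "__main__":
    # Constructed sample: addresses copied by hand from ipconfig / ifconfig.
    client = ["10.211.55.3", "192.168.1.57", "fe80::1c2d:3e4f:5a6b:7c8d"]
    radio = "192.168.1.101"
    print("addresses on radio subnet:", on_radio_subnet(client, radio))
    print("result:", diagnose(client, radio))
```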

  • Doug Wilson
    Doug Wilson Member ✭✭

    Thank you Mike.

    That's another piece of the puzzle for sure. I understand what you're saying but now I've got to figure out how to change the subnet on the vpn client connection.

    I don't see anything obvious on SoftEther or PureVPN. I'll keep searching.

    As stated previously when I followed your SoftEther procedure I was able to successfully run the radio remotely. However I could never connect SoftEther VPN on iOS. I thought PureVPN had a chance because there is a dedicated IP address and port forwarding. I could open 4993 and 4994 but although I have 4992 turned on it doesn't show up as an open port when tested.

    Who knows what my Starlink router is blocking. I'll keep working on this but I'm at a very basic networking knowledge level. I wish I had other internet options but wishing isn't going to get it done. If I can figure out something that works I'll post it.

    I would like IOS to work but the Softether procedure does work on the PC.

    Thanks for your help,

    Doug

  • Roland HB9VQQ
    Roland HB9VQQ Member ✭✭

    Install ZeroTier in bridge mode on an RPi and you'll be fine. Your entire LAN available from anywhere.

  • Roland HB9VQQ
    Roland HB9VQQ Member ✭✭

    That's me aboard a Boeing 777 using an iPad and ZeroTier SD-WAN to access my Flex at home


  • John KB4DU
    John KB4DU Member ✭✭✭✭

    That is way cool!!
