Anyone know networking enough to help me here? I have a router/modem from my ISP...

Anyone know networking enough to help me here? I have a router/modem from my ISP, which I finally got them to set to bridge mode since they won't let me configure it. I have my router connected to it, and it works fine. However I'm still behind double NAT, and I can't get the bridged router to pass the public IP to my router. I thought bridge mode would disable NAT but it's still giving out a private address to my router via dhcp. Do any of you know in which way I'm being an idiot? Or did they not set the bridge mode up quite right?


>2 routers
shit nigger what are you doing

the isp won't give customers access to their provided router, so i can't configure my own damn gateway. So I bridged it to pass everything through to my own router, trying to avoid double NAT, but it's still happening.

They definitely did not set the router in bridge mode if it's still assigning IPs from DHCP. Your only chance is to keep complaining to them till they escalate your ticket to someone that can actually do this. Unfortunately I know a lot of ISPs are so used to not getting this request that they don't actually have any process in place for 1st level support.
Good luck!

>the isp won't give customers access to their provided router, so i can't configure my own damn gateway. So I bridged it to pass everything through to my own router, trying to avoid double NAT, but it's still happening.
They didn't bridge it. Or bridge mode is broken on that device.

The fuckers do this on purpose, they essentially want to be in full control over the customer's LAN, making it basically another subnet they're in charge of. When someone tries to stand his ground and use his own router, they may still be obstinate and try to make things difficult.

>the isp won't give customers access to their provided router,
Go on Amazon and buy your own. Cable modems aren't expensive.

>implying they will let him use his own modem

You realize he has to have permission from the ISP to that, right?

ISPs generally don't care if you bring your own. Call them up, give them the MAC, and they'll provision it.

Sure they do. You know those 'CableWiFi' things around? Where do you think they come from? Maybe if they're nice or OP begs, but they can straight up not do it and OP should check that out before buying his own equipment.

Small mom-and-pop ISPs maybe yes. Large corporate ISPs, not really.

After I got through to more technical support people, they were pretty cool about bridging it. I just can't tell if the bridge mode on that router isn't fully transparent and I'm SOL or if they need to change some more settings. So damn frustrating though. The weird part is, the private IP that it gives my router begins 100.73.x.x, which you'd think is publicly routable, but it's definitely just a subnet on the bridge. On the routing table for my router, it shows my router's local ip as 'br0' while their router is vlan2, part of the bridge worked it appears

>they won't let me configure it.
your parents?

the isp, as I had said.

>100.73.x.x, which you'd think is publicly routable
Uh, it's supposed to be. Can you give more information on the gateway?

Also if they're cool about it you might want to call them up and make sure you talk to someone who knows something so you can ask if that's expected behavior.

does the ISP really have any way of knowing what sort of modem a customer is using, though? can't you just clone the mac address of the ISP provided modem?

wasn't an issue with comcast when i was still using them

I only pay for 1 address, and the gateway has its own public address that is 74.xxx. maybe they are both public, but I can't reach the 100.xx one or any ports opened from the internet at all, so i'm a bit confused. There's no markings whatsoever on the router, it's an arris but I don't know the model number, and I'm not sure how to find it without a marking of any kind, it doesn't even say arris, i only know from when I found out they set the password for it when I was trying to login to configure the damn thing.

>does the ISP really have any way of knowing what sort of modem a customer is using
Yes. It has to be provisioned. Unprovisioned equipment doesn't function.
That's really bizarre. Honestly the only thing you can do is call them. Maybe there's an error in the provisioning.

yeah i'm hoping I can get back in touch with someone who's cool and knows what they're talking about but we'll see when i call them tomorrow. I wasn't sure if i needed to set something on my router or not. I have a port forwarded on my router, but when trying to check if it's open using that 100.xxx address it reports that it's closed, so it's either private, or public but still behind double nat, which confuses me even more.

>Yes. It has to be provisioned. Unprovisioned equipment doesn't function.

do you actually have any understanding of networking or are you bullshitting

>do you actually have any understanding of networking
I know about DOCSIS, yes, and I have self installed modems. Do you seriously think they have no way to control who has access to their network?

>The weird part is, the private IP that it gives my router begins 100.73.x.x, which you'd think is publicly routable

This is not a private IP, it's a public IP and it's perfectly routable on the internet.

>On the routing table for my router, it shows my router's local ip as 'br0' while their router is vlan2, part of the bridge worked it appears

br0 is an internal BVI on your router. Essentially you have one physical ethernet interface (eth0) and one physical wireless interface (eth1). On eth0, you have a trunk to the built-in switch with subinterfaces (vlan2 is the subinterface connected to the WAN port). The other subinterface of the trunk is bridged with eth1 so that the LAN ports on the built-in switch are on the same layer 2 network and on the same subnet. That's why effectively br0 is your routed LAN interface, while vlan2 is your routed WAN interface.

>Large corporate ISPs, not really.
Comcast and RCN, the two cable cos in my area both let you.

Also why the fuck does OP even care that much? I'm behind 2 to 3 routers at home, with 1 and 3 both doing NAT.

You have to get them to provision your modem so yes they will know.

he does, you're just retarded

>so that the LAN ports on the built-in switch are on the same layer 2 network and on the same subnet.

Missed a part here, what I meant is that the wired LAN subinterface of the trunk on eth0 (it's either vlan0 or vlan1) is bridged to eth1 so that the wired LAN and the wireless LAN are the same network/subnet.

thank you for the explanation

I care because I want to configure my own gateway, but they won't let me do anything to theirs. So I can configure my own router behind their gateway all I want, but if it's behind another layer of NAT, I can't get ports forwarded through to the second router.

>I care because I want to configure my own gateway,
what do you plan on doing? or is this just to satisfy your autism?

>but if it's behind another layer of NAT, I can't get ports forwarded through to the second router.
UPNP proxy

partially, yes, I like to learn things and do things. But also, I had remote desktop set up and a simple vpn when I had my old ISP, but I can't do that since I switched and can't configure this router.

UPNP proxy, isn't that still something I would need access to their router to set up?

He's entirely correct, a cable modem is not CPE (customer premises equipment), it must be under the ISPs control so they can control your connection parameters. If the modem was all yours you could configure an arbitrary connection speed amongst other things.

so, the router gives my router a 100.73.x.x address, with a subnet mask of 255.255.252.0, and the default gateway is 100.73.y.y. It just created subnets and put itself at the beginning, and the second router on a different subnet. But I don't think it's publicly routing any of that, even though it's not using a private IP range. Really it makes no sense, I'm no expert, but I know enough to be confused.

wouldn't it be weird if cable modems were something you could buy on amazon? wouldn't it be weird if you could hack a customer-bought cable modem to use the provisioned modem's mac address?

you can, but I don't want to buy a damn modem, and I don't want to incur the wrath of my new isp which has gigabit internet, and have to go back to paying more for time warner's shitty 15down/1up

You're really a moron.

>partially, yes, I like to learn things and do things.
For anything you'll want to do with a router, it won't matter if it's behind NAT. Your ISP isn't going to allow you to run BGP at home.

>but I can't do that since I switched and can't configure this router.
I'm sure they'll set up PAT maps for you, or use UPNP port forwarding

>UPNP proxy, isn't that still something I would need access to their router to set up?
No because pretty much any consumer grade router they'll give you will support UPNP port forwarding, and i seriously doubt they'll disable it. Because people love IP cameras and they don't want to deal with service calls.

no i'm just not stupid enough to think cable modems work using indecipherable magic

NAT is necessary, double NAT is not. I tried to get port forwarding to work on the secondary router, I couldn't, not sure if upnp port forwarding is set up or not on theirs, but it doesn't look like anything gets through

It's not indecipherable, you just don't know what you're talking about.

It looks fine really from the looks of it. The 100.73.y.y gateway shouldn't be the ISPs device that's in your home but something further up (such as the CMTS you're connected to). Have you tried to do a traceroute from your network to a public server, and a traceroute from a host outside of your LAN to your WAN address (i.e. 100.73.x.x)? That way you should get an idea of what routers are between you and the internet, and where a connection problem occurs. The ISPs router also has virtual IP addresses which are active even if it's in bridge mode (they serve for maintenance/configuration connections, most cable modems have 192.168.100.1 active on the customer side and another one on the ISP side), these addresses should be private and have nothing to do with the actual routing. Are you sure that your own router doesn't have filtering which might prevent connections, does it have the port(s) in question correctly forwarded, and is there an active service on your LAN on the IP that is being forwarded to?

They don't, read the DOCSIS documentation to find out how they do. If you can easily trick an ISP into provisioning some random modem just by faking the old one's MAC address, they have shit practices in place. They can pull all sorts of info from the modem and should figure out easily that they're dealing with an unauthorized device.

what looks weird to me is that, the internet detects my ip as 74.xxx but traceroute goes to my router's local ip, to a hop on 100.xxx which is only incremented by 1 in the last octet from my default gateway, then off to other hops, but the internet detected ip of 74.xxx is not on the hop list at all.
maybe i'm just too dumb to understand

but my router's default gateway of 100.xxx is not on the hop list, one address adjacent to that is though, like the difference between 10.0.0.1 and 10.0.0.2 for example..i'm trying not to give out IPs on Sup Forums

Your Modem is fine.
You're behind Carrier NAT (100.64.0.0/10). ISPs do this to save IPv4 addresses. Nothing you can do, it's not your CPE that's NATting, but the ISP gateway.
You also won't be able to forward ports.
Ask for a proper IP or IPv6.

en.wikipedia.org/wiki/Carrier-grade_NAT
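To make the diagnosis above checkable from the router's own numbers, here is an added example (not code from anyone in the thread) that classifies the address the upstream box handed to the WAN port and compares it with what a remote site sees. The 100.73.12.34 /22 lease, its gateway and the 203.0.113.5 outside view are constructed values in the shape the OP describes, not the real addresses.

```python
import ipaddress

# 100.64.0.0/10 is the Shared Address Space reserved for carrier-grade NAT
# (RFC 6598); the RFC 1918 blocks are what a home router normally hands out.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(addr: str) -> str:
    """Say what kind of address the upstream device gave the router's WAN port."""
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT:
        return "cgnat"        # ISP is NATting further upstream (CMTS/backbone)
    if any(ip in n for n in RFC1918):
        return "private"      # the ISP box is still routing: classic double NAT
    if ip.is_link_local:
        return "link-local"   # 169.254.x.x: no DHCP lease obtained at all
    if ip.is_global:
        return "public"
    return "other"


def diagnose(wan_addr: str, wan_mask: str, gateway: str,
             seen_from_internet: str) -> dict:
    """Combine the WAN lease with the address a remote site reports back."""
    kind = classify_wan(wan_addr)
    iface = ipaddress.ip_interface(f"{wan_addr}/{wan_mask}")
    gw = ipaddress.ip_address(gateway)
    result = {
        "wan_kind": kind,
        "wan_network": str(iface.network),
        "gateway_on_link": gw in iface.network,
        "wan_matches_internet_view":
            ipaddress.ip_address(seen_from_internet) == iface.ip,
    }
    if kind == "public" and result["wan_matches_internet_view"]:
        result["verdict"] = "public IP on your router; inbound forwards can work"
    elif kind == "cgnat":
        result["verdict"] = ("carrier-grade NAT upstream; port forwards on your "
                             "router will not be reachable from the internet")
    elif kind == "private":
        result["verdict"] = "double NAT: the ISP device is still routing"
    else:
        result["verdict"] = "unexpected lease; check the upstream device"
    return result


if __name__ == "__main__":
    # Constructed sample in the thread's shape: 100.73.x.x lease with a
    # 255.255.252.0 mask, gateway in the same /22, different address outside.
    for k, v in diagnose("100.73.12.34", "255.255.252.0",
                         "100.73.12.1", "203.0.113.5").items():
        print(f"{k}: {v}")
```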

>but my router's default gateway of 100.xxx is not on the hop list
traceroute works by sending packets with increasingly large TTL values to see where the packets drop. Not every router decrements the TTL value, for instance my Cisco ASA 5510 required me to add a line to its config file to do this.
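The "missing hop" effect described here can be reproduced without touching a network. This added example (not code from the thread) simulates traceroute probes over a constructed path in which the router at 100.73.12.1 forwards without decrementing TTL, so the hop that answers is its neighbour 100.73.12.2, exactly the adjacent-address pattern the OP noticed. All addresses are constructed.

```python
from dataclasses import dataclass


@dataclass
class Hop:
    addr: str
    decrements_ttl: bool = True  # False: forwards the packet with TTL untouched


def traceroute(path, dest, max_ttl=30):
    """Return the addresses a traceroute would print, one per probe TTL.

    For each TTL the probe walks the path; the first router that decrements
    the TTL to zero answers with ICMP Time Exceeded and becomes that line's
    hop.  A router that never decrements can never be the one that answers,
    so it simply does not appear in the output.
    """
    lines = []
    for ttl in range(1, max_ttl + 1):
        remaining = ttl
        replier = None
        for hop in path:
            if hop.decrements_ttl:
                remaining -= 1
                if remaining == 0:
                    replier = hop.addr
                    break
        if replier is None:       # probe survived every hop: destination reached
            lines.append(dest)
            return lines
        lines.append(replier)
    return lines                  # max_ttl exhausted without reaching dest


def hidden_hops(path, lines):
    """Routers on the path that the traceroute output never showed."""
    return [h.addr for h in path if h.addr not in lines]


# Constructed path: home router, the 100.73.x.x default gateway that does not
# decrement TTL, the next ISP router, an ISP core router, then the target.
PATH = [
    Hop("192.168.1.1"),
    Hop("100.73.12.1", decrements_ttl=False),
    Hop("100.73.12.2"),
    Hop("203.0.113.9"),
]

if __name__ == "__main__":
    out = traceroute(PATH, "198.51.100.80")
    for n, addr in enumerate(out, 1):
        print(f"{n:2d}  {addr}")
    print("not visible:", hidden_hops(PATH, out))
```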

ahh right
i was wondering about that possibility. Can I set up a vpn that would allow me to get through the carrier nat? I know a little about setting up a basic vpn.

>Can I set up a vpn that would allow me to get through the carrier nat?
Yes, but most VPN service providers won't dedicate an IP to a single customer, and often have their customers behind NAT. If you rented a VPS and set up a VPN server on it you could.

I checked again and it turns out that the 100.64.0.0/10 block is indeed reserved for special purposes, and effectively is private:

100.64.0.0/10 (100.64.0.0 – 100.127.255.255, 4,194,304 addresses): Private network. Used for communications between a service provider and its subscribers when using a carrier-grade NAT.

en.wikipedia.org/wiki/Reserved_IP_addresses

So from that as well from what you're saying it looks like the ISP device in your home isn't really working in bridge mode. You'll need to talk to your ISP again and explain that you want it to be switched into bridge mode so it becomes transparent in both L2 and L3 so that the 73.x.y.z public address is assigned to your WAN port (i.e. the vlan2 subinterface on your router). Once that's done the problem should be solved.

>transparent in both L2 and L3
you don't understand how routers work do you? you really think you're going to be sending ARP packets out on to the internet?

you can use dyndns to deal with this issue

i see, thank you very much for all the help you all provided.
I see that with carrier nat, port control protocol can be used to get port forwarding through. Is that something I can set up or would the isp have to do it?

So it's basically the CMTS that is the last one with a public IP, and which aggregates pools of subscribers on subnets of the 100.64.0.0/10 block? If that's the case, it's indeed unlikely he'll be able to do port forwarding, as he's basically sharing the public IP with who knows how many other subscribers and the ISP certainly won't say "sure, let's make user a special snowflake and forward TCP port xyz to his particular IP".

hmm i had forgotten about that, but that wouldn't solve the problem with getting ports through would it? that just solves the problem of having to change your served applications to the right ip when they change the dynamic one you are assigned correct?

right, that's what i take from that, is that there's no way to get things through, and they're not going to help me. However, if i understand correctly, things like skype won't work without the ports redirecting properly, but skype I can get to work, but I can't however get remote desktop to work, or vnc, or windows built in simple vpn?

well, yes, it just solves the problem of not having a consistent public ip address. if you have blocked off ports somewhere along the line (like the modem), that's still an issue. you can, however, direct traffic through non-standard port numbers that aren't blocked. there isn't anything stopping you from setting up a web server to respond to whatever arbitrary port number you want if incoming on port 80 is blocked on your router

>sending ARP packets out on to the internet
Do you understand what ARP is? It's used to query the hardware address of a node with a given logical (i.e. IP) address on a directly connected L2 network.

Yes and you said you want them to transparently bridge all the L2 and L3 traffic on to the internet thinking this will somehow work.

>inb4 vxlan

Yea, you can kinda hide your router by having it not decrement TTL on the packets it is forwarding. In the old days where ISPs wouldn't allow you to do NAT yourself it was essential to do this when trying to do NAT anyway (success is not guaranteed as there's also other methods as well to detect NAT).

>and they're not going to help me
Have you checked if they offer public/static IPs (probably for a small fee, like 7 bucks a month or something) ?

Wouldn't it not be able to pull configuration data from their TFTP server if you clone the MAC somehow?

I have never heard of a residential ISP doing carrier grade NAT but if they're new I suppose it makes sense.

If you demote a routed interface on a router to a switched one, it will stop being an L2 network endpoint and any arriving frames will be switched instead, won't they. That's exactly what happens with an ISP-provided modem/router when it's set to operate in bridge mode, the segments on both of its sides are now on the same L2 network.

The modem IS in bridging mode. His ISP is doing the carrier nat in their backbone, he's probably sharing the IP with a couple thousand other customers, hence why they can't assign it directly to him.

He probably was behind CGN before but now that his modem is bridging, he's seeing the actually assigned IP address and not the public shared one the websites see.

i don't know for sure, i'll ask them about that.
yeah, this is exactly what it appears is happening. I'm pretty disappointed. I was soooo excited to have gigabit internet, waited years for it to be available here, and now i can't even host my own services accessible from the internet with it, half of the fun possibilities I was looking forward to

At least now i know what to complain about when i talk to them again, even though it's not going to get me anywhere. Hopefully I can get a static IP from them and bypass the whole mess.

Yep, I realized that already (this is what I said soon after).

>I was soooo excited to have gigabit internet

They actually provide 1000Mbps speed right to your home?

Letting customers host services is asking for tons of trouble. For example if they host a mail server that gets compromised, THEIR IP gets blacklisted (and they paid good time for that, we've been through the process of requesting a range from RIPE recently).

NAT punchthrough and dyndns are workarounds for that that the ISP can't block without affecting regular service. Don't expect help from your ISP for this, they'd be shooting themselves.

My ISP is friendly about hosting, I wish more were. That said I don't know why anyone wants to host their own mail server. It's just a pain in the ass.

yep, city wide fiber to the premises.
true, but i had time warner, and they let you do whatever you wanted with their router, forward ports and anything else, they still blocked certain standard ports, like the smtp one to prevent spam, but you could use other ports and do whatever you liked. I just wanted to host a simple vpn and be able to remote desktop while away from home.

fuck off ISP shill

Just telling you the truth

We actually give every customer a static IP

also, with carrier NAT, is it just the ipv4 address that is private, or is the ipv6 address private as well? could I just set my router to use ipv6 and get a public ip outside of carrier nat?

They're probably not assigning IPv6 address, but if they are then (almost?) all IPv6 addresses are routable.

yeah, I'll see if I can get my router to request an ipv6 address, probably not though

Carrier nat is a solution to conserve IP addresses. IPv6 doesn't need that.

You'll have fun with NAT64 then

I have the same situation and put the second router into the dmz...

>For example if they host a mail server that gets compromised

It's any kind of service really. If you host any kind of service by yourself you have to make sure it's not vulnerable. I'm not sure how often people check their firewall logs but I can assure you that I have thousands of connection attempts on my WAN interface daily from all sorts of bots and noggers all over the world to all kinds of ports (mostly telnet and other usual suspects like ssh or http, but also others, for instance since a week or so all sorts of fuckers have been trying to connect to TCP 7547 like mad - dunno, maybe it's kevinnet in action). If your server implementation is vulnerable then it's only a matter of time until someone subverts it.

i've some Technicolor router that lets me assign the public ip onto a user(router) in my network

it's also working fine for me using a mikrotik router

I guess that OP doesn't have the powers to put his own router into his ISP's CGN device's DMZ.

Fuck IPv6. Once they deploy the Worldwide Botnet of Everything, all things will have a fixed IPv6 address. This is not something anyone should desire.

The moral of this thread is depressing in that it seems like in the coming years more and more ISPs will push their subscribers onto IPv6 by first taking their public IPv4 address from them (by using carrier-grade NAT just as in OP's situation) and thus force them to migrate to the IPv6 botnet if they want to have a public address at all.

If I want to talk to an IP address that's on the same subnet as my WAN interface's IP address, then the WAN interface (assuming it's Ethernet) will send out an ARP query to determine what the hardware address of the target is. Whether you'd call it "sending ARP packets out on to the internet" is up to you, but that's how it works.

Networking is so fucking confusing.

...yeah, that's probably coming, however, ip4 is still easily traceable back to you, and even with a public ip6 address, you could still hide behind local nat to avoid exposing your computer directly. Actually, i would assume carrier nat, with all its negatives, would be slightly harder to trace to individual users, though should still be easy enough, but maybe with a more narrow window in which they'd have to pull logs from.

that still doesn't bypass carrier nat issues though even if they'd do that for me, right?

yeah you're definitely right, I wonder why time warner doesn't give a single fuck about that, at least in my area.

I use the carrier's router for the net that handles the TV service, and the interior one (DMZ) for my home network. Had to do it this way because when I upgraded the service, some of my home machines were locked to the IP addresses due to licensing issues. I also have a static IP.

What are they supposed to do, provide a firewall for you? Block what ports exactly? That would generate costs and piss off users who would be hampered by that, and it also would violate the net neutrality principle. Your ISP has no way of knowing whether some Asian IP address trying to connect to your port xyz is some skid or botnet victim, or maybe someone you know who is trying to make a legitimate connection to a service you have set up to listen on that port. There are ways to detect illegitimate scans, but again that's an effort to make, it generates costs both to perform and to deal with disgruntled users who are disadvantaged by implemented blocking/filtering, it's not 100% accurate anyway so some intruders will slip through and some legitimate connections will be blocked, and it would violate net neutrality which assumes that all traffic is to be treated equally (and implies that it's everyone's own job to secure their endpoints).

no i mean, time warner will let you forward whatever ports and host whatever you want, they let you do what you want with their router, I was saying in light of what you said about attacks, I'm surprised they allow the customer to do all of that.