Date: Wed, 6 Mar 2024 19:09:35 -0500
From: Kurt Hackenberg <kh@panix.com>
To: questions@freebsd.org
Subject: Re: Setting up a Wireguard router (with FreeBSD)
Message-ID: <ZekFvw6ro9iftrk0@rain.cave>
In-Reply-To: <17ae35e240ce2ec5cb414251e4fca43c@airmail.cc>
References: <00f7b360407633f787f061b4d15740b9@airmail.cc> <Zejoc-Wj4iPhXYQK@rain.cave> <17ae35e240ce2ec5cb414251e4fca43c@airmail.cc>
On Wed, Mar 06, 2024 at 10:33:38PM +0000, Christopher Waldbach wrote:

>>>I am currently trying to set up a Raspberry Pi 4 (4GB Model) as a
>>>VPN-gateway with Wireguard. Since I got fibre channel for my internet
>>>connection, I gained bandwidth but lost the public IPv4 address.
>
>>What? How can you speak IPv4 to the world at all, with no public
>>address? What does the ISP give you?
>
>I should have known someone would be pedantic. :-)
>My ISP does not give me _my own_ public IPv4 address. :-D
>My ISP only provides a DS-Lite connection, which in my case means my
>router is assigned an IP within the 100.64.0.0/10 realm.

Not pedantic, confused, by a major lack of information about your setup.
I'd never heard of that shared address space or of DS-Lite. Just looked
them up, got the idea.

For anybody else reading: 100.64.0.0/10 is quasi-private, used by ISPs
internally to provide carrier-grade NAT:
<https://www.rfc-editor.org/rfc/rfc6598.html>

DS-Lite is probably Dual-Stack Lite, a way to tunnel IPv4 over IPv6:
<https://www.juniper.net/documentation/us/en/software/junos/nat/topics/topic-map/security-ipv6-dual-stack-lite.html#UnderstandingIPv6Dual-StackLite-4C88A7ED>

All this is to squeeze the last drop out of IPv4 public addresses, which
ran out in 2011.

So, I guess you're putting a tunnel inside an existing tunnel that goes
to some faraway IPv4 NAT. And I guess there's another NAT in your
router, between your private IPv4 network and a single address on the
other side of your router, within 100.64.0.0/10. Is all that right?

Complicated. Not surprising there's some trouble.

From here, I don't know what the trouble is. I think it needs debugging,
with a complete network diagram, including all the NATs and tunnels. It
might help to watch network traffic in various places, but I suppose you
can't see it beyond your local network. Maybe you could get clues from
information in the Pi and your router, and experimentation.
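One small check that feeds the debugging the message asks for, added here as an example and not part of the thread: classify the IPv4 address the ISP hands to the router's WAN side, so a genuine public address can be told apart from RFC 6598 shared address space (100.64.0.0/10, the carrier-grade NAT range a DS-Lite deployment uses) and from RFC 1918 private space. It uses only the standard ipaddress module; the function names, the class labels and the sample addresses are the example's own.

```python
"""Classify the address a router or VPN gateway sees on its WAN side.

Added example (not from the mailing-list thread). A host whose WAN
address falls in 100.64.0.0/10 (RFC 6598 shared space, i.e. carrier-grade
NAT) or in RFC 1918 private space sits behind a NAT it does not control,
so unsolicited inbound IPv4 packets never reach it: a WireGuard peer on
that host cannot serve as the listening endpoint over IPv4.
"""
import ipaddress

# Special-purpose IPv4 blocks that matter for "do I have a public address?".
# Sources: RFC 6598 (shared / CGNAT), RFC 1918 (private), RFC 3927
# (link-local), RFC 1122 (loopback), RFC 5771 (multicast). They are matched
# explicitly rather than through ipaddress.is_private / is_global, whose
# treatment of 100.64.0.0/10 has differed between Python versions.
_CLASSES = (
    ("shared-cgnat", ipaddress.ip_network("100.64.0.0/10")),
    ("private", ipaddress.ip_network("10.0.0.0/8")),
    ("private", ipaddress.ip_network("172.16.0.0/12")),
    ("private", ipaddress.ip_network("192.168.0.0/16")),
    ("link-local", ipaddress.ip_network("169.254.0.0/16")),
    ("loopback", ipaddress.ip_network("127.0.0.0/8")),
    ("multicast", ipaddress.ip_network("224.0.0.0/4")),
)


def classify_wan_address(addr: str) -> str:
    """Return one of: shared-cgnat, private, link-local, loopback,
    multicast, public, or reserved (any other non-globally-routable block,
    e.g. the RFC 5737 documentation ranges or 240.0.0.0/4)."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("this helper classifies IPv4 addresses only")
    for label, net in _CLASSES:
        if ip in net:
            return label
    # Everything left is either globally routable or one of the remaining
    # IANA special-purpose blocks, which the stdlib flags as not global.
    return "public" if ip.is_global else "reserved"


def inbound_reachable(addr: str) -> bool:
    """True only for a genuine public IPv4 address, i.e. an address on
    which the device could in principle accept inbound WireGuard
    handshakes without relying on port forwarding by an upstream NAT."""
    return classify_wan_address(addr) == "public"


if __name__ == "__main__":
    # Constructed sample WAN addresses, one per class of interest.
    for sample in ("100.64.1.2", "192.168.1.1", "203.0.113.5", "198.51.100.7"):
        kind = classify_wan_address(sample)
        print(f"{sample:>15}  {kind:<13} inbound reachable: {inbound_reachable(sample)}")
```

Run it on the address shown on the router's WAN interface (or on the Pi's upstream interface); a `shared-cgnat` result confirms the DS-Lite situation described in the thread, and the Pi would then have to initiate the tunnel outward (or use IPv6) rather than wait for peers to connect in.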