ISP broke node with deploying CGNAT - any suggestions?

Around 5-6 pm today local time my isp seems to have changed my setup and deployed CGNAT. So my node is currently off line. Any suggestions how this could be bypassed except change isp?


It sounds weird, but call them and explain the problem. Except tell them you need to be able to access your IP camera. It’s easier to explain. Tell them you don’t necessarily need a static IP but you need a public one.

In most cases the ISP will actually help you out and reverse the change for your connection.

Always try that first, because the other options are either not easy or have downsides. You would have to either change ISPs or use a VPN that supports port forwarding.


I second that! A few weeks ago I helped a fellow SNO in Romania by phoning in his name at his ISP and explained the situation. I just said I needed some ports forwarded and they said OK


The solutions mentioned above are optimal, but here is another that may be useful - SSH port forwarding. If the other solutions fail, and your node(s) generate enough income / you have an existing VPS (Virtual Private Server), you could grab a VPS with unmetered egress (I think OVH has some for reasonable prices) and forward connections from that VPS, which has a public IP, to your storage node, using SSH.

You can then use that VPS’ IP as your storage node’s IP address, as all connections to that VPS on your specified port will be forwarded to your node.

This does cost more money, and I hope the other solutions work out for you instead, but this may do the trick if they do not.

(I previously wrote that services like localtunnel may work. However, I realised that they may cause trouble in a storage node setup as opposed to simple websites.)

Thanks guys for the advice. I’ll let you know how we go.
We were planning on moving isp anyway as this one is unable to provide the speeds we had previously and my wife wants to return to streaming on twitch which she can’t do at the moment.
If they are unable to help it will just push us to move sooner rather than later.

We had an office reorg today which meant re-running network cabling and that meant I thought I had broken something but then I checked the router WAN ip and the external ip and it was pretty obvious what had happened.


It’s better to use a VPN in this case or sshuttle at least, because a usual ssh port forwarding is going through TCP and do not reconnect, if the connection is lost.

So, like @BrightSilence said it’s better to call to your current ISP first and ask them to give a public IP, the dynamic public IP is fine too - you can use a DDNS services to mitigate this issue.


you can easily fix that using services. I use that as well, rarely have problems.


I’m pleased to advise after my wife argued with the ISP tech support for a number of hours and talking to multiple different people they finally reversed the CGNAT and we are back on line. But the experience only reinforces my view we need to move isp.
Now to repair the damage over time and get back on track!


Gad you get it working with your ISP!

But if there are some situations when it dont:
I dont know what Hardware/System you use for your Storagenode(s), but I have written a guide in german how to user several IPs over VPN on a Synology NAS:

I use this solution for some Storagenodes, works nearly perfect but OpenVPN needs some CPU-Power for encrypting/decrypting the connection.

On Synology its really easy to use :slight_smile:
And even on other Systems i can recommend

1 Like

I use TrueNAS instead of Synology for my main storage but storj runs as an Ubuntu VM on Proxmox on Raid 1 hardware SAS drives. I can add 4 more physical 3.5" drives to that setup in a second bay.
I’ve recently run up a virtual Synology under Proxmox as well so I might give that a try.
The RAID card I have performs badly with SATA drives so I need to stick with SAS.

1 Like

There is another benefit of the VPN-IP:
Because the IP is abstracted from the primary internet connection itself, you can easily apply a failover-setup. For myself I have setup that when my primary Internet Connection (DSL) fails, the VPN simply switches to a backup LTE-Connection. So i can avoid some downtime.

1 Like

Out of interest, who is your ISP? And can they do something as major as deploying CGNAT without any warning?
On that alone I think it’s be wise to give them a wide berth.

At a minimum I have been thinking of dual connecting isp’s via pfsense. Unfortunately the quad port cards i have are not supported by FreeBSD (and by derivation pfsense) so I need for an Intel based card to arrive from China via ebay. My current HP Quad cards will move into the ESXi box to provide more connections for my testing vm’s for work. They work in that environment perfectly fine.

1 Like

Yes they can and it’s unfortunately very common. I think they partially can do this because they can switch you back if you complain about it. That may be part of why they are so likely to help you out if you complain.

But this isn’t a one off thing. Many ISPs are doing this now unfortunately.

I hate them with a passion. In some buildings you may not have a choice of isp. It was certainly the case in our first apartment in Omsk. That was a soviet era apartment and a bad one at that. I can’t recommend highly enough. That was our second and final isp in Omsk in a different apartment and we are currently waiting for them to get connectivity in this new apartment block…
1 Like

At one point I was allocated my own C class range back in Aus. I really should chase up the paperwork to get that formalised again!

1 Like

Of public IP’s!? Somehow I doubt that…

I applied back in the 90’s when it was AARNET. It was also free. I still have the paperwork. :wink:

I well remember getting a phone call from Geoff Houston who was the head honcho for the Internet in Australia back at that time. We chatted for a while and he decided to allocate a range to me. :slight_smile:

Beating in mind how much IPs are worth now, I doubt they’d do it again :wink: