Strange IP resolution issue

Hi, I’m unable to connect to several databases I use at work and am unable to determine the issue.

MySQL: port 3306
Flask Webserver: port 5000
MongoDB: port 27017

All of these work fine when I’m tethered to my phone or on a local wifi. I attached a screenshot of the firewall settings from WebAdmin, everything is wide open (unless there’s another place to check).

I saw this thread about port 22 being blocked on ATT for someone, I can ssh on 22 just fine into all of my servers.

I have a strange issue where my public IP is different whether I retrieve it from a browser or on the command line.

If I go to I get a different IP than if I run the following terminal command
> curl

I tried the same with and get different IPs from a browser or the curl request.

For the AWS instances, I have been using whitelisted IPs for the time being. I temporarily opened a few machines up to the whole internet ( and that still did not work.

Any advice would be much appreciated, I’m pretty stuck on what to look for next.



Model: Pepwave MAX Transit
Firmware: 8.0.2 build 4407
Carrier: ATT
MacOS Catalina 10.15.6


I looked at this some more and found out that it’s not an issue with ports at all, it’s that my public IP is either coming back incorrect or is changing.

I’m able to access the port on another server just fine.

nc -v 27017
Connection to port 27017 [tcp/*] succeeded!

It turns out that when I thought I had opened up my EC2 instance to the world I didn’t (I had too many security groups active). When I do open the machine up to, I’m able to connect. If I open it up to only the public IP I get from any sites that tell you your public IP, I get a network socket timeout. Somehow these sites that are telling me my public IP are incorrect.

Is this an issue with the Peplink Transit Max or an ATT (carrier) issue or maybe combination thereof? Any ideas would be very helpful.


Hi Jeff, ATT is not providing you with a publicly routable IP address as much as you are thinking so (unless you are subscribed to and paying for a static IP address).

Rather they deploy CGNAT or carrier-grade-NAT.
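
One way to check for the carrier-grade NAT described above, as an added example that is not part of the original thread: compare the address on the router's WAN interface with the addresses that external services report. The function name, finding labels and sample addresses are constructed for illustration; 100.64.0.0/10 is the RFC 6598 shared address space reserved for CGNAT.

```python
import ipaddress

# RFC 6598 shared address space, reserved for carrier-grade NAT.
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges (a WAN address here also means upstream NAT).
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def diagnose_nat(wan_ip, observed_ips):
    """Compare the router's IPv4 WAN address with the public addresses
    that external "what is my IP" services reported for it."""
    wan = ipaddress.ip_address(wan_ip)
    observed = {ipaddress.ip_address(ip) for ip in observed_ips}
    findings = []
    if wan in CGNAT_NET:
        findings.append("wan-in-cgnat-range")
    elif any(wan in net for net in RFC1918_NETS):
        findings.append("wan-in-private-range")
    if observed and wan not in observed:
        # Some device upstream of the router rewrites the source address.
        findings.append("wan-differs-from-observed")
    if len(observed) > 1:
        # Egress comes from a NAT pool, so no single address can be allowlisted.
        findings.append("multiple-egress-addresses")
    return {
        "behind_upstream_nat": any(f.startswith("wan-") for f in findings),
        "allowlist_by_ip_reliable": not findings,
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed sample values (documentation and CGNAT ranges, not real hosts).
    print(diagnose_nat("100.72.14.9", ["198.51.100.23", "203.0.113.77"]))
    print(diagnose_nat("203.0.113.5", ["203.0.113.5"]))
```

When `allowlist_by_ip_reliable` is false, a security group rule pinned to one reported address can time out exactly as described in this thread.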

Oh wow, I didn’t realize this was happening, what a bummer. The internet is a giant ball of duct tape. Thanks for pointing this out Tim.

Thanks Tim for pointing out this thread.

yes, I’m trying to connect to the Pepwave going through a cellular connection.

Same as Jeff, I see two different IPs. Is there any way to solve it other than paying for a static IP?

I have configured a second access point using “SpeedFusion Cloud” (vpn), when using it I get only one IP but I still have a similar traceroute result

traceroute to (, 64 hops max, 52 byte packets
1 ( 29.031 ms 3.422 ms 3.352 ms
2 ( 242.480 ms 256.476 ms 514.242 ms
3 *

I’m able to use the AP (w/SpeedFusion Cloud) to ssh into IP restricted servers (previously whitelisting my IP at that time).

However, when I try to use the AP (w/SpeedFusion Cloud) to connect to aws vpn, I cannot reach anything (but I can connect “successfully” to the vpn itself). I’m not sure what the difference is in this case.

Hi, Jeff here.

I was unable to find a solution to the CGNAT issue. I only had problems with hitting non-ssh ports on AWS, don’t know why it was only specific ports that I opened through security groups. I was able to hit aws ports (22, 80, 443) just fine. I did not have this issue when tethering through my phone (verizon), just through my ATT sim in my peplink device. Maybe this is carrier specific. You could try to call your carrier and see if they will route you traditionally. FYI, I was not using SpeedFusion Cloud and don’t really have any knowledge of that.

I ended up getting my own VPN (surfshark) for other reasons, but that ended up fixing this issue entirely.

It was a very frustrating experience, so happy to answer any other questions you might have about this or things I tried.

Two IPs is fine when using SFC since the only place NAT happens is in SFC not the hops before.
The issue I think you have if you’re using AWS VPN which is IPSEC is that it expects to use port 4500 inbound and not only will SFC already be using this (for the SpeedFusion VPN), but even if it wasn’t you have no admin rights to forward that back to your device.

If you got a SIM with a public IP and then set the SpeedFusion VPN service on your device to use a different port then with NAT-Traversal configured you should be fine.

The other approach that would be worth testing is to host your own fusionhub so you only have a single NAT hop and see if the issue goes away. I have a video here showing how to do that on vultr.

Hi Martin,

Just to clarify I have 2 IPs without using SpeedFusion Cloud but only one IP when using SpeedFusion Cloud.

I saw the “warning” in the aws site about the port 4500 so I tried installing Fusion hub as you suggested and it works!

Thank you very much for the instructional video and your helpful pointers here, it has been a very difficult and frustrating issue to troubleshoot.


Bravo - really glad that worked out for you!