Tata Sky -- CGNAT? DHCP or PPPoE?

  • Thread starter raj2021
  • Start date
  • Replies 14
  • Views 4,177
R

raj2021

Messages
8
Location
Mumbai
ISP
Tata Sky Broadband
My parents live in Mumbai and they have the Tata Sky connection. I wanted to provide them with a OPNsense firewall. I was hoping to set up a site-to-site VPN between my home and theirs.

However, I am not sure of two things:
  1. Does Tata Sky use DHCP or PPPoE? If PPPoE, do they provide the credentials to the customers or do the "service engineers" come in and put that info in? Will I require that information in Opnsense or will the ONT device handle that?
  2. Does Tata Sky uses CGNAT aka Double NAT and if so how would I circumvent that in order to set up the Site-to-Site VPN connection?
Explaining this to my parents so that they can ask their customer rep is like breaking my head on the wall. So here I am... trying to find out as I am not local to Mumbai.

Secondly, they have been provided with the ONT + Router -- a Nokia G-140W-C. Obviously I will have to have that changed to just a regular ONT without the routing capabilities. Have any of you had experience with Tata Sky reps about how easy or difficult it is to have the device changed over to just an ONT instead of the so called "Smart Router" ? In other words, when I visit, what should I tell the rep -- so that they understand quickly rather than me having to explain entire networking architecture to them?

Thanks,
 
nerdseeder

nerdseeder

Messages
61
Location
Bengaluru
ISP
Airtel FTTH - 1GBPS, Tata Sky Broadband - 300MBPS
1. Tata Sky usage PPPoE. You will receive username/password via SMS.
2, They use CGNAT. They can allocate static IPv6 free of cost.
3. For me they have provided a dumb ONT/Modem - Nokia G-010G-Q work only in bridge mode.
4. Dealing with TTSB field engineer/customer care is such a pain. Better to go with Airtel if possible.
Airtel has much better customer care and competent Network operations team. I struggle a lot to get my bridge mode working via TTSB team. Got same done with Airtel and static public IPv4 in 3 days without any followup.
 
R

raj2021

Messages
8
Location
Mumbai
ISP
Tata Sky Broadband
Crap, this is exactly what I was afraid of. CGNAT !! Now will have to either get VPS or a public IPV6 address -- but that would mean IPv4 to IPv6 translation as I solely use IPv4. Dammit !

You wouldn't know if Tata Sky supports PCP --- would you?

My parents already have the Tata Sky account. Apparently Airtel doesn't service the area where my parents live. I'll ask them and see if they have other options.
 
manu1991

manu1991

Ancient Philospher
Messages
8,523
Location
London
ISP
Hyperoptic
Why don't you use ZeroTier to bypass the CGNAT? Would it not work in this scenario?
 
R

raj2021

Messages
8
Location
Mumbai
ISP
Tata Sky Broadband
have never used ZeroTier, but wouldn't it be similar to using a VPS that hosts a VPN server and all the sites connecting to it as clients?

Would you be able to point me to some articles that indicate the advantages of ZeroTier vs a VPS with OpenVPN? I have been googling, but haven't found anything other than people saynig that ZeroTier is much less configuration. I am more concerned with security and such rather than configuration Also, it could just be the fear of the unknown on my part.

Is all my data passing through the ZeroTier's servers? Is the data encrypted and does it follow the Zero Trust model?
 
Last edited:
JB701

JB701

🎉 🎉 🎉 🎉 🎉
Messages
2,197
Location
Delhi
ISP
..
With ZeroTier data (encrypted) will initially go through ZT "Moons" which are their relays. After a minute or so, direct connection is established between two devices using UDP Hole punching and this is much faster (latency and speed wise) and no more data is relayed.


Source


Source
 


manu1991

manu1991

Ancient Philospher
Messages
8,523
Location
London
ISP
Hyperoptic
have never used ZeroTier, but wouldn't it be similar to using a VPS that hosts a VPN server and all the sites connecting to it as clients?

Would you be able to point me to some articles that indicate the advantages of ZeroTier vs a VPS with OpenVPN? I have been googling, but haven't found anything other than people saynig that ZeroTier is much less configuration. I am more concerned with security and such rather than configuration Also, it could just be the fear of the unknown on my part.

Is all my data passing through the ZeroTier's servers? Is the data encrypted and does it follow the Zero Trust model?
I have been using it since a few months now, to connect to my Raspberry Pi in a different country.

Its much easier to configure than a VPN since all you need to do is install the client on both devices and connect them. Security wise, you can set to manually approve clients on the network (which is the recommended option I believe) which means no one will be able to join the network unless you explicitly allow them to.
 
R

raj2021

Messages
8
Location
Mumbai
ISP
Tata Sky Broadband
Thanks @manu1991 & @JB701

So if I were to install the ZeroTier plugin and install it on both the opnsense instances, will all the devices behind those have access to each other? Or does it mean that I would have to install the ZeroTier client on each and every client on both the LAN networks?
 
JB701

JB701

🎉 🎉 🎉 🎉 🎉
Messages
2,197
Location
Delhi
ISP
..
You'll need to add a Managed route 192.168.1.0/24 (or whatever your LAN subnet is) via the ZT IP of OPNSense under Advanced Sectiion my.zerotier.com

This makes your internal LAN accessible.


Screenshot-2021-03-18-075421.png
 
R

raj2021

Messages
8
Location
Mumbai
ISP
Tata Sky Broadband
Ok great. So it's possible without having to install ZeroTier on each and every client.

I am still leaning towards VPN though because of the fact that you can use your own CA to validate rather than having to use third party relays. I have however never dealt with CGNAT before, so I might have a lot of learning to do before implementing this.
 
JB701

JB701

🎉 🎉 🎉 🎉 🎉
Messages
2,197
Location
Delhi
ISP
..
In order to do a VPN tunnel, you'll need a port open (not possible on cgnat ipv4) . Maybe you could create a IPv6 tunnel but that'll need both networks to support IPv6.

ZT Creates a direct connection after a minute.
 
R

raj2021

Messages
8
Location
Mumbai
ISP
Tata Sky Broadband
I have done some more research into this and it seems that we can create a Peer-2-Peer VPN connection as long as one of the sites has a public IP address.
So the client can be behind the CGNAT but can still call the Server which has a public WAN IP available.

However if both the sites are behind CGNAT, then you have to look at another option like Zerotier or a VPS serving OpenVPN server etc.
 
varkey

varkey

I got banned!
Messages
3,082
Location
Bangalore | Ernakulam
ISP
Excitel | BSNL
There's TailScale as well, which is a bit more refined and has a nicer UI (compared to ZeroTier) Uses Wireguard under the hoods.
 
R

rajil.s

Messages
539
Location
Lucknow
ISP
BSNL
I have done some more research into this and it seems that we can create a Peer-2-Peer VPN connection as long as one of the sites has a public IP address.
So the client can be behind the CGNAT but can still call the Server which has a public WAN IP available.

However if both the sites are behind CGNAT, then you have to look at another option like Zerotier or a VPS serving OpenVPN server etc.
Yup, as long as one end has a public ip you are good. Simply setup the vpn client behind CGNAT and point it to your public WAN address.
It is fairly easy to setup with pfsense wizards (which i use), should be straightforward with opnsense too.
There is no need to go with VPS or zero tier.
 
R

raj2021

Messages
8
Location
Mumbai
ISP
Tata Sky Broadband
There's TailScale as well, which is a bit more refined and has a nicer UI (compared to ZeroTier) Uses Wireguard under the hoods.
Had never heard of TailScale -- will check them out if only for curiosity.

I will be using OpenVPN to connect my parent's house to mine for now. Once kernel space wireguard modules are more stable in FreeBSD, I might switch over to a Wireguard VPN in a couple of years.
 

Similar threads