Tata Sky -- CGNAT? DHCP or PPPoE?

Thread starter: raj2021
Replies: 14
Views: 5,905
Messages: 8
Location: Mumbai
ISP: Tata Sky Broadband
My parents live in Mumbai and they have the Tata Sky connection. I wanted to provide them with an OPNsense firewall. I was hoping to set up a site-to-site VPN between my home and theirs.

However, I am not sure of two things:
  1. Does Tata Sky use DHCP or PPPoE? If PPPoE, do they provide the credentials to the customers, or do the "service engineers" come in and put that info in? Will I require that information in OPNsense, or will the ONT device handle that?
  2. Does Tata Sky use CGNAT, aka double NAT, and if so, how would I circumvent that in order to set up the site-to-site VPN connection?
Explaining this to my parents so that they can ask their customer rep is like banging my head against the wall. So here I am, trying to find out, as I am not local to Mumbai.

Secondly, they have been provided with the ONT + router, a Nokia G-140W-C. Obviously I will have to have that changed to just a regular ONT without the routing capabilities. Have any of you had experience with Tata Sky reps about how easy or difficult it is to have the device changed over to just an ONT instead of the so-called "Smart Router"? In other words, when I visit, what should I tell the rep so that they understand quickly, rather than me having to explain the entire networking architecture to them?

Thanks,
 
1. Tata Sky uses PPPoE. You will receive the username/password via SMS.
2. They use CGNAT. They can allocate a static IPv6 free of cost.
3. For me they have provided a dumb ONT/modem, a Nokia G-010G-Q, which works only in bridge mode.
4. Dealing with the TTSB field engineer/customer care is such a pain. Better to go with Airtel if possible.
Airtel has much better customer care and a competent network operations team. I struggled a lot to get my bridge mode working via the TTSB team. Got the same done with Airtel, plus a static public IPv4, in 3 days without any follow-up.
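A quick way to confirm the CGNAT answer above for your own line, as an added example that is not from this thread or any poster: compare the address the WAN (PPPoE) interface actually received with the address the rest of the internet sees. Addresses in 100.64.0.0/10 (RFC 6598 shared address space) mean CGNAT; an RFC 1918 address means there is still a router (for example the ONT in router mode) in front of the firewall; a public address that matches the outside view is directly reachable. The IPs in the script are constructed samples; the two addresses would normally come from `ifconfig pppoe0` on OPNsense and an external "what is my IP" service.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies a WAN address so you know
# whether an inbound VPN port can ever be reached on it.

# Returns 0 if the dotted-quad in $1 lies within 100.64.0.0/10 (CGNAT space).
is_cgnat() {
    oldIFS=$IFS; IFS=.
    set -- $1            # split on '.' into four positional parameters
    IFS=$oldIFS
    [ "$#" -eq 4 ] || return 1
    [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]
}

# Returns 0 if $1 is RFC 1918 private space (10/8, 172.16/12, 192.168/16).
is_rfc1918() {
    oldIFS=$IFS; IFS=.
    set -- $1
    IFS=$oldIFS
    [ "$#" -eq 4 ] || return 1
    [ "$1" -eq 10 ] && return 0
    [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0
    [ "$1" -eq 192 ] && [ "$2" -eq 168 ]
}

# classify_wan <address on the WAN interface> <address seen from outside>
# Prints: cgnat | private | public | translated
classify_wan() {
    wan=$1; ext=$2
    if is_cgnat "$wan"; then
        echo cgnat           # ISP shares one public IPv4 among many customers
    elif is_rfc1918 "$wan"; then
        echo private         # another NAT device sits in front of this box
    elif [ "$wan" = "$ext" ]; then
        echo public          # directly reachable; an inbound VPN port will work
    else
        echo translated      # public-looking, but rewritten somewhere upstream
    fi
}

# Constructed sample: a CGNAT-assigned WAN address behind a shared public IP.
classify_wan 100.72.3.9 49.36.10.1
```

Only the `public` result lets this site act as the VPN server; `cgnat` and `translated` mean the other site (or a VPS) must be the one with the listening port.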
 
Crap, this is exactly what I was afraid of. CGNAT!! Now I will have to either get a VPS or a public IPv6 address, but that would mean IPv4 to IPv6 translation, as I solely use IPv4. Dammit!

You wouldn't know if Tata Sky supports PCP --- would you?

My parents already have the Tata Sky account. Apparently Airtel doesn't service the area where my parents live. I'll ask them and see if they have other options.
 
Why don't you use ZeroTier to bypass the CGNAT? Would it not work in this scenario?
 
I have never used ZeroTier, but wouldn't it be similar to using a VPS that hosts a VPN server, with all the sites connecting to it as clients?

Would you be able to point me to some articles that indicate the advantages of ZeroTier vs a VPS with OpenVPN? I have been googling, but haven't found anything other than people saying that ZeroTier is much less configuration. I am more concerned with security and such rather than configuration. Also, it could just be the fear of the unknown on my part.

Is all my data passing through the ZeroTier's servers? Is the data encrypted and does it follow the Zero Trust model?
 
With ZeroTier, data (encrypted) will initially go through ZT "Moons", which are their relays. After a minute or so, a direct connection is established between the two devices using UDP hole punching; this is much faster (latency- and speed-wise) and no more data is relayed.
 


I have been using it for a few months now, to connect to my Raspberry Pi in a different country.

It's much easier to configure than a VPN, since all you need to do is install the client on both devices and connect them. Security-wise, you can set it to manually approve clients on the network (which is the recommended option, I believe), which means no one will be able to join the network unless you explicitly allow them to.
 
Thanks @manu1991 & @JB701

So if I were to install the ZeroTier plugin on both of the OPNsense instances, will all the devices behind them have access to each other? Or does it mean that I would have to install the ZeroTier client on each and every client on both LAN networks?
 
You'll need to add a managed route for 192.168.1.0/24 (or whatever your LAN subnet is) via the ZT IP of OPNsense under the Advanced section at my.zerotier.com.

This makes your internal LAN accessible.
 
Ok great. So it's possible without having to install ZeroTier on each and every client.

I am still leaning towards a VPN though, because of the fact that you can use your own CA to validate rather than having to use third-party relays. I have, however, never dealt with CGNAT before, so I might have a lot of learning to do before implementing this.
 
In order to do a VPN tunnel, you'll need a port open (not possible on CGNAT IPv4). Maybe you could create an IPv6 tunnel, but that'll need both networks to support IPv6.

ZT Creates a direct connection after a minute.
 
I have done some more research into this, and it seems that we can create a peer-to-peer VPN connection as long as one of the sites has a public IP address.
So the client can be behind the CGNAT but can still call the server, which has a public WAN IP available.

However, if both sites are behind CGNAT, then you have to look at another option like ZeroTier or a VPS serving an OpenVPN server, etc.
 
Yup, as long as one end has a public IP you are good. Simply set up the VPN client behind CGNAT and point it to your public WAN address.
It is fairly easy to set up with the pfSense wizards (which I use); it should be straightforward with OPNsense too.
There is no need to go with a VPS or ZeroTier.
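The arrangement the last two posts describe (the site with the public IP runs the OpenVPN server, the CGNAT site dials out to it) as an added example, not configuration from the thread or from any poster. It also shows the OpenVPN counterpart of the ZeroTier managed route discussed earlier: `route`/`iroute` on the server and a pushed route to the client, so the two LANs reach each other without a client on every host. Everything here is assumed for illustration: site A (the poster's home, public WAN, LAN 192.168.0.0/24) is reachable as `vpn.example.com`; site B (the parents' house behind CGNAT, LAN 192.168.1.0/24) is the client; certificate file names are placeholders issued by your own CA.

```conf
# ---- Site A: OpenVPN server on the firewall with the public WAN IP ----
# (hypothetical server.conf; names and subnets are assumptions)
port 1194
proto udp
dev tun
topology subnet
server 10.8.0.0 255.255.255.0     # tunnel addressing

ca   ca.crt                        # your own CA, as preferred in the thread
cert siteA.crt
key  siteA.key
dh   dh.pem
tls-crypt tc.key                   # pre-shared key: drops unauthenticated packets
remote-cert-tls client             # peer must present a client certificate
cipher AES-256-GCM
auth   SHA256

# CGNAT keeps a UDP translation only while traffic flows; pings every 10 s
# from the inside keep that mapping alive, restart after 60 s of silence.
# This setting is pushed to the client automatically.
keepalive 10 60

# Kernel route for site B's LAN via the tunnel, and tell OpenVPN which
# client owns it (ccd/siteB below). Same idea as the ZT managed route.
route 192.168.1.0 255.255.255.0
client-config-dir ccd
# Tell the client how to reach site A's LAN.
push "route 192.168.0.0 255.255.255.0"

# ---- Site A: ccd/siteB (file named after the client cert's CN) ----
# iroute  192.168.1.0 255.255.255.0
# ifconfig-push 10.8.0.2 255.255.255.0

# ---- Site B: OpenVPN client on the firewall behind CGNAT ----
# (hypothetical client.conf)
client
dev tun
proto udp
remote vpn.example.com 1194        # outbound only; no inbound port needed
nobind
persist-key
persist-tun
ca   ca.crt
cert siteB.crt
key  siteB.key
tls-crypt tc.key
remote-cert-tls server             # refuse a server without a server cert
verify-x509-name siteA name        # pin the expected server CN
cipher AES-256-GCM
auth   SHA256
```

Firewall rules are still needed on both ends: allow UDP/1194 inbound on site A's WAN, and permit traffic between 192.168.0.0/24 and 192.168.1.0/24 on each side's OpenVPN interface. Without the `iroute` line, site A knows the route via tun but OpenVPN does not know which client to hand the packets to, and replies from 192.168.1.0/24 are silently dropped.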
 
There's Tailscale as well, which is a bit more refined and has a nicer UI (compared to ZeroTier). Uses WireGuard under the hood.
Had never heard of Tailscale; will check them out, if only for curiosity.

I will be using OpenVPN to connect my parents' house to mine for now. Once kernel-space WireGuard modules are more stable in FreeBSD, I might switch over to a WireGuard VPN in a couple of years.
 