Beyond the Nat: Cgnat, Bandwidth, and Practical Tunneling

Posted12 days agoActive5d ago

rastrian

27 points

11 comments

blog.rastrian.devTech Discussionstory

informativeneutral

Debate

20/100

CgnatNetworkingTunneling

Key topics

Cgnat

Networking

Tunneling

The woes of Carrier-Grade NAT (CGNAT) and dwindling IPv4 addresses have sparked a lively debate about the practicalities of tunneling and IPv6 adoption. Nostalgic tales of dial-up internet with static IPs and inbound access have surfaced, while others lament the regression to CGNAT by some modern ISPs, citing issues for gamers and those susceptible to rate limiting. As commenters weigh in, a surprising consensus emerges: IPv6 implementation is long overdue, with some organizations having made the switch nearly a decade ago, and those who resist are missing out on reduced attack surfaces. The discussion highlights the tension between technological progress and frustrating ISP limitations.

Snapshot generated from the HN discussion

Discussion Activity

Active discussion

First comment

Peak period

120-132h

Avg / period

Comment distribution21 data points

Loading chart...

Based on 21 loaded comments

Key moments

01Story posted
Dec 27, 2025 at 8:59 AM EST
12 days ago
Step 01
02First comment
Jan 1, 2026 at 11:22 AM EST
5d after posting
Step 02
03Peak activity
19 comments in 120-132h
Hottest window of the conversation
Step 03
04Latest activity
Jan 2, 2026 at 10:15 AM EST
5d ago
Step 04

Generating AI Summary...

Analyzing up to 500 comments to identify key contributors and discussion patterns

Discussion (11 comments)

Showing 21 comments

teeray

6d ago

2 replies

[delayed]

reincarnate0x14

6d ago

Even on dialup it was common to get a public IPv4 address, depending on what service. The service I had in like 95-98 didn't promise static IPs but I effectively got the same address for weeks at a time, I'm assuming due to whatever logic was mapping accounts to addresses. They also gave you access to a FreeBSD shell if you wanted to read email via elm or pine or the like, one of the first places I saw SSH!

kstrauser

6d ago

I had dialup with a static IP and inbound access to listening ports.

kmbfjr

6d ago

2 replies

New fiber provider across town does CGNAT and no IPv6.

I guess that works for most people except gamers and people who get rate limited because of the actions of others.

Article is correct, IPv4 didn’t die hard.

reincarnate0x14

6d ago

1 reply

It's bizarre to me that there is still so much effort spent on resisting IPv6 implementations, we were converting some industrial control networks to it almost 10 years ago and those organizations are basically defined by ancient equipment. Rather than byzantine v4 NAT coordination we mapped entire plants and substations to V6 addresses and put in 6to4 for the PLCs that were old enough to vote, so that multiple sites that all used the same 10.x.y.z blocks because of course they did could be routed together. Had V6 available from my house to pretty much anywhere I cared about in 2017.

esseph

6d ago

2 replies

[delayed]

immibis

6d ago

1 reply

You're banned from being a federal contractor if you don't. Isn't that pretty important since that's where all the money is?

esseph

6d ago

[delayed]

reincarnate0x14

6d ago

1 reply

re: the attack surface, I will say that I see such a tiny fraction of probe attempts and common exploit scripts hitting V6 spaces that I open some services on V6 only.

At my house I've had SSH open to the V6 internet for 8 years and have the logger set up to email me for any connections, and I have never once seen an attempt. For popular sites with well known DNS names that's obviously different, but I keep DNS current and can SSH by name to that V6 listener from anywhere so it's not my ISP trying to save me from myself either. And that's not even a host with the normal automatic temporary addresses, it's been a fixed interface id portion with an effectively static V6 prefix for years.

For a while I had several other services open as well, at one point we even played around with using NFS and iSCSI over IPv6 on the internet just for giggles, no actual important data. I can imagine some sysadmin's face twisting in horror just reading that knowing the carnage that would have ensued doing that with V4, where we commonly drop entire geo-blocks just to curtail the log spam of all the various automatic admin portal and VPN login scans.

There are of course techniques to gather live V6 addresses but between the vast space and temporary addresses on most end-user devices it really has been a night and day difference.

esseph

6d ago

[delayed]

irusensei

6d ago

It's the same bullshit everywhere it seems. There goes the CGNAT with their router where the "advanced" options are basically defining DHCP settings. There is also the stupid TV that no one asked for but it's part of the package.

And when they do give you v6 its a /64.

I wish there might be a category of prosumer friendly ISP of sorts. Those exist but they are hard to find.

yuvadam

6d ago

1 reply

Call me a tailscale simp, but since it was launched I honestly stopped caring about any of such issues.

They've built such an incredible product I actually feel guilty I pay absolutely nothing for it.

beautyReloaded

6d ago

public ip abundance of the internet should not depend on mappings in the tailscale servers owned by tailscale or self hosted by other people

apitman

6d ago

1 reply

This looks like an excellent overview of the current state of things, and some nice practical instructions on getting end to end connectivity working.

Personally I don't think IPv6 will ever supplant IPv4. As far as big tech is concerned, NAT solves the problem well enough for clients and SNI routing solves it well enough for servers.

What incentive do they have to make things better for small orgs and p2p use cases? Better from their perspective to retain control over IPv4 real estate and extract rent.

immibis

6d ago

2 replies

For one, most major governments have told them to do it or else.

apitman

6d ago

1 reply

I wish I had an IPv4 block to hoard.

Far more important than current adoption is rate of adoption, which is slowing.

US mandates will certainly help and may be enough, but the US can't force other countries to follow. Many countries have far lower adoption rates.

immibis

6d ago

1 reply

Major internet centers are US (V6 mandate), Europe (V6 mandate, I think - and if not already, they will), China (V6 mandate) and to a lesser extent Japan and Korea. Other countries will do whatever they have to do to remain connected to these, unless they want to make their own isolated BR(not I)(not C)S internet with blackjack and hookers.

apitman

6d ago

1 reply

I hope you're right

immibis

5d ago

What else do you foresee? A country like Chile just decides it doesn't want to be in the global internet and more, and separates? No, I think that's completely unrealistic.

If it can't upgrade in time, it might remain connected using some kind of translator or proxy. Even if not official, someone would surely run one - it's too useful and we're not talking about a censorship scenario where it would be illegal. Experience shows this is very annoying and will quickly be upgraded to native level. Note that tunneling is native.

Most end-user ISPs today use some kind of tunneling to separate the architecture of their network from the architecture of the services they deliver to customers. If you use DSL, your connection is (usually) a PPPoAoE tunnel with one endpoint at your house and another endpoint at one of your ISP's POPs - the entire access network feels transparent to you. If you use a cellular network, it does something similar with GTP.

And considering that fact, it's not as hard to upgrade a network to IPv6 as you might think. Some core routers and edge routers must be upgraded, but the majority of the network is tunneled over. Perhaps during a transitionary period, your CPE (home router) will encapsulate your IPv6 packets in IPv4. This doesn't require a new router because most of them do routing in software and can just get a firmware update.

unethical_ban

6d ago

Accusation of malice is a little far, I think the ipv6 transition isn't obvious to people because it has mostly been on mobile networks and the big datacenters. There are a lot of large organizations yet to implement it internally.

idatum

6d ago

If you are already running a VPS, the SSH -J option is useful if you don't want to expose your SSH to your home public address.

You create an SSH reverse tunnel (-R option) from a server in your home network to your remote VPS. This gives you a localhost port on your VPS to your server SSH port. Something like:

    ssh -NT -R 2222:localhost:22 vpsuser@yourvps.com

From your laptop, use your your VPS address and localhost port in the -J option. Something like:

    ssh -J vpsuser@yourvps.com:2222 homeuser@yourhome.com

I only allow ssh key auth and only my laptop is trusted by my home server. The home server doesn't need to trust the VPS "jump server".

View full discussion on Hacker News

ID: 46401899Type: storyLast synced: 1/1/2026, 8:10:34 PM

Want the full context?

Jump to the original sources

Read the primary article or dive into the live Hacker News thread when you're ready.

Open link View on HN