TELUS Neighbourhood

suthakamal · ‎08-09-2022

I’ve got Telus PureFibre 1.5/.95 service in North Vancouver.

The Nokia fiber device is plugged straight into an Eero. The Eero gets what looks like a public IP address (173.180.26.88). All the devices on the internal network are 192.168.7.x

To avoid any port blocking, I’ve got the Eero set to forward port 65001 -> 22 on my Mac for ssh.

If I’m on another device on the local network, I can ssh to [email protected]:65001 successfully. However, as soon as switch to another connection (via a VPN, or via a Bell LTE connection) the connection reliably fails.

My first question is: Is my apparently public IP address actually behind some sort of grotesque CGNAT?

Any ideas on what’s wrong / how to fix?

xray · ‎08-10-2022

I can ping your external IP so it is indeed public. Perhaps you have some firewall rules blocking access on the Eero?

View solution in original post

xray · ‎08-10-2022

What does canyouseeme.org show you for your public IP address?

suthakamal · ‎08-10-2022

Everything (canyouseeme, whatismyip, speedtest, etc.) shows my WAN IP address (173.180.26.88),

xray · ‎08-10-2022

Then you are not behind carrier grade NAT. The issue narrows down to port forwarding. Does port 65001 look to be alive from canyouseeme.org?

suthakamal · ‎08-10-2022

Nope. No ports (including 65001) work from CanYouSeeMe. Fails with a connection timeout.

If I'm on any network except the LAN, I can't connect to anything.

Strangely, if I connect from another machine on the local (192.168.x.x) network *to* the public IP and port (173.180.26.88:65001), it works, and the Mac shows the IP address of the login as coming from the public IP address.

But as soon as I'm out on any other network (even another Telus network, just not routable to my LAN) I can't connect to the 173.180.26.88 host.

xray · ‎08-10-2022

That could be the Eero doing an internal loopback to simulate external access. Typically you can't access the external IP from inside the local network. However it does confirm the port forwarding is working on the loopback. Not sure if that translates to actual external access.

BTW, there is no point checking ports that don't have any services running. All open ports will report as closed if there are no services to answer on that port.

suthakamal · ‎08-10-2022

Yup, I’ve got multiple ports forwarded to 22 on the Mac where SSH lives, and nothing works (22, 2200, 8080, 65001) from the outside Internet.

Shouldn’t another device on the LAN be able to connect to a LAN-peer via a public IP and port forwarding? I mean, the public IP should be routable, and the Eero ought to do the appropriate NAT routing to connect both endpoints, no?

I’ve plugged another ethernet cable into the Nokia fibre modem to see if I can get another “external” connection to test, but the connection doesn’t seem physically active, so that seems a dead-end.

I’m wondering if I should use wireshark/tcpdump and put my Mac w/ 2 promiscuous mode NICs between the Nokia fibre modem and the Eero to validate that packets are actually coming in, and not getting dropped by the Eero. Surely there’s a less painful way to test? 🙂

xray · ‎08-10-2022

I can ping your external IP so it is indeed public. Perhaps you have some firewall rules blocking access on the Eero?

suthakamal · ‎08-10-2022

Yeah, I’m beginning to think that the Eero is behind this, and of course its beautifully simple app doesn’t have any logs to view or anything helpful in this regard.

There’s no apparent firewall running on the Eero, so I’m going to ping Eero support and see if they’ve got thoughts.

Thanks very much for the help!

xray · ‎08-10-2022

Np, let us know if you get this resolved. Port forwarding issues come up often here so it would be beneficial to all.

I know it works because I set up external access with port forwarding to my security camera DVR many years ago and it's still working.

TELUS Neighbourhood

Pure fiber- looks like public IP, but is unreachable outside Telus