Inbound ICMP Not Reaching Router

[CntrlAltDel]

Hi everyone,

I recently switched from OPNsense back to Asus Merlin firmware, and I’m having trouble getting ICMP (ping) requests to reach my WAN from external sources. I’ve enabled the "Respond ICMP Echo (ping) Request from WAN" option, but it's still not working. Disabling the firewall didn’t help either.

Looking at the packet log, it seems inbound ICMP requests aren’t even reaching my router, which makes me suspect CGNAT might be the issue. The confusing part is that everything worked fine on OPNsense yesterday, allowing inbound ICMP from whitelisted addresses.

I should also add that I'm not pinging my DDNS domain name, instead my public IP directly in order to get the most accurate results as to why inbound ICMPs are not working.

Afrihost / Octotel

 

[CntrlAltDel]

OOF!
I just went back to my OPNsense config and saw that I was using PPPOE WAN instead of DHCP. I reconfigured to PPPOE and tested inbound ICMP. Everything's working again!

 

[CntrlAltDel]

@AfriNatic @AfriGuy @Afrigirl @AfriFella

I recently switched my WAN connection to use PPPoE with a username and password, and now I’m able to receive inbound connections again. The issue is, this feels more like a workaround. I remember having frequent disconnects (at least once a week) when I was previously on PPPoE, so ideally, I’d prefer to use DHCP instead. The problem is the CG-NAT setup.

I’ve now changed my WAN setup back to DHCP, and interestingly, I’m still seeing the public IP assigned to my router from the previous PPPoE session, which is great because inbound connections are still working. However, I’m concerned that when the IP lease expires or IPs rotate, I might end up with an IP that’s behind a double NAT due to CG-NAT.

Can anyone confirm if my thinking is correct here? Would I eventually get stuck with a double NAT situation once the IP changes? Any advice or insights would be much appreciated!

Thanks!

 

[Afrigirl]

Hi.

The IP will likely change when you switch routers, and you must be mapped again if the line was reprovisioned after a fault. We can't guarantee whether it will be a public or CGNAT IP. However, a CGNAT IP will likely be allocated to new clients after activation.

The CGNAT IP can be removed upon request.

 

[CntrlAltDel]

Hi.

The IP will likely change when you switch routers, and you must be mapped again if the line was reprovisioned after a fault. We can't guarantee whether it will be a public or CGNAT IP. However, a CGNAT IP will likely be allocated to new clients after activation.

The CGNAT IP can be removed upon request.

Thanks for your response!

So, just to clarify — it sounds like the only real risk of getting a CGNAT IP would be if I switch routers again, correct? My main concern is that when my current public IP (169.x.x.x) expires or rotates, I don’t end up with a CGNAT IP. I need to ensure that services that were working previously and rely on inbound connections to my network don’t suddenly stop functioning.

Any further thoughts or advice on this would be really helpful! Thanks again!

 

[Afrigirl]

Thanks for your response!

So, just to clarify — it sounds like the only real risk of getting a CGNAT IP would be if I switch routers again, correct? My main concern is that when my current public IP (169.x.x.x) expires or rotates, I don’t end up with a CGNAT IP. I need to ensure that services that were working previously and rely on inbound connections to my network don’t suddenly stop functioning.

Any further thoughts or advice on this would be really helpful! Thanks again!

The lease is likely to expire in 10 days, and yes, when you get a new lease, another IP will be allocated.
Have you tried using our buildin DDNS for your services?

 

[13en]

This is interesting, I had a similar issue that was affecting my IPV6 connection, Inbound icmpv6 traffic was filtered, and the workaround was to switch me to PPPOE, but this has overhead on resources on the customer routers, @Afrigirl are the plans to resolve this so we can be switched back to DHCP?

 

[CntrlAltDel]

The lease is likely to expire in 10 days, and yes, when you get a new lease, another IP will be allocated.
Have you tried using our buildin DDNS for your services?

Just to clarify, when the new IP is assigned, will it follow the same standard as my current one and be a public IP address, not a CGNAT IP? I want to make sure I avoid any issues with services that rely on inbound connections.

Also, for reference, I’m using Afrihost’s DDNS.

 

[Afrigirl]

This is interesting, I had a similar issue that was affecting my IPV6 connection, Inbound icmpv6 traffic was filtered, and the workaround was to switch me to PPPOE, but this has overhead on resources on the customer routers, @Afrigirl are the plans to resolve this so we can be switched back to DHCP?

Hi.

Which FNO are you with?
Are you still connected using PPPoE mode?

 

[Afrigirl]

Just to clarify, when the new IP is assigned, will it follow the same standard as my current one and be a public IP address, not a CGNAT IP? I want to make sure I avoid any issues with services that rely on inbound connections.

Also, for reference, I’m using Afrihost’s DDNS.

As mentioned, we cannot guarantee what IP will be allocated when the lease expires. It can be a public or CGNAT.

 

[CntrlAltDel]

Hi.

Which FNO are you with?
Are you still connected using PPPoE mode?

Octotel and currently I’m in DHCP mode the public address I received while in PPPoE seemed to persist through to the change to DHCP

 

[13en]

Hi.

Which FNO are you with?
Are you still connected using PPPoE mode?

MFN and yes, I am still using PPPOE, on DHCP icmpv6 replies stop working which breaks IPV6

 

[Afrigirl]

MFN and yes, I am still using PPPOE, on DHCP icmpv6 replies stop working which breaks IPV6

Thanks, I remember @AfriNatic mentioned it, and they could not find the fault in the escalations with MFN.

 

[CntrlAltDel]

As mentioned, we cannot guarantee what IP will be allocated when the lease expires. It can be a public or CGNAT.

Thanks for the suggestion on requesting a public IP in case I get assigned a CGNAT IP during the next rotation. Would making this request ensure that all future IP rotations give me a public IP, or would I need to submit a request every time I get a new IP?

If it’s the latter, I’m thinking of automating the process by creating a script on my router that switches to PPPoE if the IP doesn’t match the 169.x.x.x range. Once a 169 IP is assigned, it would switch back to DHCP. This assumes the behaviour I initially observed continues of the PPPoE assigned public IP persisting even after changing back to DHCP.

Any feedback on this approach? Does it sound feasible?

 

[Afrigirl]

Thanks for the suggestion on requesting a public IP in case I get assigned a CGNAT IP during the next rotation. Would making this request ensure that all future IP rotations give me a public IP, or would I need to submit a request every time I get a new IP?

If it’s the latter, I’m thinking of automating the process by creating a script on my router that switches to PPPoE if the IP doesn’t match the 169.x.x.x range. Once a 169 IP is assigned, it would switch back to DHCP. This assumes the behaviour I initially observed continues of the PPPoE assigned public IP persists even after changing back to DHCP.

Any feedback on this approach? Does it sound feasible?

You will need to make a request every time you get a CGNAT.

Yes, you can create a script.

 

[CntrlAltDel]

You will need to make a request every time you get a CGNAT.

Yes, you can create a script.

Thanks for all of your input!
Will do so and report back in case anyone else is having the same conundrum.

 

[CntrlAltDel]

Hi @Afrigirl @AfriGuy @AfriNatic I spoke with an Afrihost agent earlier today and they said we are no longer able to request a public IP.
Is this true? Up until recently I was able to use PPPOE on Octotel but that seems to have changed. I am no longer able to switch to PPPOE, get a public IP, then switch back to DHCP while maintaining that same public IP. I understand it is intended for PPPOE to not work as DHCP is preferred but now all my ingress services are dead because I have a double NAT'd IP.

 

[Afrigirl]

Hi @Afrigirl @AfriGuy @AfriNatic I spoke with an Afrihost agent earlier today and they said we are no longer able to request a public IP.
Is this true? Up until recently I was able to use PPPOE on Octotel but that seems to have changed. I am no longer able to switch to PPPOE, get a public IP, then switch back to DHCP while maintaining that same public IP. I understand it is intended for PPPOE to not work as DHCP is preferred but now all my ingress services are dead because I have a double NAT'd IP.

Please drop me a PM with email address.

 

[CntrlAltDel]

Thank you @Afrigirl for sorting out my issue