Metrofibre Feedback

[Deckert]

So is CGNAT at Metrofibre the new normal? After the work they did last night I am now only getting CGNAT IPs (so no longer a public IP). This breaks my DynDNS and causes problems with my SIP phone as well as my CCTV security system (can no longer access my feed from my phone app).

--deckert

 

[Chris_Auc]

So is CGNAT at Metrofibre the new normal? After the work they did last night I am now only getting CGNAT IPs (so no longer a public IP). This breaks my DynDNS and causes problems with my SIP phone as well as my CCTV security system (can no longer access my feed from my phone app).

--deckert

Who is your ISP?


My ISP is Afrihost. I just asked them for a public IP. My FNO is Metrofibre.

 

[cavedog]

So is CGNAT at Metrofibre the new normal? After the work they did last night I am now only getting CGNAT IPs (so no longer a public IP). This breaks my DynDNS and causes problems with my SIP phone as well as my CCTV security system (can no longer access my feed from my phone app).

--deckert

Direct MFN it's been like that for a while. Enable ipv6. Also redialing pppoe multiple times you will eventually get a public sometimes.

 

[Deckert]

Direct MFN it's been like that for a while. Enable ipv6. Also redialing pppoe multiple times you will eventually get a public sometimes.

Yah, I had a script that would reset my pppd process if it detected a CGNAT IP. Almost always I would get a public IP on the second try, but after last night's work that no longer works.

My ISP is also Metrofibre (most affordable and frankly, quite stable). I've run IPv6 in the past with Afrihost - it's interesting, but I've not found much practical use for IPv6 as yet. You say MFN direct has IPv6 has an option?

Edit: Metrofibre used to have an option to ask for a static IP, but that likely comes with its own problems. But it is something I will consider.

--deckert

 

[cavedog]

Yah, I had a script that would reset my pppd process if it detected a CGNAT IP. Almost always I would get a public IP on the second try, but after last night's work that no longer works.

My ISP is also Metrofibre (most affordable and frankly, quite stable). I've run IPv6 in the past with Afrihost - it's interesting, but I've not found much practical use for IPv6 as yet. You say MFN direct has IPv6 has an option?

Edit: Metrofibre used to have an option to ask for a static IP, but that likely comes with its own problems. But it is something I will consider.

--deckert

Yes they do ipv6 so worth it to enable that but you need a working ipv6 connection to access stuff remotely.

 

[Deckert]

Yes they do ipv6 so worth it to enable that but you need a working ipv6 connection to access stuff remotely.

Yep, have working IPv6 on my Linode.

Not seeing an IPv6 activation on their (anemic) client portal - I guess I'll have to engage with their support staff.

--deckert

 

[cavedog]

Yep, have working IPv6 on my Linode.

Not seeing an IPv6 activation on their (anemic) client portal - I guess I'll have to engage with their support staff.

--deckert

You won't. Just enable it on your router. DHCPv6 should be the default option. They give a dynamic /64 prefix for pd and I think a /128 wan ip if I remember correctly.

 

[system32]

You won't. Just enable it on your router. DHCPv6 should be the default option. They give a dynamic /64 prefix for pd and I think a /128 wan ip if I remember correctly.

Also on MetroFibre FNO.

Just to confirm, for ipv6, I just enable DHCPv6 even though the link is PPPoE for ipv4?

My connection was CGNAT but with a single public IPv4.
They reset the connection every 24h which was annoying as it would reset 24h later, and not 3am.

Then they "upgraded" the CGNAT to use a pool of public IPv4 addresses which caused even more issues.

I got hold of support and got moved to a static ip.

All good so far.

 

[Deckert]

Then they "upgraded" the CGNAT to use a pool of public IPv4 addresses which caused even more issues.

Yes, this!

Currently, multiple connections out to a single destination comes from multiple source IPs. Some sites balk at this, especially when fetching different objects from the site (e.g. sites that prevent direct linking to image resources). It's a mess.

--deckert

 

[system32]

Yes, this!

Currently, multiple connections out to a single destination comes from multiple source IPs. Some sites balk at this, especially when fetching different objects from the site (e.g. sites that prevent direct linking to image resources). It's a mess.

--deckert

Very bad implementation of CGNAT.
Each new connection originating from a different public IPv4.
Many session checks fail when IP addresses change between connections.

I'm OK for now as I have a static IP address.

 

[Deckert]

Ugh, it gets worse:

1. The CGNAT has finite limits on connection tracking. So my SSH sessions keep on breaking ... even with active traffic on them, they seem to have an absolute time limit. So I'm in the middle of editing a file on a remote server ... *poof* my SSH connection terminates.

2. Last night, Netflix reported "too many people are using your account" to me. I realised that's because my login and the main TV login is now coming from different IP addresses. This has never been a problem in the past (until right after the recent work that Metrofibre did).

I'll raise a ticket with them - this is no longer acceptable. I guess user-experience for Metrofibre users will just slowly become worse and worse.

--deckert

 

[system32]

I was using 'port-knocking' on a VPS to open the ssh port to the IPv4 address from home.
Once ssh port is open, you still need ssh keys to login. IMHO, works better than fail2ban.
MetroFibre "improved" CGNAT broke the port-knock as the my public IP address keeps changing with every new connection.
The previous MetroFibre CGNAT worked fine - you used 1 public NAT IP for all connections for the day.

 

[DashPole]

Ugh, it gets worse:

1. The CGNAT has finite limits on connection tracking. So my SSH sessions keep on breaking ... even with active traffic on them, they seem to have an absolute time limit. So I'm in the middle of editing a file on a remote server ... *poof* my SSH connection terminates.

2. Last night, Netflix reported "too many people are using your account" to me. I realised that's because my login and the main TV login is now coming from different IP addresses. This has never been a problem in the past (until right after the recent work that Metrofibre did).

I'll raise a ticket with them - this is no longer acceptable. I guess user-experience for Metrofibre users will just slowly become worse and worse.

--deckert

According to MFN support - they aren't using CGNAT.

Make of that what you will.

 

[system32]

Do a traceroute and check the for cgnat addresses.

The CGNAT (Carrier-Grade NAT) IP address range is 100.64.0.0/10, which translates to 100.64.0.0 through 100.127.255.255.

 

[Deckert]

According to MFN support - they aren't using CGNAT.

Make of that what you will.

When I raised my ticket with them, they confirmed switching to CGNAT for the Gauteng/Centurion region. On my router I could also see the CGNAT IP range (as system32 mentions too).

Aug 27 12:42:09 vm-firewall pppd[25148]: local IP address 100.127.165.112
Aug 27 12:42:09 vm-firewall pppd[25148]: remote IP address 196.50.234.64

I have since applied for a static IP and things are now back to normal.

--deckert

 

[DashPole]

It probably just depends on who you are talking to these days.

Now I see they are using AI to answer support questions as well .

 

[Asteroid Z]

Hi,

I had an issue with Metrofibre on Saturday, 4th April 2026.

I am a direct customer and had an all-in-one Nokia ONT, WiFi router
The tech replaced the router with the separate devices - Nokia-ONT G-010G -R and a separate Nokia Beacon Router.

The problem is that the Nokia Beacon router only has 1x LAN out. (I know a switch can be used ) But I'm trying to avoid that as i have a DC UPS connected and having more than one device (3 if I add a switch) means it won't last as long and also more things to worry about. (including diagnosing issues, if any)

The Nokia beacon router(I have full admin access, if this helps ) connects via PPPoE. (your service number @metro + password ) Has anyone had luck with MetroFiber providing those details and using your own router? Not sure if it's MAC address-specific, but I'm sure that's only for the ONT.

I did log a ticket, unfortunately, MetroFiber customer service is very poor (infact worst than Telkom )

 

[PBCool]

Hi,

I had an issue with Metrofibre on Saturday, 4th April 2026.

I am a direct customer and had an all-in-one Nokia ONT, WiFi router
The tech replaced the router with the separate devices - Nokia-ONT G-010G -R and a separate Nokia Beacon Router.

The problem is that the Nokia Beacon router only has 1x LAN out. (I know a switch can be used ) But I'm trying to avoid that as i have a DC UPS connected and having more than one device (3 if I add a switch) means it won't last as long and also more things to worry about. (including diagnosing issues, if any)

The Nokia beacon router(I have full admin access, if this helps ) connects via PPPoE. (your service number @metro + password ) Has anyone had luck with MetroFiber providing those details and using your own router? Not sure if it's MAC address-specific, but I'm sure that's only for the ONT.

I did log a ticket, unfortunately, MetroFiber customer service is very poor (infact worst than Telkom )

You would need to put it into bridge mode as well, but I dont see why they wouldnt provide you those details.

 

[Randmental1]

I am using an OPNSense Router/Firewall and just copied the PPPoE info from the Nokia UX; I have not had a problem in 2 years.

My Nokia Router is in the cupboard since day 1 - they did not want to give me credit for giving it back.

 

[Asteroid Z]

I am using an OPNSense Router/Firewall and just copied the PPPoE info from the Nokia UX; I have not had a problem in 2 years.

My Nokia Router is in the cupboard since day 1 - they did not want to give me credit for giving it back.

Tried that, got a bunch of random letters.

Metrofibre eventually provided info, not without a big warning about how they can't help resolve layer 3 issues, etc., etc., and that I would be liable to pay R650 per hour should a tech come out and find an issue is not with layer 2 infrastructure.