Configuring port forwarding with CGNAT

Hi,

I've recently acquired a 5G wireless solution through my ISP, connected to a router also provided by my ISP.

It seems like one is the antenna and the other is actually the router, probably connected as a bridge, since it's getting a power connection through RJ45 (in and out).

I'm pretty sure that my IP is private since it starts with 100.X.X.X; however, when connected to the router my IP address becomes 200.X.X.X, which according to my research is public.

I naturally set port forwarding to (on both TCP and UDP):

Private from 51820 to 51820

Public from 51820 to 51820

I've configured WG on my Beryl like I usually do; however, it seems like it won't work, and I get an orange light in the Beryl GUI beside VPN client.

I've looked online and it seems like I could use a VPS or alternatively Tailscale, but I would rather use WG with port forwarding like I usually do; it's stable, reliable, fast and has a kill switch to prevent leaking my IP address.

I also tried requesting a public IP from my ISP, but I'm not sure they can; I'll see if I can reattempt.

At this time, what do you guys recommend? Also please note that the distance between the WG server and the WG client is about 9,800 km.

Thank you for your help in advance.

If you go to https://whatismyipaddress.com/ while sitting on the 5G network and then go into the router and look at the IP address on the WAN interface, does the IP address on the WAN interface match what you see from the website?

If they don't, then a port forward isn't gonna work, as you are sitting on CGNAT. You would need to look into something like Tailscale to connect to your local network.

https://www.reddit.com/r/telus/comments/1gop14y/telus_switched_to_cgnat/

According to this, it sounds like Telus uses CGNAT (and if you search around there are other forum posts and whatnot saying CGNAT is a thing with said ISP).

Check out this post; you might be able to get a public IP address from them:

https://www.reddit.com/r/telus/comments/1faxa6a/cgnat_woes/llycweo/

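The WAN-versus-public-address comparison this reply describes, as an added example that is not part of the thread. It classifies the address on the router's WAN side against RFC 6598 shared address space (100.64.0.0/10, the range the ISP hands out behind CGNAT) and the RFC 1918 private ranges, then compares it with what an external service sees. The `api.ipify.org` lookup in the optional live check is an assumption; the four sample addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: classify the router's WAN address and
# compare it with the address the outside world sees for the same link.
# RFC 6598 reserves 100.64.0.0/10 for carrier-grade NAT; RFC 1918 reserves
# 10/8, 172.16/12 and 192.168/16 for private networks.

ip_to_int() {
    # Dotted quad -> 32-bit integer, using only POSIX shell arithmetic.
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_range() {
    # $1 = address, $2 = network, $3 = prefix length; true if $1 is in $2/$3.
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "$2")
    mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

classify_wan() {
    # $1 = address shown on the router's WAN interface
    # $2 = address a public "what is my IP" service reports for the same link
    wan=$1; seen=$2
    if in_range "$wan" 100.64.0.0 10; then
        echo cgnat      # ISP shared address space: no inbound forward reaches you
    elif in_range "$wan" 10.0.0.0 8 || in_range "$wan" 172.16.0.0 12 \
         || in_range "$wan" 192.168.0.0 16; then
        echo private    # another NAT device (e.g. the 5G unit) sits upstream
    elif [ "$wan" = "$seen" ]; then
        echo public     # the router really holds the public address: forwards work
    else
        echo mismatch   # public-looking but still translated upstream: treat as CGNAT
    fi
}

# Live check: pass the WAN address you read from the router's status page.
# Assumption: api.ipify.org is reachable and echoes the caller's public IPv4.
if [ "${1:-}" = "--check" ] && [ -n "${2:-}" ]; then
    classify_wan "$2" "$(curl -fsS https://api.ipify.org)"
fi
```

Run as `sh cgnat-check.sh --check 100.67.12.3` from a device behind the router. For the situation in the opening post (WAN side 100.x, website shows 200.x) the verdict is `cgnat`; only `public` means a port forward on this router can be reached from the internet.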

Thanks so much for your answer. It looks like I would need to get lucky; otherwise some support chat will likely have me upgrade to business, which is what I'll probably end up doing if they don't fix this for me. It's sad that they even use CGNAT, knowing that I had to ask before I got the service and was told for sure that I wouldn't be behind CGNAT.

What if I use a VPS? Would it still work with the kill switch and all?

Thanks again for your help

This will explain some issues and how to solve them.
The key is the Port Control Protocol on the main router.

I use a VPS to allow me to use a couple of routers working as VPN servers behind 5G home routers that I don't have access to for configuring their port forwarding. This allows me to access these VPN servers on a public static IP address, and use their residential IP addresses while traveling.

To do this, I have the routers on boot start an outer WireGuard tunnel to the VPS, and then have them start a second inner WireGuard service to give me remote access. On the VPS I use iptables to redirect a port to reach the inner WireGuard tunnel. Once everything is set up, I set my travel router to use the VPS IP address with the redirected port, and my traffic magically uses the 5G home routers as my exit point.

The VPS I use has a static public IPv4 address. It does not have to be very powerful. Even a free-tier Oracle VPS works great. It is a bit complicated to set up. The kill switch still works, and all last year I was 9,000+ km from my residential routers.

One thing to note is the 5G routers I'm working with have poor uplink speeds, which is your maximum download speed. It's in the 30 Mbps to 50 Mbps range.

It will work, but the question is: is it worth the extra amount of money?

If the answer is no, go with something like Tailscale, especially for both UDP/TCP support. I used ngrok in the past to expose a limited Jenkins CI webhook and loved it, but that one only supports TCP.

The other thing about self-hosting a VPS is that a lot of responsibility falls on you for securing it against bots cracking your SSH, but also you expose your VPS IP everywhere without a reverse proxy, which makes you vulnerable to DDoS attacks. Securing SSH is not so difficult if you know what you are doing, but having a reverse proxy is a different story.

With something like tailscale that is a non issue.

Sorry, that did not help.

It's a lot of theory based on what can be done when you're behind CGNAT, and some IP literacy; plus it looks like it's in German and there's just a voice assistant that was embedded. Unfortunately it's not working for me.

Thank you for your answer though

Hey Eric, thank you for your answer.

I think I saw you on one of my other posts, you always bring great insights!

Now just to make it simple: I don't want to complicate anything, and I want reliability and stability, and most likely I don't want my IP to be leaked or to take that chance.

I'm just using a Beryl running the latest firmware for both my server and my client.

I usually would open TCP and UDP ports to 51820 on the main router, then create a profile on the server with a passkey and dynamic DNS, then upload the configuration on the client, and boom, you get the green circle and I get 50 megabytes upload and download, which is perfect for me.

This stupid private IP address does not work with port forwarding, and yes I know, because you can only make inbound or outbound or whatever and it's basically a pool of users at the same time and whatever, but all of that doesn't matter to me. All I need to know is: if I buy a VPS like you suggested, will it be doing the port forward for me? And could I still use my basic configuration as I mentioned?

Thanks.

Thank you for outlining the risks of VPS usage.

That's the thing: I do not want to expose my network to any SSH, hackers or whatever.

I've been using a WireGuard server and WireGuard clients on my Beryl with a success rate of 99.99%! It's just smooth. Works great with no interruptions, the kill switch works, I use LAN and deactivate Wi-Fi/Bluetooth; while my location is not exact, it's still around a reasonable radius, and that's what I want to do.

Although I'm going to try hard with my ISP again, could you tell me if using a VPS will help me do the port forwarding that I'm not able to do with that stupid private IP that I'm getting from my ISP?

The simple answer is no, not with GL.iNet's firmware alone. You need to configure a client tunnel on your home router that automatically connects to your VPS at boot, so the VPS can reach your home router's WireGuard server. I have always done this with SSH, as I don't think GL.iNet allows setting this up with their GUI.

I have done this with the 3.x GL.iNet firmware, but I have given up on using GL.iNet firmware for anything other than a basic travel router on 4.x. They've made advanced configuration far too difficult. My VPN servers now run OpenWrt or Ubuntu.

Once things are configured, using it is as simple as your current client config. The only change is that you use the VPS IP address (or DNS name), and not your home IP address. Kill switch and everything else works the same.

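The outer/inner tunnel layout described in the two replies above (a boot-time outer WireGuard tunnel from the home router to the VPS, the normal inner WireGuard server behind it, and an iptables redirect on the VPS), as an added example that is not the poster's configuration or GL.iNet's. Interface names, the two tunnel subnets, the ports and the key placeholders are assumptions; the MASQUERADE rule is my addition so that the home router's replies return through the outer tunnel instead of leaving via its 5G WAN.

```shell
#!/bin/sh
# Added example (not from the thread or GL.iNet): render the three pieces of
# the "outer tunnel to a VPS, inner WireGuard server behind it" layout.
# Everything below is an assumption to be replaced with your own values.
VPS_PUB_IF=eth0          # VPS interface that holds the static public IPv4
VPS_PUB_PORT=51821       # port the travel router dials on the VPS
OUTER_PORT=51820         # outer tunnel listener on the VPS
OUTER_NET=10.90.0.0/24   # outer tunnel subnet: VPS is .1, home router is .2
OUTER_VPS=10.90.0.1
OUTER_HOME=10.90.0.2
INNER_PORT=51820         # the inner (existing) WireGuard server on the home router

render_vps_outer_conf() {
    # /etc/wireguard/wg-outer.conf on the VPS. It is the outer server; the
    # home router dials in from behind CGNAT, so no Endpoint is set here.
    cat <<EOF
[Interface]
Address = $OUTER_VPS/24
ListenPort = $OUTER_PORT
PrivateKey = <vps-outer-private-key>

[Peer]
# home router (outer client)
PublicKey = <home-outer-public-key>
AllowedIPs = $OUTER_HOME/32
EOF
}

render_home_outer_conf() {
    # wg-outer.conf on the home router: started at boot, dials the VPS and
    # keeps the CGNAT mapping alive with PersistentKeepalive. $1 = VPS IP/name.
    cat <<EOF
[Interface]
Address = $OUTER_HOME/24
PrivateKey = <home-outer-private-key>

[Peer]
PublicKey = <vps-outer-public-key>
Endpoint = $1:$OUTER_PORT
AllowedIPs = $OUTER_NET
PersistentKeepalive = 25
EOF
}

render_travel_client_conf() {
    # The travel router's usual client profile; the only change from a direct
    # setup is the Endpoint: VPS address and the redirected port. $1 = VPS IP/name.
    # 10.10.0.0/24 is the assumed inner tunnel subnet.
    cat <<EOF
[Interface]
Address = 10.10.0.2/24
PrivateKey = <travel-private-key>

[Peer]
PublicKey = <home-inner-server-public-key>
Endpoint = $1:$VPS_PUB_PORT
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
EOF
}

vps_forward_rules() {
    # iptables for the VPS. DNAT sends the travel router's UDP packets down the
    # outer tunnel to the inner server. MASQUERADE rewrites their source to the
    # VPS tunnel address so the home router answers into the tunnel (its outer
    # AllowedIPs is only the tunnel subnet, so an untranslated reply would leave
    # via the 5G WAN and never match the travel router's handshake).
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $VPS_PUB_IF -p udp --dport $VPS_PUB_PORT -j DNAT --to-destination $OUTER_HOME:$INNER_PORT
iptables -t nat -A POSTROUTING -o wg-outer -p udp -d $OUTER_HOME --dport $INNER_PORT -j MASQUERADE
iptables -A FORWARD -i $VPS_PUB_IF -o wg-outer -p udp -d $OUTER_HOME --dport $INNER_PORT -j ACCEPT
iptables -A FORWARD -i wg-outer -o $VPS_PUB_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Dry run: print all four pieces. On the VPS, apply the rules with
# `vps_forward_rules | sh` once wg-outer is up.
if [ "${1:-}" = "--show" ]; then
    vps=${2:-vps.example.com}
    render_vps_outer_conf; echo
    render_home_outer_conf "$vps"; echo
    render_travel_client_conf "$vps"; echo
    vps_forward_rules
fi
```

The inner server on the home router is the normal GL.iNet WireGuard server from the original setup; only the outer client and the VPS rules are new. Keep the outer tunnel's AllowedIPs at the tunnel subnet, not 0.0.0.0/0, or the home router's own internet traffic would also be sent through the VPS.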

In theory it should work, as long as the (travel) router is using a WG client inside the GL software.

Because firewalls work like this, to understand things more easily:

If your local network sends packet x to the internet to machine z, machine z is allowed to communicate back on the same line and the firewall will not block anything.

This is the reason why this can work under CGNAT, as long as the WireGuard server is remote and not self-hosted locally.

Anything that was not first initiated by your local network to the internet (unsolicited traffic) will be blocked by the firewall.

In other words, if you took the role of port forwarding and having a local server, then the port forward allowed the unsolicited traffic to your WireGuard server, which is what the CGNAT blocks.

So anything from source (local) to external (WAN) is allowed and creates a handshake/response line.

So having a server externally on a VPS will work; the GL.iNet software needs to be configured as a WireGuard client, and then only the checkbox to allow LAN must be checked so that you can communicate with local devices.

Then, to port forward something, you first need to be sure the server also handles traffic between peers, if that is something that is needed. One issue can be the range of IP addresses set in both the peers section in the config on the server and the config on the client: you have address /32, but one can also use address /24; this can act as broadcast, I think. Normally on the server I would use /32 on the peer address and /24 on the client peer; make sure it auto-routes on the client.

Then a basic firewall rule would be: the source is wgclient, and the destination rewrite is device/empty/0.0.0.0 (if for the router), and else lan. Also you might want to look at advanced settings, because there is a fine distinction between port forwarding and traffic rules which is not met by the GL UI; I requested this a while ago but I guess they don't see a reason for it.

Often you do not need to port forward but to allow traffic between zones: if it is directly to the router it is often a traffic rule, if it is directly to a device it is a port forward, and if it is to a network, a traffic rule.

A port forward rewrites the port to a different device on a network; a traffic rule allows traffic between zones, and also between devices in different zones. On my own WireGuard server, which I run locally, I use traffic rules from there, and the clients have access; it works the same way as the src-external way. You want wgclient src to device and zone; rewriting is not per se needed, so you might use traffic rules.

There is one issue with custom .lan domains: you may want to enter advanced settings on the router of the WireGuard client and go to DHCP settings to remove /lan/; then the annoying DNS probe is possibly gone.
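The three OpenWrt firewall objects this reply distinguishes (zone forwarding, traffic rule, port forward/redirect), written out as `/etc/config/firewall` stanzas for a GL.iNet or OpenWrt router whose tunnel zone is named `wgclient`. This is an added example, not the poster's or GL.iNet's configuration; the zone name, the LAN host 192.168.8.20 and the ports are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or GL.iNet): the three kinds of firewall
# entry the reply separates, as OpenWrt /etc/config/firewall stanzas.
# Assumptions: the WireGuard client interface is in a zone named "wgclient",
# a NAS lives at 192.168.8.20, and the ports shown are illustrative.

render_firewall_stanzas() {
    cat <<'EOF'
# 1. Zone-to-zone forwarding: peers arriving through the tunnel may reach the
#    whole LAN. Nothing is rewritten; this is what "allow traffic between
#    zones" means and is usually all that is needed.
config forwarding
    option src 'wgclient'
    option dest 'lan'

# 2. Traffic rule: traffic aimed at the router itself (no 'dest' option means
#    the router's own input chain), e.g. its SSH port. Still no rewriting.
config rule
    option name 'Allow-SSH-from-tunnel'
    option src 'wgclient'
    option proto 'tcp'
    option dest_port '22'
    option target 'ACCEPT'

# 3. Port forward (redirect, DNAT): a port on the tunnel side rewritten to one
#    specific LAN device. Only needed when the destination must change.
config redirect
    option name 'Forward-8080-to-nas'
    option src 'wgclient'
    option src_dport '8080'
    option dest 'lan'
    option dest_ip '192.168.8.20'
    option dest_port '80'
    option proto 'tcp'
    option target 'DNAT'
EOF
}

# Dry run prints the stanzas; --append writes them to the live config and
# reloads the firewall (run on the router over SSH).
if [ "${1:-}" = "--append" ]; then
    render_firewall_stanzas >> /etc/config/firewall && /etc/init.d/firewall reload
else
    render_firewall_stanzas
fi
```

Prefer the first two forms: a redirect is the only one that changes packets, so if a LAN service is reachable once the `forwarding` stanza exists, no `redirect` is required.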

After a long discussion with Telus, an agent was kind enough to look this up for me, and after consulting with his support they advised him to add an add-on to my account that goes by the name of "APN P2P Gaming" for $5, which I of course accepted.

Although both the router and the signal unit were rebooted, I still have a private IP address, which was frustrating, to be honest.

At this point I am considering Tailscale, and I started configuring it. It looks pretty easy; however, my "use custom node" button is grayed out and I can't activate it. I'm thinking it's a permission issue or something; I tried a couple of things but it didn't work.

I would appreciate it if you guys could help me "ungray" it; I've tried some SSH commands but it still didn't work.

Just so I understand: I don't need an external machine or subscription or whatever, I just need both my routers, to allow all the settings on Tailscale, and to add the devices to my management console, which I've done already, right?

If you could please keep it simple for me, because I'm just traveling and using my smartphone; it's not the best for doing those things, to be honest.

Thanks

Not sure what a custom node is.

I believe you want a normal node, which gives you instructions to install the agent software.

From there, to open a port to the full open internet, not just the tailnet, you need to use Tailscale Funnel; there are however some limitations I found when I tried to set up a Minecraft server. No VPS is needed here.

There is TCP support, but it won't work nicely with raw TCP ports; there is still a TLS counterpart/encryption part which can make packets fail. For Minecraft this was not working, and from checking there is no solution.

Also, TCP ports are limited to 443, 80, 8443 and 10000. There is also ngrok, which works better with TCP, but for a raw TCP port (not just HTTPS) they ask for debit/credit card info; they don't withdraw money, but they do it as a protective measure against abuse. Either way, to me that was not an ideal solution, since data breaches are too common to store such sensitive data.

^ The limitations highly depend on what your hosting intentions are; I just took Minecraft as an example because I was trying this myself, not because of CGNAT but because I don't want my IP exposed.

Thank you for the answer.

What I meant by exit node is: when I'm trying to configure Tailscale it's grayed out, so I understand that I need my IP address to go through that tunnel, which is the exit node. However, it says the change is not allowed, so I'm thinking I need to tweak things a little bit more.

Also, I'm not sure if I need to install Tailscale on my Windows computer, or if it's okay just to go to the admin console in my Google Chrome browser and have things run from there.

Maybe someone else can help here; I only used the Tailscale CLI directly.

Hi

Our devices currently do not support advertising themselves as a Tailscale exit node.

You can refer to the following guide to configure it manually:

Alternatively, you can install a plugin provided by a forum user:


Amazing! There's even a plug-in to avoid a DNS leak! Thanks; sitting down once I'm out of the airport, I will be configuring my Tailscale, then with SSH have my travel router's exit node set up from my home router.

Once the exit node is configured, that's it, right? It will just act as the WireGuard server and clients that I initially wanted to use, right?

Thank you again for your assistance.

Yes, once the router is configured and running as a Tailscale exit node, it will take on a role similar to a WireGuard server.

After that, you just need to run Tailscale on client devices, such as another of our routers, a PC, or a mobile phone, and select it as the exit node to route all traffic back to your home network.

For client-side setup, here is our router configuration guide:

For other client devices, please refer to Tailscale’s official guide:

Thanks @will.qiu

@AhmedFadhil - you'll especially want the plugin for the client/travel router side. The guide method (without the plugin) will leave you leaking both your real IP and DNS for ~8 seconds any time the TS daemon on the router restarts or gets OOM-killed.

Dude!!!

This is the exact solution that I was looking for, and with peace of mind! Kill switch and no IP leaks!

Also, all within both my Beryls' GUI, simplified; although I am comfortable with SSH, still.

Kudos to whoever came up with this magnificent plugin! That literally changes lives!

Thank you again for your help.

Cheers!
