Preliminary research remote working abroad using two travel routers with SKY

Hello

I intend to set up (and you will forgive my ignorance with terminology) a tunnel between France and the UK so my wife can work remotely in France while providing her employer with a UK IP address. I know, I know!

I am proposing to use the set-up shown in the diagram. Proposing because I'm clueless (advice appreciated); so far I have only ordered the Beryl. I'll be doing all the set-up from France if possible, as access to the UK is difficult and my wife (who will be doing the final installation in the UK) is even less literate than I am.

My questions are:

Is there a way to overcome SKY CGNAT if I don't have a real public IP address in the UK (I'm thinking of using Tailscale if that's the case)? Does Tailscale present a UK IP address?

How can I ensure a minimum amount of configuration for my wife when she installs the end node (Beryl) with ethernet cables to the SKY router (fibre white) back in the UK when she next visits?

Am I barking up the wrong tree? Is there a better way?

That’s it for now, plenty more to find out, but if there's no solution, I’ll have to look elsewhere.

If you want to connect a GL router behind a SKY modem in the UK and have it act as a VPN server, you must confirm whether the ISP provides the public IP to the modem or (modem bridged to) the router WAN port.

If you own a public IP, I think you can easily configure it by referring to the following video or docs.

If there is no public IP, you can use AstraWarp, Tailscale, etc. to form a virtual network and use the IP from your home in the UK as the exit node. I think it will be safer and less likely to be detected than public VPN service providers.

I found this post on a Sky forum about T-Map used instead of cgNAT. Does this make it easier to run a VPN server behind a Sky Hub router?

I've been with Sky Broadband for a while, recently re-contracted (on FTTP) and was sent a new Sky Hub Max router (which I didn't need, but I've swapped it over from the old Sky router anyway).

As expected, got a change of WAN IP, so updated my ping monitor over at thinkbroadband and was confused why I wasn't getting any ping responses (100% packet loss). Checked the firewall on the new Sky Hub Max router which has an admin interface that is strangely hybrid - some things you can configure on the router, some things you have to configure via their app or the My Sky website.

In any case, in doing so, I spotted this information about my IPv4 WAN connection:

[Image: Screenshot 2024-06-11 at 07.10.17.webp]

I've never heard of MAP-T (despite working in tech infra), so was curious. From a quick Google, it seems to be an alternative to CGNAT. It seems that the IPv4 address will be shared across a number of different users (CPEs), and traffic is encapsulated into IPv6 traffic (IPv4 + port) before leaving the CPE router and handled entirely as IPv6 across Sky's core, and then only breaking out to IPv4 again (via the shared IPv4 address) at their border relay.

From what I've read, the IPv4 is shared by dividing up a portion of the IPv4 ports across a number of users of that IPv4 address. Which explains why ping to the CPE doesn't work since ICMP has no understanding of TCP ports...

I found this interesting presentation from Sky Italy (in English) which indicates they've been rolling it out over there for a while. I guess this has extended to the UK now.

Interestingly, I can affect the sharing ratio by defining port-forwarding configuration (via MySky) -- if you pick a large range of ports, your sharing ratio reduces (which makes sense). However, even when configuring a DMZ, I still end up on MAP-T albeit with a sharing ratio of 1:1 -- even in that scenario, the IPv4 address isn't really terminated on my router.

MAP-T seems (from my little knowledge of it) to be a better solution than CGNAT since it allows for port-forwarding to be defined by the user, but is a big step away from having a dual-stack WAN-side of the CPE.
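The port sharing described in the quoted Sky forum post can be worked through with the MAP port-set layout from RFC 7597, section 5.1. This is an added example, not part of the thread: the PSID, PSID length and offset values are constructed, and Sky's real parameters are not given on this page.

```python
"""MAP port-set arithmetic (RFC 7597, section 5.1). All parameter values are constructed."""

def _check(psid, psid_len, offset):
    if not (0 <= offset <= 16 and 0 <= psid_len <= 16 - offset):
        raise ValueError("offset + psid_len must fit in 16 bits")
    if not 0 <= psid < (1 << psid_len):
        raise ValueError("PSID does not fit in psid_len bits")

def port_ranges(psid, psid_len, offset=6):
    """Return the contiguous (first, last) port ranges owned by one CPE.

    A 16-bit port is laid out as | A (offset bits) | PSID (psid_len bits) | j |.
    A starts at 1 when offset > 0, so the lowest 2**(16 - offset) ports
    (0-1023 for the RFC default offset of 6) are never assigned to anyone.
    """
    _check(psid, psid_len, offset)
    m = 16 - offset - psid_len            # bits left for the contiguous part j
    first_a = 1 if offset > 0 else 0
    ranges = []
    for a in range(first_a, 1 << offset):
        base = (a << (16 - offset)) | (psid << m)
        ranges.append((base, base + (1 << m) - 1))
    return ranges

def sharing_ratio(psid_len):
    """Number of CPEs that share one IPv4 address."""
    return 1 << psid_len

def port_count(psid, psid_len, offset=6):
    """Total number of ports this CPE may use on the shared address."""
    return sum(last - first + 1 for first, last in port_ranges(psid, psid_len, offset))

def owns_port(port, psid, psid_len, offset=6):
    """True if inbound traffic to `port` on the shared address is routed to this CPE."""
    _check(psid, psid_len, offset)
    m = 16 - offset - psid_len
    if offset > 0 and (port >> (16 - offset)) == 0:
        return False                       # excluded low range
    return ((port >> m) & ((1 << psid_len) - 1)) == psid

if __name__ == "__main__":
    # Constructed CPE: 8-bit PSID 0x34, i.e. one address shared by 256 customers.
    print("sharing ratio 1:%d, %d ports" % (sharing_ratio(8), port_count(0x34, 8)))
    print("first ranges:", port_ranges(0x34, 8)[:3])
    # 51820 is the usual WireGuard port; this CPE does not own it.
    print("owns 51820:", owns_port(51820, 0x34, 8))
    # Constructed 1:1 case (PSID length 0), as in the DMZ scenario above.
    print("1:1 ports:", port_count(0, 0), "owns 51820:", owns_port(51820, 0, 0))
```

A listener is reachable from the internet only on a port for which `owns_port` is true for that CPE, which is why an arbitrary server port fails behind a shared MAP-T address.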

Hello, thank you. Is it possible, using Tailscale to create a VPN, to simply plug an ethernet cable between the Beryl WAN and the SKY hub LAN without having to change any settings on the SKY router? Looks like SKY are using MAP-T where a public IP is shared between local users.

One public IP is shared between local users, so in fact we don't own this public IP, and can't use it to do anything, such as building a VPN server/web server and other services that can be accessed from the public Internet.

You can enable Tailscale on the Beryl and set it to host the exit node.

On other devices (remote), enable Tailscale and select the Beryl as the exit node.
