MODE 1: 2xNAT (CGNAT) - DHCP
CONFIGURATION EXAMPLE:
- Local Adapter IP: 10.45.123.78 (automatically assigned via DHCP)
- Subnet Mask: 255.255.255.0 (typically /24)
- Gateway: 10.45.123.1 (ISP's internal router)
- Public WAN IP: 96.78.88.70 (shared with other customers)
CHARACTERISTICS:
• ISP uses one public IP address for multiple customers simultaneously
• Your traffic goes through TWO NAT layers (your modem + ISP network)
• Cannot host publicly accessible services without ISP cooperation
• Most common configuration for residential cable/fiber internet
• Inbound port forwarding is impossible at the customer level
PRIVATE IP RANGES USED:
Standard RFC 1918 Private Ranges:
- 10.0.0.0/8 (10.0.0.0 - 10.255.255.255)
- 172.16.0.0/12 (172.16.0.0 - 172.31.255.255)
- 192.168.0.0/16 (192.168.0.0 - 192.168.255.255)
RFC 6598 Shared Address Space (CGNAT-specific):
- 100.64.0.0/10 (100.64.0.0 - 100.127.255.255)
UNDERSTANDING RFC 6598 SHARED ADDRESS SPACE (100.64.0.0/10)
WHAT IS RFC 6598?
RFC 6598 defines a special IP address block (100.64.0.0/10) specifically
reserved for Carrier-Grade NAT (CGNAT) deployments. This range was created
because ISPs were running out of private IP space to manage their growing
customer bases behind NAT.
WHY ISPs USE 100.x.x.x INSTEAD OF 10.x.x.x:
• Avoids conflicts with customers' internal networks (many home routers use
  192.168.x.x or 10.x.x.x internally)
• Provides a dedicated 4 million+ address space for ISP infrastructure
• Clearly identifies carrier-side NAT addresses vs customer-side private IPs
• Allows ISPs to scale CGNAT without IP conflicts
IDENTIFYING RFC 6598 CGNAT:
If your adapter shows an IP like:
- 100.64.5.123
- 100.100.200.45
- 100.127.255.254
You are definitely behind CGNAT. This is NOT a private network range that
customers can use - it's exclusively for ISP carrier-grade NAT infrastructure.
CGNAT MULTI-EXIT POINT PROBLEM
THE ISSUE:
When ISPs deploy CGNAT using the 100.64.0.0/10 range, they often use
multiple carrier exit points (also called NAT gateways or CGN devices)
distributed across their network infrastructure. This creates a serious
problem for stateful protocols like VPNs.
HOW IT WORKS:
1. Your device gets assigned 100.64.45.123 (CGNAT internal IP)
2. You initiate a VPN connection to vpn.company.com
• First packet exits through ISP Gateway A (public IP: 203.0.113.50)
• VPN server sees connection from 203.0.113.50
• VPN handshake begins
3. Your next packet takes a different path through the ISP network
• Second packet exits through ISP Gateway B (public IP: 203.0.113.88)
• VPN server sees NEW connection from 203.0.113.88
• VPN server thinks this is a different client or an attack
4. VPN connection fails or constantly drops
WHY MULTIPLE EXIT POINTS EXIST:
• Load balancing across multiple CGN devices
• Geographic distribution of NAT infrastructure
• Redundancy and failover capabilities
• Traffic engineering and optimization
• Different exit points for different destination networks
SYMPTOMS OF MULTI-EXIT CGNAT:
• VPN connections establish but immediately disconnect
• Frequent "Session expired" or "Connection reset" errors
• VPN works for 30-60 seconds then dies repeatedly
• Some destinations work while others fail inconsistently
• Running "curl ifconfig.me" multiple times shows different IPs
• Gaming servers kick you for "connection instability"
TECHNICAL DETAILS:
VPN protocols maintain state based on source IP + source port. When your
packets exit through different NAT gateways with different public IPs, the
VPN server sees what appears to be completely different clients trying to
use the same session keys or connection IDs, which triggers security
protections and drops the connection.
Common affected protocols:
• IPsec VPN (IKEv2, L2TP/IPsec)
• OpenVPN (UDP mode more affected than TCP)
• VoIP/SIP calls
• Online gaming with UDP protocols
WORKAROUNDS (LIMITED):
• Use VPN over TCP instead of UDP (less efficient but more stable)
• Enable VPN keepalives with short intervals (5-10 seconds)
• Use protocols designed for NAT traversal (WireGuard handles this better)
• Contact ISP and request business-grade service without CGNAT
• Use a VPS as a "bounce box" with persistent tunnel to bypass CGNAT
• Cellular backup connection (often has stable CGNAT or no CGNAT)
PERMANENT SOLUTIONS:
• Request static IP allocation from ISP (see Mode 3 below)
• Use ISP bridge mode if available (see Mode 2 below)
TESTING SOLUTIONS:
• See the "TESTING FOR CGNAT MULTI-EXIT ISSUES" section below for how to test
MODE 2: BRIDGED MODE - DHCP
CONFIGURATION EXAMPLE:
- Local Adapter IP: 96.78.88.65 (automatically assigned via DHCP)
- Subnet Mask: 255.255.255.0 (/24 - typical for ISP DHCP pools)
- Gateway: 96.78.88.1 (ISP's gateway, usually .1 or .254)
- Public WAN IP: 96.78.88.65 (matches your local IP exactly)
CHARACTERISTICS:
• Modem acts as transparent bridge - no NAT layer at all
• Your device gets a genuine public IP directly from ISP's DHCP server
• Can host services (web server, game server, etc.)
• IP address may change when DHCP lease expires (usually 24-72 hours)
• Single public IP assigned dynamically to your connection
• Local adapter IP and public IP are identical
• Ability to create Port Forwards through firewall/gateway to hosts on the LAN
ADVANTAGES OVER CGNAT:
• VPN connections work reliably
• Gaming/VoIP has lower latency
• Services on the LAN can be accessed via port forwards
• No double-NAT performance penalty
DISADVANTAGES:
• IP changes periodically (can use dynamic DNS services)
MODE 3: ROUTED MODE - STATIC BLOCK
CONFIGURATION EXAMPLE (Manual):
- Static IP Address: 96.78.88.65 (you choose from assigned range)
- Subnet Mask: 255.255.255.248 (/29 = 6 usable IPs)
- Gateway: 96.78.88.70 (ISP's router)
- DNS Servers: 8.8.8.8, 1.1.1.1 (your choice or ISP provided)
- Public WAN IP: 96.78.88.65 (matches your configured IP)
SUBNET BREAKDOWN EXAMPLE (/29 BLOCK):
- Network Address: 96.78.88.64 (not usable - identifies network)
- Usable Range: 96.78.88.65-70 (6 addresses total)
- Gateway: 96.78.88.70 (ISP router - typically last usable)
- Your Static IPs: 96.78.88.65-69 (5 IPs you can assign to devices)
- Broadcast: 96.78.88.71 (not usable - broadcast address)
CHARACTERISTICS:
• No NAT whatsoever - direct public internet connectivity
• IP addresses never change (persistent configuration)
• Can host publicly accessible services reliably
• Requires manual network configuration (static IP setup)
• Common for business connections or advanced residential users
• Multiple public IPs available for different devices/services
• Best for running multiple servers, mail servers, DNS servers, etc.
TYPICAL STATIC BLOCK SIZES:
- /29 = 6 usable IPs (most common small business allocation)
- /28 = 14 usable IPs
- /27 = 30 usable IPs
- /26 = 62 usable IPs
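The /29 breakdown above, worked with Python's standard ipaddress module as an added example (not part of the original guide); it also generalises to the other block sizes listed. The guide's assumption that the ISP router sits on the last usable address is kept as a parameter.

```python
# Added example (not from the original guide): reproduce the /29 breakdown
# with the standard ipaddress module and generalise it to any prefix length.
import ipaddress


def describe_block(cidr: str, gateway_last: bool = True) -> dict:
    """Split a static block into network, usable hosts, gateway and broadcast.

    gateway_last=True mirrors the guide's example (ISP router on the last
    usable address); pass False if your ISP puts its router on the first.
    """
    net = ipaddress.ip_network(cidr, strict=False)  # strict=False accepts a host address
    hosts = list(net.hosts())                       # excludes network and broadcast
    gateway = hosts[-1] if gateway_last else hosts[0]
    yours = [h for h in hosts if h != gateway]      # what you can put on your devices
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "usable": (str(hosts[0]), str(hosts[-1])),
        "usable_count": len(hosts),
        "gateway": str(gateway),
        "assignable": [str(h) for h in yours],
        "broadcast": str(net.broadcast_address),
    }


def usable_hosts(prefix_len: int) -> int:
    """Usable IPv4 hosts in a /n block: 2^(32-n) minus network and broadcast."""
    return 2 ** (32 - prefix_len) - 2


if __name__ == "__main__":
    for key, value in describe_block("96.78.88.65/29").items():
        print(f"{key:>13}: {value}")
    for n in (29, 28, 27, 26):
        print(f"/{n} = {usable_hosts(n)} usable IPs")
```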
QUICK IDENTIFICATION GUIDE
STEP 1: CHECK YOUR LOCAL ADAPTER IP:
Linux/Mac:
- ip addr show (Linux) or ifconfig (Mac)
Windows:
- ipconfig
STEP 2: IDENTIFY YOUR MODE:
If your IP is:
- 10.0.0.0 - 10.255.255.255 -> 2xNAT/CGNAT (RFC 1918)
- 172.16.0.0 - 172.31.255.255 -> 2xNAT/CGNAT (RFC 1918)
- 192.168.0.0 - 192.168.255.255 -> 2xNAT/CGNAT (RFC 1918)
- 100.64.0.0 - 100.127.255.255 -> 2xNAT/CGNAT (RFC 6598 - CGNAT specific)
- Any other IP -> Bridged or Routed Mode
STEP 3: CHECK PUBLIC IP
Visit in browser:
- https://ifconfig.me
- https://ipchicken.com
Or in terminal:
- curl ifconfig.me
- curl ipinfo.io/ip
- dig +short myip.opendns.com @resolver1.opendns.com
QUICK LOCAL AND PUBLIC IP CHECK (Windows PowerShell):
One-liner command:
- "Local IPs:"; (ipconfig | Select-String "IPv4").Line -replace '.*:\s+',''; "`nPublic IP:"; curl.exe -s icanhazip.com
(Use curl.exe explicitly: in Windows PowerShell, plain curl is an alias for Invoke-WebRequest, which prints a response object rather than the bare address.)
Add permanent shortcut to your PowerShell profile:
1. Open profile: notepad $PROFILE
2. Add this function:
function myips {
    "Local IPs:"
    # Keep only the address from each "IPv4 Address . . . : x.x.x.x" line
    (ipconfig | Select-String "IPv4").Line -replace '.*:\s+',''
    "`nPublic IP:"
    # curl.exe, not the curl alias (Invoke-WebRequest), so only the bare address is printed
    curl.exe -s icanhazip.com
}
3. Save and restart PowerShell (or run: . $PROFILE)
4. Usage: Enter "myips" in any PowerShell session
Note: If $PROFILE doesn't exist, create it first with:
- New-Item -Path $PROFILE -ItemType File -Force
STEP 4: COMPARE LOCAL AND PUBLIC
If local IP matches public IP:
- Bridged or Routed Mode (Modes 2 or 3)
If local IP is private or shared (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, or 100.64.0.0/10) but public IP is different:
- 2xNAT/CGNAT (Mode 1)
STEP 5: DETERMINE BRIDGED VS ROUTED
Check your network configuration:
- If using DHCP (automatic): Bridged Mode (Mode 2)
- If configured manually/static: Routed Mode (Mode 3)
Windows: Look at "DHCP Enabled: Yes" in ipconfig /all output
Linux: Check /etc/network/interfaces or NetworkManager settings
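Steps 1 through 5 encoded as one function, as an added example that is not from the original guide: give it the local adapter address, the public address from one of the lookups above, and whether the adapter uses DHCP. Read the physical adapter's address, since overlay-VPN clients commonly put a 100.64.0.0/10 address on their own virtual interface.

```python
# Added example (not from the original guide): the Quick Identification Guide
# as a function. Inputs come from ipconfig / ip addr and a public-IP lookup.
import ipaddress

# RFC 1918 private ranges and RFC 6598 shared address space, as listed in the guide
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RFC6598 = ipaddress.ip_network("100.64.0.0/10")


def address_origin(ip: str) -> str:
    """Step 2: which reserved block does the local address fall in, if any?"""
    addr = ipaddress.ip_address(ip)
    if addr in RFC6598:
        return "RFC 6598 (CGNAT shared address space)"
    if any(addr in net for net in RFC1918):
        return "RFC 1918 private"
    return "public"


def classify_mode(local_ip: str, public_ip: str, dhcp: bool) -> str:
    """Steps 2, 4 and 5: decide which of the guide's three modes applies.

    local_ip must be the physical adapter's address; some overlay-VPN clients
    also use 100.64.0.0/10 on their virtual adapter and would mislead this check.
    """
    origin = address_origin(local_ip)
    if origin != "public":
        # Step 4: reserved local address, different public address
        return f"Mode 1: 2xNAT/CGNAT ({origin})"
    if local_ip != public_ip:
        # Not covered by the guide's table: a non-reserved local address that
        # still differs from the WAN address means some NAT layer is present.
        return "NAT present: local address is not reserved but differs from public IP"
    # Step 5: local equals public, so DHCP vs static separates bridged from routed
    return "Mode 2: Bridged (DHCP)" if dhcp else "Mode 3: Routed (static block)"


if __name__ == "__main__":
    # Constructed inputs matching the guide's three configuration examples
    print(classify_mode("10.45.123.78", "96.78.88.70", dhcp=True))
    print(classify_mode("96.78.88.65", "96.78.88.65", dhcp=True))
    print(classify_mode("96.78.88.65", "96.78.88.65", dhcp=False))
```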
TESTING FOR CGNAT MULTI-EXIT ISSUES
Run this test to detect if you have unstable multi-exit CGNAT:
Bash (Linux/Mac):
for i in {1..10}; do
    echo "Check $i: $(curl -s ifconfig.me/ip)"
    sleep 5
done
PowerShell (Windows):
1..10 | ForEach-Object {
    # curl.exe, not the curl alias: Invoke-WebRequest has no -s switch
    "Check $_ : $(curl.exe -s ifconfig.me/ip)"
    Start-Sleep -Seconds 5
}
INTERPRETING RESULTS:
All 10 IPs are the same (Good - Stable connection):
- Check 1 : 187.190.4.181
- Check 2 : 187.190.4.181
- Check 3 : 187.190.4.181
Single exit point CGNAT or stable public IP (VPNs should work well)
Multiple different IPs (Bad - Unstable connection):
- Check 1 : 203.0.113.50
- Check 2 : 203.0.113.88
- Check 3 : 203.0.113.50
- Check 4 : 203.0.113.102
Multi-exit CGNAT (VPNs will be problematic)
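The same 10-probe test in Python, as an added example that is not part of the original guide; the probe is a parameter so the verdict logic can be exercised against constructed results, and the live probe queries ifconfig.me/ip exactly as the shell loops above do.

```python
# Added example (not from the original guide): multi-exit CGNAT detection with
# an injectable probe. Live use queries https://ifconfig.me/ip as the guide does.
import time
import urllib.request
from collections import Counter


def probe_ifconfig_me(timeout: float = 10.0) -> str:
    """One live check, equivalent to `curl -s ifconfig.me/ip`."""
    with urllib.request.urlopen("https://ifconfig.me/ip", timeout=timeout) as resp:
        return resp.read().decode().strip()


def collect_exits(probe=probe_ifconfig_me, checks: int = 10, delay: float = 5.0) -> list:
    """Run the probe `checks` times, `delay` seconds apart; return every observed IP."""
    seen = []
    for i in range(1, checks + 1):
        ip = probe()
        seen.append(ip)
        print(f"Check {i} : {ip}")
        if i < checks:
            time.sleep(delay)
    return seen


def interpret(seen: list) -> dict:
    """Apply the guide's rule: one exit IP is stable, several means multi-exit CGNAT."""
    counts = Counter(seen)
    multi = len(counts) > 1
    return {
        "distinct_exits": len(counts),
        "most_common": counts.most_common(1)[0][0] if counts else None,
        "multi_exit": multi,
        "verdict": ("Multi-exit CGNAT (VPNs will be problematic)" if multi else
                    "Single exit point CGNAT or stable public IP (VPNs should work well)"),
    }


if __name__ == "__main__":
    print(interpret(collect_exits()))
```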
SUMMARY COMPARISON
┌──────────────────────────┬───────────────┬────────────────┬────────────────┐
│ Feature                  │ Mode 1: CGNAT │ Mode 2: Bridge │ Mode 3: Static │
├──────────────────────────┼───────────────┼────────────────┼────────────────┤
│ NAT Layers               │ 2 (Double)    │ 0 (None)       │ 0 (None)       │
│ Public IP Assignment     │ Shared        │ Dynamic        │ Static         │
│ Can Host Services        │ No            │ Yes            │ Yes            │
│ Port Forwarding Possible │ No            │ Yes            │ Yes            │
│ IP Changes               │ N/A           │ Yes (periodic) │ Never          │
│ VPN Reliability          │ Poor-Fair     │ Good           │ Excellent      │
│ Configuration Complexity │ Automatic     │ Automatic      │ Manual         │
│ Typical Use Case         │ Residential   │ Residential+   │ Business       │
│ Monthly Cost             │ Lowest        │ Low-Medium     │ Highest        │
│ Multiple Public IPs      │ No            │ No             │ Yes            │
└──────────────────────────┴───────────────┴────────────────┴────────────────┘
COMMON CLIENT ISSUES BY MODE:
Mode 1 (CGNAT) Problems:
• VPN randomly disconnects - Test for multi-exit CGNAT
• Cannot access client remotely - No inbound port forwarding possible
• Security camera remote viewing fails - No inbound port forwarding possible
• VoIP quality issues - Inconsistent NAT traversal
Mode 2 (Bridged) Problems:
QUICK DIAGNOSTIC COMMANDS:
Windows:
- ipconfig /all # Check local IP and DHCP status
- tracert 8.8.8.8 # Trace route to verify gateway
- nslookup google.com # Test DNS resolution
Linux:
- ip addr show # Check IP configuration
- ip route # Verify routing table
- traceroute 8.8.8.8 # Trace route to internet
- dig @8.8.8.8 google.com # Test DNS
Test for NAT/CGNAT:
- curl ifconfig.me/ip # Get public IP
Compare the result with your local adapter IP. If they differ, a NAT layer is present.