Life Behind the Firewall Curtain?
beegle asks: "After a recent move, I discovered that my only broadband option is a cable company that puts all of its customers behind a NAT box. That means that my ISP gives me a 'private' 10.x.x.x address instead of a routable IP address. I'd like to connect to my machines remotely and use software that depends on a real address (P2P, games, etc.). The ISP doesn't prohibit this, but they're not willing to help, either. I've considered setting up a VPN to a friend's network, but that seems terribly inefficient. What hardware or software would you recommend for those of us who are stuck with 'fake' IP addresses?"
Well, if you want them to be able to connect to you, you're gonna need a routable IP. Period.
:-/
Your choices then are VPN (pptp, etc) or pseudo VPN (ssh, et al.)
Unless you know someone on the same ISP, who has a RealIP(tm), who can DNAT to you, you'd be pretty much hosed.
That's basically it. I don't see how hardware is going to help you much. There are a number of VPN services that specialize in hotspot users mainly, but it should work for you.
After a couple hacking incidents and virus outbreaks, my school decided to impose a firewall on everyone which put a stop to gaming with anyone off campus. Anyway, those of us lucky enough to have a cable modem or DSL at home just set up proxies on those boxes and used SocksCap to make programs using Winsock transparently go through and use the proxy instead of trying to get to the net from the firewall.
Sounds like it'd be a good solution for you to do something similar.
Game performance took a hit though, because of all the extra hops that added.
Post what ISP it is, so everybody knows not to ever go with them.
I'd probably go the VPN route, to one of my dedicated servers at ev1servers.net, but I'd want to move first...
I hear its nice in Vancouver....
Now all I need is a job in Vancouver...
I know that you've discounted the VPN option, but it could work for you...
I pay for a dedicated server at a cheap host ($29.95/month... there is a catch though...) and IP addresses are cheap there too. You can set up a PPP-based VPN that basically lets you act like one of the spare IP addresses that you have assigned. (I use an ssh-ppp tunnel myself, and it works great for that.)
There are cheaper VPS hosting options out there that you could get a spare IP at and VPN through that to get your web connection too... I'm sure you could find a $5/month cheap-o place and set it up, no one would care, it's not like you will be using a terabyte or so per month of bandwidth anytime soon (and if you are, that's your problem to solve).
Nice advantages of this approach: one server can be used by multiple people, you have a computer with shell access online, you have a web/mail server and my favourite - VNC desktops that you can use from anywhere! (I never close my apps, my copy of Thunderbird has an uptime that rivals most systems, and the latest VNC viewer is really rather feature rich for low bandwidth usage...)
Anyway...
Enjoy!
On Arrakis: early worm gets the bird. Magister mundi sum!
Unless they have a separate NAT server that translates a unique IP to each 10.x.x.x they give each customer, you're going to find quite a few things seriously difficult.
Most apps including some P2P and games should be OK. But you can forget running a server. You can't even ask your ISP to open certain ports to you (incoming I mean) because then they'll be taking that option away from other customers. Like if they redirect port 21 to you, that means all other customers wouldn't be able to ask for port 21. I just don't see that working.
But, as long as you aren't running a server, most modern apps and games work fine behind a nat.
Except for MSN Messenger of course, what a piece of garbage. Chat works out, but you can forget about voice / video and file xfers.
Love,
ZAq
Just switch providers. Your problem is one that is becoming rampant in the ISP industry - we no longer have Internet Service Providers, we now have Web Service Providers, and anyone who doesn't fit into the "browse the web and check email" niche doesn't fit with your ISP.
RandomAndInteresting.com - defending the world from stupidity since 1979
You can tunnel IP6 over IP4. Once you have that set up, you can have a static IP6 address on the real IP6 Internet. Now all you have to do is find a game server to talk to you at your IP6 address. Good luck.
No weapon in the arsenals of the world is so formidable as the will and moral courage of free men.-Ronald Reagan
one of these.
Bug the ISP. Call them often and either ask for a real IP address, or ask them how to get your favorite programs to work.
Oh yeah, and tell us who your ISP is, so we know to avoid them.
Are you sure the NAT is to protect the customers, or are they being cheap by not shelling out for enough IP space?
This is an option in the kernel, I have no idea how or if it works
Buttsex.
You can use it to google for other ISPs that have less annoying policies. I'm quite happy with speakeasy's policies, for example, if you're in a city they support. I agree that VPNing out is inefficient, although if you can't change providers it may be your only option. :'(
So you are saying that this guy should call up the ISP and ask them to configure their Linksys router to forward all traffic on a certain port to his IP address and not allow any other customer to have traffic on that port?
That's great if his ISP will set it up for him, but what happens to the -next- guy who wants to use those same ports? If they are forwarding to Joe#1, Joe#2 can not have those ports.
It is more productive to voice thoughtful opinions (reply) than to judge (moderate) others.
My linksys router allows you to re-map externally visible ports to services running on the internal systems.
Is this flamebait, or did you just not read the post? The NAT is taking place at the ISP level, it's not self-imposed by a store-bought router. And, while the poster did not explicitly state it, it was pretty much implied that he does not have control over his ISP's networking equipment at their office(s).
This has nothing to do with the ISP. I have multiple machines inside the router on a private network. For example, I tell the router to map port 22 to 10.0.0.y on the inside. Then I tell the router to redirect port 23 on the outside to port 22 on 10.0.0.y.
Yes.
Ask them to give you a non-standard port, such as 1357 (I made it up, don't know if it goes to anything.) If they will set up port forwarding to your port 80, you can use a DNS provider, like EverDns.net (I believe), to do the translation for you, telling clients to connect on that port.
What are we going to do tonight Brain?
I'm behind a NAT box and games work fine. Some games may have special requirements but modern NAT boxes tend to understand the protocols (I'm pretty sure games like Quake3 will work no matter what).
P2P is going to be somewhat of a problem. But only for people trying to connect to you. Some of the modern P2P protocols can work around it (by way of you initiating the outgoing connection). Other than that all the P2P stuff I have used worked (although I'm not a big P2P user).
All in all, NAT isn't that bad and most of the time I don't even notice it's there. It's my NAT box though, so it's a little different. However, I haven't done any special configuration other than allowing the occasional VNC/SSH connection to internal machines.
The ratio of people to cake is too big
Read the original post a bit more carefully. ALL the subscribers' IP addresses are private, nonroutable addresses. It isn't even an issue of having a router at home.
I got a cheap DSL connection, and declined the offer of a static IP ($15/month). When I checked my IP address, I was 192.168.2.79. GREAT, non-routable, right?
WELL! it turns out the DSL Modem had a NAT router built in, and when i was able to configure it, i was able to get a REAL IP address. Of course it changes every few hours, but any Dynamic DNS server can help you there.
Try to point your browser at your "Gateway" and see if it is yours or if it is shared amongst everyone in your neighborhood. The ISPs like to default people to a "Browse Only" environment, but often real internet is only a few keystrokes away.
move.
Get a friend to let you be constantly SSH'd into his box - you can use that to set up tunneling so that certain ports are forwarded back. Or, heck, even tunnel it through IRC if he's a Windows user, and doesn't want to set up SSH - just have him install an IRC server.
I wrote up a short article on how I got past dual one-way NAT connections. It does require a 3rd party that is reachable by both machines.
http://www.linuxlogin.com/linux/admin/sshtunnels.php
Works great for me. I have my home box run a cronjob and ssh into the public box. It checks every 5 mins and reconnects if needed. Using ssh-keys and ssh-agent it is able to auto-login to the remote host. Then just a quick ssh port forward and everything is up and going. On my remote systems I can then ssh into my home box by doing ssh -p 2222 localhost and it is forwarded right to my home machine. You could of course forward more than one port.
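The cron-driven reverse tunnel described in the post above (and the ssh-based tunnel the dedicated-server poster mentions earlier), written out as an added example; this is not the poster's script and not from the linked article. Names are placeholders: the public host public.example.net, an account "tunnel" there, and a key at ~/.ssh/tunnel_key that a cron job can use without a passphrase.

```shell
#!/bin/sh
# Added example for this thread, not the poster's own script: keep a reverse
# SSH tunnel from a NATed home box to a public host alive from cron, so that
# on the public host `ssh -p 2222 localhost` lands on the home machine's sshd.
# Assumptions (placeholders, not from the thread): host public.example.net,
# account "tunnel", a passphrase-less key at ~/.ssh/tunnel_key used by a
# cron job, and a pidfile under $HOME.

PUBLIC_HOST=${PUBLIC_HOST:-public.example.net}
PUBLIC_USER=${PUBLIC_USER:-tunnel}
REMOTE_PORT=${REMOTE_PORT:-2222}       # listens on the public host's loopback only
LOCAL_PORT=${LOCAL_PORT:-22}           # home sshd
KEY=${KEY:-$HOME/.ssh/tunnel_key}
PIDFILE=${PIDFILE:-$HOME/.rtunnel.pid} # not /tmp: a world-writable dir invites pid spoofing

# tunnel_args: the ssh arguments, one per word (none of the values contain spaces).
#   -N                    no remote command, just forwarding
#   BatchMode             never prompt (cron has no tty); fail instead
#   ExitOnForwardFailure  die if 2222 is already taken, so cron retries later
#   ServerAlive*          notice a dead NAT mapping within ~90 s and exit, so cron restarts us
#   -R 127.0.0.1:...      bind to loopback on the public host; with GatewayPorts yes
#                         a bare -R 2222:... would expose home sshd to the whole Internet
tunnel_args() {
    printf '%s ' -i "$KEY" -N -o BatchMode=yes -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
        -R "127.0.0.1:$REMOTE_PORT:localhost:$LOCAL_PORT" \
        "$PUBLIC_USER@$PUBLIC_HOST"
}

# tunnel_alive: true if the pid recorded in $PIDFILE still exists.
tunnel_alive() {
    [ -r "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null
}

# ensure_tunnel: start the tunnel unless one is already running.
ensure_tunnel() {
    if tunnel_alive; then
        echo "tunnel up (pid $(cat "$PIDFILE"))"
        return 0
    fi
    # shellcheck disable=SC2046 -- intentional word splitting of tunnel_args
    ssh $(tunnel_args) &
    pid=$!
    echo "$pid" > "$PIDFILE"
    echo "tunnel started (pid $pid)"
}

case "${1:-}" in
    ensure) ensure_tunnel ;;
    show)   echo "ssh $(tunnel_args)" ;;
esac
```

Run it from the home box's crontab as `*/5 * * * * $HOME/bin/rtunnel.sh ensure`. On the public host, limit what that key can do by prefixing its authorized_keys line with `restrict,port-forwarding` (an OpenSSH option, not something the thread mentions): the key can then open the forward but gets no shell, no PTY and no agent or X11 forwarding, which matters because the key file sits unencrypted on a machine that is, by the poster's own description, reachable from the Internet through this tunnel.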
I found myself in this exact situation once a while back. And when I'd call the ISP I'd usually be on the phone with "tech support" people who didn't even know what an IP was. After a lot of frustration from not having a real IP, I later discovered that I actually _did_ but it was behind a 1:1 ratio NAT built into the ISP's modem device. I went to http://www.whatismyip.com to discover the public IP that my destinations _thought_ I had, tried to connect to it from an off-site host, and it worked. Maybe you've already tried this, but if you haven't it might be worth a shot.
http://publicvoidlife.blogspot.com
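The check the post above describes, as an added example that is not from any post in the thread: classify the address on your own interface and compare it with the address the outside world sees. The question's 10.x.x.x case is RFC 1918 space; 100.64.0.0/10 (RFC 6598) is the range later reserved specifically for this kind of ISP-side NAT, so it is included too. The live lookup assumes iproute2's `ip` and the OpenDNS myip.opendns.com resolver; the classification functions run offline.

```shell
#!/bin/sh
# Added example, not from any post in the thread: work out which kind of
# address your interface actually holds before arguing with tech support.
# RFC 1918 space (10/8, 172.16/12, 192.168/16) is what the question
# describes; 100.64.0.0/10 (RFC 6598) is the range reserved for exactly this
# ISP-side "carrier-grade" NAT. Assumptions: POSIX sh, iproute2's `ip`, and
# OpenDNS's myip.opendns.com lookup for the outside view.

# ip_class ADDR -> prints rfc1918 | cgnat | loopback | public (dotted-quad input)
ip_class() {
    addr=$1
    o1=${addr%%.*}
    rest=${addr#*.}
    o2=${rest%%.*}
    case "$o1" in
        10)  echo rfc1918 ;;
        127) echo loopback ;;
        172) if [ "$o2" -ge 16 ] && [ "$o2" -le 31 ]; then echo rfc1918; else echo public; fi ;;
        192) if [ "$o2" -eq 168 ]; then echo rfc1918; else echo public; fi ;;
        100) if [ "$o2" -ge 64 ] && [ "$o2" -le 127 ]; then echo cgnat; else echo public; fi ;;
        *)   echo public ;;
    esac
}

# nat_situation LOCAL_ADDR OUTSIDE_ADDR -> prints a verdict
#   no-nat               the interface holds the routable address itself
#   behind-nat:<class>   private/CGN address locally, something else outside;
#                        whether that NAT is 1:1 (ports reachable) or shared
#                        can only be learned by connecting from off-site
#   public-local-differs public address locally but outside sees another one
nat_situation() {
    local_class=$(ip_class "$1")
    if [ "$1" = "$2" ]; then
        echo no-nat
    elif [ "$local_class" = rfc1918 ] || [ "$local_class" = cgnat ]; then
        echo "behind-nat:$local_class"
    elif [ "$local_class" = public ]; then
        echo public-local-differs
    else
        echo unknown
    fi
}

# live_check: source address of the default route vs. the outside view.
live_check() {
    local_addr=$(ip -4 route get 1.1.1.1 | sed -n 's/.*src \([0-9.]*\).*/\1/p')
    outside_addr=$(dig +short myip.opendns.com @resolver1.opendns.com)
    echo "local=$local_addr outside=$outside_addr verdict=$(nat_situation "$local_addr" "$outside_addr")"
}

case "${1:-}" in
    live) live_check ;;
esac
```

Run `sh natcheck.sh live` on the home box. A `behind-nat:rfc1918` verdict with a 192.168.x.x local address and a gateway you can log into is the DSL poster's situation (your own modem is doing the NAT); the same verdict with a 10.x.x.x address and a gateway you cannot administer is the question's situation. In either case the decisive test is the one the post describes: try to reach the outside address from a host off your network, because the script cannot tell a 1:1 NAT from a shared one.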
What's the state of the art of Microsoft connectivity from behind a NAT router?
Time was, NT domain controllers couldn't talk to each other if at least one of them was behind a NAT, and I think that was true for at least the early versions of Active Directory.
Nowadays, can you get remote domain controllers [respectively - Active Directory controllers] to talk to each under something like the following?
If not OpenSSL, then insert your favorite encryption protocol. Oh, and the same question for Microsoft clients: What can you do for e.g.
so that the entire sequence is encrypted, and the client can, e.g. download and upload files? Thanks!
Yes, thank you for the tutorial, but we all understand the concept of NAT and routing. Except you. You just bought a router, followed the instructions, and somehow believe yourself to have become an expert.
Sure, he could go buy a Linksys router himself, but the $50 for it is a lot of money for something he'd really only use to beat you over the head with.
Suck it up, drop back to 53K and learn to use Lynx, pine and trn. The time is approaching when the Intarweb is going to be useless for us slashdotters anyway, so you can be cutting edge by going CLI.
I want to delete my account but Slashdot doesn't allow it.
Consider upgrading to the commercial service, rather than the residential. Chances are that the commercial service already includes a routable IP, and even if not, it wouldn't be an uncommon thing for a business to need a routable IP, so they would already have a process in place to provide you with one.
Assuming the ISP won't help you out with a real IP, I'd recommend using OpenVPN. Fairly straightforward to install and configure. And it's supported on all the major OSes with the same config files on each.
Also probably inefficient as hell, but I've used SSH's port-redirection capabilities to remotely access machines that are behind a firewall. I haven't tried any big file transfers, but I can't imagine it would be too bad.
As far as your VPN (or SSH or whatever you end up using) concerns: unless you're doing a vpn between two old, slow computers, I can't imagine the processing overhead would be more than a blip compared to the relative smallness of a broadband pipe; especially if the 'host' you use is reasonably well-connected.
...it was pretty much implied that he does not have control over his ISP's networking equipment at their office(s).
;-)
True, but he was asking us about specific hardware purchases to help his situation. I recommend the purchase of a set of lock-picks and a map to the premises where the router is located
The alternative is a firewall. Which might make more sense to you, but it's a less reliable solution, and one that creates problems of its own.
Take solace in the fact that this is slashdot, and those who modded you down probably don't know what NAT means, and are just flexing their mod-muscles in the face of someone who knows better. I agree with you - some ISPs don't want the liability and extra work open IPs cause. I think the stance the company is taking is perfectly understandable. Again, being slashdot, if a company acts in a way that doesn't benefit the /. community in a rapid fashion, there must be something wrong with it, and it should be condemned to the deepest levels of hell, even though it's a sound business idea that might actually be doing a lot of people good.
these mods suck ass.
Although you shouldn't be modded as flamebait, the complaint about the firewall is valid, as is the desire to have a warning. I think most people *on /.* would like to avoid ISP's like this. The parent didn't say they were evil, just that he'd like to avoid them
There is a reason for everything. Sometimes that reason just sucks.
When somebody titles their post "what the fuck?" I think a certain amount of moral outrage is implied. In any case, somebody who's buying a high-tech service (such as internet access) and wants to seek or avoid specific features (such as use of private network spaces) needs to do their own research, not rely on second-hand info.
If they're going to be in the INTERNET SERVICE provider business, they need to provide INTERNET SERVICE. Internet service means they carry IPv4 packets from you to anywhere you want on the internet and back again. *All* of them. If they aren't doing that then they aren't really providing internet service.
This was my thought as well.
Many cable companies don't care what you have for a cable modem. Go get a new one at BestBuy if theirs is closed and see if it works. You might need to register its ID with the cable company. I'm not sure if it's a MAC address or not, if it is MAC spoofing might be easier.
You can then setup port forwarding for the services you wish to use.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Linksys DSL modem/routers should have support for DynDNS. Use it, since you probably won't drop a lease during a game, and only need to know the new one during a setup, and IIRC, the router can notify you of the new one when it switches.
In common sense. What do you think "internet service" means? carrying just some of your internet traffic? Would that not be partial internet service?
By your logic, a "grocery store" should stock every grocery there is. Come to think of it, that'd be great. Then I wouldn't have to hunt around for those obscure cookies I like and nobody else does. Of course, it'd be hard on the grocers, since they'd have to stock a lot of stuff they'd never sell. But that's their problem, right?
A grocery store? That analogy made no sense whatsoever. That is not my logic at all. Carrying every conceivable grocery isn't implied in the term "grocery store"
"internet service" provider means you carry internet traffic for your customers. P2P traffic is internet traffic just as much as web traffic. If ISPs don't want to carry it they need to stop saying they supply internet service and tell their customers what it really is - partial internet service. They don't carry all internet traffic, just some of it.
Would you not be upset if I sold you a car and then after the deal you found out it didn't come with a transmission?
I could argue with you point by point, but why should I bother? You're insisting on words that have meanings that suit your arguments. Not a productive discussion.
Yes - exactly. Or more specifically, carrying every kind of internet packet is implied by "internet service". I don't expect an ISP to carry IPX/SPX frames to my friend's house to play an old video game. Just internet (IPv4) packets.
Imagine signing up for local phone service. Just plain old local phone service. You try to call some 1-800 tech support number, but you hear a message saying "sorry, we don't allow tech support calls. people tend to stay on those calls longer which uses up too much bandwidth". Or calling your friend 5 doors down and hear a message saying "sorry, the person you are calling is a suspected child pornographer. We don't allow calls to him.".
The difference between the grocery store and phone or internet service is there are practical physical limits on what a grocery store can carry. It is unreasonable to expect them to carry every kind of grocery that exists. The limitations on some internet service and my hypothetical local phone service are arbitrary, pointless and underhanded.
A lot of broadband ISPs filter traffic to services running on the customer's end, the argument being that servers use more bandwidth. Is it necessarily true that servers use more bandwidth than anything else you could do? No, of course not. The real reason is just to have a reason to charge you more for "higher grade" service. I bet they will do something similar if IPv6 ever becomes popular. It is written in RFCs that customers of ISPs, or end users, are supposed to get a