Slashdot Mirror
Life Behind the Firewall Curtain?
beegle asks: "After a recent move, I discovered that my only broadband option is a cable company that puts all of its customers behind a NAT box. That means that my ISP gives me a 'private' 10.x.x.x address instead of a routable IP address. I'd like to connect to my machines remotely and use software that depends on a real address (P2P, games, etc.). The ISP doesn't prohibit this, but they're not willing to help, either. I've considered setting up a VPN to a friend's network, but that seems terribly inefficient. What hardware or software would you recommend for those of us who are stuck with 'fake' IP addresses?"
Well, if you want them to be able to connect to you, you're gonna need a routable IP. Period.
:-/
Your choices then are VPN (pptp, etc) or pseudo VPN (ssh, et al.)
Unless you know someone on the same ISP, who has a RealIP(tm), who can dnat to you, you'd be pretty much hosed
-- (appended to the end of comments you post, 120 chars)
I know that you've discounted the VPN option, but it could work for you...
I pay for a dedicated server at a cheap host($29.95/month... there is a catch thou..) and ip address's are cheap there too. You can setup a ppp based vpn that basically lets you act like one of the spare ip address's that you have assigned. (I use a ssh-ppp tunnel myself, and it works great for that.)
There are cheaper VPS hosting optins out there that you could get a spare IP at and vpn throu that to get your web connection too... I'm sure you could find a $5/month cheap-O pleace and set it up, no one would care, it's not like you will be using a terabyte or so per month bandwidth anytime soon(and if you are, that's your problem to solve).
Nice advantages of this approach: one server can be used by multiple people, you have a computer with shell access online, you have a web/mail server and my favourite - VNC desktops that you can use from anywhere!(I never close my apps, my copy of thunderbird has an uptime that rivals most systems, and the latest VNC viewer is really rather feature ritch for low bandwidth usage...)
Anyway...
Enjoy!
On Arrakis: early worm gets the bird. Magister mundi sum!
Bug the ISP. Call them often and either ask for a real IP address, or ask them how to get your favorite programs to work.
Oh yeah, and tell us who you're ISP is, so we know to avoid them.
Are you sure the NAT is to protect the customers, or are they being cheap by not shelling out for enough IP space?
Did you even read the first sentence of his post?
That's great if his ISP will set it up for him, but what happens to the -next- guy who wants to use those same ports? If they are forwarding to Joe#1, Joe#2 can not have those ports.
It is more productive to voice thoughtful opinions (reply) than to judge (moderate) others.
It isn't going to help the original poster with INBOUND connections though, which is obviously his primary concern. For that it seems like VPN/SSH will be necessary... I doubt it's fast enough going all the way out to your friend's cable modem and then back out to the real internet, but it's worth a shot. Otherwise one of the paid VPN providers mentioned in other posts is probably the best option.
I got a cheap DSL connection, and declined the offer of a static IP ($15/month). When i checked my IP address, i was 192.168.2.79. GREAT, non routable, right?
WELL! it turns out the DSL Modem had a NAT router built in, and when i was able to configure it, i was able to get a REAL IP address. Of course it changes every few hours, but any Dynamic DNS server can help you there.
Try to point your browser at your "Gateway" and see if it is yours or if it is shared amongst everyone in your neighborhood. The ISPs like to default people to a "Browse Only" environment, but often real internet is only a few keystrokes away.
I wrote up a short artical on how I got past dual one-way NAT connections. It does require a 3rd party that is reachable by both machines.
p hp
http://www.linuxlogin.com/linux/admin/sshtunnels.
Works great for me. I have my home box run a cronjob and ssh into public box. It checks every 5 mins and reconnects if needed. Using ssh-keys and ssh-agent it is able to auto-login to the remote host. Then just a quick ssh port forward and everything is up and going. On my remote systems I can then ssh into my home box by doing ssh -p 2222 localhost and it is forwarded right to my home machine. You could of course forward more then one port.
I found myself in this exact situation once a while back. And when I'd call the ISP I'd usually be on the phone with "tech support" people who didn't even know what an IP was. After a lot of frusteration from not having a real IP, I later discovered that I actually _did_ but it was behind a 1:1 ratio NAT built into the ISP's modem device. I went to http://www.whatismyip.com to discover the public IP that my destinations _thought_ I had, tried to connect to it from an off-site host, and it worked. Maybe you've already tried this, but if you haven't it might be worth a shot.
http://publicvoidlife.blogspot.com
No - a friend of mine living in Houston, Texas told me his cable company did the same thing.
That's exactly what I did when I went looking for a house in the Seattle, WA area. When we narrowed down our choices to a few houses, we had our agent approach the seller's agent asking for permission to check if DSL service was available to that current number. In this area it is normal for sellers to be present when buyers view a house (though I find this somewhat awkward both as a buyer and as a seller and when selling do the prospective buyers and their agent the curtesy of leaving for 20-30 minutes). So, it is easy to ask, "Do you have DSL?" If they say "yes", we then put immediate DSL availability as a contingency in our offer. If they say no, we ask permission to use their current phone number to find out. We have never been refused, though we make it very clear that's the only reason we want the number, and are willing to produce a written statement on the spot to that effect. In fact, you don't need the whole phone number -- just enough to identify the CO: the NPA-NXX (area code and first three digits of the number), though most on-line lookup apps insist on all seven digits of the number.
Now, just because the current owners have DSL or can get DSL does not mean you can: sometimes more than one CO serves a particular residential area (at least in some parts of Canada -- not sure anout the U.S. and they do occasionally run out of lines. Still, it is encouraging.
Finally, though the telco droid generally won't tell you where DSL is available (generally because they just have a phone number to availability mapping application), you can find out what COs serve which areas with a bit of Googling. You can then find out which COs have deployed DSL. It used to be the case that you then had to know which ISPs had DSLAMs colocated in the CO's. DSL Reports is a good place to look for more information on this. These days, the telco generally rolls out DSL access and can backhaul to any ISP that offers DSL -- the difference relates to who owns the DSLAMs: the telco or ISP. If the telco owns the DSLAM you pay them separately from the ISP, unless the telco has subcontracted DSL package sales to that ISP (but this is usually for an "Intarweb" style service -- no static IP and no inbound connections permitted -- often what the telco offers directly when it acts as the ISP. It's the difference between a $30/month and an $80/month service. You generally have to contact the telco about "advanced data services" which are completely different from "Residential DSL" (this being Verizon-speak, for example).
If you do contact the telco's data service department, you'll often get far more friendly and useful information: which CO's are provisioned, etc. -- generally enough to get your ISP of choice to handle their end of things. Verizon was actually helpful here, in my case (though getting the link hot was delayed twice for a total of a two week extra wait over the 5 days initially promissed). (Setting up the particular long distance plans was another story: getting dinged $0.70/minute instead of $0.07/minute for calls to Soviet Canuckistan (Canada) was not fun).
What I have found is this: it appears that if you're willing to spend $40-$45 a month just for the DSLAM port and backhaul to your ISP, as opposed to the telco's resold $19.95 or $29.95 Intarweb DSL service, they seam much more interested in being helpful. The biggest headache I encountered in knowing which department I needed to contact within Verizon: local, long-distance, Intarweb DSL, and Advanced Data Services appear to be so separate from each other and uncoordinated. It took a while to find out, for example, that I should be speaking to the "Advanced Data Services" department instead of the "DSL saled droid" (who didn't even know of the Advanced Data Services department). In fact, it
You could've hired me.