Life Behind the Firewall Curtain?
beegle asks: "After a recent move, I discovered that my only broadband option is a cable company that puts all of its customers behind a NAT box. That means that my ISP gives me a 'private' 10.x.x.x address instead of a routable IP address. I'd like to connect to my machines remotely and use software that depends on a real address (P2P, games, etc.). The ISP doesn't prohibit this, but they're not willing to help, either. I've considered setting up a VPN to a friend's network, but that seems terribly inefficient. What hardware or software would you recommend for those of us who are stuck with 'fake' IP addresses?"
Well, if you want them to be able to connect to you, you're gonna need a routable IP. Period.
:-/
Your choices then are VPN (pptp, etc) or pseudo VPN (ssh, et al.)
Unless you know someone on the same ISP who has a RealIP(tm) and can DNAT to you, you'd be pretty much hosed.
After a couple of hacking incidents and virus outbreaks, my school decided to impose a firewall on everyone, which put a stop to gaming with anyone off campus. Anyway, those of us lucky enough to have a cable modem or DSL at home just set up proxies on those boxes and used SocksCap to make programs using winsock transparently go through and use the proxy instead of trying to get to the net through the firewall.
Sounds like it'd be a good solution for you to do something similar.
Game performance took a hit though, because of all the extra hops that added.
Post what ISP it is, so everybody knows not to ever go with them.
I'd probably go the VPN route, to one of my dedicated servers at ev1servers.net, but I'd want to move first...
I hear it's nice in Vancouver....
Now all I need is a job in Vancouver...
I know that you've discounted the VPN option, but it could work for you...
I pay for a dedicated server at a cheap host ($29.95/month... there is a catch though..) and IP addresses are cheap there too. You can set up a PPP-based VPN that basically lets you act like one of the spare IP addresses that you have assigned. (I use an ssh-ppp tunnel myself, and it works great for that.)
There are cheaper VPS hosting options out there that you could get a spare IP at and VPN through that to get your web connection too... I'm sure you could find a $5/month cheap-O place and set it up, no one would care, it's not like you will be using a terabyte or so per month of bandwidth anytime soon (and if you are, that's your problem to solve).
Nice advantages of this approach: one server can be used by multiple people, you have a computer with shell access online, you have a web/mail server and my favourite - VNC desktops that you can use from anywhere! (I never close my apps, my copy of Thunderbird has an uptime that rivals most systems, and the latest VNC viewer is really rather feature rich for low bandwidth usage...)
Anyway...
Enjoy!
On Arrakis: early worm gets the bird. Magister mundi sum!
You can tunnel IP6 over IP4. Once you have that set up, you can have a static IP6 address on the real IP6 Internet. Now all you have to do is find a game server to talk to you at your IP6 address. Good luck.
No weapon in the arsenals of the world is so formidable as the will and moral courage of free men.-Ronald Reagan
one of these.
Bug the ISP. Call them often and either ask for a real IP address, or ask them how to get your favorite programs to work.
Oh yeah, and tell us who your ISP is, so we know to avoid them.
Are you sure the NAT is to protect the customers, or are they being cheap by not shelling out for enough IP space?
Did you even read the first sentence of his post?
This is an option in the kernel; I have no idea how or if it works.
Buttsex.
That's great if his ISP will set it up for him, but what happens to the -next- guy who wants to use those same ports? If they are forwarding to Joe#1, Joe#2 can not have those ports.
It is more productive to voice thoughtful opinions (reply) than to judge (moderate) others.
Yes.
Ask them to give you a non-standard port, such as 1357 (I made it up, don't know if it goes to anything). If they will set up port forwarding to your port 80, you can use a DNS provider, like EverDns.net (I believe), to do the translation for you, telling clients to connect on that port.
What are we going to do tonight Brain?
I'm behind a NAT box and games work fine. Some games may have special requirements but modern NAT boxes tend to understand the protocols (I'm pretty sure games like Quake3 will work no matter what).
P2P is going to be somewhat of a problem. But only for people trying to connect to you. Some of the modern P2P protocols can work around it (by way of you initiating the outgoing connection). Other than that all the P2P stuff I have used worked (although I'm not a big P2P user).
All in all, NAT isn't that bad and most of the time I don't even notice it's there. It's my NAT box though, so it's a little different. However, I haven't done any special configuration other than allowing the occasional VNC/SSH connection to internal machines.
The ratio of people to cake is too big
Read the original post a bit more carefully. ALL the subscribers' IP addresses are private, nonroutable addresses. It isn't even an issue of having a router at home.
Just switch providers.
It's implied from the post (which I suggest you actually read) that such a course of action would require moving again. While not impossible, the circumstances surrounding one's residence (local employment, affordability, etc.) are a lot to weigh against having a public IP.
Unless you're suggesting that the poster go with dial-up, though that's not much of an option either...
http://publicvoidlife.blogspot.com
I got a cheap DSL connection, and declined the offer of a static IP ($15/month). When I checked my IP address, I was 192.168.2.79. GREAT, non-routable, right?
WELL! It turns out the DSL modem had a NAT router built in, and when I was able to configure it, I was able to get a REAL IP address. Of course it changes every few hours, but any dynamic DNS service can help you there.
Try to point your browser at your "Gateway" and see if it is yours or if it is shared amongst everyone in your neighborhood. The ISPs like to default people to a "Browse Only" environment, but often real internet is only a few keystrokes away.
Get a friend to let you be constantly SSH'd into his box - you can use that to set up tunneling to that certain ports are forwarded back. Or, heck, even tunnel it through IRC if he's a windows user, and doesn't want to set up SSH - just have him install an IRC server.
I wrote up a short article on how I got past dual one-way NAT connections. It does require a 3rd party that is reachable by both machines.
http://www.linuxlogin.com/linux/admin/sshtunnels.php
Works great for me. I have my home box run a cronjob and ssh into the public box. It checks every 5 mins and reconnects if needed. Using ssh keys and ssh-agent it is able to auto-login to the remote host. Then just a quick ssh port forward and everything is up and going. On my remote systems I can then ssh into my home box by doing ssh -p 2222 localhost and it is forwarded right to my home machine. You could of course forward more than one port.
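The cron-driven reverse tunnel this post describes, written out as an added example (it is not the poster's own script). Host, user and ports are placeholders, and like the post it assumes a key already loaded in ssh-agent on the home box:

```shell
#!/bin/sh
# Added example, not part of the post: a "check every 5 minutes, reconnect
# if needed" reverse SSH tunnel. The home box (behind the ISP's NAT) dials
# out to a public host and asks sshd there to listen on 2222 and relay it
# back to home port 22, so on the public host "ssh -p 2222 localhost"
# reaches the home machine. Host, user and ports are placeholders;
# override them through the environment.

PUBLIC_HOST="${PUBLIC_HOST:-public.example.net}"   # placeholder, not a real host
PUBLIC_USER="${PUBLIC_USER:-tunnel}"               # unprivileged account there
REMOTE_PORT="${REMOTE_PORT:-2222}"                 # listener on the public host
LOCAL_PORT="${LOCAL_PORT:-22}"                     # home sshd
LOG="${LOG:-/tmp/reverse-tunnel.log}"

# Build the exact ssh invocation as a string so it can be inspected.
#   -N                    no remote shell; the session exists only for -R
#   BatchMode=yes         never prompt; auth must come from ssh-agent/keys
#   ExitOnForwardFailure  if 2222 is already taken on the public box, exit
#                         (cron retries later) instead of sitting there
#                         with no forward and looking "up"
#   ServerAlive*          notice a dead link within ~60 s; otherwise a stale
#                         NAT mapping leaves ssh hanging ESTABLISHED forever
# With sshd's default GatewayPorts=no, 2222 binds to the public host's
# loopback only, so just users with a shell there can reach the home sshd.
tunnel_cmd() {
    printf 'ssh -N -o BatchMode=yes -o ExitOnForwardFailure=yes -o ServerAliveInterval=20 -o ServerAliveCountMax=3 -R %s:localhost:%s %s@%s' \
        "$REMOTE_PORT" "$LOCAL_PORT" "$PUBLIC_USER" "$PUBLIC_HOST"
}

# True if a tunnel with our exact -R spec is already running; an unrelated
# interactive ssh session does not count.
tunnel_running() {
    pgrep -f "ssh -N .* -R ${REMOTE_PORT}:localhost:${LOCAL_PORT} " >/dev/null 2>&1
}

# Start the tunnel in the background if it is not up. Meant for cron:
#   */5 * * * * /path/to/reverse-tunnel.sh run
ensure_tunnel() {
    if tunnel_running; then
        echo "$(date) tunnel already up" >>"$LOG"
        return 0
    fi
    echo "$(date) starting: $(tunnel_cmd)" >>"$LOG"
    nohup sh -c "$(tunnel_cmd)" >>"$LOG" 2>&1 &
}

# Only act when invoked with "run", so sourcing the file just defines functions.
if [ "${1:-}" = "run" ]; then
    ensure_tunnel
fi
```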
I found myself in this exact situation once a while back. And when I'd call the ISP I'd usually be on the phone with "tech support" people who didn't even know what an IP was. After a lot of frustration from not having a real IP, I later discovered that I actually _did_ but it was behind a 1:1 ratio NAT built into the ISP's modem device. I went to http://www.whatismyip.com to discover the public IP that my destinations _thought_ I had, tried to connect to it from an off-site host, and it worked. Maybe you've already tried this, but if you haven't it might be worth a shot.
I would suggest, though, that people who are moving scope out the ISP and broadband provider scene before they settle on a place. At least try to live somewhere where you can choose between cable (ugh!) and DSL (there are some good providers out there, even if the access lines from the "telco" (cough, customer non-service, cough) might be expensive).
This is especially important if you are buying a home, and found the perfect one, but broadband availability sucks: "$20k off the offer for the house being in the unfashionable part of the internet".
You could've hired me.
What's the state of the art of Microsoft connectivity from behind a NAT router?
Time was, NT domain controllers couldn't talk to each other if at least one of them was behind a NAT, and I think that was true for at least the early versions of Active Directory.
Nowadays, can you get remote domain controllers [respectively - Active Directory controllers] to talk to each other under something like the following?
If not OpenSSL, then insert your favorite encryption protocol. Oh, and the same question for Microsoft clients: What can you do for e.g.
so that the entire sequence is encrypted, and the client can, e.g. download and upload files? Thanks!
Mmm. +5 insightful. A lot of mods didn't bother to read the first sentence, either.
"In the end they will lay their freedom at our feet and say to us, 'Make us your slaves, but feed us.'" -Dostoevsky
Yes, thank you for the tutorial, but we all understand the concept of NAT and routing. Except you. You just bought a router, followed the instructions, and somehow believe yourself to have become an expert.
Sure, he could go buy a Linksys router himself, but the $50 for it is a lot of money for something he'd really only use to beat you over the head with.
Consider upgrading to the commercial service, rather than the residential. Chances are that the commercial service already includes a routable IP, and even if not, it wouldn't be an uncommon thing for a business to need a routable IP, so they would already have a process in place to provide you with one.
Assuming the ISP won't help you out with a real IP, I'd recommend using OpenVPN. Fairly straightforward to install and configure. And it's supported on all the major OS's with the same config files on each.
Also probably inefficient as hell, but I've used SSH's port-redirection capabilities to remotely access machines that are behind a firewall. I haven't tried any big file transfers, but I can't imagine it would be too bad.
As far as your VPN (or SSH or whatever you end up using) concerns: unless you're doing a vpn between two old, slow computers, I can't imagine the processing overhead would be more than a blip compared to the relative smallness of a broadband pipe; especially if the 'host' you use is reasonably well-connected.
...it was pretty much implied that he does not have control over his ISP's networking equipment at their office(s).
;-)
True, but he was asking us about specific hardware purchases to help his situation. I recommend the purchase of a set of lock-picks and a map to the premises where the router is located.
Have you ever heard of stateful packet inspection?
That's common sense, man--you won't last long here posting stuff like that :).
One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
'Course, I could blow all that karma in one fell swoop, and have been known to write vitriolic rants against my former home country (I have, at least temporarily, escaped) of Soviet Canuckistan (which elicit an amusing war of mods between insightful, informative, and flamebait), but somehow I manage to balance political views with technical information.
Then again, if knowledge of who my present employer is were to leak (I have not updated my online resume in a while), Slashdotters might be far less charitable with me.
Point taken :). But whenever I try to blow karma, I usually fail. Though it probably helps that "Funny" mods don't count, but the down-mods do.
Although you shouldn't be modded as flamebait, the complaint about the firewall is valid, as is the desire to have a warning. I think most people *on /.* would like to avoid ISPs like this. The parent didn't say they were evil, just that he'd like to avoid them.
There is a reason for everything. Sometimes that reason just sucks.
I tried this in 1998. I was moving to a city where PacBell had announced 3 months prior they would roll out DSL, along with all the standard "3 miles away" stuff. I wanted to know roughly where the service areas were, so that as we looked at rentals, one additional consideration would be availability of broadband. So, call customer service.
Drone: "Thank you for being a victim of our local monopoly, how can I help you?"
Me: "I'm interested in getting DSL, but I don't live in [XXXXX] yet. I'd like to know general areas so that as I look at a rental, I can know that I'll be able to get DSL there."
Drone: "Well, if you give me your phone number, I can check."
Me: "That's just it. I haven't moved yet, and so there is no phone number."
Drone: "But I can check if you give me your phone number."
Me: "Did you hear me? There is no phone number. I haven't moved yet. I would like to know what areas are close enough to the C.O. to get DSL so I can move into one of those."
Drone: "I can't give you that information; it's confidential. If you give me your phone number, I can check for DSL."
Me: "Never mind."
In the end, we picked the best place, and it turned out that we could get DSL about 1 year later. When we were looking at houses to buy last year, I asked the agent to give me the current resident's phone number so I could check for DSL. It was available, and we made an offer.
My long-winded point is that it isn't always easy to find out if you can get broadband until after you've signed the lease and tried to get the connection. And by then it's too late.
-paul
Pistol caliber is like religion: everyone has their favourite, and theirs is the only right choice.
When somebody titles their post "what the fuck?" I think a certain amount of moral outrage is implied. In any case, somebody who's buying a high-tech service (such as internet access) and wants to seek or avoid specific features (such as use of private network spaces) needs to do their own research, not rely on second-hand info.
If they're going to be in the INTERNET SERVICE provider business, they need to provide INTERNET SERVICE. Internet service means they carry IPv4 packets from you to anywhere you want on the internet and back again. *All* of them. If they aren't doing that then they aren't really providing internet service.
This was my thought as well.
Many cable companies don't care what you have for a cable modem. Go get a new one at BestBuy if theirs is closed and see if it works. You might need to register its ID with the cable company. I'm not sure if it's a MAC address or not, if it is MAC spoofing might be easier.
You can then setup port forwarding for the services you wish to use.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
In common sense. What do you think "internet service" means? carrying just some of your internet traffic? Would that not be partial internet service?
That's exactly what I did when I went looking for a house in the Seattle, WA area. When we narrowed down our choices to a few houses, we had our agent approach the seller's agent asking for permission to check if DSL service was available to that current number. In this area it is normal for sellers to be present when buyers view a house (though I find this somewhat awkward both as a buyer and as a seller and when selling do the prospective buyers and their agent the courtesy of leaving for 20-30 minutes). So, it is easy to ask, "Do you have DSL?" If they say "yes", we then put immediate DSL availability as a contingency in our offer. If they say no, we ask permission to use their current phone number to find out. We have never been refused, though we make it very clear that's the only reason we want the number, and are willing to produce a written statement on the spot to that effect. In fact, you don't need the whole phone number -- just enough to identify the CO: the NPA-NXX (area code and first three digits of the number), though most on-line lookup apps insist on all seven digits of the number.
Now, just because the current owners have DSL or can get DSL does not mean you can: sometimes more than one CO serves a particular residential area (at least in some parts of Canada -- not sure about the U.S.) and they do occasionally run out of lines. Still, it is encouraging.
Finally, though the telco droid generally won't tell you where DSL is available (generally because they just have a phone number to availability mapping application), you can find out what COs serve which areas with a bit of Googling. You can then find out which COs have deployed DSL. It used to be the case that you then had to know which ISPs had DSLAMs colocated in the COs. DSL Reports is a good place to look for more information on this. These days, the telco generally rolls out DSL access and can backhaul to any ISP that offers DSL -- the difference relates to who owns the DSLAMs: the telco or ISP. If the telco owns the DSLAM you pay them separately from the ISP, unless the telco has subcontracted DSL package sales to that ISP (but this is usually for an "Intarweb" style service -- no static IP and no inbound connections permitted -- often what the telco offers directly when it acts as the ISP). It's the difference between a $30/month and an $80/month service. You generally have to contact the telco about "advanced data services" which are completely different from "Residential DSL" (this being Verizon-speak, for example).
If you do contact the telco's data service department, you'll often get far more friendly and useful information: which COs are provisioned, etc. -- generally enough to get your ISP of choice to handle their end of things. Verizon was actually helpful here, in my case (though getting the link hot was delayed twice for a total of a two week extra wait over the 5 days initially promised). (Setting up the particular long distance plans was another story: getting dinged $0.70/minute instead of $0.07/minute for calls to Soviet Canuckistan (Canada) was not fun.)
What I have found is this: it appears that if you're willing to spend $40-$45 a month just for the DSLAM port and backhaul to your ISP, as opposed to the telco's resold $19.95 or $29.95 Intarweb DSL service, they seem much more interested in being helpful. The biggest headache I encountered was in knowing which department I needed to contact within Verizon: local, long-distance, Intarweb DSL, and Advanced Data Services appear to be so separate from each other and uncoordinated. It took a while to find out, for example, that I should be speaking to the "Advanced Data Services" department instead of the "DSL sales droid" (who didn't even know of the Advanced Data Services department). In fact, it
By your logic, a "grocery store" should stock every grocery there is. Come to think of it, that'd be great. Then I wouldn't have to hunt around for those obscure cookies I like and nobody else does. Of course, it'd be hard on the grocers, since they'd have to stock a lot of stuff they'd never sell. But that's their problem, right?
A grocery store? That analogy made no sense whatsoever. That is not my logic at all. Carrying every conceivable grocery isn't implied in the term "grocery store"
"Internet service" provider means you carry internet traffic for your customers. P2P traffic is internet traffic just as much as web traffic. If ISPs don't want to carry it they need to stop saying they supply internet service and tell their customers what it really is - partial internet service. They don't carry all internet traffic, just some of it.
Would you not be upset if I sold you a car and then after the deal you found out it didn't come with a transmission?
I could argue you with you point by point, but why should I bother? You're insisting on words that have meanings that suit your arguments. Not a productive discussion.
Yes - exactly. Or more specifically, carrying every kind of internet packet is implied by "internet service". I don't expect an ISP to carry IPX/SPX frames to my friend's house to play an old video game. Just internet (IPv4) packets.
Imagine signing up for local phone service. Just plain old local phone service. You try to call some 1-800 tech support number, but you hear a message saying "sorry, we don't allow tech support calls. people tend to stay on those calls longer which uses up too much bandwidth". Or calling your friend 5 doors down and hear a message saying "sorry, the person you are calling is a suspected child pornographer. We don't allow calls to him.".
The difference between the grocery store and phone or internet service is there are practical physical limits on what a grocery store can carry. It is unreasonable to expect them to carry every kind of grocery that exists. The limitations on some internet service and my hypothetical local phone service are arbitrary, pointless and underhanded.
A lot of broadband ISPs filter traffic to services running on the customer's end, the argument being that servers use more bandwidth. Is it necessarily true that servers use more bandwidth than anything else you could do? No, of course not. The real reason is just to have a reason to charge you more for "higher grade" service. I bet they will do something similar if IPv6 ever becomes popular. It is written in RFCs that customers of ISPs, or end users, are supposed to get a
Yes. That's what NATs do.
I mean it will restrict port 80 as an open server to others if he asks to run a webserver. Stateful packet inspection doesn't apply in that case, and it isn't fair to the other users.
No it won't affect websurfing.