Slashdot Mirror


Life Behind the Firewall Curtain?

beegle asks: "After a recent move, I discovered that my only broadband option is a cable company that puts all of its customers behind a NAT box. That means that my ISP gives me a 'private' 10.x.x.x address instead of a routable IP address. I'd like to connect to my machines remotely and use software that depends on a real address (P2P, games, etc.). The ISP doesn't prohibit this, but they're not willing to help, either. I've considered setting up a VPN to a friend's network, but that seems terribly inefficient. What hardware or software would you recommend for those of us who are stuck with 'fake' IP addresses?"

21 of 91 comments

  1. VPN or bust by Fubar420 · · Score: 5, Informative

    Well, if you want them to be able to connect to you, you're gonna need a routable IP. Period.

    Your choices then are VPN (pptp, etc) or pseudo VPN (ssh, et al.)

    Unless you know someone on the same ISP, who has a RealIP(tm), who can dnat to you, you'd be pretty much hosed :-/

  2. Proxy Out by kevinmf · · Score: 5, Interesting

    After a couple of hacking incidents and virus outbreaks, my school decided to impose a firewall on everyone, which put a stop to gaming with anyone off campus. Anyway, those of us lucky enough to have a cable modem or DSL at home just set up proxies on those boxes and used SocksCap to make programs using winsock transparently go through and use the proxy instead of trying to get to the net from the firewall.

    Sounds like it'd be a good solution for you to do something similar.

    Game performance took a hit though, because of all the extra hops that added.

    1. Re:Proxy Out by aberson · · Score: 3, Informative
      Another option is htthost and httport. A little more complicated to set up than SocksCap, but especially good if you only want to use your proxy connection for some apps, but not all, and also if you just want everything to look like (encrypted) HTTP traffic (like if you're at work).

      It isn't going to help the original poster with INBOUND connections though, which is obviously his primary concern. For that it seems like VPN/SSH will be necessary... I doubt it's fast enough going all the way out to your friend's cable modem and then back out to the real internet, but it's worth a shot. Otherwise one of the paid VPN providers mentioned in other posts is probably the best option.

  3. What the fuck? by Vokbain · · Score: 5, Insightful

    Post what ISP it is, so everybody knows not to ever go with them.

    1. Re:What the fuck? by exhilaration · · Score: 2, Informative

      No - a friend of mine living in Houston, Texas told me his cable company did the same thing.

  4. I know you've discounted it... by dJCL · · Score: 4, Informative

    I know that you've discounted the VPN option, but it could work for you...

    I pay for a dedicated server at a cheap host ($29.95/month... there is a catch though..) and IP addresses are cheap there too. You can set up a ppp based VPN that basically lets you act like one of the spare IP addresses that you have assigned. (I use an ssh-ppp tunnel myself, and it works great for that.)

    There are cheaper VPS hosting options out there that you could get a spare IP at and VPN through that to get your web connection too... I'm sure you could find a $5/month cheap-O place and set it up, no one would care, it's not like you will be using a terabyte or so per month of bandwidth anytime soon (and if you are, that's your problem to solve).

    Nice advantages of this approach: one server can be used by multiple people, you have a computer with shell access online, you have a web/mail server and my favourite - VNC desktops that you can use from anywhere! (I never close my apps, my copy of thunderbird has an uptime that rivals most systems, and the latest VNC viewer is really rather feature rich for low bandwidth usage...)

    Anyway...
    Enjoy!

    --
    On Arrakis: early worm gets the bird. Magister mundi sum!

  5. Go with IP6 by MarsDefenseMinister · · Score: 2, Insightful

    You can tunnel IP6 over IP4. Once you have that set up, you can have a static IP6 address on the real IP6 Internet. Now all you have to do is find a game server to talk to you at your IP6 address. Good luck.

    --
    No weapon in the arsenals of the world is so formidable as the will and moral courage of free men. -Ronald Reagan

  6. Bug the ISP by JohnGalt00 · · Score: 5, Informative

    Bug the ISP. Call them often and either ask for a real IP address, or ask them how to get your favorite programs to work.

    Oh yeah, and tell us who your ISP is, so we know to avoid them.

    Are you sure the NAT is to protect the customers, or are they being cheap by not shelling out for enough IP space?

  7. Re:Hardware? by jpmkm · · Score: 4, Informative

    Did you even read the first sentence of his post?

  8. If they will give you a port by QuantumRiff · · Score: 2, Interesting

    Ask them to give you a non-standard port, such as 1357 (I made it up, don't know if it goes to anything.) If they will set up port forwarding to your port 80, you can use a DNS provider, like EverDns.net (I believe) to do the translation for you, telling clients to connect on that port.

    --

    What are we going to do tonight Brain?

    1. Re:If they will give you a port by Omega1045 · · Score: 2, Interesting

      He means that the ISP would take one of their public IP addresses and redirect all traffic on a port to his private IP on a port. You can do this in IPFW, IPCHAINS and on my D-LINK router. Haven't used iptables yet... I REALLY doubt that the ISP will do this.

      --

      Great ideas often receive violent opposition from mediocre minds. - Albert Einstein

  9. Depends on what kind of NAT by Cthefuture · · Score: 2, Insightful

    I'm behind a NAT box and games work fine. Some games may have special requirements but modern NAT boxes tend to understand the protocols (I'm pretty sure games like Quake3 will work no matter what).

    P2P is going to be somewhat of a problem. But only for people trying to connect to you. Some of the modern P2P protocols can work around it (by way of you initiating the outgoing connection). Other than that all the P2P stuff I have used worked (although I'm not a big P2P user).

    All in all, NAT isn't that bad and most of the time I don't even notice it's there. It's my NAT box though, so it's a little different. However, I haven't done any special configuration other than allowing the occasional VNC/SSH connection to internal machines.

    --
    The ratio of people to cake is too big

  10. Same thing happened (I thought) by Anonymous Coward · · Score: 5, Informative

    I got a cheap DSL connection, and declined the offer of a static IP ($15/month). When I checked my IP address, I was 192.168.2.79. GREAT, non routable, right?

    WELL! It turns out the DSL modem had a NAT router built in, and when I was able to configure it, I was able to get a REAL IP address. Of course it changes every few hours, but any Dynamic DNS server can help you there.

    Try to point your browser at your "Gateway" and see if it is yours or if it is shared amongst everyone in your neighborhood. The ISPs like to default people to a "Browse Only" environment, but often real internet is only a few keystrokes away.

  11. SSH tunneling by magefile · · Score: 2, Interesting

    Get a friend to let you be constantly SSH'd into his box - you can use that to set up tunneling so that certain ports are forwarded back. Or, heck, even tunnel it through IRC if he's a Windows user, and doesn't want to set up SSH - just have him install an IRC server.

  12. SSH Tunnel(s)? by linuxkrn · · Score: 4, Informative

    I wrote up a short article on how I got past dual one-way NAT connections. It does require a 3rd party that is reachable by both machines.

    http://www.linuxlogin.com/linux/admin/sshtunnels.php

    Works great for me. I have my home box run a cronjob and ssh into the public box. It checks every 5 mins and reconnects if needed. Using ssh-keys and ssh-agent it is able to auto-login to the remote host. Then just a quick ssh port forward and everything is up and going. On my remote systems I can then ssh into my home box by doing ssh -p 2222 localhost and it is forwarded right to my home machine. You could of course forward more than one port.
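The cron-driven reverse tunnel this comment describes, written out as an added example (not the linked article's code and not part of the post). The public host name, the login, and the key path are assumptions; the script also shows the checks a practitioner would want before letting cron retry every 5 minutes.

```shell
#!/bin/sh
# Added example: keep a reverse SSH tunnel alive from cron, as the comment describes.
# Assumed values (not from the page): public box public.example.org, login "tunnel",
# key file ~/.ssh/tunnel_key. Crontab entry on the home box, every 5 minutes:
#   */5 * * * * /usr/local/bin/keep_tunnel.sh
# sshd's GatewayPorts defaults to "no", so REMOTE_PORT is bound to the public box's
# loopback only; from that box the home machine is reached with: ssh -p 2222 localhost

PUBLIC_HOST="${PUBLIC_HOST:-public.example.org}"  # 3rd party reachable by both sides (assumed)
TUNNEL_USER="${TUNNEL_USER:-tunnel}"             # unprivileged account used only for the tunnel
KEY_FILE="${KEY_FILE:-$HOME/.ssh/tunnel_key}"     # dedicated key; BatchMode=yes forbids prompts
REMOTE_PORT="${REMOTE_PORT:-2222}"                # port opened on the public box
LOCAL_PORT="${LOCAL_PORT:-22}"                    # sshd on the home box
DRY_RUN="${DRY_RUN:-0}"                           # 1 = report what would run, start nothing
FWD="${REMOTE_PORT}:localhost:${LOCAL_PORT}"      # the -R spec a live process and pgrep share

# The full ssh command line, for logging; start_tunnel() runs the same options.
tunnel_cmd() {
    printf '%s' "ssh -f -N -i $KEY_FILE -o BatchMode=yes -o ExitOnForwardFailure=yes" \
        " -o ServerAliveInterval=60 -o ServerAliveCountMax=3 -o StrictHostKeyChecking=yes" \
        " -R $FWD ${TUNNEL_USER}@${PUBLIC_HOST}"
}

# Up only if an ssh process carrying exactly this -R spec exists; a hung one is
# torn down by the ServerAlive options, so it disappears and is replaced next run.
tunnel_is_up() {
    pgrep -f "ssh .* -R $FWD " >/dev/null 2>&1
}

# ExitOnForwardFailure makes ssh return non-zero (instead of sitting there with no
# forward) if the remote port is already taken, so cron mail shows the failure.
start_tunnel() {
    ssh -f -N -i "$KEY_FILE" -o BatchMode=yes -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=60 -o ServerAliveCountMax=3 -o StrictHostKeyChecking=yes \
        -R "$FWD" "${TUNNEL_USER}@${PUBLIC_HOST}"
}

# One cron run: leave a healthy tunnel alone, otherwise (re)start it.
ensure_tunnel() {
    if tunnel_is_up; then
        echo "tunnel up: $FWD"
    elif [ "$DRY_RUN" = "1" ]; then
        echo "would start: $(tunnel_cmd)"
    else
        echo "tunnel down, starting: $(tunnel_cmd)"
        start_tunnel
    fi
}

if [ "${0##*/}" = "keep_tunnel.sh" ]; then ensure_tunnel; fi
```

StrictHostKeyChecking=yes means the public box's host key must already be in known_hosts from an interactive first login; a key rotation on that box then stops the tunnel rather than silently trusting a new key.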

  13. How did you confirm this information? by cyber0ne · · Score: 5, Informative

    I found myself in this exact situation once a while back. And when I'd call the ISP I'd usually be on the phone with "tech support" people who didn't even know what an IP was. After a lot of frustration from not having a real IP, I later discovered that I actually _did_ but it was behind a 1:1 ratio NAT built into the ISP's modem device. I went to http://www.whatismyip.com to discover the public IP that my destinations _thought_ I had, tried to connect to it from an off-site host, and it worked. Maybe you've already tried this, but if you haven't it might be worth a shot.

    --
    http://publicvoidlife.blogspot.com

  14. Re:Port mapping by MoonBuggy · · Score: 3, Funny

    ...it was pretty much implied that he does not have control over his ISP's networking equipment at their office(s).

    True, but he was asking us about specific hardware purchases to help his situation. I recommend the purchase of a set of lock-picks and a map to the premises where the router is located ;-)

  15. Re:Commercial Service by renehollan · · Score: 2, Insightful

    Yes, but with growth of P2P networks, that may become moot. The one-sided client/server bias in the Internet is largely due to the need for a centralized, albeit distributed, directory service and the asymmetrical nature of inbound and outbound connections.

    Consider what is possible if you hack TCP/IP to permit opening an inbound connection with merely a TCP ACK with the right sequence number (which was published on a P2P network when you "open" the non-standard port). The first respondent to connect "wins" and you can spawn a session. To accept another one on the same port, you publish a new ACK sequence number. The downside is that inbound connections have to poll to connect, and this does not scale well -- breaking the sequence number space into "inbound" and "response" sequences can address this somewhat. This is meant as an example of how the TCP connection sequence can be made symmetrical and not a definitive best way of doing so.

    While it is easy for an ISP to filter inbound TCP SYN packets, ensuring outbound ACKs aren't really rogue connection initiators using this hacked protocol requires the ISP's filtering to suddenly become stateful (otherwise they can not know that it is a bona fide response).

    The downside of a symmetrical session-establishment protocol is, of course, the race between inbound and outbound connection attempts (think of the difference between picking up the phone to make vs. answer a call -- you don't know which one you're doing until after you listen for dialtone or a surprised counterparty ("...but it didn't ring yet!?")). But, that can be overcome.

    --
    You could've hired me.

  16. Re:Mod: -1: The Universe doesn't revolve around yo by asdfghjklqwertyuiop · · Score: 2, Interesting

    Oh grow up. Just because an ISP doesn't support what you want to do doesn't mean they're evil.
    If they're going to be in the INTERNET SERVICE provider business, they need to provide INTERNET SERVICE. Internet service means they carry IPv4 packets from you to anywhere you want on the internet and back again. *All* of them. If they aren't doing that then they aren't really providing internet service.

  17. Re:Your only option is to ... by renehollan · · Score: 2, Informative

    When we were looking at houses to buy last year, I asked the agent to give me the current resident's phone number so I could check for DSL. It was available, and we made an offer.

    That's exactly what I did when I went looking for a house in the Seattle, WA area. When we narrowed down our choices to a few houses, we had our agent approach the seller's agent asking for permission to check if DSL service was available to that current number. In this area it is normal for sellers to be present when buyers view a house (though I find this somewhat awkward both as a buyer and as a seller, and when selling do the prospective buyers and their agent the courtesy of leaving for 20-30 minutes). So, it is easy to ask, "Do you have DSL?" If they say "yes", we then put immediate DSL availability as a contingency in our offer. If they say no, we ask permission to use their current phone number to find out. We have never been refused, though we make it very clear that's the only reason we want the number, and are willing to produce a written statement on the spot to that effect. In fact, you don't need the whole phone number -- just enough to identify the CO: the NPA-NXX (area code and first three digits of the number), though most on-line lookup apps insist on all seven digits of the number.

    Now, just because the current owners have DSL or can get DSL does not mean you can: sometimes more than one CO serves a particular residential area (at least in some parts of Canada -- not sure about the U.S.) and they do occasionally run out of lines. Still, it is encouraging.

    Finally, though the telco droid generally won't tell you where DSL is available (generally because they just have a phone number to availability mapping application), you can find out what COs serve which areas with a bit of Googling. You can then find out which COs have deployed DSL. It used to be the case that you then had to know which ISPs had DSLAMs colocated in the COs. DSL Reports is a good place to look for more information on this. These days, the telco generally rolls out DSL access and can backhaul to any ISP that offers DSL -- the difference relates to who owns the DSLAMs: the telco or ISP. If the telco owns the DSLAM you pay them separately from the ISP, unless the telco has subcontracted DSL package sales to that ISP (but this is usually for an "Intarweb" style service -- no static IP and no inbound connections permitted -- often what the telco offers directly when it acts as the ISP). It's the difference between a $30/month and an $80/month service. You generally have to contact the telco about "advanced data services" which are completely different from "Residential DSL" (this being Verizon-speak, for example).

    If you do contact the telco's data service department, you'll often get far more friendly and useful information: which COs are provisioned, etc. -- generally enough to get your ISP of choice to handle their end of things. Verizon was actually helpful here, in my case (though getting the link hot was delayed twice for a total of a two week extra wait over the 5 days initially promised). (Setting up the particular long distance plans was another story: getting dinged $0.70/minute instead of $0.07/minute for calls to Soviet Canuckistan (Canada) was not fun).

    What I have found is this: it appears that if you're willing to spend $40-$45 a month just for the DSLAM port and backhaul to your ISP, as opposed to the telco's resold $19.95 or $29.95 Intarweb DSL service, they seem much more interested in being helpful. The biggest headache I encountered was knowing which department I needed to contact within Verizon: local, long-distance, Intarweb DSL, and Advanced Data Services appear to be so separate from each other and uncoordinated. It took a while to find out, for example, that I should be speaking to the "Advanced Data Services" department instead of the "DSL sales droid" (who didn't even know of the Advanced Data Services department). In fact, it

    --
    You could've hired me.

  18. Re:Mod: -1: The Universe doesn't revolve around yo by fm6 · · Score: 2, Interesting

    By your logic, a "grocery store" should stock every grocery there is. Come to think of it, that'd be great. Then I wouldn't have to hunt around for those obscure cookies I like and nobody else does. Of course, it'd be hard on the grocers, since they'd have to stock a lot of stuff they'd never sell. But that's their problem, right?