Life Behind the Firewall Curtain? (91 comments)

beegle asks: "After a recent move, I discovered that my only broadband option is a cable company that puts all of its customers behind a NAT box. That means that my ISP gives me a 'private' 10.x.x.x address instead of a routable IP address. I'd like to connect to my machines remotely and use software that depends on a real address (P2P, games, etc.). The ISP doesn't prohibit this, but they're not willing to help, either. I've considered setting up a VPN to a friend's network, but that seems terribly inefficient. What hardware or software would you recommend for those of us who are stuck with 'fake' IP addresses?"
  • VPN or bust (Score:5, Informative)

    by Fubar420 ( 701126 ) on Wednesday August 04, 2004 @03:31PM (#9881913)
    Well, if you want them to be able to connect to you, you're gonna need a routable IP. Period.

    Your choices then are VPN (pptp, etc) or pseudo VPN (ssh, et al.)

    Unless you know someone on the same ISP, who has a RealIP(tm), who can dnat to you, you'd be pretty much hosed :-/

  • Proxy Out (Score:5, Interesting)

    by kevinmf ( 628527 ) on Wednesday August 04, 2004 @03:33PM (#9881926)

    After a couple hacking incidents and virus outbreaks, my school decided to impose a firewall on everyone which put a stop to gaming with anyone off campus. Anyway, those of us lucky enough to have a cable modem or DSL at home just set up proxies on those boxes and used SocksCap [] to make programs using winsock transparently go through and use the proxy instead of trying to get to the net from the firewall.

    Sounds like it'd be a good solution for you to do something similar.

    Game performance took a hit though, because of all the extra hops that added.

    • Re:Proxy Out (Score:3, Informative)

      by aberson ( 461047 )
      Another option is htthost and httport []. A little more complicated to set up than SocksCap, but especially good if you only want to use your proxy connection for some apps, but not all, and also if you just want everything to look like (encrypted) HTTP traffic (like if you're at work).

      It isn't going to help the original poster with INBOUND connections though, which is obviously his primary concern. For that it seems like VPN/SSH will be necessary... I doubt it's fast enough going all the way out to your fr

  • What the fuck? (Score:5, Insightful)

    by Vokbain ( 657712 ) * on Wednesday August 04, 2004 @03:33PM (#9881933) Homepage
    Post what ISP it is, so everybody knows not to ever go with them.
    • My guess is, this guy is a student stuck with dorm Net access... just like me:

      Behind a firewall, with 10gig/month at 30$CAN... But you get Uni Access which is blinding fast...
      • Re:What the fuck? (Score:3, Informative)

        No - a friend of mine living in Houston, Texas told me his cable company did the same thing.
        • Who does he use in Houston that does that? I've used SBC DSL in the past, and now have Earthlink cable (TW's backbone). I have a real IP.

          Well, my router has a real IP. I don't think there's anyone in town a lot cheaper than Earthlink, too. I've been very happy with them; he should look into switching, if possible,

      • You could call Willie and ask:

        whois -h

        Registrant Name:William Beegle
        Registrant Street1:#### Hobart St. Apt. #
        Registrant City:Pittsburgh
        Registrant State/Province:PA
        Registrant Postal Code:#####
        Registrant Country:US
        Registrant Phone:+1.412#######

        You might find him at Carnegie Mellon University Computing Services:

        5000 Forbes Avenue
        Cyert Hall 285
        Pittsburgh PA 15213
        Administrative Office Main Number: 412.268.2638

        His phone number is: x8-4419.

        He may
    • Oh grow up. Just because an ISP doesn't support what you want to do doesn't mean they're evil. Not everybody wants to run P2P apps. Most ISP customers just want to surf the web and do email, and do so without worrying about getting their system hacked.

      The alternative is a firewall. Which might make more sense to you, but it's a less reliable solution, and one that creates problems of its own.

      • I agree with you, man!

        Take solace in the fact that this is slashdot, and those who modded you down probably don't know what NAT means, and are just flexing their mod-muscles in the face of someone who knows better. I agree with you - some ISPs don't want the liability and extra work open IPs cause. I think the stance the company is taking is perfectly understandable. Again, being slashdot, if a company acts in a way that doesn't benefit the /. community in a rapid fashion, there must be something wrong

      • Although you shouldn't be modded as flamebait, the complaint about the firewall is valid, as is the desire to have a warning. I think most people *on /.* would like to avoid ISP's like this. The parent didn't say they were evil, just that he'd like to avoid them
        • When somebody titles their post "what the fuck?" I think a certain amount of moral outrage is implied. In any case, somebody who's buying a high-tech service (such as internet access) and wants to seek or avoid specific features (such as use of private network spaces) needs to do their own research, not rely on second-hand info.

      • Oh grow up. Just because an ISP doesn't support what you want to do doesn't mean they're evil.

        If they're going to be in the INTERNET SERVICE provider business, they need to provide INTERNET SERVICE. Internet service means they carry IPv4 packets from you to anywhere you want on the internet and back again. *All* of them. If they aren't doing that then they aren't really providing internet service.

        • Internet service means they carry IPv4 packets from you to anywhere you want on the internet and back again. *All* of them.
          And that is written where, exactly?

          • And that is written where, exactly?

            In common sense. What do you think "internet service" means? carrying just some of your internet traffic? Would that not be partial internet service?

            • By your logic, a "grocery store" should stock every grocery there is. Come to think of it, that'd be great. Then I wouldn't have to hunt around for those obscure cookies I like and nobody else does. Of course, it'd be hard on the grocers, since they'd have to stock a lot of stuff they'd never sell. But that's their problem, right?
              • By your logic, a "grocery store" should stock every grocery there is. Come to think of it, that'd be great. Then I wouldn't have to hunt around for those obscure cookies I like and nobody else does. Of course, it'd be hard on the grocers, since they'd have to stock a lot of stuff they'd never sell. But that's their problem, right?

                A grocery store? That analogy made no sense whatsoever. That is not my logic at all. Carrying every conceivable grocery isn't implied in the term "grocery store"

                "internet serv

                • Carrying every conceivable grocery isn't implied in the term "grocery store"
                  But carrying every possible kind of packet is implied by "internet service". Yeah, that's consistent.

                  I could argue you with you point by point, but why should I bother? You're insisting on words that have meanings that suit your arguments. Not a productive discussion.

                  • But carrying every possible kind of packet is implied by "internet service". Yeah, that's consistent.

                    Yes - exactly. Or more specifically, carrying every kind of internet packet is implied by "internet service". I don't expect an ISP to carry IPX/SPX frames to my friend's house to play an old video game. Just internet (IPv4) packets.

                    Imagine signing up for local phone service. Just plain old local phone service. You try to call some 1-800 tech support number, but you hear a message saying "sorry, we don't

  • i'd probably go the vpn route, to one of my dedicated servers at, but I'd want to move first...

    I hear its nice in Vancouver....

    now all i need is a job in Vancouver...
  • by dJCL ( 183345 ) on Wednesday August 04, 2004 @03:34PM (#9881942) Homepage
    I know that you've discounted the VPN option, but it could work for you...

    I pay for a dedicated server at a cheap host ($29.95/month... there is a catch though..) and IP addresses are cheap there too. You can set up a PPP-based VPN that basically lets you act like one of the spare IP addresses that you have assigned. (I use an ssh-ppp tunnel myself, and it works great for that.)

    There are cheaper VPS hosting options out there that you could get a spare IP at and VPN through that to get your web connection too... I'm sure you could find a $5/month cheap-O place and set it up, no one would care, it's not like you will be using a terabyte or so per month bandwidth anytime soon (and if you are, that's your problem to solve).

    Nice advantages of this approach: one server can be used by multiple people, you have a computer with shell access online, you have a web/mail server and my favourite - VNC desktops that you can use from anywhere! (I never close my apps, my copy of Thunderbird has an uptime that rivals most systems, and the latest VNC viewer is really rather feature rich for low bandwidth usage...)

  • Unless they have a separate NAT server that translates a unique IP to each 10.x.x.x they give each customer you're going to find quite a few things seriously difficult.

    Most apps including some p2p and games should be ok. But you can forget running a server. You can't even ask your ISP to open certain ports to you (incoming I mean) because then they'll be taking that option away from other customers. Like if they redirect port 21 to you, that means all other customers wouldn't be able to ask for port 21. I j
  • You can tunnel IP6 over IP4. Once you have that set up, you can have a static IP6 address on the real IP6 Internet. Now all you have to do is find a game server to talk to you at your IP6 address. Good luck.
    • Have you ever tried to do this?
      Do you know how most of those tunnels work?

      I think not.

      Last time I tried, there were no "publicly" offered tunnels available which would work even over a firewalled Public-IP connection, which is one step less evil than a NAT connection.

      Sure, you can use a PPP tunnel and push IPv6 over that, but you could just as easily push IPv4 over that, as previously suggested here. You'd either way need an external machine on the real-Internet and not the fake NAT deal.

      This reminds me
      • Your personality leaves a lot to be desired. Offensiveness is apparently your strong point.

        I know how the tunnel works. The original poster didn't reveal his ISP, so neither you nor I have any idea if he has a facility to tunnel IP6. If you do your homework, you will see that some ISP's provide this to their customers. Hurricane Electric is one that comes up on a Google search.

        If his ISP provides this to the customers, then it won't matter if he's NAT or not. He will have a static IP on the IPv6 Internet.
  • one of these [].
  • Bug the ISP (Score:5, Informative)

    by JohnGalt00 ( 214319 ) on Wednesday August 04, 2004 @03:39PM (#9881996)
    Bug the ISP. Call them often and either ask for a real IP address, or ask them how to get your favorite programs to work.

    Oh yeah, and tell us who your ISP is, so we know to avoid them.

    Are you sure the NAT is to protect the customers, or are they being cheap by not shelling out for enough IP space?
  • This is an option in the kernel, I have no idea how or if it works
  • You can use it to google for other ISPs that have less annoying policies. I'm quite happy with speakeasy's policies, for example, if you're in a city they support. I agree that VPNing out is inefficient, although if you can't change providers it may be your only option. :'(
  • by QuantumRiff ( 120817 ) on Wednesday August 04, 2004 @03:49PM (#9882078)
    Ask them to give you a non-standard port, such as 1357 (I made it up, don't know if it goes to anything.) If they will set up Port forwarding to your Port 80, you can use a DNS provider, like ( I believe) to do the translation for you, telling clients to connect on that port.
  • by Cthefuture ( 665326 ) on Wednesday August 04, 2004 @03:49PM (#9882082)
    I'm behind a NAT box and games work fine. Some games may have special requirements but modern NAT boxes tend to understand the protocols (I'm pretty sure games like Quake3 will work no matter what).

    P2P is going to be somewhat of a problem. But only for people trying to connect to you. Some of the modern P2P protocols can work around it (by way of you initiating the outgoing connection). Other than that all the P2P stuff I have used worked (although I'm not a big P2P user).

    All in all, NAT isn't that bad and most of the time I don't even notice it's there. It's my NAT box though, so it's a little different. However, I haven't done any special configuration other than allowing the occasional VNC/SSH connection to internal machines.
  • by Anonymous Coward on Wednesday August 04, 2004 @03:55PM (#9882131)
    I got a cheap DSL connection, and declined the offer of a static IP ($15/month). When I checked my IP address, I was GREAT, non routable, right?

    WELL! It turns out the DSL modem had a NAT router built in, and when I was able to configure it, I was able to get a REAL IP address. Of course it changes every few hours, but any Dynamic DNS server can help you there.

    Try to point your browser at your "Gateway" and see if it is yours or if it is shared amongst everyone in your neighborhood. The ISPs like to default people to a "Browse Only" environment, but often real internet is only a few keystrokes away.

  • SSH tunneling (Score:3, Interesting)

    by magefile ( 776388 ) on Wednesday August 04, 2004 @03:56PM (#9882143)
    Get a friend to let you be constantly SSH'd into his box - you can use that to set up tunneling to that certain ports are forwarded back. Or, heck, even tunnel it through IRC if he's a windows user, and doesn't want to set up SSH - just have him install an IRC server.
  • SSH Tunnel(s)? (Score:5, Informative)

    by linuxkrn ( 635044 ) <> on Wednesday August 04, 2004 @04:00PM (#9882180)
    I wrote up a short article on how I got past dual one-way NAT connections. It does require a 3rd party that is reachable by both machines. hp []

    Works great for me. I have my home box run a cronjob and ssh into public box. It checks every 5 mins and reconnects if needed. Using ssh-keys and ssh-agent it is able to auto-login to the remote host. Then just a quick ssh port forward and everything is up and going. On my remote systems I can then ssh into my home box by doing ssh -p 2222 localhost and it is forwarded right to my home machine. You could of course forward more than one port.
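The reverse-tunnel-plus-cron arrangement described in this post (and the SSH port-redirection ideas in the other comments) can be written as a small POSIX shell script. This is an added example, not the poster's own script or the article he links: the host name, account, key path and port numbers are placeholders you replace with your own. The `-R` forward is bound to 127.0.0.1 on the public box, so the forwarded port is reachable only by someone already logged in there, which matches the `ssh -p 2222 localhost` usage above; `ExitOnForwardFailure` and the keepalive options make a stale session die so the cron job can replace it.

```shell
#!/bin/sh
# Added example: keep a reverse SSH tunnel from a NATed home box to a public host.
# All values below are hypothetical placeholders; override them via the environment.
PUBLIC_HOST="${PUBLIC_HOST:-public.example.org}"   # host with a routable address
PUBLIC_USER="${PUBLIC_USER:-tunnel}"               # unprivileged account on that host
REMOTE_PORT="${REMOTE_PORT:-2222}"                 # port opened on the public host's loopback
LOCAL_PORT="${LOCAL_PORT:-22}"                     # sshd on the home machine
KEY="${KEY:-$HOME/.ssh/id_tunnel}"                 # passphrase-less key restricted to this job

# Build the ssh command line. -N: no shell; BatchMode: never prompt (cron has no tty);
# ExitOnForwardFailure: exit if the -R port is already taken so the loop can retry;
# ServerAlive*: notice a dead link within ~90 s instead of hanging forever.
tunnel_cmd() {
  printf 'ssh -N -i %s -o BatchMode=yes -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R 127.0.0.1:%s:127.0.0.1:%s %s@%s' \
    "$KEY" "$REMOTE_PORT" "$LOCAL_PORT" "$PUBLIC_USER" "$PUBLIC_HOST"
}

# True if an ssh process with our reverse forward is already running.
tunnel_running() {
  pgrep -f "ssh -N .*-R 127.0.0.1:${REMOTE_PORT}:" >/dev/null 2>&1
}

# Start the tunnel in the background unless it is already up.
ensure_tunnel() {
  if tunnel_running; then
    echo "tunnel already up"
    return 0
  fi
  nohup sh -c "$(tunnel_cmd)" >/dev/null 2>&1 &
  echo "tunnel started"
}

# Only act when invoked as "tunnel.sh run", e.g. from crontab every five minutes:
#   */5 * * * * /home/me/tunnel.sh run
case "${1:-}" in
  run) ensure_tunnel ;;
esac
```

On the public host, then, `ssh -p 2222 localhost` reaches the home machine's sshd. Keep the `tunnel` account there minimal: it needs no shell of its own, and the key's `authorized_keys` entry can carry `restrict,port-forwarding` so the key is good for nothing but this forward.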
  • by cyber0ne ( 640846 ) on Wednesday August 04, 2004 @04:03PM (#9882202) Homepage
    I found myself in this exact situation once a while back. And when I'd call the ISP I'd usually be on the phone with "tech support" people who didn't even know what an IP was. After a lot of frustration from not having a real IP, I later discovered that I actually _did_ but it was behind a 1:1 ratio NAT built into the ISP's modem device. I went to [] to discover the public IP that my destinations _thought_ I had, tried to connect to it from an off-site host, and it worked. Maybe you've already tried this, but if you haven't it might be worth a shot.
    • Try what this man suggests! I have a similar setup with my ISP. The "Real" IP address is often dynamic and may change more frequently than the 10.* address but if you can go out to someplace like and find a "Real" address that leads back to your machine (try ssh/ftp/etc/ into the "Real" address and see if it goes to your machine), then or something similar will allow you to set up a name for your machine ( for example ) and you can set up a script or program (th
    • This was my thought as well.

      Many cable companies don't care what you have for a cable modem. Go get a new one at BestBuy if theirs is closed and see if it works. You might need to register its ID with the cable company. I'm not sure if it's a MAC address or not, if it is MAC spoofing might be easier.

      You can then setup port forwarding for the services you wish to use.

  • What's the state of the art of Microsoft connectivity from behind a NAT router?

    Time was, NT domain controllers couldn't talk to each other if at least one of them was behind a NAT, and I think that was true for at least the early versions of Active Directory.

    Nowadays, can you get remote domain controllers [respectively - Active Directory controllers] to talk to each under something like the following?

    BDC -> NAT -> OpenSSL -> NAT -> PDC

    If not OpenSSL, then insert your favorite encryption

  • Dialup (Score:1, Troll)

    by Gothmolly ( 148874 )
    Suck it up, drop back to 53K and learn to use Lynx, pine and trn. The time is approaching when the Intarweb is going to be useless for us slashdotters anyway, so you can be cutting edge by going CLI.
  • Consider upgrading to the commercial service, rather than the residential. Chances are that the commercial service already includes a routable IP, and even if not, it wouldn't be an uncommon thing for a business to need a routable IP, so they would already have a process in place to provide you with one.
    • When I looked for DSL service with a single static IP address, and no inbound port-blocking, or restrictive TOS (outbound traffic limits being O.K. if reasonable -- I just want to sink email for my domain, and occasionally SSH in from work), Verizon only provided such facilities as part of "business class service" for around US$90 a month.

      Sigh. A bit more than the $80 I budgeted, but O.K., I'll bite.

      They refused to sell me the service even though I was willing to pay for it.

      Turns out I got a better de

      • What was their basis for refusing to sell? That your premises was a residence? That you didn't produce a business license?
        • That my premises was a residence, yes.

          Though, their lowest grade of biz. service did not include QoS guarantees, so it wasn't a question of being on the wrong circuit (connected to redundant equipment, etc.) or anything.

          • Sheesh. I guess by the time this kind of junk becomes standard practice, an ISP won't be much use anyway. Thanks for letting me know what the reason was!
            • Yes, but with growth of P2P networks, that may become moot. The one-sided client/server bias in the Internet is largely due to the need for a centralized, albeit distributed, directory service and the asymmetrical nature of inbound and outbound connections.

              Consider what is possible if you hack TCP/IP to permit opening an inbound connection with merely a TCP ACK with the right sequence number (which was published on a P2P network when you "open" the non-standard port). The first respondent to connect "wins"

        • Generally, if the phone line isn't business rate, they can't put business rate DSL on it.

          Similarly, if the phone line isn't residential rate, one can't put residential DSL on it.

  • Assuming the ISP won't help you out with a real IP, I'd recommend using OpenVPN. Fairly straightforward to install and configure. And it's supported on all the major OS's with the same config files on each.
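Once a VPN (OpenVPN or the ssh-ppp tunnel another poster describes) terminates on a rented host with a public address, the remaining step is to forward a chosen port from that public address down the tunnel to the home machine. The script below is an added example, not from this thread or the OpenVPN project: it assumes a Linux VPN server whose public interface is `eth0`, whose tunnel interface is `tun0`, and whose VPN client sits at the hypothetical address 10.8.0.2. It generates the iptables rules for one port rather than applying them blindly, so they can be reviewed first; the MASQUERADE rule on `tun0` makes the home box see connections as coming from the VPN server, which keeps replies inside the tunnel even when the client's default route still points at the cable ISP.

```shell
#!/bin/sh
# Added example: publish one port of a NATed VPN client on the VPN server's public IP.
# Hypothetical interface names and addresses; override via the environment.
PUBLIC_IF="${PUBLIC_IF:-eth0}"               # interface holding the routable address
VPN_IF="${VPN_IF:-tun0}"                     # OpenVPN / ppp tunnel interface
CLIENT_VPN_IP="${CLIENT_VPN_IP:-10.8.0.2}"   # the home machine's address inside the tunnel

# Accept only an integer in 1..65535 (the same check a firewall script should do on any
# user-supplied port before splicing it into a rule).
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the rules that forward PROTO/PORT from the public interface to the client.
# Rule 1: rewrite the destination to the client's tunnel address.
# Rule 2: rewrite the source so the client's replies come back through the tunnel.
# Rules 3-4: allow only that new flow (and its replies) through the FORWARD chain.
publish_port_rules() {
  proto="$1"; port="$2"
  case "$proto" in
    tcp|udp) ;;
    *) echo "protocol must be tcp or udp" >&2; return 1 ;;
  esac
  valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
  printf '%s\n' \
    "iptables -t nat -A PREROUTING -i $PUBLIC_IF -p $proto --dport $port -j DNAT --to-destination $CLIENT_VPN_IP:$port" \
    "iptables -t nat -A POSTROUTING -o $VPN_IF -p $proto -d $CLIENT_VPN_IP --dport $port -j MASQUERADE" \
    "iptables -A FORWARD -i $PUBLIC_IF -o $VPN_IF -p $proto -d $CLIENT_VPN_IP --dport $port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT" \
    "iptables -A FORWARD -i $VPN_IF -o $PUBLIC_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# "publish.sh show tcp 8080" prints the rules; "publish.sh apply tcp 8080" runs them
# (as root, with net.ipv4.ip_forward=1 already set). Without arguments nothing happens.
case "${1:-}" in
  show)  publish_port_rules "$2" "$3" ;;
  apply) publish_port_rules "$2" "$3" | sh ;;
esac
```

Because the FORWARD rules name the protocol, port and client address explicitly, a default-DROP FORWARD policy on the server still leaves every other tunnel address and port closed; each additional service gets its own call to `publish_port_rules` rather than a blanket accept.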
  • by omarius ( 52253 )
    Also probably inefficient as hell, but I've used SSH's port-redirection capabilities to remotely access machines that are behind a firewall. I haven't tried any big file transfers, but I can't imagine it would be too bad.

    As far as your VPN (or SSH or whatever you end up using) concerns: unless you're doing a vpn between two old, slow computers, I can't imagine the processing overhead would be more than a blip compared to the relative smallness of a broadband pipe; especially if the 'host' you use is reaso
