Re: ssh to my computer behind NAT



On Tuesday 09 March 2010 06:41:52 am Hiisi wrote:
2010/3/9 Rick Sewill <rsewill@xxxxxxxxx>:
On Tue, 2010-03-09 at 00:08 -0600, Rick Sewill wrote:
On Tue, 2010-03-09 at 08:40 +0300, Hiisi wrote:
2010/3/9 Rick Sewill <rsewill@xxxxxxxxx>:
My first thought is to say, talk to the ISP.
The ISP should have a way for you to configure their NAT router
to forward the ssh port to your host.

Other than charging for the service, it might be hard for the ISP to forward
the ssh port to your host, simply because the ssh port is maybe already being
forwarded to some other host, for internal use by the ISP admins --- they
might want to get into one of their machines just like you want to get into
yours, and there might be no way for the router to decide when to forward the
port to this or that computer while doing NAT.

This depends on the capabilities of the master router of your ISP, and their
infrastructure. I used to work once for an institution which had *one* single
public IP available for the single router, everything else was behind NAT. And
the router itself was a miserable pos, for that matter...

Are you, and some other customers of the ISP, sharing the same public
IP address? Doing so would reduce the number of public IP addresses
the ISP would need. I'd be very, very surprised if an ISP did this.
I'd be more than surprised. I'd be shocked.

This is actually a fairly common practice. I believe there are more ISPs in
the world that do this than those that don't. Think China or such. Not every
country has a wide enough range of public IPs available, so local ISPs use
this kind of measure to save the IP pool as much as possible, until IPv6
arrives.

I live in a students' hostel and I'm unable to change ISP. The only
other solution would be to get a GPRS modem. But I don't want to
buy it because prices are wild here in Moscow (and I'd have a dynamic IP
then, correct?). Before writing on this list I've consulted my ISP.
They have no better (free) solution than the one I have at the moment.
Alternatively, they can charge me extra money for a so-called
'static IP'. I don't need it because I don't want to run a web server at
home. I just want to access my files on my home computer from the lab
computer to eliminate stress in case I forget a USB drive in a rush
to the lab :-)

You might want to look into OpenVPN. It's a method to create a "virtual"
network, which would allow you to do whatever you want within that network,
including ssh, vnc, and others. This has some drawbacks, however:

1) you need at least one machine with a fixed IP which is publicly visible (the
"middle" computer that you use now) to set up an OpenVPN server (to which all
other machines --- clients --- should connect)

2) it might be somewhat slower than the native connection, but that is
insignificant if all your machines are on the same LAN. It might get
significantly slower if one machine is in Paris, the other in Cairo and the
server is in Peking...

3) It takes some time and effort to learn, install and set up. It is simpler to
use than your current usage of ssh -R, but way more complicated to set up.
Although, you need to set it up only once.

But once you master it and implement it, no router or firewall may stop you
from accessing your own machines. That's what I use --- I have connected three
clients (all three behind various ISP NATs in two different cities) to my main
machine (which acts as an OpenVPN server) which has a public IP. I use the
virtual network to admin all those machines (including the server itself) from
the other side of the continent, for over a year now.

Works like a charm, never failed me. ;-)

HTH, :-)
Marko
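
The topology described in the message above (one OpenVPN server on the publicly reachable host, clients behind NAT dialing out to it), sketched as an added example that is not part of the original post and not Marko's actual configuration. The host name vpn.example.org, the 10.8.0.0/24 subnet and all certificate and key file names are placeholders.

```conf
# ---- server.conf: the "middle" machine with the fixed public IP ----
port 1194
proto udp
dev tun
ca   ca.crt                     # placeholder file names throughout
cert server.crt
key  server.key
dh   dh.pem
server 10.8.0.0 255.255.255.0   # constructed VPN subnet; the server takes 10.8.0.1
ifconfig-pool-persist ipp.txt   # tries to hand each client the same VPN address again
client-to-client                # lets the lab client reach the home client via the server
keepalive 10 120                # periodic pings keep the ISP NAT mapping open
tls-auth ta.key 0               # drop packets lacking the shared HMAC before the TLS handshake
persist-key
persist-tun
user nobody                     # drop privileges after startup
group nobody

# ---- client.conf: each machine behind the ISP NAT (home, lab) ----
client
dev tun
proto udp
remote vpn.example.org 1194     # placeholder for the server's public address
resolv-retry infinite
nobind                          # outbound only, so no port forward is needed on the NAT
ca   ca.crt
cert home.crt                   # one certificate/key pair per client
key  home.key
remote-cert-tls server          # refuse a peer that does not present a server certificate
tls-auth ta.key 1
persist-key
persist-tun
```

Once both clients are connected, the lab machine reaches the home machine by ssh to its 10.8.0.x address. Setting `ListenAddress` in the home machine's sshd_config to that VPN address keeps sshd off its other interfaces.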
