this post was submitted on 30 Dec 2023

352 points (94.7% liked)

Piracy: ꜱᴀɪʟ ᴛʜᴇ ʜɪɢʜ ꜱᴇᴀꜱ

54424 readers

287 users here now

⚓ Dedicated to the discussion of digital piracy, including ethical problems and legal advancements.

Rules • Full Version

1. Posts must be related to the discussion of digital piracy

2. Don't request invites, trade, sell, or self-promote

3. Don't request or link to specific pirated titles, including DMs

4. Don't submit low-quality posts, be entitled, or harass others

Loot, Pillage, & Plunder

📜 c/Piracy Wiki (Community Edition):

💰 Please help cover server costs.


Ko-fi	Liberapay

founded 1 year ago

MODERATORS

[email protected]

352

Me vs my ISP (lemmy.dbzer0.com)

submitted 10 months ago* (last edited 10 months ago) by [email protected] to c/[email protected]

138 comments fedilink hide all child comments

So I was looking into getting port forwarding set up and I realized just how closed-off the internet has gotten since the early days. It's concerning. It used to be you would buy your own router and connect it to the internet, and that router would control port-forwarding and what-have-you.

Now, your ISP provides your router, which runs their firmware, which (in my case) doesn't even have the option to enable port forwarding.

It gets worse - because ISPs are choosing NATs over IPv6, so even if you install a custom firmware on your router without it getting blacklisted by your ISP, you still can't expose your server to the internet because the NAT refuses to forward traffic your way. They even devise special NAT schemes like symmetric NAT to thwart hole punching.

Basically this all means that I have to purchase my web hosting separately. Or relay all the traffic through an unnecessary third party, introducing a point of failure.

It's frustrating.

I like to control my stuff. I don't like to depend on other people or be in a position where I have to trust someone not to fuck with my shit. Like, if the only thing outside my apartment that mattered to my website was a DNS record, I'd be really happy with that.

Edit: TIL ISPs in the US don't have NATs

Edit 2: OMG so much advice. My knowledge about computers is SO clearly outdated, I have a lot of things to read up on.

Edit 3: There's definitely a CGNAT involved since the WAN ip in the router config is not the same as the one I get when I use a website that echos my IP address. Far as I can tell ~~my devices don't get unique IPv6 addresses either~~. (funnily enough, if I check my IP address on my phone using roaming data, there's no IPv6 address at all). It's a router/modem combo, at least I think since there's only one device in my apartment (maybe there's a modem managing the whole complex or something?). And it doesn't have a bridge mode, except for OTT. Might try plugging my own router into it, but it feels like a waste of time and money from what I'm seeing. Probably best to just host services over a VPN or smth.

Edit 4: Devices do get unique IPv6 addresses, but it's moot since I can't do anything but ping them. I guess it wouldn't be port forwarding but something else that I would have to do that my router doesn't support

(page 2) 50 comments

sorted by: hot top controversial new old

[–] [email protected] 5 points 10 months ago (1 children)

Might not be ideal but perhaps simpler, do you have the ability to upgrade your service to business class? Usually the business tiers allow such things and they will support self hosting and open up the ports for you if you ask. It will likely cost more for the same speed you currently have. Another option to consider

[–] [email protected] 4 points 10 months ago (1 children)

Just a bit of a warning if you do this. Business class service usually requires full year contacts, and breaking the contract can mean THOUSANDS of dollars in termination fees depending on the timing.

load more comments (1 replies)

[–] [email protected] 5 points 10 months ago (2 children)

Cheapest vps plus "sshuttle" may work, host everything on your home server but have dedicated ip of your vps

load more comments (2 replies)

[–] [email protected] 4 points 10 months ago* (last edited 10 months ago) (5 children)

why not bridge the router and use your own?

the router doesn't have one?

which ISP is it?

[–] [email protected] 2 points 10 months ago (1 children)

sounds like his router is locked down, and even then, if the isp puts him behind nat, there isnt much he can do on his side even if he could theoretically forward those ports.

[–] [email protected] 3 points 10 months ago (1 children)

yes, cgnat is very common in many countries due to IPv4 shortage, bypassing the ISP Router and using your own along with a self hosted VPN Server (for China, Hong Kong or Tokyo works great) is the best choice.

[–] [email protected] 2 points 10 months ago

ipv6 is nice to use too if they dont also NAT it (which looks rare?)

load more comments (4 replies)

[–] [email protected] 3 points 10 months ago

It's really shitty. My isp offers a static ip plan but it costs a lot more, so I try using tailscale and it works ok. It's a shame though

[–] [email protected] 3 points 10 months ago

Use cloudflare tunnel.

[–] [email protected] 3 points 10 months ago* (last edited 10 months ago)

On the flip side, direct open ports to your home network isn't really a great idea anyway.

At one time it wasn't as bad, but today I'd be hesitant because of the number and capability of bad actors and I'm not a network security expert (though I have a lot of training in networks, just shy of that kind of expertise).

In a way, these restrictions have promoted the use of even more secure approaches, like using Cloudflare tunnels, VPS's with VPN connections to your network, or things like Wireguard/Tailscale, which provide a virtual (encrypted) network layered on top of the public (untrusted) network.

All of these can provide an externally controlled (secured and encrypted) access to specific resources within your own network. As mentioned, VPS with VPN, Cloudflare tunnels, or Tailscale Funnel or Share.

[–] [email protected] 3 points 10 months ago

Are you trying to offer a port for peer sharing (XDCC/BT)? I've never tried using it like this but I think Tailscale Funnel could work.

It's a sort of reverse VPN, I guess you could call it. Tailscale maintains the public IP and when someone connects to your advertised port they tunnel it to you through (encrypted) WireGuard. It passes through NAT because connections are outgoing to their servers.

The catch is that wireguard is easily detectable through deep packet inspection so if your ISP is a real asshole they can kill the connections, but if they go that far then NAT traversal is the least of your worries.

[–] [email protected] 2 points 10 months ago

I don’t know what you mean by ISPs in the US don’t have NATs. They most certainly do NAT at the gateway device. But they also typically provide a way to DMZ to your own router instead. I don’t have to deal with double NAT simply because I effectively have my ISP gateway in bridge mode (forwarding all traffic to a specific device, in this case, my personal router).

Note: I have gigabit FTTH from AT&T. I left cable internet the moment fiber service was made available.

[–] [email protected] 1 points 10 months ago

Did you contact your ISP about this? Most of them can adjust a setting for you to remove the NAT part, the feature is usually called dual-stack. If you are in the EU, you even have a fundamental right to use your own router, you just have to register your MAC with them.

load more comments