4

I have a client located in a rural area where they are using the ISP Xplornet, it's a wireless/satellite type of internet connection.

After initial setup, we were able to have access to the site remotely, but it was extremely slow. So the client upgraded their service with them and now we cannot access it anymore.

We have gone back to site, but we just cannot seem to get through remotely. After doing some digging, it looks like the upgraded connection is using the 4G/LTE network and that they have created a private network for their WAN before it goes wild on the internet, so a double NAT.

I have been looking at getting them a static IP as my understanding is if you do so, this particular ISP then bridges you directly instead of being in that private WAN network.

The question is, is there a way around this without them paying extra monthly for this static IP (and bridging)?

*Please let me know if the question isn't clear or missing info.

rhymsy
  • 3
    This will become much more common as IPv4 exhaustion continues to take its toll. The preferred solution is IPv6, of course, but some idiotic ISPs have not yet rolled it out, even when they should have (like this circumstance). – Michael Hampton Nov 25 '15 at 18:21

3 Answers

4

Not really. The only thing you could do would be to tunnel through their network to a server somewhere else, and set up routing rules to route everything through the tunnel instead.

For example, if you created an IPSec tunnel (which might not even be possible with the double-NAT, but you might be able to get away with L2TP or, dare I even suggest it, PPTP[1]) originating at the site and connecting to something under your control, you could then assign it an IP address using 1:1 NAT or something gross like that.

[1] Yeah, don't do this. PPTP is really not a VPN, it's just a VN. There's no privacy on PPTP. The main advantage of it is that it's so easy to get running and so incredibly widely supported. But that said, there's a lot of new equipment that does not support PPTP at all because of how easily it is snooped upon. So if you do go down the PPTP route, just remember that it's no more secure than sending your stuff over the internet in plain text.

Mark Henderson
  • 1
    IPsec ought not to be a problem, as long as at least one end of the tunnel isn't NATted. IPsec does have its own NAT traversal protocol, you know. – Michael Hampton Nov 25 '15 at 18:28
  • 1
    @MichaelHampton sure, which is why I have added *might*. Because in double nat, who knows. Also I've had so many problems with IPSec over NAT I basically just don't do it any more. – Mark Henderson Nov 25 '15 at 18:37
  • I dare to question what is the difference in security between having a gateway through a PPTP Tunnel and using a bare network connection, behind a NAT or not. Not to mention that, while the PPTP specifications do not include anything related to encryption and authentication, most clients and servers do support it. – Florin Asăvoaie Nov 25 '15 at 18:49
  • @FlorinAsavoaie the advantage of PPTP over a bare network is that it is still a virtual network that you can route over as if it was directly connected, not over double-NAT. But... that's about it. But if you're talking about getting into the network from outside, then that's what you could achieve. – Mark Henderson Nov 25 '15 at 18:53
  • 1
    That was my point, what the op is trying to achieve does not need the extra security concerns as it does not change the state of security that is already there. All he wants to do is just get the connection up. All the security related stuff in the answer are, in my opinion, off-topic, even if mostly true. – Florin Asăvoaie Nov 25 '15 at 19:00
  • 1
    @FlorinAsavoaie fair enough. I guess I just added them in case someone else sees this in the future and I wanted to make sure that they were aware of the implications. – Mark Henderson Nov 25 '15 at 19:02
  • OpenVPN works well over NAT as it's UDP-based and client-server architected – Nath Nov 25 '15 at 20:38
  • @MarkHenderson, that's kinda what I thought, and I do appreciate the security concern, but that is taken care of already in other ways. – rhymsy Nov 25 '15 at 21:03
0

I've been in a similar situation, supporting clients with a particularly rural set of locations.

We re-provisioned some old HP thin clients to boot Linux, and set up automatic SSH and OpenVPN in site-to-site mode, to "phone home".
As long as one of them worked, we'd have a way to connect back to the remote host and use it as a jump-box.

This worked quite well, and would keep retrying if the connection was lost for any reason. We also ran smokeping there to keep an eye on the performance to other sites, and to the internet at large. This helped to identify causes for latency.

These days you'd probably use a raspberry pi, or a VM if the remote site has a VM server. Either way, the device should be small and easy to ignore. Our thin clients got shoved into the back of a cabinet and I bet many of them are still running.

Criggie
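
The "phone home" approach in the answer above (and the tunnel to a server under your control suggested in the first answer), sketched as a retrying reverse SSH tunnel. This is an added example, not code from either answerer; the relay hostname, account, port and key path are placeholders, and it assumes a relay with a public IP running OpenSSH 7.8 or later (for `permitlisten`).

```shell
#!/bin/sh
# Added example: outbound "phone home" reverse SSH tunnel with retry.
# Hostname, user, port and key path are placeholders, not from the thread.
RELAY_HOST="${RELAY_HOST:-relay.example.net}"  # public server you control
RELAY_USER="${RELAY_USER:-tunnel}"             # unprivileged, no-shell account
RELAY_PORT="${RELAY_PORT:-2222}"               # loopback port on the relay
KEY_FILE="${KEY_FILE:-/etc/phonehome/id_ed25519}"
SSH_BIN="${SSH_BIN:-ssh}"

# On the relay, pin what this key may do in ~tunnel/.ssh/authorized_keys:
#   restrict,port-forwarding,permitlisten="127.0.0.1:2222" ssh-ed25519 <PUBLIC-KEY>

# Open the tunnel: relay 127.0.0.1:$RELAY_PORT -> this host's sshd on port 22.
start_tunnel() {
    "$SSH_BIN" -N -T -i "$KEY_FILE" \
        -o BatchMode=yes \
        -o StrictHostKeyChecking=yes \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 \
        -o ServerAliveCountMax=3 \
        -R "127.0.0.1:${RELAY_PORT}:127.0.0.1:22" \
        "${RELAY_USER}@${RELAY_HOST}"
}

# Double the retry delay, capped at 300 seconds.
next_delay() {
    d=$(( $1 * 2 ))
    if [ "$d" -gt 300 ]; then d=300; fi
    echo "$d"
}

# Keep the tunnel up forever; back off while the link is down.
phone_home() {
    delay=5
    while :; do
        started=$(date +%s)
        start_tunnel || true
        # A session that lasted a minute was healthy, so reset the backoff.
        if [ $(( $(date +%s) - started )) -ge 60 ]; then delay=5; fi
        sleep "$delay"
        delay=$(next_delay "$delay")
    done
}

# Only start the loop when invoked as: phonehome.sh run
case "${1:-}" in run) phone_home ;; esac
```

Because the forward is bound to the relay's loopback address, the site's SSH port is reachable only from a session on the relay itself and is never exposed to the internet.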
-2

Install TeamViewer on a PC in your network. Access remotely. Make sure to set up TeamViewer with a password. TeamViewer is free.

  • This is not what was originally asked for. And as a "solution", it is flimsy in stability at best. The customer's servers need to rely on the uptime of a workstation running a desktop environment. – Anders Feb 18 '19 at 12:52