How can I have a server even if my ISP blocks incoming requests to my IP?

1

I have a home network with a 3G Modem that provides internet. I just put in some security cameras and I'd like to access them remotely. The camera system comes with a free DDNS service and I've got it all set up (at the provider, in my camera system, and port forwarding set up in my router). But, when I tried to access it using the DDNS address, I started to realize that my ISP is blocking traffic from outside to inside. I went to http://mypublicip.com and got the IP. I tried pinging the IP and got no replies:

PING 186.2.136.123 (186.2.136.123): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2

HOWEVER, I also have some WeMo devices in the house that I can control remotely. I think the WeMo devices are somehow calling out to a remote server to maintain a connection in order to receive commands.

So, my question has two parts:

  1. Is there a way to make my port forwarding and DDNS solution work with my security system even though my ISP wants to make it hard for me to do?
  2. If not, is there a way to do what I want to do that might be somewhat similar to how the WeMo devices work remotely?

Byron

Posted 2012-10-07T16:00:00.463

Reputation: 205

2 – You're all over the place man, bad assumptions of protocols and function. I wish I could help, I just don't have the mental strength, lol. – SpacemanSpiff – 2012-10-07T16:01:33.330

2 – Get a real ISP. As written, you're on a residential, consumer-grade ISP. Put a server in a local co-location facility and you'll have no issues. – EEAA – 2012-10-07T16:04:55.810

Do you have a flat rate, or is your ISP charging you for consumed traffic? – Serge – 2012-10-07T16:15:12.310

Answers

2

First, Ping drops don't mean that your provider is blocking you. This means that ICMP is turned off (in your router or theirs), being blocked, or being dropped. A timeout indicates either a drop or ICMP is off. You may want to check settings in your router to see if you have ICMP shut off. Next, you could build a VPN server in your network. Using the IP address to get back to the VPN server, any computer that connects would look like a computer IN your network to your network.

Giving you instructions on how to build a VPN server is outside the scope of an answer. There are MANY sets of instructions all over the web. A good source of direction for VPN tunnels, SSH tunnels, and proxies is Hak5. They give directions on how to do these things for both Windows and Linux.

Just because ICMP traffic doesn't work doesn't mean that all inbound traffic is blocked.

Let me know if you have any other questions.

Everett

Posted 2012-10-07T16:00:00.463

Reputation: 5 425

The solution was to set up my router to connect to a remote VPN, and then connect my devices to the same VPN so that they see each other as if on the local network. – Byron – 2012-10-08T22:55:43.183

4

  1. Doubtfully. Often providers NAT mobile clients behind a single or a set of IP addresses. In such a scenario you don't have any kind of externally visible IP address, so your port forwarding rules won't work, because your forwarding appliance never sees the packet it should be forwarding.

    Sometimes though, providers also offer a different kind of (usually a business) mobile plan, which enables an externally visible (though rarely static) IP address. This is achieved by using a different APN on the mobile device, and equally often it's more expensive to use such a plan.

  2. One way to achieve this would be to place an always-on workstation inside your local network and run a service such as TeamViewer or Log Me In on it. Such services maintain a client connection to the service provider's servers, which enables them to work around NAT etc. restrictions.

por

Posted 2012-10-07T16:00:00.463

Reputation: 271
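A way to check for the provider-side NAT described in the answer above, as an added example that is not part of the original post: compare the address on the router's WAN interface with the address an outside service reports. The router WAN addresses below are constructed samples; 186.2.136.123 is the public address quoted in the question.

```python
import ipaddress

# RFC 6598 shared address space, reserved for carrier-grade NAT.
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")


def classify_wan(router_wan_ip, observed_public_ip):
    """Compare the router's WAN address with the address seen from outside.

    Returns (verdict, directly_addressable). Port forwarding on the home
    router can only work when directly_addressable is True, and even then
    the ISP may still filter specific ports.
    """
    wan = ipaddress.ip_address(router_wan_ip)
    seen = ipaddress.ip_address(observed_public_ip)
    if wan.version != seen.version:
        raise ValueError("compare addresses of the same IP version")
    if wan in CGNAT_NET:
        return ("carrier-grade NAT (RFC 6598 address on WAN)", False)
    if wan.is_private:
        return ("private address on WAN: another NAT sits upstream", False)
    if wan != seen:
        return ("WAN address differs from public address: translated upstream", False)
    return ("WAN address is the public address", True)


def report(samples):
    """Classify several (router_wan_ip, observed_public_ip) pairs."""
    return {wan: classify_wan(wan, seen) for wan, seen in samples}


if __name__ == "__main__":
    public_ip = "186.2.136.123"  # from the question
    # Constructed WAN addresses as a router status page might show them.
    samples = [
        ("10.54.3.7", public_ip),
        ("100.72.1.9", public_ip),
        ("186.2.136.123", public_ip),
    ]
    for wan, (verdict, ok) in report(samples).items():
        print(f"{wan:15} forwardable={ok!s:5} {verdict}")
```

If the WAN address is private or in 100.64.0.0/10, the forwarding rules on the home router never see inbound packets, which leaves the outbound-initiated options (VPN, relay service) from the answers.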

2

Your modem in your house, if it's giving your devices a 192.168.x.x address, and doing NAT, those devices can't be reached from the outside unless you expose the port in question so that incoming packets get routed to the proper device.

I had a similar problem with a Kodak esp 3.2 printer that is supposed to be cloud ready but connects via wireless. My ancient WTR54G wireless router assigns a 192.168.x.x address and the printer can't be reached from outside.

The fix was to install DD-WRT software into the wireless router, assign some real IPs to be handed out, and nail up the IP for the printer so that the printer would always be reachable via that IP.

I run an ISP and we provide Unix shell accounts with ssh and NX so if you need something that will do port forwarding, that's an alternative but if your router's handing out internal addresses and NAT'ing one IP to them, you have to configure it either to hand out a real externally reachable IP (as I did) or hardwire the particular port to that device so the router knows which device to hand incoming packets to for that port.

If you need a Unix shell account with ssh and the ability to set up port forwarding, see www.eskimo.com.

Robert Dinse

Posted 2012-10-07T16:00:00.463

Reputation: 21