Access pfSense behind a cable modem ISP
-
@phdemartin said in Access pfSense behind a cable modem ISP:
How can I solve this problem to get access to an OpenVPN server, for example?
You can't, unless you can set up a tunnel or VPN that terminates somewhere that you can reach. This is an excellent example of why the world should have moved to IPv6 years ago. The IPv4 address shortage is causing ISPs to use NAT, which breaks things like this.
Here's what's happening in Europe, because people haven't moved to IPv6.
The RIPE NCC has run out of IPv4 Addresses
Yep, that's right. There are no more IPv4 addresses available, unless someone sells off their surplus. This is the result of the head-in-the-sand stupidity that has affected so many people. IPv6 has been up & running for years (I've been using it for almost 10 years) and the IPv4 address shortage has been known for a lot longer, yet the world is full of idiots who think we should rely on things like NAT to keep going with IPv4, instead of moving to IPv6. IDIOTS!!!
Don't these ISPs recognize that things like carrier grade NAT are performance killers? Don't the customers understand that sticking with IPv4 limits what they can do with the Internet???
-
I'm assuming the client can't just call their ISP and have them reconfigure their modem in bridge mode?
If not, a few things that should/might work:
- Build a site-to-site tunnel
- If you can get to an SSH server on the inside, you should be able to do some SSH tunneling
- Build a tunnel with HE.net and connect using IPv6
- Have the client configure a standalone router with an OpenVPN client and build a site-to-site tunnel using the standalone router
- Configure a remote access server on the server-side, have the client connect to the remote access server from a PC on the remote-end, enable routing on the PC, configure a CSO telling the server-side which network is behind the client
- Connect the client-side pfSense box to a VPN provider and use port forwarding to access pfSense.
- Possible shot in the dark workaround... I have no idea if this would work, but with some creative routing... you may be able to leverage TeamViewer's VPN feature to access pfSense on the remote-end.... maybe
-
@marvosa said in Access pfSense behind a cable modem ISP:
I'm assuming the client can't just call their ISP and have them reconfigure their modem in bridge mode?
Is the ISP providing carrier grade NAT? That's the way I read it. If so, then bridge vs gateway mode wouldn't make any difference. On the other hand, if that 190 address was at his modem, then he could use it.
-
In the end, I wrote a simple script to automatically connect my netgear pfSense to a DigitalOcean droplet; now I can access it with a browser at xxx.xxx.xxx.xxx:80 or via ssh at admin@xxx.xxx.xxx.xxx -p 3322.
```sh
#!/bin/sh
# Reverse SSH tunnel from the pfSense box to the DigitalOcean droplet.
# Droplet port 3380 -> pfSense 443 (web GUI), droplet port 3322 -> pfSense 22.
DROPLET=xxx.xxx.xxx.xxx

killall ssh            # drop any tunnel left over from a previous run
sleep 180              # give the WAN / gateway group time to come up after boot
while true; do
    # is the tunnel's listener on the droplet still reachable?
    if ! nc -z -w 5 "$DROPLET" 3380 >/dev/null 2>&1; then
        # stale listeners keep the ports bound on the droplet; free them first
        ssh "root@$DROPLET" fuser -k 3380/tcp
        ssh "root@$DROPLET" fuser -k 3322/tcp
        # blocks while the tunnel is alive and returns when it drops
        ssh -N -o ServerAliveInterval=30 -o ExitOnForwardFailure=yes \
            -R 3380:localhost:443 -R 3322:localhost:22 "root@$DROPLET"
        sleep 30
    else
        sleep 2400     # tunnel is up; check again in 40 minutes
    fi
done
```
It checks the port connection and, if the connection is down, frees the ports on the server and establishes a reverse SSH tunnel for ports 443 and 22.
The script is placed under /usr/local/etc/rc.d/start_reverse_ssh.sh to start automatically.
Of course, you need to put the content of your .ssh/id_rsa.pub certificate in the .ssh/authorized_keys on the DigitalOcean server to enable a passwordless connection.
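A hardened variant of the reverse-tunnel approach in this post, added here as an example; it is not phdemartin's script and not part of the original thread. It assumes a dedicated unprivileged user `tunnel` on the droplet (shell set to nologin), a client key at `/root/.ssh/id_ed25519` on the pfSense box, and the same placeholder droplet address; ports 3322 and 3380 are the thread's. Instead of dialing in as root and exposing the pfSense GUI on a public droplet port, the forwarded ports bind only to the droplet's loopback, the key in `authorized_keys` is limited to port forwarding on exactly those two ports (`restrict`, `port-forwarding` and `permitlisten`, available from OpenSSH 7.8), and SSH keepalives replace the `fuser -k` cleanup.

```sh
#!/bin/sh
# Added example: hardened reverse SSH tunnel for a pfSense box behind CGNAT.
# Assumptions (not from the thread): droplet user "tunnel" (unprivileged,
# nologin shell), client key /root/.ssh/id_ed25519, and the droplet's
# sshd_config carrying "ClientAliveInterval 30" and "ClientAliveCountMax 3",
# so a dead client's listeners are released without any "fuser -k" pass.

DROPLET="${DROPLET:-xxx.xxx.xxx.xxx}"     # placeholder droplet address
TUNNEL_USER="${TUNNEL_USER:-tunnel}"
KEY="${KEY:-/root/.ssh/id_ed25519}"
GUI_PORT=3380   # droplet 127.0.0.1:3380 -> pfSense 443
SSH_PORT=3322   # droplet 127.0.0.1:3322 -> pfSense 22

# Build the authorized_keys line for the droplet side.
#   restrict        : no pty, no agent/X11 forwarding, no user rc, ...
#   port-forwarding : re-enable forwarding only
#   permitlisten=N  : the key may bind only these remote (-R) ports
# Usage: restricted_key_line "<public key line>" 3322 3380
restricted_key_line() {
    pubkey=$1
    shift
    opts="restrict,port-forwarding"
    for port in "$@"; do
        opts="$opts,permitlisten=\"$port\""
    done
    printf '%s %s\n' "$opts" "$pubkey"
}

# Dial the tunnel and redial whenever it drops. ServerAliveInterval makes ssh
# exit when the link dies (a pfSense gateway-group failover included), so the
# loop itself is the health check; ExitOnForwardFailure refuses a session whose
# ports could not be bound instead of silently running without them.
run_tunnel() {
    while :; do
        ssh -N -i "$KEY" -o BatchMode=yes \
            -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
            -o ExitOnForwardFailure=yes \
            -R "127.0.0.1:$GUI_PORT:localhost:443" \
            -R "127.0.0.1:$SSH_PORT:localhost:22" \
            "$TUNNEL_USER@$DROPLET"
        sleep 30
    done
}

# "run" starts the tunnel loop; "key" prints the authorized_keys line to
# install on the droplet for this box's public key.
case "${1:-}" in
    run) run_tunnel ;;
    key) restricted_key_line "$(cat "$KEY.pub")" "$SSH_PORT" "$GUI_PORT" ;;
esac
```

With the ports bound to the droplet's loopback, `GatewayPorts` can stay at its default of `no`, and the pfSense services are reached through a normal admin login on the droplet rather than from the open internet: `ssh -J admin@xxx.xxx.xxx.xxx -p 3322 admin@127.0.0.1` for the pfSense shell, or `ssh -L 8443:127.0.0.1:3380 admin@xxx.xxx.xxx.xxx` followed by https://localhost:8443 for the GUI. When the script is started from the rc.d directory as in the post above, invoke it as `start_reverse_ssh.sh run &` so the redial loop does not hold up the boot.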
-
So you are behind carrier grade NAT then? It's not clear in your posts and I just assumed, based on your comments. When you're asking for help, you should try to provide an accurate picture, so we're not guessing.
-
@JKnott I'm connected to an ISP that doesn't give me an external IP; my coaxial routers have an IP like 192.168.35.xxx. I cannot access it from the web, obviously, so no OpenVPN server or direct SSH is possible.
The technicians from the ISP don't respond to my email and show no intention to port-forward some port to my IP, which anyway is dynamically assigned by the ISP.
So, the simple solution I'm using now is a reverse SSH connection script, as shown in my last post.
The only problem remaining is the fact that, due to the slow connection provided in my fishing village in Chile, I have two parallel WANs in a gateway group, and it looks like that sometimes causes connection problems when establishing the tunnel.
-
@phdemartin said in Access pfSense behind a cable modem ISP:
and show no intention to port-forward some port to my IP
You honestly thought they'd do that? If they did, that means that port wouldn't be available to anyone else. While standard port numbers are used for setting up a connection, the return connection could go to any port number, essentially at random. The only solution to this sort of situation is to move to IPv6. With ISPs like yours, all the customers have to share a pool of addresses, with not a single one for any user. Compare that with what I get from my ISP on IPv6. I get a /56 prefix, which is 2^72 addresses (4.72236648287e+21 decimal). That /56 contains 256 /64s. Each /64 has the entire IPv4 address space squared! Your example is why I get so annoyed at those who will not move to IPv6, despite the need for it.
BTW, since the computer I'm sitting at has been up for over a week, it currently has 8 global addresses. Maybe you should be bugging your ISP to move to IPv6, instead of asking them to assign you a port out of a pool that has to be shared with the other customers.
-
@JKnott For me, they can redirect whatever port they want to my client port 22.
As for IPv6, they are years away from implementing it, but it is the fastest ISP in this place.... :( 15 meg down, 2 up; this is still the third world. (I've got two of those) for a 23-room hotel. :(
-
If you're behind NAT, you're sharing every possible port number with other customers. There are only about 65K of them. If they allocate one to you, then it's not available for any other customer. Now suppose they did the same for other customers? Don't forget, every TCP connection requires a different port number, so if you have several browser windows connected, you're using multiple ports for the return path. Now multiply that by all the other users and you'll understand the problem. On top of that, the port number will have to be specified when you try to access it.
IPv6 has been officially "open" for about 7 years (I've been using it for almost 10). There's no excuse for any ISP to not have it up & running by now.
Incidentally, some of the 3rd world countries are further ahead than the rest of the world, because they had to use it due to lack of IPv4 addresses.
-
Someone above mentioned setting up an IPv6 tunnel. I did that for a few years before my ISP provided IPv6. I could configure it for a prefix, as I did on my home network, or a single address, which I used on my notebook computer. Perhaps that would work for you. It would also provide IPv6 for your guests.