4G double NAT - Expose home LAN machine?
I would like to expose a machine on my internal network so my Linode can make a connection to the LAN machine. Or, another way, can I use my Linode to give the LAN machine a publicly routable IP address?
My WAN is (EE) 4G IPv4, dynamic and behind NAT (multiple).
I'm just asking whether or not this is possible and, perhaps, for a pointer to what I need to learn about… is this a use case for OpenVPN, SSH tunnels, magic firewall trickery, or is it just impossible?
Traceroute to my Linode shows multiple 10.n.n.n hops. So 7 hops of NATs.
1 router.lan (192.168.1.1) 0.256 ms 0.333 ms 0.403 ms
2 * * *
3 10.248.29.217 (10.248.29.217) 47.976 ms 47.945 ms 47.953 ms
4 10.247.83.27 (10.247.83.27) 49.989 ms 49.891 ms 49.959 ms
5 * * *
6 10.247.83.9 (10.247.83.9) 49.787 ms 48.460 ms 48.277 ms
7 10.247.83.18 (10.247.83.18) 48.365 ms 33.155 ms 48.923 ms
8 87.237.20.228 (87.237.20.228) 48.902 ms 46.915 ms 46.970 ms
9 87.237.20.77 (87.237.20.77) 50.986 ms 50.902 ms 50.956 ms
10 195.66.225.73 (195.66.225.73) 50.857 ms 50.693 ms 47.464 ms
11 if-3-22.router1-lon1.linode.com (109.74.207.17) 49.954 ms if-3-17.router2-lon1.linode.com (109.74.207.13) 50.109 ms 49.839 ms^C
Many thanks in advance,
Mike
7 Replies
✓ Best Answer
> I would like to expose a machine on my internal network so my Linode can make a connection to the LAN machine. Or another way, can I use my Linode to give the Lan machine a public routable ip address.
This is generally not possible if you're using an ISP. Most ISPs assign WAN addresses using DHCP(6)…from a designated pool of addresses. Consequently, your ISP (EE…owner of 87.237.16.0/21) may not give your router the same WAN address each time it connects.
If you can guarantee (i.e., you pay EE lots more) that everything about your setup with them will result in static IP addresses, you're golden. Until you can do that, you're out of luck.
Of course, maybe I've misjudged your tolerance for pain here…but doubt it…
-- sw
P.S. You're also going to be in a world of hurt if Avensys Networks Ltd (owner of 195.66.225.73) changes the IP address of this router. DANGER WILL ROBINSON! Ditto for EE's router at 87.237.20.77.
> Of course, maybe I've misjudged your tolerance for pain here…but doubt it…
I think you have judged my tolerance for pain perfectly, and I thank you for giving a pragmatic answer ;-) A static IP is not affordable for a home user, and I'm stuck with 4G.
> P.S. You're also going to be in a world of hurt if Avensys Networks Ltd (owner of 195.66.225.73) changes the IP address of this router. DANGER WILL ROBINSON! Ditto for EE's router at 87.237.20.77.
Yep, the routing changes frequently - the Avensys IP seems to change frequently. EE's routing changes day to day. I live in Northern Scotland and think civilisation stops at Carlisle.
I can achieve my objective the other way (home pushes up to Linode) but I had hoped to start 'home lab' so will now concentrate on 'LinodeOLab' instead.
I'll step over this rabbit hole meantime; Alice's Wonderland of advanced networking can wait ;-)
Thanks Sevewi!!
I have my Linode in the /etc/hosts file of every machine on my home LAN:
xxx.xxx.xxx.xxx domain.com mail.domain.com www.domain.com dave
xxxx:xxxx::xxxx:xxxx:xxxx:xxxx domain.com mail.domain.com www.domain.com dave
So, it appears that my Linode is part of my home network…even though it's really not. I've been operating this way for nearly 10 years. I really haven't found any problems with it.
Even if you don't have DNS in your home network (why would you?), programmatic name resolution works just fine with just /etc/hosts entries.
-- sw
Yep, I do have dnsmasq running, so getting TO my Linode is not an issue. My IoT stuff will just have to speak to the Linode via an API, which is easy enough, and servers will have to be cloud based.
I would have liked to have my own www/mail/. servers at home, but there seems to be no way to get a publicly routable IP so they would be publicly addressable (short of paying EE for static). I did this when on landline ADSL using DynDNS - dead easy - but I'm 7 miles from the exchange on overhead copper, no hope of fibre (dial-up was quicker). Now I have EE 4G with good bandwidth but no public IP.
I had wondered if my Linode (used for other stuff) could double up as a magic, super easy VPN-ish proxy thing that would make the EE NATs mysteriously transparent.
Hopefully, IPv6 will save the day eventually.
Cheers SW!!
The number of RFC 1918 IP addresses in traceroute doesn't necessarily have anything to do with NAT, or how many "layers" of NAT you're using. Sometimes ISPs assign such IPs to their routers to conserve public IPv4 IPs or for other reasons.
Some Linode data centers (Atlanta in the example below) do so, and they're not using NAT at all!
$ mtr -4brwc 3 example.com
Start: 2022-01-19T18:19:43+0000
HOST: ultimate Loss% Snt Last Avg Best Wrst StDev
1.|-- gw-li1940.linode.com (172.105.134.1) 0.0% 3 0.2 0.2 0.1 0.2 0.0
2.|-- 10.204.64.6 0.0% 3 1.6 0.7 0.3 1.6 0.8
3.|-- 10.204.32.6 0.0% 3 5.6 2.4 0.4 5.6 2.8
4.|-- 10.204.32.71 0.0% 3 0.4 0.7 0.4 1.5 0.6
5.|-- atl-b24-link.ip.twelve99.net (62.115.190.68) 0.0% 3 0.6 0.6 0.6 0.7 0.0
6.|-- verizon-ic321840-atl-b24.ip.twelve99-cust.net (213.248.84.159) 0.0% 3 1.5 1.9 1.3 2.9 0.9
7.|-- ae-66.core1.agb.edgecastcdn.net (152.195.81.131) 0.0% 3 1.1 1.1 1.1 1.1 0.0
8.|-- 93.184.216.34 0.0% 3 1.6 0.8 0.3 1.6 0.7
So you might want to find another way to confirm how your network is set up… but it is pretty common for mobile networks to use double NAT and otherwise be difficult to work with.
It should be possible to set up some kind of VPN to allow your Linode to connect to your home computers. It might not be easy or efficient, but it should be possible.
I don't want to sound like a shill, but maybe check out Tailscale. It's a WireGuard-based VPN with end-to-end encryption but centralized control. It's pretty good at punching through NATs, and if it can't, it can relay traffic through proxy servers. (Again, the proxy servers can't decrypt your traffic, just move it around.)
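An added check for the point made in the reply above (not code from any poster in this thread): the script parses the traceroute from the question or an mtr -w report, labels each hop as RFC 1918, RFC 6598 shared space or public, and then answers the "am I behind carrier-grade NAT?" question from the router's own WAN address rather than from the hop list. The sample hop list is constructed from the traceroute in the question; the function and label names are my own.

```python
import ipaddress
import re
# RFC 1918 private space and RFC 6598 shared address space (carrier-grade NAT).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")
# An IPv4 address in parentheses (traceroute, mtr -b) or bare (mtr lines with no hostname).
PAREN_IP = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")
BARE_IP = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# Constructed from the traceroute posted in the question above (one address per hop).
SAMPLE_TRACEROUTE = """\
1 router.lan (192.168.1.1) 0.256 ms 0.333 ms 0.403 ms
2 * * *
3 10.248.29.217 (10.248.29.217) 47.976 ms 47.945 ms 47.953 ms
4 10.247.83.27 (10.247.83.27) 49.989 ms 49.891 ms 49.959 ms
5 * * *
6 10.247.83.9 (10.247.83.9) 49.787 ms 48.460 ms 48.277 ms
7 10.247.83.18 (10.247.83.18) 48.365 ms 33.155 ms 48.923 ms
8 87.237.20.228 (87.237.20.228) 48.902 ms 46.915 ms 46.970 ms
9 87.237.20.77 (87.237.20.77) 50.986 ms 50.902 ms 50.956 ms
10 195.66.225.73 (195.66.225.73) 50.857 ms 50.693 ms 47.464 ms
11 if-3-22.router1-lon1.linode.com (109.74.207.17) 49.954 ms
"""

def classify(address):
    """Label an address by the space it comes from; a 10/8 hop only proves the ISP uses RFC 1918 internally."""
    ip = ipaddress.ip_address(address)
    if ip in CGNAT:
        return "cgnat-shared"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    return "public"

def parse_hops(output):
    """Return [(hop, address or None, label)] for traceroute or mtr -w output; header lines are skipped."""
    hops = []
    for line in output.splitlines():
        m = re.match(r"\s*(\d+)", line)
        if not m:
            continue
        found = PAREN_IP.search(line) or BARE_IP.search(line[m.end():])
        addr = found.group(1) if found else None
        hops.append((int(m.group(1)), addr, classify(addr) if addr else "no-reply"))
    return hops

def wan_check(router_wan_ip):
    """Answer 'am I behind carrier-grade NAT?' from the router's WAN address, not from the hop list."""
    label = classify(router_wan_ip)
    if label == "public":
        return "direct: the router holds a public address, so port forwarding can work"
    return f"{label}: the ISP translates again upstream, so inbound port forwarding cannot reach this router"
```

The five 10/8 hops in the question are only EE's internal addressing; running wan_check on the address the 4G router shows on its WAN side (a 100.64.0.0/10 or 10/8 address there means carrier-grade NAT) is the confirming test the reply asks for.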
> I would have liked to have my own www/mail/. servers at home but there seems to be no way to get a public routable IP so they would be publicly addressable (short of paying EE for static).
I have a mail server at home…for testing sieve plugins mostly. It routes mail directly to my mail server on my Linode using just postfix configuration. Ditto for a web server using redirects.
I use Google for all my IoT stuff (which comes from Google anyway -- Nest thermostats and smoke/CO detectors). I suppose I could talk to my Nest thermostats & smoke detectors from my Linode but I just haven't found the need to do that…
-- sw
> I don't want to sound like a shill, but maybe check out Tailscale. It's a WireGuard-based VPN with end-to-end encryption but centralized control. It's pretty good at punching through NATs, and if it can't, it can relay traffic through proxy servers. (Again, the proxy servers can't decrypt your traffic, just move it around.)
Thank you. I will check this out. I know for sure I am behind multiple NATs, but I'm no network expert; I can only do the easy stuff. A few years ago, I did buy my 4G through a reseller who claimed to be able to give me a static IP over VPN, or at least be able to push ports through. They failed totally: it would work for exactly 4 hours, then the routing changed (according to them). My current thought is to skill up a bit before attempting it myself; I just do not know enough about VPNs or networking in general. My internal network is simple but it is secure, likewise my Linode. I will investigate Tailscale for sure ;)
> I use Google for all my IoT stuff (which comes from Google anyway -- Nest thermostats and smoke/CO detectors). I suppose I could talk to my Nest thermostats & smoke detectors from my Linode but I just haven't found the need to do that…
My IoT stuff is all home brewed; it's a bit of an obsession. I use it to control the house and gardens, pumps, outside lighting and a whole raft of other stuff. I use micros to get data from heating, detectors and weather stations, and (too) many Raspberry Pis. I also have projects at neighbouring farms which I feed into my internal network. My big problem is I cannot interact with any node from outside my network. I guess this is probably good for security but not for convenience. I like to cloud store some of my data, hence the Linode, and am part way through building a webapp for it all.
I'm rebuilding the whole network after Storm Arwen took a building, so this is why I wondered if it would be easy enough to do some trickery to have one bastion machine exposed. I have already built a small API that will sit on the Linode and accept data from the bastion (like an MQTT broker). The aim is to make a web app accessible from anywhere. The problem still remains of how to send a command from the internet into the LAN via an API, but I have a few ideas.
Thanks to all for the replies. I'll stick with an API and make that work (I can do that properly and securely-ish). I think playing with networks I do not understand is just going to be dangerous.
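The outbound-initiated VPN the replies above mention, written out as an added example that is not configuration from any poster or from Linode: a WireGuard hub on the Linode with the home bastion dialling out to it, so the bastion becomes reachable from the Linode without any port being forwarded on the 4G router. Assumed values: LINODE_PUBLIC_IP, the tunnel subnet 10.8.0.0/24, the bastion's LAN interface eth0, the 192.168.1.0/24 LAN from the question, and placeholder keys.

```ini
# ---- /etc/wireguard/wg0.conf on the Linode (hub) ----
# It never dials out. It waits for the bastion to connect and learns the
# bastion's current NAT endpoint from whatever source address the packets carry.
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
# placeholder: generate with `wg genkey`
PrivateKey = <LINODE_PRIVATE_KEY>

[Peer]
# The home bastion. AllowedIPs is both the route and an allow-list: packets
# from this key are only accepted if their source is inside it.
# placeholder public key of the bastion
PublicKey = <BASTION_PUBLIC_KEY>
AllowedIPs = 10.8.0.2/32, 192.168.1.0/24
# No Endpoint here: the bastion sits behind carrier-grade NAT and has no stable address.

# ---- /etc/wireguard/wg0.conf on the home bastion (e.g. a Raspberry Pi) ----
[Interface]
Address = 10.8.0.2/24
# placeholder: generate with `wg genkey`
PrivateKey = <BASTION_PRIVATE_KEY>
# Forward tunnel traffic onto the LAN; requires net.ipv4.ip_forward=1 on this host.
# MASQUERADE means LAN hosts reply to the bastion's own LAN address, so no static
# route has to be added on the 4G router.
PostUp = iptables -A FORWARD -i wg0 -o eth0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -o eth0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# placeholder public key of the Linode
PublicKey = <LINODE_PUBLIC_KEY>
# The only side with a reachable address; assumed value.
Endpoint = LINODE_PUBLIC_IP:51820
AllowedIPs = 10.8.0.0/24
# An outbound UDP packet every 25 s keeps the NAT mapping alive, so the Linode's
# packets keep finding their way back through the carrier's translators.
PersistentKeepalive = 25
```

If only the bastion itself needs to be reachable, drop 192.168.1.0/24 from the Linode's AllowedIPs and the PostUp/PostDown forwarding rules, which keeps a compromised Linode from seeing the rest of the LAN.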