PC Pro

STEVE CASSIDY

This month, Steve introduces “the NAT pack” before outlining how to work from home – despite your connection provider.

I’m intolerant of the usual approach to router and connection faultfinding. No, really. Even someone with my sweet and reasonable outlook can become sarcastic and spiteful after long enough on hold. But don’t settle back for a merry tale of quips to call centre operatives because the world has changed. What used to be a game of phone tag and discount negotiation now has some real teeth: you need to work from home, leave enough bandwidth for streamed movies, pick the cheapest deal and get tech support out of departments almost totally denuded of staff. That’s a proper and worthy challenge.

So I’m asking you, please, to be careful before you follow advice on the internet connection support forums. As a case in point, let’s start with one from Virgin Media (read along at pcpro.link/314virgin). This isn’t to paint Virgin Media as a poor example – I don’t think it’s any better or worse than other big-name ISPs – but to take general note of the depressing and unhelpful difficulties people get into as they assemble their case for appealing for help.

In this particular example, Matt is trying to run a server for a game but is having problems with NAT: it’s showing as Moderate when he wants it to be Open. He’s clearly a technical guy, being familiar with terms such as DMZ and static IP addresses, but he’s also typical of this type of forum-based query. He brings together an incomplete summary of the fault behaviour or the equipment involved, along with a heavy dose of not very useful emotions springing from the nature of consumer rights, and the one-sidedness of contract law when it comes to changes being made to a service you pay for every month.

No! Don’t be drawn in! That’s half of my point here. What you read in support forums like this is almost entirely about the losers: once someone gets the right idea (or the right help), they stop posting. And, as a result, the advice, and the poster’s original complaints, quickly fall out of date.

This is because, based on a quick skim of connection support forums, everyone assumes a number of fixed and constant factors involved in the setup of your connection, your account and your router. In the case here, those fixed factors include a consistent set of router features, with port-forwarding, UPnP and domestic user time-based controls to keep their little darlings in bed and off Snapchat. Plenty of support forum threads leave you with the impression that these are current feature sets, and that the service still includes those options as part of the offering.

These web pages are timeless. People don’t want to spend their days marking out-of-date information as superseded, nor making a rat’s nest of links to take you to the most up-to-date information. If you’re inclined to think about the router and internet connection game as being about immutable standards, diluted on their way to the customer, the endless labyrinth of support forum threads all with the wrong end of the stick could become pretty dispiriting.

This is particularly true now, because many problems stem from the demands of a work VPN: it wants a completely open, bidirectional route across the internet, from its gateway to your router and thence on to your PC or laptop. There are lots of people finding out, even now, that they cannot meet those demands… but all they know is that their VPN doesn’t work properly.

It seems a little cruel to say it, but it’s no longer possible to guarantee the kind of home internet service that will give you a functioning VPN with every possible make and model of head-office firewall. For one thing, we ran out of addresses a few years back. If there aren’t enough addresses to go round, even if you make use of CIDR and other network subdivision trickery so each household seems to occupy only one unique address, some people are going to end up in a backwater: a network provider’s private address pool, which suffers some damaging limitations when it comes to being globally unique or routable from any random model of business firewall.

In effect, the ISP reserves the right to roll forward on your assumed traditional configuration, taking the role of your NAT-capable router to itself and retreating with it to the data centre. You lose the ability to provide port-forwarding instructions, because where before your router only handled your home traffic, now the router it’s running is doing everything for a vast and undefined swathe of similar home connectors.

Mirage addresses

Actually, it’s much worse than that. Sometimes you might see routers whose IPv4 configuration appears to drive a coach and horses through every rule you thought you knew. Devices whose default gateway isn’t in the same subnet are my favourite example of this approach. In effect, the ISP has taken over as not just the owner and manager of the NAT config, but also as the presenter of the IPv4 configuration. This is because those IP addresses you can see for the hops between you and the outside world are mirage addresses, being presented by a completely invisible set of connection devices, not talking IPv4 to one another at all. What you see on “your” router configuration or traceroute in that case is a bit like a TV picture: the generated image bears no relation to the encoding or the transmission or the power required to get to your device. Much of the internet is like this now, irrespective of what you think you see as a user with an IPv4 connection; what you see is a mirage, a stuck-up picture that doesn’t describe what’s happening to your packets with any accuracy.

But do not treat that as a get-out clause from my earlier advice! Yes, one might deduce from this that the ISPs could, via fakery, emulate any kind of traffic pattern that takes their fancy. My point is: you don’t really want them doing that. Especially not in lockdown. If ever there’s a time when you want your equipment to be just the same as everyone else’s, proof against helpful repair by blissfully ignorant temporary staff or returning quarantiners, it’s now. Custom hacks at the ISP are not the way forward.

So what is? It’s got to be manageable by your company techies. It’s got to use standard features familiar to your firewall feature lists, and it’s got to allow you to expand the company capability without weeks of fiddling and the risk of permanent downtime. What are the options here?

Option 1: IPv6. It’s been looming over us all for a long time, and the rest of the world has moved quicker than the UK in adopting it as a public protocol (mostly because of our early adopter take-up of IPv4). The problem in using IPv6 to solve all your firewall blues is that it adds at least two major projects to the process.

First, your techies have to implement IPv6 on their servers and firewalls at the least, and possibly all the way across the whole computing estate of the business. That sucks because, while everyone seems confident making statements about how network traffic intelligently routes to use the protocol of the requesting client, I can write a whole year of columns about debugging such situations mainly by turning off v6 and rebooting. So I wouldn’t blame any IT department or outsourcer whose instant response to this idea was a hearty “No!”

The second project is pushing your telecommuters over to a setup where their machines’ IPv4 traffic jumps down an IPv6 wormhole, ending up being given an apparently internal, fixed global address. This is straightforward when you’re working with a large IPv6 broker – such as Andrews & Arnold in the UK or Hurricane Electric in the US – but could produce considerable delays in making your office network v6 ready. Oh, and if you’re cloud-based, you might as well forget it. Changing a whole network layer is a major challenge in a data centre that already has multi-tenant, multi-firewall configurations to maintain.

Option 2: Put TeamViewer on all the work PCs. This isn’t technically a VPN but for very small businesses or those who already have TeamViewer or similar remote desktop products rolled out (say, for bad app support by developers), it bears thinking about. It’s not especially clean, in that you might not want to run it for a whole year of absence, and you might hit difficulties when printing. However, it would let users into their machines in the exact state they left them in, poorly filed documents and all.

If your staff are operating on a one day in, four days out teleworking model then TeamViewer has some appeal – but if they’re not used to the types of delay that inevitably spoil the experience, or they’re reliant on audio, then this will be okay to tide them over but not a realistic long-term proposition. I expect this fix will gradually become more appealing, as competitive pressure builds up in the market of remote-access software over the next few months. Or until people are allowed to go back to normal work.

Option 3: SSL-based VPN. This is a big deal: even the worst home internet connection lets you connect to an SSL-secured banking site, or shopping, or pretty much anything else these days. SSL moves the encrypted or tunnelled traffic inside packets that look like web page data, to the interfering firewalls, routers, backbone switches and so on that make up the modern internet. Everyone wants to pass SSL packets because that’s where the money comes from! SSL is the trading default on the internet.

The take-up of SSL VPN has been a bit slow, though, mainly because you need a lot of surrounding servers to help maintain your SSL certificates, and much of that kind of service is all about the ecommerce connection and identity validation and so forth. If you have a certificate generated for showmethemoney.com, this will probably not be suitable to load on to your firewalls. Few firewall types, in my experience, see how easy it is to generate showmethemoney.net certificates, registered and kept away from the ecommerce activities of the business. That’s a very great shame, because, armed with a suitable private certificate, an SSL firewall, and an army of eager homeworking personnel, this seems – to me, at least – to be the best way out of the current difficulties, and also a good way to show the service providers that leaving us in the lurch is far from a one-sided decision.

cassidy@well.com

@stardotpro Steve is a consultant who specialises in networks, cloud and human resources

[Image] Matt’s original NAT post in the timeless world of the support forum

[Image] Ask Bing for network design diagrams and this is the confusion you get

[Image] Most people keep routers for far too long – a new device can fix many woes

[Image] TeamViewer allows employees to access their PC in the exact state they left it
