Ok... all important points to understand, and we absolutely rely on and appreciate all your help on running the current AMPRGW solution. Before even jumping to conclusions, we'd need to know if GRE really would be more successful than IPIP. In Brian, N1URO's situation, I'm curious if a Comcast "Business" class service would remove some of these intentional filtering issues.
I don't think it will be an appreciable improvement.

I have experimented with GRE as the tunneling protocol (chosen exactly for this reason) to connect local stations to our Dutch gateway, and at first the results looked promising, but it did not take long before I got to the first case where plain GRE would not work over a consumer NAT router. I think it is (at least here) never caused by intentional ISP filtering; it is just caused by limitations of NAT routers that were designed for typical outgoing TCP and UDP connections only. In the mentioned case the router was not even provided by the ISP, making malice even less likely.
I then changed setup to GRE over IPsec which works fine until now when in NAT-T mode,
but of course this is only suitable for use in a star configuration with connections
initiated from the users to some gateway. Not a replacement for the tunnel mesh.
I heard in Germany L2TP is used, I'm not sure if it is over IPsec or not. Anyway, I use L2TP over IPsec (sometimes over NAT-T) at work; it works over any connection, but here as well it is a star topology.
We also offer OpenVPN connectivity at our gateway, in UDP mode only, and this too is problem-free w.r.t. ISP routers. I don't believe a provider would (or even can?) filter OpenVPN, certainly not when it would be run in TCP mode on port 443.
However, what is common in all these solutions is the star topology where the user behind
the crippled router connects outward to a well-connected system.
Of course we don't want to make the entire network into a star, but it could be an
idea to deploy more regional gateways like our national gateway, that are interconnected
by IPIP tunnels and optionally are BGP-routed on internet, and that offer services like
mentioned above and discussed before in this thread to regional users who for some reason
cannot run IPIP.
It works well here.
It is possible to deploy these on virtual servers that are quite inexpensive these days, certainly when not doing BGP (not all those hosters will offer BGP of a /16 or similar network via their routers, at an affordable price).
In my experience it is possible (although not for "I am not a programmer" types) to get this working well on a Linux box. Setting up the VPN services and routing is quite well described. Setting up a firewall requires some thought and monitoring, see the recent incident with portmap. But this list is available for exchange of such information.
Rob
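The NAT limitation Rob describes, as an added illustration that is not code from the thread or from the AMPRNet gateway: a minimal port-restricted NAT model keyed on transport ports, which has nothing to rewrite for port-less protocols (IPIP proto 4, GRE proto 47, ESP proto 50) but can map an IPsec NAT-T flow because it rides in UDP 4500. All addresses and packets are constructed samples; `PortNat` and `build_ipv4` are hypothetical helper names.

```python
import ipaddress
import struct

PORTLESS = {4: "IPIP", 47: "GRE", 50: "ESP"}  # IP protocols with no transport ports

def build_ipv4(src, dst, proto, payload=b""):
    """Minimal 20-byte IPv4 header (no options, checksum zeroed) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def parse_ipv4(pkt):
    """Return (src, dst, proto, transport bytes) of an IPv4 packet."""
    vihl, _, total, _, _, _, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return (str(ipaddress.IPv4Address(s)), str(ipaddress.IPv4Address(d)),
            proto, pkt[ihl:total])

def udp_header(sport, dport, payload):
    """UDP header (checksum zeroed) plus payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

class PortNat:
    """Consumer-style NAT: state keyed on (proto, inside ip, inside port) only."""
    def __init__(self, public_ip, first_port=40000):
        self.public_ip, self.next_port, self.table = public_ip, first_port, {}

    def outbound(self, pkt):
        """Translate an inside->outside packet, or return None if the NAT cannot."""
        src, dst, proto, l4 = parse_ipv4(pkt)
        if proto in PORTLESS or proto not in (6, 17) or len(l4) < 4:
            return None  # no port field to rewrite or track: router drops it
        sport = struct.unpack("!H", l4[:2])[0]
        key = (proto, src, sport)
        if key not in self.table:  # allocate a distinct public port per inside flow
            self.table[key] = self.next_port
            self.next_port += 1
        return build_ipv4(self.public_ip, dst, proto,
                          struct.pack("!H", self.table[key]) + l4[2:])

def demo():
    """Plain GRE is dropped; ESP wrapped in UDP 4500 (NAT-T) gets a mapping."""
    nat = PortNat("198.51.100.7")                         # constructed public address
    gw = "203.0.113.1"                                    # constructed gateway address
    gre = build_ipv4("192.168.1.10", gw, 47, b"\x00\x00\x08\x00")  # GRE carrying IPv4
    natt = build_ipv4("192.168.1.10", gw, 17, udp_header(4500, 4500, b"\x00" * 8))
    return nat.outbound(gre), nat.outbound(natt)
```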