Ezio

macrumors newbie
Dec 17, 2009
22
0
Any solutions for me guys? I haven't got an iMac. Oh and changing the MAC address doesn't make a difference, they are doing something to monitor my NAT device (router).

Anyone know how to do this?
It would be possible to defeat this detection technique by creating a NAT gateway that didn't decrement the IP TTL.

This might help.

Thanks :)
 

lostngone

macrumors 65816
Aug 11, 2003
1,431
3,804
Anchorage
Any solutions for me guys? I haven't got an iMac. Oh and changing the MAC address doesn't make a difference, they are doing something to monitor my NAT device (router).

Anyone know how to do this?
It would be possible to defeat this detection technique by creating a NAT gateway that didn't decrement the IP TTL.

This might help.

Thanks :)

Get a used Cisco PIX 501. Just make sure it has a halfway current IOS on it.
 

Ezio

macrumors newbie
Dec 17, 2009
22
0
Get a used Cisco PIX 501. Just make sure it has a halfway current IOS on it.

What is that? And what will it do to help? Sorry for sounding like an idiot but I have no clue what that is.

I'm sure there is an easy way around it as I can see many other routers performing in the halls that I live in.

Your best bet is to set up some type of proxy or get a firewall that will not decrement the TTL on all NAT'ed packets.

Is this something easy to do?
I think Mingoglia mentioned something about installing Squid? Would that help?

I have a Linksys if that helps.
 

yg17

macrumors Pentium
Aug 1, 2004
15,028
3,003
St. Louis, MO
Get a used Cisco PIX 501. Just make sure it has a halfway current IOS on it.

What the hell does he need a Cisco firewall for? Talk about overkill.

Having worked in university IT and dealing with this exact problem, the reason for blocking NAT routers is simple: Too many students hook them up incorrectly and do stupid crap like plug one of the router's switched ports into the wall jack instead of the WAN port. What happens is other computers on the dorm network start getting IPs from your router's DHCP server, instead of the university's DHCP server, and because the student's router is not properly hooked up or configured, other students aren't able to get online. Depending on how the network is designed, your $30 Linksys router can take down an entire dorm network. If they have fairly small subnets (one for every 2 or 3 floors, like the university I worked at) you won't take down the dorm network, but you can knock out that subnet and create a huge inconvenience for other students and the IT staff. And it happened all the time.

There's a quick and easy solution: Disable DHCP and NAT in the router so it is effectively just a switch, or buy a switch, and plug the switch into the wall. All of the devices you plug into a switch will get their IPs from your university's DHCP server and everybody's happy.

Now, if his university only allows each student one connection at a time and disallows routers, he's pretty much screwed, but the above solution worked at my university and any other university that blocks routers but will allow a student more than one device.
 

NiMiK

macrumors newbie
Dec 13, 2009
4
0
Have you tried logging into the Linksys and cloning your iMac's MAC address? Might be worth a shot. Your ISP will see your MAC address that's set up in the router. BTW, what modem do you have?
 

Ezio

macrumors newbie
Dec 17, 2009
22
0
What the hell does he need a Cisco firewall for? Talk about overkill.

Having worked in university IT and dealing with this exact problem, the reason for blocking NAT routers is simple: Too many students hook them up incorrectly and do stupid crap like plug one of the router's switched ports into the wall jack instead of the WAN port. What happens is other computers on the dorm network start getting IPs from your router's DHCP server, instead of the university's DHCP server, and because the student's router is not properly hooked up or configured, other students aren't able to get online. Depending on how the network is designed, your $30 Linksys router can take down an entire dorm network. If they have fairly small subnets (one for every 2 or 3 floors, like the university I worked at) you won't take down the dorm network, but you can knock out that subnet and create a huge inconvenience for other students and the IT staff. And it happened all the time.

There's a quick and easy solution: Disable DHCP and NAT in the router so it is effectively just a switch, or buy a switch, and plug the switch into the wall. All of the devices you plug into a switch will get their IPs from your university's DHCP server and everybody's happy.

Now, if his university only allows each student one connection at a time and disallows routers, he's pretty much screwed, but the above solution worked at my university and any other university that blocks routers but will allow a student more than one device.

The ISP disallows routers, but disabling DHCP and NAT may work......
I have got past this before but I can't figure out how, and it's not as if it is impossible as other people around me have routers. So it can be done, it's just whether they have clocked my specific router or not?

Have you tried logging into the Linksys and cloning your iMac's MAC address? Might be worth a shot. Your ISP will see your MAC address that's set up in the router. BTW, what modem do you have?

I've tried cloning the MAC address. It worked last year when I was at the same place, but not now from what I think, as I did fiddle around with that at the start and it worked; however, with the problem happening again it must not be because of the MAC address but something else that I did.

The Internet does go through the router, it's just that they block me using it, as my router says that it should be working.

Modem? I plug it straight into a wall......that help?


Thanks for the help guys, really thankful.
 

lostngone

macrumors 65816
Aug 11, 2003
1,431
3,804
Anchorage
What the hell does he need a Cisco firewall for? Talk about overkill.

If you read the entire thread you will see that they are shutting his connection down because he is using a NAT router. There are a few ways they can scan for this: one way is to record MAC addresses, the other is OS fingerprinting and watching the TTL on packets. The reason I told him to get a 501 is that it is fairly cheap (around 100) and it has the option to not decrement the TTL on packets that it passes. There may be a cheaper product that does this but I don't know of any.
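
The TTL, OS-fingerprint and MAC checks named in the post above, sketched from the network operator's side as an added example (not code from the thread or from any product mentioned in it). The port names, MAC addresses, the `MAX_NAT_HOPS` threshold and the "at least half of packets" rule are constructed assumptions.

```python
from collections import defaultdict

# Common initial TTLs: 64 (Linux/macOS), 128 (Windows), 255 (many network devices).
INITIAL_TTLS = (64, 128, 255)
# Assumption: a NAT box adds only a few hops; a larger gap is more likely a
# traceroute-style probe than evidence of a router.
MAX_NAT_HOPS = 3

# Constructed observations at the first-hop access switch: (port, source MAC, IP TTL).
SAMPLE_PACKETS = [
    ("Gi1/0/1", "00:11:22:33:44:01", 64),   # directly attached host
    ("Gi1/0/1", "00:11:22:33:44:01", 64),
    ("Gi1/0/1", "00:11:22:33:44:01", 1),    # traceroute probe, ignored
    ("Gi1/0/2", "00:11:22:33:44:02", 63),   # 64 - 1: one routed hop behind the port
    ("Gi1/0/2", "00:11:22:33:44:02", 127),  # 128 - 1: second OS family, same MAC
    ("Gi1/0/2", "00:11:22:33:44:02", 63),
    ("Gi1/0/3", "00:11:22:33:44:03", 128),  # plain switch: two MACs, TTLs intact
    ("Gi1/0/3", "00:11:22:33:44:04", 64),
]

def infer_initial_ttl(ttl):
    """Return (assumed initial TTL, hops already taken) for an observed TTL."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial, initial - ttl
    raise ValueError(f"TTL out of range: {ttl}")

def classify_ports(packets):
    """Map each access port to a list of reasons it looks like it hides a router."""
    stats = defaultdict(lambda: {"macs": set(), "families": set(),
                                 "total": 0, "decremented": 0})
    for port, mac, ttl in packets:
        if not 1 <= ttl <= 255:
            raise ValueError(f"invalid TTL {ttl} on {port}")
        initial, hops = infer_initial_ttl(ttl)
        s = stats[port]
        s["total"] += 1
        s["macs"].add(mac.lower())
        if hops > MAX_NAT_HOPS:
            continue  # too far from any initial value to say anything
        s["families"].add(initial)
        if hops >= 1:
            s["decremented"] += 1

    findings = {}
    for port, s in stats.items():
        reasons = []
        # A directly attached host is seen with an untouched initial TTL.
        if s["decremented"] and s["decremented"] * 2 >= s["total"]:
            reasons.append("ttl-decremented")
        # Several OS TTL families behind one MAC: one L2 identity, many hosts.
        if len(s["macs"]) == 1 and len(s["families"]) > 1:
            reasons.append("mixed-os-single-mac")
        # More than one MAC on a port meant for a single device.
        if len(s["macs"]) > 1:
            reasons.append("multiple-macs")
        findings[port] = reasons
    return findings

if __name__ == "__main__":
    for port, reasons in sorted(classify_ports(SAMPLE_PACKETS).items()):
        print(port, reasons or "ok")
```

TTL evidence is a heuristic: hosts with a non-default TTL or virtual machines behind a host can trip it, so it is best combined with the per-port MAC count.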
 

Ezio

macrumors newbie
Dec 17, 2009
22
0
Just buy a switch. They're cheap and there's no configuration, it's plug and play.

Unfortunately I need it to be wireless.

If you read the entire thread you will see that they are shutting his connection down because he is using a NAT router. There are a few ways they can scan for this: one way is to record MAC addresses, the other is OS fingerprinting and watching the TTL on packets. The reason I told him to get a 501 is that it is fairly cheap (around 100) and it has the option to not decrement the TTL on packets that it passes. There may be a cheaper product that does this but I don't know of any.

£100?
Wowza, there has to be another way lol, I doubt the 5 or so other router users across the halls have paid that much on top.

Thanks again guys.

I may just untick a load of boxes until I get it to work, worked before.....:p
 

yg17

macrumors Pentium
Aug 1, 2004
15,028
3,003
St. Louis, MO
Try this: Disable DHCP and plug the cable from the wall into one of the 1-4 ports on the back of the router normally for the computers. The router probably isn't smart enough to switch across the WAN port, so when using a router as a switch, the WAN port is useless. Once you do this, you won't be able to get into the router config page so you will have to reset it to factory settings. There's probably a button on the router for that. It'll leave you with 3 ports plus wireless. If you need more ports, then you can plug a switch into one of the ports.
 

Ezio

macrumors newbie
Dec 17, 2009
22
0
Try this: Disable DHCP and plug the cable from the wall into one of the 1-4 ports on the back of the router normally for the computers. The router probably isn't smart enough to switch across the WAN port, so when using a router as a switch, the WAN port is useless. Once you do this, you won't be able to get into the router config page so you will have to reset it to factory settings. There's probably a button on the router for that. It'll leave you with 3 ports plus wireless. If you need more ports, then you can plug a switch into one of the ports.

By doing this I should be able to use my router wirelessly?
Oh and when I restore it to factory settings I will be able to put some form of encryption on it, right?

What does using a router for a switch mean anyway?

Thanks by the way.
 

yg17

macrumors Pentium
Aug 1, 2004
15,028
3,003
St. Louis, MO
By doing this I should be able to use my router wirelessly?
Oh and when I restore it to factory settings I will be able to put some form of encryption on it, right?

What does using a router for a switch mean anyway?

Thanks by the way.

Yes, it will allow you to use it wirelessly. Set up all of your wireless encryption settings, then disable DHCP.

What it means is you need a switch, not a router, to accomplish what you're trying to do. A router can be configured to act as a switch by disabling DHCP and plugging it into one of the numbered LAN ports. It's not ideal since you effectively end up with a 3 port switch (whereas for the same amount of money that you paid for the router, you could get an 8 port switch) but it will get the job done.
 

Ezio

macrumors newbie
Dec 17, 2009
22
0
Yes, it will allow you to use it wirelessly. Set up all of your wireless encryption settings, then disable DHCP.

What it means is you need a switch, not a router, to accomplish what you're trying to do. A router can be configured to act as a switch by disabling DHCP and plugging it into one of the numbered LAN ports. It's not ideal since you effectively end up with a 3 port switch (whereas for the same amount of money that you paid for the router, you could get an 8 port switch) but it will get the job done.

So in effect I'll be able to hook up my 2 consoles and 2 laptops all wirelessly?

This sounds great.
Thanks again.
DD-WRT has the option to change the TTL

http://www.dd-wrt.com/wiki/index.php/Iptables_command#Modifying_the_TTL

If your router is supported you can fix it for free

How do I find out if my router allows for this?
And how do I do it? That link seems a tad daunting.....
Thanks for the help.
 

kingfisher100

macrumors newbie
Jan 2, 2010
1
0
I think I'm at the same college as this guy. I was using a router until last month when it got detected by NAT. Judging from his location I reckon we're in the same halls.

Anyway, I've tried resetting my D-Link router and changing the MAC address to match my computer, which is what I was doing previously. It's still not working. I spoofed my computer's MAC address to match the router's native MAC address and that doesn't work either. Currently I've spoofed my laptop's MAC to match my PS3, and now I can get both online easily by switching the wire round. Doesn't this mean that the same thing should be possible with the router??
 

Metatron

macrumors 6502
Jul 2, 2002
385
97
They have port security on and will not allow more than one device per port. Like a previous post indicated, getting something like an old PIX 501 to do your dirty work would be nice, but I doubt the user can properly configure it.
 

Ezio

macrumors newbie
Dec 17, 2009
22
0
I'll try the suggestions tomorrow when I see him, hopefully it can work.

Oh and Kingfisher it is possible to bypass as people in his hall still use their router, plus I got around this message before in October.

There has to be a way.
 

Ezio

macrumors newbie
Dec 17, 2009
22
0
Yes, it will allow you to use it wirelessly. Set up all of your wireless encryption settings, then disable DHCP.

What it means is you need a switch, not a router, to accomplish what you're trying to do. A router can be configured to act as a switch by disabling DHCP and plugging it into one of the numbered LAN ports. It's not ideal since you effectively end up with a 3 port switch (whereas for the same amount of money that you paid for the router, you could get an 8 port switch) but it will get the job done.

Ok so he has now turned his router into a switch, however the internet only works when he has his laptop plugged into the router.......how would he make it wireless so he doesn't have to?

Cheers

Update,

I don't think a switch would work as he has told me his ISP only allows one device's MAC address to be registered, so even if the switch was working other devices couldn't use the internet because of their different MAC address......does that make sense? And am I right in saying it?
 

Winni

macrumors 68040
Oct 15, 2008
3,207
1,196
Germany.
Unfortunately I need it to be wireless.

Then buy a Mikrotik router, they support wireless bridging.

Mikrotiks are the most powerful class of devices money can buy - and guess what, they don't even cost you an arm and a leg.

However, just like with Cisco devices, you need to know what you're doing and you need a very thorough understanding of the TCP/IP protocol.
 

jtmx29

macrumors regular
Jan 14, 2010
157
0
Connecticut
Your ISP or campus is controlling what MAC address can get internet. What you would want to do would be clone the MAC address of your modem to your router. This will allow you to get internet on your wired/wireless router. It sends the IPs via DHCP through the modem to the router instead of a single NIC. NAT doesn't have anything to do with the problem stated.
 

CarlJ

Contributor
Feb 23, 2004
7,017
12,239
San Diego, CA, USA
I know it's a wacky and unpopular idea, but instead of following all these schemes for sneaking around the policies your university has set up, and valiantly "fighting against the man", how about seeking out and talking to your university's Residential Networking (commonly called ResNet) group... tell them what equipment you have and want to hook up, and ask how you can work with them to get everything on-line. They might be more accommodating than you expect.

They're not some big faceless dictatorial group, but they likely have concerns that are not clear to you. One common one is, they need to know who is responsible for every device connected to the network. If you're using a router that's doing NAT, that makes it harder for them to tell what devices are behind it. If you're running an open access point, and someone nearby uses it for filesharing, that can land you in (potentially legal) trouble, because you're the registered owner of the router.

And in case you're thinking "Oh, filesharing... ResNet must be the servant of Hollywood", no, generally they're not. They're not the moral police, but they have to be able to pass the responsibility for a device's behavior on to the owner of the device; if you go changing MAC addresses, you aren't ultimately hiding, you're just making their job harder (and annoying them and making yourself look more suspicious).

If a device on the network gets infected and goes rogue (or is just misconfigured by someone who's *ahem* twiddling settings they don't fully understand based on something they read somewhere)... it can make a real mess of the nearby bits of the network, and ResNet has to be able to track down what it is, where it is, and who owns it, in a big hurry -- they're not trying to be mean, they're trying to keep the network up and working properly for everyone.

Misconfiguring or miswiring a router or access point so it, say, starts handing out IP addresses to other devices on the network, or starts bridging traffic between different parts of the network, can create huge trouble for other nearby users, and headaches for the ResNet staff.

(And just FYI, I work for the networking group at a university -- not in the ResNet group, though I did write the registration software they're using. And our ResNet group has cheerfully put some pretty obscure pieces of equipment on our network, just as long as they're properly configured and registered.)
 

Ezio

macrumors newbie
Dec 17, 2009
22
0
Then buy a Mikrotik router, they support wireless bridging.

Mikrotiks are the most powerful class of devices money can buy - and guess what, they don't even cost you an arm and a leg.

However, just like with Cisco devices, you need to know what you're doing and you need a very thorough understanding of the TCP/IP protocol.

Thanks for the help. I will look into that. Many people around the halls have a wireless router and they don't seem to be having the problem, and I doubt all 10 or so know more than me about this problem.

It's strange how this network has a problem but other people are fine.

Your ISP or campus is controlling what MAC address can get internet. What you would want to do would be clone the MAC address of your modem to your router. This will allow you to get internet on your wired/wireless router. It sends the IPs via DHCP through the modem to the router instead of a single NIC. NAT doesn't have anything to do with the problem stated.

It's not that, it was possible before but they are detecting it through NAT. I have done that and they said the network is using a NAT device.

Thanks though. :)

I know it's a wacky and unpopular idea, but instead of following all these schemes for sneaking around the policies your university has set up, and valiantly "fighting against the man", how about seeking out and talking to your university's Residential Networking (commonly called ResNet) group... tell them what equipment you have and want to hook up, and ask how you can work with them to get everything on-line. They might be more accommodating than you expect.

They're not some big faceless dictatorial group, but they likely have concerns that are not clear to you. One common one is, they need to know who is responsible for every device connected to the network. If you're using a router that's doing NAT, that makes it harder for them to tell what devices are behind it. If you're running an open access point, and someone nearby uses it for filesharing, that can land you in (potentially legal) trouble, because you're the registered owner of the router.

And in case you're thinking "Oh, filesharing... ResNet must be the servant of Hollywood", no, generally they're not. They're not the moral police, but they have to be able to pass the responsibility for a device's behavior on to the owner of the device; if you go changing MAC addresses, you aren't ultimately hiding, you're just making their job harder (and annoying them and making yourself look more suspicious).

If a device on the network gets infected and goes rogue (or is just misconfigured by someone who's *ahem* twiddling settings they don't fully understand based on something they read somewhere)... it can make a real mess of the nearby bits of the network, and ResNet has to be able to track down what it is, where it is, and who owns it, in a big hurry -- they're not trying to be mean, they're trying to keep the network up and working properly for everyone.

Misconfiguring or miswiring a router or access point so it, say, starts handing out IP addresses to other devices on the network, or starts bridging traffic between different parts of the network, can create huge trouble for other nearby users, and headaches for the ResNet staff.

(And just FYI, I work for the networking group at a university -- not in the ResNet group, though I did write the registration software they're using. And our ResNet group has cheerfully put some pretty obscure pieces of equipment on our network, just as long as they're properly configured and registered.)

Sounds interesting, however the halls that my friend is in don't have any contract with the university and where he is I don't think he's heard of any such group, but it is worth looking into.

Thanks.
 