
Working around ISP blocked ports

July 11, 2017
Networking

I currently have a Cox Business connection to my house, because I have my own server for email, web, dns, etc. If I had a Cox residential connection, it would be a lot cheaper, but would have blocked ports for email and web, plus the IP address would not be fixed. I'm ok with a moving IP address, as long as it doesn't move too often, but the blocked ports for email and web are a non-starter.

If I got just the simple $5/mon droplet, with a static IP address, I could have a very simple program to port-forward email and web connections to my home system over different non-blocked ports. Since it would be my own program, I could even include the capability to be notified of my home IP changing, such that it would automatically forward to the new addr.

Obviously, this would be working around the ISP's residential restrictions. Obviously, if they did DPI, they would easily discover this. Can anyone think of other reasons why this "evil plan" may not work?

2 Answers

@rajid

I don't see any major issue with the setup that you're proposing, though I'm generally against running anything locally when it comes to using my ISP (Charter Communications) :-).

Even on a business account, dealing with their support team is a nightmare and I don't want anything that I rely on (beyond a physical connection to the internet) to be affected by internal decisions on what is or isn't right by their standards.

In the event I set up a mail server and they decide to enforce a more restrictive block, then I'm going to end up having to find another solution to keep things running smoothly, and there's a limit to what I'm willing to use as a workaround before it becomes more complex than it needs to be.

I'd much rather deploy a few Droplets and use them for web, db, mail, etc. (even though I generally use a third party for mail to prevent the need for running a fully functional mail server); that way the IPs are static and the results are predictable.


I also take a few things into consideration along the way. If you receive a massive attack on one or more servers you run locally, is your ISP going to work with you and keep you going, or are they going to tell you to find another solution?

At DigitalOcean, we do work with customers as best we can when something like this comes up. It happens a lot at our size. Unless it's a unique case where the customer is really abusing the service (illegal torrents, spam, etc), we do what we can to keep them going and make suggestions along the way.

ISPs generally tell you to go elsewhere in my experience (Charter and Comcast are prime examples).

I could rate limit the traffic between the droplet and my home system. Currently, my ISP connection allows 2Mb up, so limiting to that would be fine. My server is for my own use (with some mailing lists for friends), so it doesn't get a lot of traffic.

I'd actually be ok with running all services on a droplet, but (1) I haven't found a wiki which is as simple for users as the Apple wiki, (2) I don't know of any open source Calendar and Contacts server, and (3) I'd lose Apple email push notifications. Everything else which Apple uses is really open source and would run under Linux.

Notification of a home IP addr change could easily be done with a simple open TCP connection with keepalive. When it establishes, it would tell the droplet the peer IP address automatically. When it drops, the home system would just reestablish it. All else is done for me by the TCP stack.

  • Hi @rajid

    Would you be able to set up a VPN tunnel between the server and your droplet? Then all traffic would go through that tunnel, so your server would actually think its public IP is whatever the droplet is - and all traffic going into the droplet could be forwarded to the server.
    And on the plus side, everything would be encrypted, so Cox wouldn't be able to do any DPI - only that you have a VPN link to a droplet.
    But you would get a slower connection, since everything would be routed over VPN.

