Beyond the Nat: Cgnat, Bandwidth, and Practical Tunneling

(blog.rastrian.dev)

15 points by rastrian5 days ago

3 comments

  • idatum8 minutes ago
    If you are already running a VPS, the SSH -J option is useful if you don&#x27;t want to expose your SSH to your home public address.<p>You create an SSH reverse tunnel (-R option) from a server in your home network to your remote VPS. This gives you a localhost port on your VPS to your server SSH port. Something like:<p><pre><code> ssh -NT -R 2222:localhost:22 vpsuser@yourvps.com </code></pre> From your laptop, use your your VPS address and localhost port in the -J option. Something like:<p><pre><code> ssh -J vpsuser@yourvps.com:2222 homeuser@yourhome.com </code></pre> I only allow ssh key auth and only my laptop is trusted by my home server. The home server doesn&#x27;t need to trust the VPS &quot;jump server&quot;.
  • teeray1 hour ago
    &gt; Home internet in the 90s felt simple. You plugged into Ethernet, got an IPv4 address, and you could expose a service directly.<p>Maybe the 2000s, yes. This experience in the 90s was reserved for businesses and schools that could afford a T-carrier connection. The rest of us had dialup.
    • reincarnate0x1441 minutes ago
      Even on dialup it was common to get a public IPv4 address, depending on what service. The service I had in like 95-98 didn&#x27;t promise static IPs but I effectively got the same address for weeks at a time, I&#x27;m assuming due to whatever logic was mapping accounts to addresses. They also gave you access to a FreeBSD shell if you wanted to read email via elm or pine or the like, one of the first places I saw SSH!
    • kstrauser1 hour ago
      I had dialup with a static IP and inbound access to listening ports.
  • kmbfjr25 minutes ago
    New fiber provider across town does CGNAT and no IPv6.<p>I guess that works for most people except gamers and people who get rate limited because of the actions of others.<p>Article is correct, IPv4 didn’t die hard.
    • reincarnate0x1411 minutes ago
      It&#x27;s bizarre to me that there is still so much effort spent on resisting IPv6 implementations, we were converting some industrial control networks to it almost 10 years ago and those organizations are basically defined by ancient equipment. Rather than byzantine v4 NAT coordination we mapped entire plants and substations to V6 addresses and put in 6to4 for the PLCs that were old enough to vote, so that multiple sites that all used the same 10.x.y.z blocks because of course they did could be routed together. Had V6 available from my house to pretty much anywhere I cared about in 2017.