My ISP is blocking my router through NAT - Can I get around this?

Discussion in 'Mac OS X Server, Xserve, and Networking' started by fresh.fruit, Dec 9, 2009.

  1. fresh.fruit macrumors newbie

    Joined:
    Dec 9, 2009
    Location:
    Sheffield, UK
    #1
    Am living in student halls and have been using a Linksys WRT54GL wireless router to connect my iMac (connected straight into the router), Powerbook and iPod touch to the internet and have been with no problems for over 2 months now.

    Then yesterday my mates (using routers) and I were all suddenly confronted with this message:
    "It looks like you are currently using a router or similar device to connect your computer to our network. The device appears to be performing Network Address Translation (NAT), which could mean it is being used to allow multiple computers to share one connection."

    and have been blocked from connecting to the internet through routers. I have been looking around for ages trying to find a way of either turning off the NAT (which doesn't seem possible on Linksys routers) or using a program to bypass the NAT.

    I don't know if I'm going the right way about it or even if there is a way about it, any help much appreciated

    Thanks!
     
  2. AllieNeko macrumors 6502a

    Joined:
    Sep 25, 2003
    #2
    You have a NAT router. NAT is the technology routers use. NAT lets you share one IP with more than one user. Colleges really don't like that. They're not ISPs, they provide a limited, heavily restricted (but usually fast) version of the Internet. Your college just got REALLY strict. Sorry man. Using a 3G (or 4G if you can get it) data card is really your only way out of the college's walled garden...
     
  3. DivineEvil macrumors regular

    Joined:
    Feb 7, 2009
    #3
    Try to connect your iMac or Powerbook directly to the LAN cable that the router is now connected to. See if you have internet. If you do, this means that your router is blocked only by MAC address. Then just change it and you should have restored your internet access. After you connect the router back. Search Google on how to change the MAC address.
     
  4. Serif macrumors regular

    Joined:
    Jul 10, 2008
    Location:
    UK
    #4
    That's good advice. I'm scratching my head as to how the college is determining that you're using NAT. Sure, it's relatively simple to determine that the device at your end is a router if they can inspect the MAC address, but I can't see how they can determine that the router is configured for NAT other than doing something like deep packet inspection which seems fairly unlikely.

    Why not plug your computer directly into the connection and then see if you can share your (wired) connection over your airport. If that works then it would seem that they're seeing a router at your end and assuming you're therefore using NAT. Spoofing the MAC address of the router should then sort you out as mentioned above.

    If that doesn't work, then maybe they are doing packet inspection to see what is happening. If that's the case, do you have access to another system outside the college with a decent Internet connection? If so then using an SSH tunnel to provide a SOCKS proxy should get you back working.
     
  5. alphaod macrumors Core

    Joined:
    Feb 9, 2008
    Location:
    NYC
    #5
    I believe there is an option on Linksys routers to turn on bridge mode or turn off DHCP; that way it just acts as a wired to wireless connection medium.
     
  6. YanniDepp macrumors 6502

    Joined:
    Dec 10, 2008
    #6
    Airport Express can do this too.
     
  7. alphaod macrumors Core

    Joined:
    Feb 9, 2008
    Location:
    NYC
    #7
    Yeah, but the OP has a Linksys router.
     
  8. blacka4 macrumors 6502

    Joined:
    Sep 28, 2009
    Location:
    Pittsburgh
    #8
    Why don't you plug your iMac into the wall and start up internet sharing with your airport in the iMac for your other devices?
     
  9. locust76 macrumors 6502a

    Joined:
    Jan 23, 2009
    #9
    Other than (as posted above) deep packet inspection, I think the only other way they might have been able to "detect" your router is to look up which MAC-addresses were in use and blocked or diverted certain groups of MAC (like those belonging to, ahem, Linksys).

    If you change your WAN-facing MAC address to something, say, from 3Com or Intel, then you might suddenly have internet again (might). The first 6 bytes of the address are what you need to change. In fact, try this address:

    00:1b:21:14:c9:0e

    (00:1b:21 belongs to Intel)
    it's the MAC address of my Intel PRO/1000 GT Desktop Adapter. Since I never plan on going to your school and hooking up my work computer to it, feel free to keep it ;)

    Hopefully this works for you! Also, be sure to disable any sort of remote access to your router from the WAN. That way they can't simply point a browser to your IP and snag you that way.
     
  10. corbywan macrumors regular

    Joined:
    Feb 4, 2008
    Location:
    Forest Grove, OR
    #10
    Is it your ISP or is it your college? It may or may not make an ethical difference. Here is why.

    Not to be the uptight prude here, but are we really trying to help a student violate the IT policies of his school? It's one thing to try and help him understand the technical reasons as to how this might be happening. It's another thing to help him violate an agreement he may or may not have read/agreed to when accessing the school network. Would we be doing the same thing if someone worked for our company and were trying to get around restrictions that were put into place for legitimate reasons? I know I'd be more than a little ticked.

    If it's an ISP and you agreed to their terms of service, then you made an agreement to not use such a device to get more from their service than they are willing to give you. Just because it has been working doesn't mean it was OK to do. It's like a software patch. I was able to do this, then they patched it, it broke what I was able to do but really wasn't supposed to be able to do, now it works like it is supposed to. (Something Apple told me when Address Book Server stopped doing a particular thing.)

    Anyway, not trying to be the forum conscience, not trying to cast the first stone because I am not without sin. It just occurred to me, as I was about to post a suggestion to get around the problem, that I was about to help someone break the rules.
     
  11. Zortrium macrumors 6502

    Joined:
    Jun 23, 2003
    #11
    The only reason I can think of to disallow routers is to prevent someone from, for example, setting up an unsecure wireless router that'll let anyone onto the router rather than just people registered with IT. This was the case at my school -- wired connections were registered by MAC address and wireless connections required a username and password, and an open wireless router would allow someone to bypass either.

    That said, if you take steps to lock down the router to only allow your devices (a variety of options here, such as a good wireless password and MAC address filtering), I can't think of any good reason to disallow it. As other posters have suggested, changing your MAC address is probably the easiest way to get around the restrictions.

    The easiest thing to try is just cloning the MAC address of your computer onto the router so they both report the same MAC address. If you're running an alternative firmware on your router, which you ought to be, (I recommend Tomato), doing this is trivial.
     
  12. lostless macrumors 6502

    Joined:
    Oct 22, 2005
    #12
    Using the router as a pure access point ignores all router functions. You do this by plugging the cable from the wall into any port other than the WAN port. Make sure to turn off DHCP on the router. The NAT only occurs with data coming from the WAN port to any device connected to the router. Using the router like this acts like a hub with an access point attached to it. But any device connected to it will get its IP address from the college server, not the router as it would using NAT. So if the college only gave you 1 address to use, only 1 device will be able to connect to the network in this fashion.
     
  13. fresh.fruit thread starter macrumors newbie

    Joined:
    Dec 9, 2009
    Location:
    Sheffield, UK
    #13
    Hey guys, thanks for all your help, I appreciate it and I also appreciate what corbywan is saying, but if it does make a difference I'm in private halls and supplied the internet via a private company, not the uni. (Also I'm a broke student kindly sharing my connection with a flat mate as opposed to filling the pockets of the big dirty company ripping students off :) and I want my other devices online too)

    I've tried all of your suggestions. I had to clone my MAC address to get connected in the first place as they only provide you with one MAC address connection (you can buy more but obviously only have one connected at a time) so I don't think that's the problem (and I tried your IP, locust76, thanks). When I try turning off DHCP and connecting the router to the internet via the LAN port I don't get a connection and can't load any pages. Also my airport seems to have stopped working too, saying "Airport has a self-signed IP address 169.254.112.XX and you will not be able to connect to the internet" (I've had this before but restarting my Mac usually got it working)

    I also had a quick look into SOCKS and SSH tunnels (which is scary stuff for me) and am I right in saying that I'll have to have a program running when I want my devices to connect? - if so, like the Airport option, it's not ideal as I'd like to be able to get connected via my other devices without my iMac being on..

    I take it there isn't an easy way I can block Deep Packet Inspection, and even if I could would this help at all?

    Thanks again
     
  14. Zortrium macrumors 6502

    Joined:
    Jun 23, 2003
    #14
    Your post isn't entirely clear -- are you saying that you cloned the router's MAC address to one that you CAN connect with using your iMac and it still didn't work?

    A crappier but still viable alternative to using the router at all is to just share your iMac's ethernet connection over AirPort. The primary downside of this is that the iMac would need to be on and awake at all times and the network wouldn't be very secure, since you can only set a WEP password.
     
  15. corbywan macrumors regular

    Joined:
    Feb 4, 2008
    Location:
    Forest Grove, OR
    #15
    fresh.fruit - I appreciate your response and I see your dilemma. I don't know if this is what your ISP is doing, but it sounds like what one I used to use did here in the states. The ISP's server linked the MAC address of the computer to the "modem" they gave me, meaning that when I moved and took the modem with me, hooked it up at my new place, my computer got the same IP address. When I tried to connect a router or other computer it would say that the device isn't authorized, that there is already a device connected on that modem. Somehow they were linked. I had to call support and ask them to do a release on my connection so I could connect something else.

    What you might need to do is something similar. Call support and ask them to "clean the IP/MAC slate" so to speak, connect that router with the cloned address (perhaps of your Mac?) and see if that will work. I may not be explaining it well, but there is a chance it will work.
     
  16. Ezio macrumors newbie

    Joined:
    Dec 17, 2009
    #16
    Hi, my friend has just run into that exact problem. When he first set up the router that notification came up and I changed some of his settings, most notably the MAC address of the router, and that seemed to work.

    However he has now told me that it has happened again and his ISP seem to be blocking the internet through his router. I've tried what I did before but I haven't had any results, so it must have been something else that I did before.

    I'm sure it's possible to bypass, I just need the right info. Usually I'm pretty good with things like this but this time I am really stuck.

    Anyone have a clue to help us guys?

    Thanks
     
  17. fresh.fruit thread starter macrumors newbie

    Joined:
    Dec 9, 2009
    Location:
    Sheffield, UK
    #17
    Ezio - I've tried most of the above stuff but with no luck, do you know how SOCKS and SSH tunnels work and could that be an option? Also a mate of mine said something about using a HUB and buying some more MAC addresses to connect more devices..?

    Zortrium - I can connect my iMac directly to the port and the internet works but it doesn't when connected via my router..

    corbywan - I can change the MAC address from my end myself but I don't think it's anything to do with the MAC address as I managed to overcome that problem during the start of my tenancy.

    Also my Airport doesn't work anymore so can even connect iPod to internet or Powerbook without having to change the MAC address on the ISP's website every time :(
     
  18. Ezio macrumors newbie

    Joined:
    Dec 17, 2009
    #18
    I know nothing of the sorts I'm afraid, I do know that it is possible without going into too much technical details as like I said before I was able to bypass it for him before, when he had that message.

    Oh and the hub thing is possible yes. You would have to ring your ISP and ask them for the extra service which would cost you probably under £50 and you'll probably only be allowed to register 2 more devices taking the total up to 3. I don't know what a "hub" is though so I don't know if you would have to buy that separately spending more money, as I can't think of any other way you could connect many devices without a new piece of tech.

    Hope that makes sense. At least my mate isn't alone.....:D
     
  19. Ezio macrumors newbie

    Joined:
    Dec 17, 2009
    #19
    If nobody knows, does anyone know of a good site that could help me with such a problem please?

    Cheers
     
  20. Maserati7200 macrumors 6502a

    Joined:
    Mar 17, 2009
    Location:
    11230, Midwood, Brooklyn, NY, USA, North America
    #20
    Yeah, do that, seriously. Go to system preferences and click sharing, then click share your connection via ethernet to airport. Works, and it's easy.
     

  21. sjinsjca macrumors 68000

    Joined:
    Oct 30, 2008
    #21
    Your college is assholic for requiring direct connection of at most one computer to its internet connection, and for another reason besides the obvious: NAT is also a layer of protection (a firewall, basically) against probes from outsiders, including malware botnets. That's not a big issue for us Macophiles (yet) but it's a concern for Windows users.
     
  22. Ezio macrumors newbie

    Joined:
    Dec 17, 2009
    #22
    Any alternatives guys?
    I have bypassed this before but I can't figure out how......:(
     
  23. lostngone macrumors demi-god

    Joined:
    Aug 11, 2003
    Location:
    Anchorage
    #23
    Changing your MAC address won't do anything if your college IT staff knows anything...

    Your best bet is to set up some type of proxy or get a firewall that will not decrement the TTL on all NAT'ed packets.

    Here is an article on how your school is most likely catching you.

    http://www.sflow.org/detectNAT/
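
Added example, not part of any post in this thread: a sketch of the TTL-based check that post #23 refers to, written from the network operator's side, flagging an access-port address whose packets arrive already decremented by a hop or with more than one initial-TTL family. The sample records, record layout and function names are constructed for illustration; 64, 128 and 255 are the common operating-system default initial TTLs.

```python
from collections import defaultdict

# Common default initial TTLs set by operating systems.
INITIAL_TTLS = (64, 128, 255)

# Constructed sample records, as a monitor on the first-hop switch might
# export them: (source MAC on the access port, source IP, IP TTL).
SAMPLES = [
    ("02:00:00:00:00:01", "10.0.0.21", 64),   # host plugged straight in
    ("02:00:00:00:00:01", "10.0.0.21", 64),
    ("02:00:00:00:00:02", "10.0.0.22", 63),   # one routed hop behind the port
    ("02:00:00:00:00:02", "10.0.0.22", 127),  # second OS behind the same address
    ("02:00:00:00:00:02", "10.0.0.22", 63),
    ("02:00:00:00:00:03", "10.0.0.23", 128),  # single packet, nothing to conclude
]


def hops_behind_port(ttl):
    """Hops already taken, assuming the sender started from the nearest
    default initial TTL that is >= the observed value."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    raise ValueError(f"TTL out of range: {ttl}")


def classify(samples, min_packets=2):
    """Return {(mac, ip): [reasons]}; an empty list means nothing suspicious.

    This is a heuristic: it assumes default initial TTLs and that the
    monitor sits on the first hop from the access port."""
    per_host = defaultdict(list)
    for mac, ip, ttl in samples:
        per_host[(mac, ip)].append(ttl)

    report = {}
    for key, ttls in per_host.items():
        hops = {hops_behind_port(t) for t in ttls}
        families = {t + hops_behind_port(t) for t in ttls}
        reasons = []
        # Every packet has already crossed at least one router.
        if len(ttls) >= min_packets and min(hops) >= 1:
            reasons.append("ttl-decremented")
        # One address emitting several initial-TTL families suggests
        # several operating systems sharing it.
        if len(families) > 1:
            reasons.append("mixed-initial-ttl")
        report[key] = reasons
    return report


if __name__ == "__main__":
    for (mac, ip), reasons in classify(SAMPLES).items():
        print(mac, ip, reasons or "ok")
```
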
     
  24. mingoglia macrumors 6502

    Joined:
    Dec 10, 2009
    #24
    Bing bing bing, we have a winner! Let me first start out by saying poster number 2 doesn't know what a router is. A router doesn't necessarily have to do NAT. We'll let you slide though as the consumer market is flooded with devices that they call "routers" which are more than routers if they do NAT. It's a very common mistake.

    Second off, your school is doing exactly what others have said, they're analyzing the MAC address and determining what type of device it is. The solution here is to either get another machine that has a network adapter that's typically found in a computer to NAT the traffic (Internet sharing is the friendly Apple way of saying this) or to have a device that has the ability to change its MAC address.

    The Internet sharing option is the route I'd take. With this option your computer will be doing all the talking therefore it'll be using a MAC address just like any other Apple computer. I'm assuming since it's an iMac that it has wireless built into it? If so, your computer will just replace your Linksys device as a wireless access point. You'll basically have two IP ranges at this point. You'll have the single address that the school gives you on your adapter on your iMac, then the Internet sharing will hand out an additional non-internet routable range for your internal network. Problem solved. :)
     
  25. mingoglia macrumors 6502

    Joined:
    Dec 10, 2009
    #25
    An interesting article and is true. I really wouldn't give the typical IT staff at a University that much credit, but it's certainly possible (watching TTL, I believe watching MAC addresses is certainly possible and easy to monitor). :) You did certainly bring up a good alternative with the proxy/firewall. Since the Mac is based on Unix, I'd imagine Squid installs just as easily as it does on my FreeBSD servers. It literally installs in less than 10 mins and has an enormous amount of flexibility. After you determine the new NAT through your iMac doesn't work I'd still set up the separate network but instead of using Internet sharing just set up Squid on the iMac and set your devices to use it as a proxy like lostngone suggested.
     
