How To Get “Provider Independent” IP Address For Your Home Server?

Posted by Oleksiy Kovyrin under Networks · Russian

Some years ago I decided to stop using public mail services: I bought my own domain and set up my own mail server at home to handle all of my email. The work was completed very quickly and I had my own working e-mail server and my own mail domain! For some time there were no problems, and I was glad to have full control over my own mail flow.

But a little later my ISP decided to make my Internet connection cheaper (for them) and assigned a private IP address (192.168.192.2) to my home Internet connection. As you can predict, from that moment my mail server was not reachable from the real world and my mail domain was down.

The first available solution was to point my MX record to some real mail server on the real Internet and use fetchmail or something like it to fetch my email to the home server. But this solution was not very flexible, so I decided to take one of the IP addresses from my employer's IP pool (I work for a hosting company, and the company owner approved the configuration described here) and assign it to my home server to make my SMTP server reachable from the real world. "That is impossible", you may say, "you cannot set a foreign real IP on an interface in the PRIVATE network of another ISP!" Yes, that is true, but with some tricks using Linux policy routing and some tunnelling I can do it! This article is about how I did it.

First of all, I selected one IP (RE.AL.AD.DR) from my employer's IP network and created an IP-over-TCP tunnel from my home server to one of the employer's servers. This was done using the great UNIX tool vtun by Maxim Krasnyansky; the config files are presented later in this article. At this step I had the following interfaces on the world server and home server sides:

  • World server side:
    #ifconfig tun0
    tun0 Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
         inet addr:10.200.0.1  P-t-P:RE.AL.AD.DR  Mask:255.255.255.255
         UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1450  Metric:1
         RX packets:8 errors:0 dropped:0 overruns:0 frame:0
         TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:10
         RX bytes:546 (546.0 b)  TX bytes:494 (494.0 b)
    
  • Home server side:
    #ifconfig tun0
    tun0 Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
         inet addr:RE.AL.AD.DR  P-t-P:10.200.0.1  Mask:255.255.255.255
         UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1450  Metric:1
         RX packets:8 errors:0 dropped:0 overruns:0 frame:0
         TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:10
         RX bytes:494 (494.0 b)  TX bytes:546 (546.0 b)
    

There are two different IP addresses in the output above:

  • RE.AL.AD.DR – the real IP address, which is configured on the home server side.
  • 10.200.0.1 – a fake IP address (chosen arbitrarily by me) for the world server side.

Next, I needed to force my home server to send the replies to all queries for RE.AL.AD.DR services via the tunnel interface. This was achieved with the following Linux policy routing commands in the tunnel up script (vtund.conf up block syntax):

 # vtund.conf up block: "ip" and "firewall" are vtun keywords that run the
 # ip and firewall (iptables) programs configured in the vtund.conf options section
 ip "rule add fwmark 65 table hof";
 # the next hop is the world server's end of the tunnel; it must match the
 # P-t-P address shown by ifconfig on the home side (10.200.0.1 above)
 ip "route add default via 10.200.0.1 dev tun0 table hof";
 firewall "-t mangle -A PREROUTING -s RE.AL.AD.DR -j MARK --set-mark 65";
 firewall "-t mangle -A OUTPUT -s RE.AL.AD.DR -j MARK --set-mark 65";

These commands add a rule selecting a routing table named hof for marked packets (which requires a line in /etc/iproute2/rt_tables with the table name and any chosen table id), add a default route to that table via the world server's end of the tunnel, and mark all packets sourced from RE.AL.AD.DR (both locally generated and forwarded) so that they are routed via the hof table instead of the main table.
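The following is an added example, not code from the original post: a small model of the Linux routing policy database (RPDB) that shows why the two rule/route lines above steer packets sourced from RE.AL.AD.DR into the tunnel while everything else keeps the ISP default route, and that the simpler "from" selector suggested in the comments below gives the same result without the mangle marks. The addresses are assumptions: the documentation address 203.0.113.10 stands in for RE.AL.AD.DR, 192.168.192.1 is an assumed home LAN gateway, and 10.200.0.1 is the tunnel peer from the ifconfig output.

```python
import ipaddress

# Constructed placeholders (not from the post): RE.AL.AD.DR, LAN gateway, tunnel peer.
REAL_ADDR = ipaddress.ip_address("203.0.113.10")
ISP_GW, TUN_PEER = "192.168.192.1", "10.200.0.1"

# Routing tables as (prefix, nexthop, device); longest prefix wins within a table.
TABLES = {
    "main": [(ipaddress.ip_network("0.0.0.0/0"), ISP_GW, "eth0"),
             (ipaddress.ip_network("192.168.192.0/24"), None, "eth0")],
    "hof":  [(ipaddress.ip_network("0.0.0.0/0"), TUN_PEER, "tun0")],
}

def mangle_mark(src):
    """Models 'iptables -t mangle ... -s RE.AL.AD.DR -j MARK --set-mark 65'."""
    return 65 if src == REAL_ADDR else 0

def lookup(table, dst):
    """Longest-prefix match inside one routing table."""
    best = None
    for prefix, nexthop, dev in TABLES[table]:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nexthop, dev)
    return best

def route(src, dst, rules):
    """Walk the RPDB in priority order; the first matching rule whose table
    holds a route for dst decides (device, nexthop)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    mark = mangle_mark(src)
    for selector, table in rules:
        if (selector == ("all",)
                or (selector[0] == "fwmark" and mark == selector[1])
                or (selector[0] == "from" and src == selector[1])):
            hit = lookup(table, dst)
            if hit:
                return hit[2], hit[1]
    return None

# Rules from the post: "ip rule add fwmark 65 table hof" ahead of the main table.
POST_RULES = [(("fwmark", 65), "hof"), (("all",), "main")]
# Alternative from the comments: "ip rule add from RE.AL.AD.DR table hof", no marks needed.
FROM_RULES = [(("from", REAL_ADDR), "hof"), (("all",), "main")]

if __name__ == "__main__":
    print(route("203.0.113.10", "198.51.100.7", POST_RULES))   # ('tun0', '10.200.0.1')
    print(route("192.168.192.2", "198.51.100.7", POST_RULES))  # ('eth0', '192.168.192.1')
    print(route("203.0.113.10", "198.51.100.7", FROM_RULES))   # ('tun0', '10.200.0.1')
```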

The last step is to set up the world server to ARP-announce RE.AL.AD.DR with its own MAC address on the Ethernet network shared with the default router, so that the router delivers traffic for RE.AL.AD.DR to the world server. I used the farpd utility from the official Debian repository. With this tiny tool you can ARP-announce any IP address on the network connected to a specific interface by running the following command:

/usr/sbin/farpd -i eth0 RE.AL.AD.DR

That is all! At this point I was able to set up any software on my new IP address (RE.AL.AD.DR), and that software was reachable from the outside world. Now I can switch ISPs any number of times; it does not matter, because my IP always moves with me.

As promised, the vtun config files are available here for your convenience:

  • World server side: here
  • Home server side: here

Good luck with setting up your own dedicated "provider-independent" IP addresses! :-)



38 Responses to this entry

Charlie Hayes says:

Why not find a better ISP that is willing to give you a real public IP?

Scoundrel says:

2Charlie Hayes: When this configuration has been created, I was not able to pay a lot of money for high quality internet connection with real IP. I worked in small ISP as duty unix admin…

[GEEKS ARE SEXY] Tech. News says:

Oh sweet…

“Why not find a better ISP that is willing to give you a real public IP?”

Because you have no control over what your ISP decides to do… Hmm, in this case, if you lose your job, you lose your IP. Bah.. you cannot have everything.. At least, this solution is cheaper for him.

Kiltak
[Geeks Are Sexy] Tech. News

UR-A-Linooser says:

I am sure your employer really liked that you used their address space and probably company time, bandwidth and network resources to help you host your mail.

Will says:

There are lots of ways to do the same thing using IPSEC, GRE, IP-in-IP, even SSH and a proxy, but this kind of thing is a violation of pretty much every company's Internet usage policy, which most people sign when hired. If your company is cool with it, great. But for 99.9% of the people, doing something like this can result in termination of employment and/or legal action. Most may say it won't happen, but trust me, I know firsthand that it does.

Paula Abdool says:

I thought this article was going to be about getting ARIN to provide a /32 that he could put in his back pocket and trip around with. Not sure how this is provider independent, cuz *someone* is SWIPing the IP block out to his employer… therefore being a provider?

Scoundrel says:

2Will: As I said, my employer knows about this configuration and that is why I can say: "My company is great!" :-)

Jeremy L. Gaddis says:

“provider-independent”, huh?

What happens when your employer is forced to renumber or their provider changes or something similar occurs? You’ll just be renumbering again. Just get a decent ISP and skip all the bullsh*t.

Jeremy L. Gaddis says:

Go check out this guy’s “Resume/CV” page and scroll down to his “Employment History”. He’s presently employed by “New Age Opt-in”. Sounds like a spammer to me!

Scoundrel says:

Jeremy, why are you trying to say something bad? As you can read here:

Opt-in e-mail advertising or permission marketing is a method of advertising by electronic mail wherein the recipient of the advertisement has consented to receive it.

New Age Opt-In company sends mail only to people who are subscribed to it!

DD32 says:

Scoundrel: Unfortunately, thanks to the actions of some people, ANY opt-in company will be scrutinized (and remember that Digg users are really… yeah.. about things like that). Since most of the fake 'opt-in' companies claim that too, it's all too common.

-=DD32=-

SFDK says:

Yes, the IP will be independent from the ISP you're using at home. A decent ISP is good, but not each and every ISP offers static real IP addresses. Some are using dynamic IPs only. LAN Ethernet ISPs often prefer private IPs because they're at the beginning of their way, so it costs too much to pay for an IP range. Also, as you may be aware, IPv4 uses 32 bits for addressing. When each device needs its own IP (yeah, each mobile phone, for example) there are simply not enough IP addresses, so this situation will be even worse in the future.

Zach says:

As said many times on NANOG, “I highly encourage my competitors to do this.”

TCP in TCP tunnels are bad ideas in general. It shouldn’t take too much googling to figure out what the rubber band effect is.

baron says:

OpenVPN would be a much better solution. Configuration is extremely simple, it uses tun/tap devices, and it encrypts the connection over SSL.

Scoundrel says:

2baron: Which type of tunnel is used is not significant. The idea of this article is how to use Linux policy routing in real life.

deho says:

For the example discussed, the task can be solved more simply and without iptables/packet mangling.

Instead of

ip "rule add fwmark 65 table hof";
ip "route add default via 10.220.0.1 dev tun0 table hof";
firewall "-t mangle -A PREROUTING -s RE.AL.AD.DR -j MARK --set-mark 65";
firewall "-t mangle -A OUTPUT -s RE.AL.AD.DR -j MARK --set-mark 65";

it is enough to specify

ip rule add from RE.AL.AD.DR table hof
ip route add default via 10.220.0.1 dev tun0 table hof

and instead of

/usr/sbin/farpd -i eth0 RE.AL.AD.DR

you can use the kernel's built-in ARP proxying capabilities:

ip nei add proxy RE.AL.AD.DR dev eth0

All in all, the article is so-so ;-)

Jiri Novotny says:

Very nice and informative article. We are a small Internet provider in the Czech Republic; we don't want to waste our finances registering as a LIR and don't want to spend our time negotiating with RIPE to get an additional block of IP addresses. You offer a much cheaper and faster solution that is suitable for a company like ours! We definitely should make a deal with you =)

ipaddr.ru says:

Hi Jiri! If you want to get an independent address space without signing LIR contract, just call us +420721207705 and we can arrange meeting. We can request resources from RIPE for you.