Why can't I have more than one IP on Jetstream? I need it to run my VPN!

This is a question I seem to be answering more and more regularly, so I decided to document my answer in a public location. Unfortunately to answer this question I need to background how ADSL in New Zealand works.

In New Zealand the DSL Network operates using the PPPoA standard. (Point to Point Protocol over ATM). The simple way of understanding it is as follows:

- It uses PPP, much like a Dialup Connection. When you login you're issued the information required to use the internet Automatically, via standard Radius.

IP Address
Subnet Mask
Gateway Address
Primary and Secondary DNS Servers

- It is carried via Asychronous Transfer Mode (ATM) at Layer 2. (For information on the OSI Reference Model with regard to Layers, refer to http://www2.rad.com/networks/1994/osi/layers.htm)

- This makes us different to Australia, and many parts of the USA and Europe which use PPPoE (PPP over Ethernet) systems to deliver ADSL. -- For an analysis of the Advantages and Disadvantages of either protocol refer to http://www.cisco.com/warp/public/794/pppoa_arch.html. This was the referenced article from a post to the NZ ADSL Discussion list at http://www.unixathome.org/adsl/archives/2002_02/0305.html.

One side effect of the use of PPPoA and its implimentation in NZ is that only One real world IP address can be assigned per Connection over ADSL (Jetstream). This is a limitation put in place by the Architecture - not by any ISP.

This does not preclude the use of VPNS. Many customers successfully impliment VPN Technology. How this is done depends on the equipment chosen and the type of VPN.

DSL Equipment in New Zealand can be classified into 3 types.

Internal ADSL Modem. (PCI Interface).
- Provides the PC with a Network Interface for the DSL Session, much like an Internal Modem.
- Real world IP is provided to the users PC and can be static.
- Requires a free PCI slot and installation by someone familiar with PC Hardware (eg a qualified technician.)
- Advantages:
  - Network Interface is on the PC.
  - Relatively familiar technology for those used to Dialup.
  - Cheap Hardware.
- Disadvantages:
  - Relies on the PC for security on the connection (Firewalling).
  - More difficult to share across multiple PCs.
  - Modems must be supported in software by serving OS.
  - Can be less reliable in fringe coverage areas due to the power supply limitations of PCI Bus.
External ADSL Modem. (USB Interface).
- Provides the PC with a network Interface for the DSL Session, much like an Internal Modem.
- Real world IP is provided to the users PC and can be static.
- Requires a free USB Port; easily installed by a user.
- Advantages:
  - Network Interface is on the PC.
  - Relatively familiar technology for those used to Dialup.
  - Slightly more expensive than PCI modems.
  - Easy Installation.
- Disadvantages:
  - Relies on the PC for security on the connection (Firewalling).
  - More difficult to share across multiple PCs.
  - Modems must be supported by software in serving OS.
  - Requires USB Support.
  - Occupies an additional power socket OR is limited by power able to be supplied through USB (depending on device type).
External ADSL Router. (Ethernet Interface).
- Terminates the ADSL Connection on a dedicated piece of hardware which is accessed via a LAN connection.
- PCs using the ADSL Connection connect to an Ethernet Network and address the ADSL Router as their Default Gateway, using RFC1918 Address space (192.168.* etc) generally.
- Traffic is carried using NAT (Network Address Translation) between the Internet and the users PCs.
- Advantages:
  - Client PCs need only support a standard Ethernet Connection using TCP/IP.
  - Connection easily shared across multiple PCs via standard Networking equipment, via the NAT.
  - Connection is Relatively Secure because of NAT.
  - Easily addressed by all manner of OSs because of the TCP/IP and Ethernet standards.
  - Tends to be more reliable in Fringe connectivity areas as the device is powered externally.<.UL>
- Disadvantages:
  - Can inspire a false sense of security because of the NAT.
  - Equipment is generally more expensive than the alternatives.
  - NAT can also 'break' some technologies (for example FTP, or any protocol requiring a point to point bidirectional connection) although there are work arounds for most issues.
  - This does make them more complicated to configure and troubleshoot, however, especially when attempting to run services at the client-side.
Example of External Router Setup, from Cisco.com

Based on the 3 above categories we can tell straight away that it is quite easy to terminate a VPN on either a PCI or USB type ADSL Device. The single Static IP can be specified as the target for the VPN termination and theres nothing stopping it from working first try. The ADSL Router solution, however, is the complication.

As is obvious, Routers are preferred by users in multiple-OS or multiple-PC environments for their relative ease of use for a shared connection. Standard TCP/IP ethernet connections are easily implimented and scaled so that the entire LAN may access the Internet. The NAT also provides a basic layer of security from Trojans, Worms and similar (because inbound traffic can't pass through the ADSL Router to the RFC1918 address space without having been specifically allowed to). Routers are also relatively easy to manage remotely, as most are controlled through a combination of Telnet, a Web Interface, or a Serial Cable Connection - all of which are standard means of administering routing equipment.

The NAT is what causes the big headaches. NAT is quite a clever technology - allowing multiple PCs to access the Internet using only one real world IP address. The problem is that because of the single IP, there is no way for inbound traffic to determine exactly which of the Internal computers is the actual target. The Real World IP being targetted is held on the ADSL router, and unless the ADSL Router has a way of knowing where to forward the traffic in the RFC1918 space behind, its going to stop there.

The way that this forwarding is handled is using a facility called 'Pinholing' or 'Port Forwarding' or 'Nat Redirection' or 'DMZ'ing - depending on how its implimented.

What happens is that the Router is configured to forward certain types of traffic to a specified location. This traffic type is usually identifed by a Destination Port and Protocol, and the specified location is the RFC1918 address of the target machine inside the network.

For example consider this:

The machine identified as "Firewall External Interface" is on the LAN segment immediately behind the Router, and holds the IP of 192.168.1.1. As an example we can assume that this machine is running a Web Server, and that the Real World Static IP address is being resolved in the DNS as www.example.com.

When a computer addresses www.example.com in their browser an outbound connection is made to the IP this resolves to on Destination port 80, TCP. This IP is held on the ADSL Router, and would ordinarily stop there. However when a Pinhole exists on the Router which says 'Traffic on Port 80 TCP, forward to 192.168.1.1' - This will transparently forward the connection through to the Waiting webserver on 192.168.1.1. The Requesting-PC never knows theyre actually talking to a seperate, second device behind the ADSL Router.

The forwarding rules can be as specific or as broad as the router itself permits. The term DMZ (De Militarized Zone) indicates that *all* Ports and Protocols have been forwarded. This is useful when you want to install a Dedicated firewall which then does the port forwarding/security of your network for you - as per the above example.

Now for the VPN Example!

The specifics of how to make this work will depend on the Protocol your VPN uses. You need to be able to create a Pinhole (or Pinholes) for the protocol you wish to use, through to the Internal IP of the computer that terminates the connection. For example, PPTP requires TCP Port 1723 to be forwarded.

By Mark Foster, February 2004.