How do people offer NAT VPS?
randvegeta
Member, Host Rep
in Help
I am of course familiar with NAT and understand the concept that a VPS would be provided with a 'private' IP and share a public IP with other VPS users.
I'm just wondering a few things.
1) What do people use such VPS for?
2) How do hosting providers automate the provisioning of such a service?
3) Does the VPS normally come with some dedicated port or range of ports to use?
Obviously setting up a VPS and port forwarding can be done easily, but it all seems rather manual. Am I missing something?
Comments
It's about the same as any other VPS these days. lowendspirit.com coordinates a number of low end NAT hosts and lots of current practice evolved through there. i-83.net doesn't participate in LES but its offers and provisioning are similar.
The usual setup is you get an internal ipv4 address, a few dedicated ipv6 addresses or else a subnet, and a number of NAT ports forwarded from a shared public ipv4 address to your internal address. There is an HAProxy on ports 80 and 443, that proxies http(s) to your server using the host header and SNI, similar to a virtual host. And you can run direct listeners on the NAT ports and your ipv6 addresses. Nowadays, one of the NAT ports is automatically forwarded to your sshd, which also listens on your ipv6 addresses.
You can do pretty much anything with them that you can do with a normal VPS except control the low-numbered public IPv4 ports, so you couldn't run an smtpd on port 25 for example. Plus, if someone else's service on the public IPv4 gets DDoS'd, everyone else using that address is hosed too, so the VPS are marketed primarily as IPv6 products with some IPv4 capabilities.
I have a bunch of them and they're lots of fun, though normally they're marketed as very cheap servers for testing and fooling around, and frankly the LES ones have tended to have reliability problems. Given that they usually cost under $4 a year I don't worry about this. That said, I use a few of the more expensive ones (i-83 storage plans) for more serious purposes now and they seem to be holding up ok.
1) Well, at least I use them technically for the same things as the ones with a dedicated IPv4. However, webdev stuff I usually put on services with a dedicated v4.
2) In what sense would that be so much different from another setup? The boxes get their network config pushed as every other machine would, with a local IP though. The forwarding should be just a few hooks on the host.
3) They usually do. I saw some providers with v6 only services, though.
But maybe @AnthonySmith or any of the LES guys will introduce you a bit further to the behind-the-scenes.
Literally everything you can use a server with a dedicated IPv4 for; there are a couple of exceptions: IPv4 name server, mail server (though some pipe via IPv6).
There are very few things you can't achieve using a NAT VPS; it really is no different to your home router + PC if you think about it.
Generate a set of iptables rule sets, add IPv4 local ranges as external ones in SolusVM and it assigns them like they are routable anyway. There really is no magic to this part: a few SNAT rules etc. on the host node and you're done.
Yes, which is handled as part of the answer to question 2
Yeah, I scripted it, pretty basic. Generate a list of IPs in a file:
192.168.0.2
192.168.0.3
etc etc.
generate a list of ports in a file:
201:221
301:321
etc etc.
If you don't know how to generate these files then Excel is your friend.
Then loop it through a script.
LET shitty firewall snipped half the script so see it here: http://pastebin.com/Z7Ai7w97
That will then generate you a full set of TCP rulesets for port forwarding. You can use the same for UDP, and then modify the port range a bit and the ruleset for the SSH redirect.
There is no magic to it
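A script along the lines of the one described in this post, written here as an added example (it is not the poster's snipped pastebin script): it reads the two constructed input files (private IPs, `start:end` port ranges, paired by line) and prints the iptables DNAT/SNAT rules for TCP, UDP and one SSH redirect per VPS rather than applying them, so they can be reviewed first. The shared public address, the uplink interface name and the SSH port layout (`SSH_BASE` + N) are assumptions.

```shell
#!/bin/sh
# Emit iptables NAT rules for a NAT VPS host node from two input files:
# IPFILE holds one private VPS address per line, PORTFILE the matching
# "start:end" range per line (paired by line order). Rules are printed,
# not applied, so they can be checked before being loaded on the node.
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"  # assumed shared public address (TEST-NET-3)
WAN_IF="${WAN_IF:-eth0}"                # assumed uplink interface
SSH_BASE="${SSH_BASE:-2200}"            # assumed layout: Nth VPS gets SSH_BASE+N -> :22

# gen_nat_rules IPFILE PORTFILE : print rules on stdout, return 1 on bad input
gen_nat_rules() {
    ipfile="$1"; portfile="$2"
    nip=$(grep -c . "$ipfile"); nport=$(grep -c . "$portfile")
    if [ "$nip" -ne "$nport" ]; then
        echo "error: $nip addresses but $nport port ranges" >&2; return 1
    fi
    echo "# outbound: masquerade the private range behind the shared address"
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -j SNAT --to-source $PUBLIC_IP"
    echo "# inbound: one TCP+UDP range and one SSH port per VPS"
    n=0
    # read both files in step on fds 3 and 4 (no pipeline, so return works)
    while read -r ip <&3 && read -r range <&4; do
        n=$((n + 1))
        # accept "port" or "start:end" made of digits only
        case "$range" in
            *[!0-9:]*|*:*:*|:*|*:|'') echo "error: bad range '$range'" >&2; return 1;;
        esac
        lo=${range%%:*}; hi=${range##*:}
        if [ "$lo" -gt "$hi" ] || [ "$hi" -gt 65535 ]; then
            echo "error: bad range '$range'" >&2; return 1
        fi
        for proto in tcp udp; do
            echo "iptables -t nat -A PREROUTING -i $WAN_IF -p $proto -d $PUBLIC_IP --dport $range -j DNAT --to-destination $ip"
            echo "iptables -A FORWARD -p $proto -d $ip --dport $range -j ACCEPT"
        done
        ssh_port=$((SSH_BASE + n))
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp -d $PUBLIC_IP --dport $ssh_port -j DNAT --to-destination $ip:22"
        echo "iptables -A FORWARD -p tcp -d $ip --dport 22 -j ACCEPT"
    done 3<"$ipfile" 4<"$portfile"
}

# usage: sh gen_nat_rules.sh ips.txt ports.txt > rules.sh
if [ "$#" -ge 2 ]; then gen_nat_rules "$@"; fi
```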
As a hosting provider myself (or ourselves?), I don't see any difficulty in allocating VPS internal (private) IPv4 addresses and then just using NAT for internet access.
But to run any kind of service on those VPS, or to even allow them to be accessible via RDP/SSH or whatever, a certain number of ports need to be allocated. Is this automated or done manually? No provisioning system that I am aware of interfaces with a router to set up the port forwarding. Manual setup is trivial, but of course who wants to do that manually.
How many ports do users typically get anyway?
I guess the main questions I am asking are: do all NATed VPS include port forwarding? If yes, how many ports? And how is it automatically set up by hosts? A custom script that sends a few commands to the router?
Not sure if it's still up to date, but here is a way to go about this:
http://www.danpros.com/2014/09/setting-up-nat-vps-on-centos-6-using-ip-tables-and-haproxy
Oh I don't mean to imply that I don't know how it COULD be done. I'm just wondering what is NORMALLY done by hosters that offer such a service since, as far as I am aware, this is not standard functionality in most automated provisioning systems.
So basically you will pre-assign the ports to forward to the customer. 20 or so per IP? Excluding all the 'reserved/allocated' ports?
e.g. you could assign:
192.168.32.1 => 10001 - 10020
192.168.32.2 => 10021 - 10040
192.168.32.3 => 10041 - 10060
Something like that?
Yep
No.
Varies between providers; for example, we offer 20 + 1 SSH.
Like any other VM.
Not needed.
Port forwarding is only for IPv4. For example, i-83.net gives you 20 ports (preselected by them) + 1 SSH (predefined by them). The big advantage is on IPv6, where you can use all ports and the address is all yours.
Basically these are good choices for low cost with IPv6, without paying for dedicated IPv4. Considering IPv6 transition is slowly happening worldwide, NAT VPS becomes more and more popular, for IPv6.
Are the port forwardings pre-prepared, as described above then?
As a provider that is running out of IPv4 addresses, I am only too aware of this and realize the benefits of offering IPv4 NAT or IPv6 WITH IPv4 NAT addresses. Heck then we would not be limited by IPs for growth but by our infrastructure...
Don't forget Windows-mountable SMB shares. Can't change the (client) port from which Windows requests the share...
Windows supports IPv6; run a VPN connection to the IPv4 if you don't want to be bothered to set up IPv6, and use SMB over the VPN.
I'm strongly considering utilizing the same setup for saving expenses on my network needs. Although I do have a handful of dedicated machines, setting up various ports to be forwarded to KVM on an internally bridged network would minimize my own IPv4 needs, and mitigate attacks which may actually compromise the virtual system other than exposed services. I wonder how screwy nmap would be when it detects multiple operating system footprints from the same host :-)
Yes.
Come over to lowendspirit.com and its forum, spend a few euro on an LES plan and try it out for yourself.
Almost everything can be done with NAT VPS. I hosted an Asterisk (VOIP) server on it for family use. Most people won't choose them for production since they don't want their users to specify non standard ports (in URLs, services etc. )
They don't necessarily automate it (although it's easily possible). I had 2 NAT VPS (free ones) which initially came only with an SSH port. Further port range allocation was manual according to my needs.
Yes, otherwise they wouldn't be usable for hosting services without incoming connections.
Any real money to be made selling NAT VPS? Is it popular enough?
Given IPs (v4) are a big limiting factor, selling cheap VPS is just not worthwhile. Anyone interested in cheapo HK or LT based VPS on NAT?
Yes and no, so far everyone who has tried to launch it as their primary business model has crashed and burned despite all the best advice.
Every 'obscure/interesting' location has failed badly because not enough people are actually interested due to them not actually being very useful, Hong Kong being the latest to fall, Singapore and Russia also failed.
You will find that there are a group of 10 - 30 people that make a lot of noise about obscure locations and hype it up, then half of them buy it, and no one else.
If you run NAT as an SLA'ed service with regular support then you need to be charging close to regular prices, and someone will always do it cheaper.
So yeah, the whole NAT thing has had its day imo, it has a good but limited hard core following who are only really using it because they know what they are doing, it is never going to be that popular to others as I would say 90% of people would just pay the extra for the dedicated IP.
If you can specialize though, that could work, like NAT based storage for example.
How did the Asterisk server work out? I'm thinking of doing this too, worried about the shared IP address being DDoSed or someone transferring a lot of data (VPN/torrent) and the disruption that could result, especially as VoIP is time sensitive.
It would get disrupted during a DDoS; some locations have protection though. Although I think you probably highly overestimate how much data people actually use: 95% of people/users use 5% of their BW.
1 main port for the system was used in sip.conf and 10 other UDP ports were used for RTP in rtp.conf (for RTP, Asterisk uses only even ports from a given range, so the provider manually allocated me several sequential even ports like 10002, 10004, 10006 etc.)
I had 3 DID numbers from Callcentric registered (registration string at sip.conf), peers and used 4 providers for PSTN outgoing call.
Family used the server mainly for IP calling from smartphones and DISA calling abroad, and I used it also for coding tricks & experimenting with things (callback, unblocking CID and many more...)
Haven't suffered DDoS or other attacks on my box, but the provider was a free one and I remember several downtimes.
I bought most of the obscure locations and it took quite a long time to realize that they weren't that useful. I did get some use from some of the EU ones but not really the rest. Particularly Virtwire's other DE site (I mean the non-Hetzner one; I don't remember exactly where it was) had some unusual IP geolocation that came in handy. And there's a thread up about using NL networks to enroll at TransIP.
That's kind of how UDP works.
Most exotic locations have expensive bandwidth (hence their exotic-ness), so DDoS protection will either be expensive or non-existent. That makes sharing an IP with one or more noisy neighbors a hassle.
That's not so much different to having a static IP where bandwidth is expensive.
I believe I saw a thread with some guy looking to sell NAT DEDI servers using his home broadband line in SG. Situation in SG is similar to HK where bandwidth is relatively expensive and broadband is relatively cheap.
If you have a provider with 100Mbit of IP Transit, then any DDoS attack would take down the whole network. Many providers in Asia do not actually have that much since the cost may be north of US$5,000! On the other hand, you can snag yourself a 1G broadband line for just $50-$100 /month. Now of course you can't really expect to use 1G (internationally) but still. All of a sudden, if NAT based VPS were running off of Home/Business broadband lines, then even exotic and high cost places like HK and SG can be very cheap indeed!
@randvegeta using a NAT VPS offer allows you to hide a database server, for example.
In a two-server pair (web + DB) you can create NAT rules to access the web server from outside while the DB server is only talking to the web server.
We use CloudStack as the backend; NAT rules are easy to set up but it must be done manually, or you can use the API if you like to automate stuff.
I have some NATted VMs on dedi/colo'd boxes because they need only a small subset of ports open inbound and it would be silly to burn IPv4s on those when they really don't need them. But I've not explicitly purchased any NAT VPSs.
I've been finding a lot of the time that I don't need IPv4 at all. For stuff like backend services it's easier and probably more efficient to use IPv6 than to mess with NAT.
For the backend, RFC1918 IPv4 or IPv6 works for me most of the time since the front end server will be able to route to it anyway.
Still have a few services that need to be available on IPv4 for people whose ISPs still don't offer v6.