Matt,

I find it incredibly interesting and clever that you have managed to operate 
your network on private IP addresses.
However, the problem you are running into now is one common reason others 
have given in to using public IP addresses.

Having public IPs throughout your transport network is not necessary; we use 
all private IPs for all our radios.
But there is a large risk in not giving end users, or small groups of end users, 
their own public IP space.
The inherent problem is that if one person causes an AUP violation, it 
risks ALL subs.
There comes a point where you grow large enough that your volume then 
increases the chances of someone making a violation, where that risk puts too 
many existing customers at risk to everyone else.

The two most common situations are:
sending email, and
being reported as a BitTorrent user.

Large ISPs are becoming much quicker to simply immediately block an IP 
assumed to be a potential threat.

The risk can be reduced by dividing your network into multiple smaller 
groups and assigning multiple public IPs, each to one of these groups.
Now when there is a problem, fewer customers are affected, and there are lower 
odds that a given group will have one detected.

I can tell you in our world, if we have a business sub get their traffic 
blocked/compromised because of the usage of another business, it quickly 
leads to a letter of cancellation.  It's a common reason that WISPs will 
eventually convert to public IPs, and leverage BGP to bypass being held 
hostage by upstream providers.
But even still it adds a level of inflexibility for internal network IP 
assignment.

Ironically, you probably have fewer BitTorrent problems, considering your 
private IP scheme.

What this really is, is a Net Neutrality issue. Yahoo, Google, and Hotmail have 
the rights to methods of Network Management. And there is a consensus 
between them that this method of network management is an acceptable best 
practice, and it's your problem if you NAT all your users to a few IPs.

You'll also see problems with poor rankings with "IP Reputation" methods of 
Anti-spam.

Another issue to consider is that Hotmail, Yahoo, and Google prefer to know 
exactly where the end user resides, so they can better direct advertisement. 
NATing your customer base to a single NOC location is disruptive to their 
long term advertising goals for target marketing. It's likely this battle 
won't end here with this incident.

If your problems are primarily email related, you can try to sign up for 
feedback loops to help, and make sure SPF records are valid, valid PTRs and 
such. But if it's just to web sites, well, not sure there is an answer other 
than to change the source IP address for the traffic.  In that scenario you 
may want to set up some sort of load balancing routine, to redirect outbound 
sessions to different source IPs or proxy servers.

A problem where we see it is with hotels. We'll give a few IPs to the hotel, 
and then NAT to all their rooms. When one of the overnight guests decides to 
download a copyrighted movie, we get an AUP notice, and have to react. 
Obviously for a hotel, we have no way to contact that subscriber or know who 
it is, for hotel confidentiality reasons. Sometimes upstreams might just 
block that public IP that serves them, if they didn't like our answer. Then 
the whole hotel will have problems.  (The preferred solution is for us to 
block access to the offending host site). This is one reason many hotel 
hotspot providers try to ask for full Class C PUBLIC IP blocks for their 
circuits. Then only the one room gets blocked if they violate AUP.  This has 
not been a big problem, because my upstream is easy to work with and rarely 
blocks traffic. But this situation demonstrates my point.

Good luck with it.

Tom DeReggi
RapidDSL & Wireless, Inc
IntAirNet- Fixed Wireless Broadband
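As an added example (not from Tom's message above nor from Matt's reply quoted below), here is one way to implement the grouping Tom describes and the per-subnet source-NAT split Matt mentions doing with StarOS policy routing: a small Python script that assigns private customer subnets round-robin to a pool of public addresses, renders the matching nftables snat rules, and reports how many subnets lose egress if one public address is blocklisted upstream. Every subnet and address in it is a constructed placeholder (203.0.113.0/24 is documentation space), and the WAN interface name eth0 is an assumption.

```python
# Added example: split customer egress across several public SNAT addresses so
# that a reputation block on one address only affects a fraction of subscribers.
# Not from the thread; every subnet, address and interface name below is a
# constructed placeholder.
import ipaddress
from collections import defaultdict

# Constructed sample input: private customer subnets behind the NAT box and the
# public addresses available on its WAN side (203.0.113.0/24 is documentation space).
CUSTOMER_SUBNETS = [
    "10.20.0.0/24", "10.20.1.0/24", "10.20.2.0/24", "10.20.3.0/24",
    "10.20.4.0/24", "10.20.5.0/24", "10.20.6.0/24", "10.20.7.0/24",
]
PUBLIC_POOL = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]


def assign_snat_pools(subnets, public_ips):
    """Map each customer subnet to one public SNAT address, round-robin.

    Returns {public_ip: [subnet, ...]}. The mapping is deterministic, so an
    abuse notice naming one public address narrows the search to one group.
    """
    if not public_ips:
        raise ValueError("need at least one public address")
    pool = [str(ipaddress.ip_address(ip)) for ip in public_ips]
    groups = defaultdict(list)
    for i, cidr in enumerate(subnets):
        net = ipaddress.ip_network(cidr, strict=True)
        if not net.is_private:
            raise ValueError(f"{cidr} is not a private range; refusing to SNAT it")
        groups[pool[i % len(pool)]].append(str(net))
    return dict(groups)


def render_nft_rules(groups, wan_if="eth0"):
    """Render an nftables ruleset with one snat rule per customer subnet.

    wan_if is an assumed interface name; change it to the NAT box's WAN port.
    """
    lines = [
        "table ip nat {",
        "  chain postrouting {",
        "    type nat hook postrouting priority srcnat; policy accept;",
    ]
    for pub, subnets in groups.items():
        for net in subnets:
            lines.append(f'    oifname "{wan_if}" ip saddr {net} snat to {pub}')
    lines += ["  }", "}"]
    return "\n".join(lines)


def blast_radius(groups, blocked_ip):
    """Return (affected, total) subnet counts if blocked_ip is blocklisted upstream."""
    total = sum(len(s) for s in groups.values())
    return len(groups.get(blocked_ip, [])), total


if __name__ == "__main__":
    groups = assign_snat_pools(CUSTOMER_SUBNETS, PUBLIC_POOL)
    print(render_nft_rules(groups))
    for pub in PUBLIC_POOL:
        hit, total = blast_radius(groups, pub)
        print(f"# a block on {pub} would affect {hit}/{total} subnets")
```

Run it with python3 and feed the printed table to nft -f on the NAT box; with eight subnets over three addresses, a block on any one address touches at most three of the eight groups instead of all of them, and the abuse desk knows which subnets sit behind the address named in the notice.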


----- Original Message ----- 
From: "Matt Larsen - Lists" <li...@manageisp.com>
To: "WISPA General List" <wireless@wispa.org>
Sent: Wednesday, October 28, 2009 3:22 PM
Subject: Re: [WISPA] NAT issue with Hotmail/Yahoo/Google


>I believe that we have fixed this by using the StarOS policy routing to
> split up some of our subnets to SourceNAT through a different IP address
> on our NAT server.
>
> If we are going to get into the public vs. privates discussion, well....
>
> I have used NAT for customer IP addresses from day 1.   I used to use
> publics, but it was a tremendous pain in the ass, and would be very
> difficult to implement on my current network design (routed subnets at
> every single location) so I have no interest in giving each customer
> their own public IP address.   There are about 160 private subnets on
> the access points in my network, so I have no intention of switching to
> publics anytime soon.   I also loathe PPPoE and have worked with a
> couple of people who tried to convert to it and converted back as soon
> as they could because it just didn't work as well as advertised.   YMMV,
> but I'm just fine not using it.
>
> NAT has been very beneficial to my customers as a whole, since they are
> not directly exposed to the Internet and we have far fewer
> virus/trojan/backdoor issues because of it.    We do have a few folks
> who need a public IP, and route several subnets of public IP addresses
> out to towers where public IP addresses are needed.   That is fine with
> me, because we charge extra for the IP addresses.   Just another reason
> for power users to move up the pricing ladder if they want the extras.
>
> Not using publics has also been a godsend as far as maintaining
> flexibility between backbone providers and utilization of secondary
> links in the event of failures.  Sometime in the next month, I'm
> switching my primary backbone to go through a new provider that is
> delivering 50meg for the same price that I was previously paying for 15.
> Moving traffic to that backbone will be as simple as changing one line
> in a policy routing statement.   If I was using publics, I would still
> be stuck with the previous provider.   I don't like being hostage to
> outside network providers if I can avoid it.   In addition to my primary
> backbone link, I also have backbone links with two other neighboring
> WISPs and the ability to route traffic to the Internet through them in
> the event of an outage on my network between my APs and my NOC.  They
> can do the same thing through my network.    Just last week, a set of
> rolling power outages took out two towers that were the redundant paths
> to five APs on the far eastern side of my network.   OSPF figured it out
> and routed them out through my neighbor's network until the towers came
> back up and it switched back.   Same thing happened on his network last
> month, and we handled the majority of his traffic until his backbone
> link was back up.   That is not a very simple thing to implement with
> public IP addresses, but it was pretty easy to make it happen with 
> privates.
>
> So yeah, I have my reasons for using NAT.   Switching to publics is a
> rhetorical answer, not a useful one.
>
> Matt Larsen
> vistabeam.com
>
>
>
> Mike Hammett wrote:
>> I believe Matt has around 5k subs, maybe I'm wrong.  At 5k subs, his cost
>> per year per IP address is $0.45.  That's under $0.04/month.  I'd consider
>> that a reasonable expense.
>>
>>
>> -----
>> Mike Hammett
>> Intelligent Computing Solutions
>> http://www.ics-il.com
>>
>>
>>
>> --------------------------------------------------
>> From: "Scott Reed" <scottr...@onlyinternet.net>
>> Sent: Wednesday, October 28, 2009 1:23 PM
>> To: "WISPA General List" <wireless@wispa.org>
>> Subject: Re: [WISPA] NAT issue with Hotmail/Yahoo/Google
>>
>>
>>> <RANT>
>>> So, as with so much that goes on the lists, not just this one, "oh, you
>>> aren't doing it my way so the fix is do it my way."  What a bunch of
>>> baloney!!
>>> There are lots of ways to do almost everything we do as ISPs.  What
>>> really needs to happen is for people to read the post, think about what
>>> the real question is and then, if and only if, they can pose a solution
>>> to the real problem, post a suggestion.
>>>
>>> But, since the only posts I have seen to Matt's is give everyone a
>>> public address, I have a few questions:
>>>
>>> So, who is going to buy Matt a block of IPs to fix this non-NAT issue?
>>> I ask, because I do as Matt does and if that is the fix, I need someone
>>> to buy me a block as well.
>>> But the issue isn't really NAT, is it?
>>> The real question is how does he deal with the current issue on his
>>> current network?
>>>
>>> </RANT>
>>>
>>> Matt Larsen - Lists wrote:
>>>
>>>> We are having a problem with certain sites that are rejecting our
>>>> customers because they say the IP address has sent too much traffic over
>>>> the last 24 hours.   This is a problem, as 98% of our customers are
>>>> behind a single NATted IP address.   I am just changing the IP address
>>>> of the NAT server every 12 hours now, but am looking for a better
>>>> solution.   Anyone have any similar issues?
>>>>
>>>> Matt Larsen
>>>> vistabeam.com
>>>>
>>>>
>>>>
>>>> --------------------------------------------------------------------------------
>>>> WISPA Wants You! Join today!
>>>> http://signup.wispa.org/
>>>> --------------------------------------------------------------------------------
>>>>
>>>> WISPA Wireless List: wireless@wispa.org
>>>>
>>>> Subscribe/Unsubscribe:
>>>> http://lists.wispa.org/mailman/listinfo/wireless
>>>>
>>>> Archives: http://lists.wispa.org/pipermail/wireless/
>>>>
>>>>
>>>>
>>>>
>>> -- 
>>> Scott Reed
>>> Sr. Systems Engineer
>>> GAB Midwest
>>> 1-800-363-1544 x4000
>>> Cell: 260-273-7239
>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>
>
>
>
>
>
> 


