This ISP account has been acting up lately. It will happily keep its connection up for hours and sometimes days, even with heavy usage. But once I begin to share this connection with my wife’s computer, it will start dropping connection every minute. After I turn off [NAT](http://en.wikipedia.org/wiki/IP-masquerading), the connection will be back stabilizing again. It looks like as if the ISP knew when I’m doing NAT or not.
At first I didn’t know if this is even possible, primarily because I’m using kernel 2.6. In previous version of Linux, any NAT connection will originate from port 61000 to 65095 I believe. It was easy to detect if a connection comes from behind a Linux NAT box or not simply by observing remote port number even if this is not completely accurate. In 2.6 however, NAT connections share the same port space as normal connections from the NAT box itself.
But if my ISP is doing this to me, then there should be another way for them to determine if I’m doing NAT or not. After a bit searching, I found the program [p0f](http://lcamtuf.coredump.cx/p0f.shtml). I remember p0f from several years ago, it is a small program that passively detects remote operating system by observing network patterns. It seems that it has evolved into a tool that can detect the presence of NAT gateway according to several factors:
* Differences in OS fingerprints from the same IP
* Differences in NAT and firewall flags set
* Link type differences
* Distance differences
* Timestamp differences
* Time from previous occurence
So it is possible alright. But why are they doing this to their customers? Probably to avoid the connection being used on cheap ‘warnets’. However my Internet usage is completely legitimate. I’m not using this on a ‘warnet’ and I don’t appreciate being disconnected just because my wife needs to use her Yahoo Messenger account.
So, is there any workaround? Of course there is: simply use application level proxy such as [Squid](http://www.squid-cache.org/) for HTTP/FTP and [SOCKS](http://en.wikipedia.org/wiki/SOCKS) for everything else. It needs a little more configuration for every client (OK, maybe not a little), not as transparent as with straightforward NAT gateway, but it works.