I see some of these questions pop up often on the HughesNet community support forums. Note: I am not affiliated with HughesNet (other than being a customer).
GEN4 (HT1000 modem) Networking FAQ
Q. Is the HT1000 a modem or a router?
The HT1000 is an interesting device. It seems to qualify as both a router and a modem. (So, a Rodem?) It gives out IP addresses via DHCP and IPv6 addresses via radvd/DHCP6. The modem functions as a DNS forwarder. It also has an onboard HTTP proxy (see Web Acceleration, far below). However, it does not provide any sort of NAT functionality. There is no port forwarding on the HT1000 because there is no NAT mechanism to forward ports through. This might sound appealing for remote access; however, the current residential GEN4 systems do not have public IP addresses, so it doesn’t matter either way. (Read further down.)
You have several choices when integrating this device into your network. You can plug a single computer directly into it. The computer will be configured via DHCP/DHCP6/SLAAC. You can connect up to 5 devices to it via a hub or switch. Or you can connect it to a router. Just be aware that it wants the IP address 192.168.0.1 for its status webpage. If your router also uses this IP address, change it before connecting it to the modem. Also be aware that it has no firewall.
Q. Why can I only connect 5 devices to the HT1000?
You can only connect 5 devices directly to the HT1000. Its built-in DHCP server imposes a limit on the number of leases it will give out because IPv4 addresses are disturbingly finite. If you are using a router, there is no limit from HughesNet as to the number of devices you can use with your HT1000, so long as the devices are connected to the router and not the modem.
Q. Does HughesNet filter any ports? -or- Can I configure port forwarding on the HT1000? -or- Is there a firewall on the HT1000?
No and no and no. However, even when directly connected to the modem, you’re behind a CGN (Carrier-Grade NAT) layer; HughesNet masquerades many customers behind a handful of massive NAT gateways. If you’re planning on remote access, you’re in for a disappointment. (See below.)
Q. Do I have a public IP address? -or- Can I access my computer remotely? -or- Can I access my security camera? -or- I have a dynamic DNS provider so I can still access my network at home, right?
The answer for the first is “no” and for the next three is “No, not without creative workarounds.”
The IPv4 address given to your networked devices via the HughesNet modem is not a public IP address. It is a private IPv4 address in a range reserved for ISPs via RFC 6598 for use in Carrier Grade NAT (CGN) systems. So, most customers with home routers are behind two layers of NAT, sometimes called “double NAT.”
CGN functions much like your home router; many computers are “hidden” on a private network behind a single public IP address (which may be dynamic or static) using a mechanism called Network Address Translation (NAT). In this case, the scenario has been scaled up. Many HughesNet customers are situated behind large NAT gateways run by HughesNet. The network traffic of all the customers behind each gateway appears, to the rest of the Internet, to originate from one IP address. This practice is common among cellular wireless providers and some other ISPs. Among other reasons, it attempts to stave off IPv4 starvation/exhaustion by assigning many customers to one IP address, as opposed to giving each customer their own IP address.
Opening a port on your home router will not help, because the upstream HughesNet NAT gateways break end-to-end connectivity.
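To check which case applies to the address your router received on its WAN side, here is a small classifier, added as an example and not part of the original post. The RFC 6598 range is 100.64.0.0/10; the function names and sample addresses are made up for illustration.

```shell
#!/bin/sh
# Classify an IPv4 address by the reserved range it falls in.
# Prints: cgn | rfc1918 | loopback | link-local | reserved | public | invalid
classify_ipv4() {
    case $1 in
        ""|*[!0-9.]*|.*|*.|*..*) echo invalid; return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split into octets; input holds only digits and dots
    IFS=$old_ifs
    [ $# -eq 4 ] || { echo invalid; return 1; }
    for o in "$@"; do
        case $o in 0?*|????*) echo invalid; return 1 ;; esac  # leading zero or too long
        [ "$o" -le 255 ] || { echo invalid; return 1; }
    done
    case $1 in
        10)  echo rfc1918 ;;
        127) echo loopback ;;
        100) if [ "$2" -ge 64 ] && [ "$2" -le 127 ]; then echo cgn; else echo public; fi ;;
        172) if [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then echo rfc1918; else echo public; fi ;;
        192) if [ "$2" -eq 168 ]; then echo rfc1918; else echo public; fi ;;
        169) if [ "$2" -eq 254 ]; then echo link-local; else echo public; fi ;;
        0|22[4-9]|2[3-5][0-9]) echo reserved ;;
        *)   echo public ;;   # none of the ranges checked above
    esac
}

# Interpret a router's WAN-side address (the one handed out by the modem).
wan_verdict() {
    case $(classify_ipv4 "$1") in
        cgn)     echo "carrier-grade NAT upstream; forwarded ports are unreachable from the Internet" ;;
        rfc1918) echo "private address upstream; another NAT sits in front of this router" ;;
        public)  echo "publicly routable; port forwarding can work" ;;
        *)       echo "not a usable WAN address" ;;
    esac
}

# When run with an argument, report on that address (e.g. sh wan-check.sh 100.64.12.34).
[ $# -eq 0 ] || wan_verdict "$1"
```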
There are various workarounds, depending on what you want to do:
- OpenVPN (complete access to your network)
- SSH reverse port forwarding (useful for forwarding one or two services)
- LogMeIn Hamachi (easy setup for a simple VPN)
- TeamViewer (remote control of one or two computers)
It’s worth noting that the IPv6 addresses handed out by the modem are reachable from the Internet, although the prefix may change if your modem roams between gateways. If your network is IPv6 ready, you can take advantage of HughesNet’s IPv6 infrastructure.
Q. So, can I get a public IPv4 address with the GEN4 system?
“Maybe.” You’ll have to call HughesNet and find out if it’s available in your area. Mind you, it seems that it’s only available for business class plans…
Q. What’s the difference between a static and dynamic IP address, or between a public and private IP address?
A static IP address is one that can be expected to never change. This may be handed out via DHCP or set manually. A dynamic IP address is one that may change, although it often does not.
Note that an IP address can be dynamic but public, or static but private, or any combination of the above. A static IP address is not a requirement for accessing your computer from the Internet, but a public IP address is.
The addresses given out by the HT1000 modem are dynamic, private IP addresses.
Q. What’s up with HughesNet’s “DNS Acceleration”?
The HT1000 runs a little caching DNS server. (Hint: it looks like it’s dnsmasq.) When any DNS reply passes through the modem, it is cached. Future queries for that domain name are then served from the modem. This reduces the need for repeated tiny DNS queries to go out over the satellite link and back, with an average round trip time of about 700 ms. A laudable effort to improve responsiveness, but it has a major flaw: you cannot clear the cache short of rebooting the modem.
By default, the modem advertises itself as a DNS server via DHCP options. It then takes any queries sent to it and forwards them to HughesNet’s DNS servers. It seems you can specify your own DNS servers (see below), but the cache will still see the reply to any query and holds the reply until it expires, or until the modem is rebooted.
Q. Can I specify my own DNS servers? Can I use OpenDNS/Symantec Parental Controls?
Yes; specify an alternate nameserver on your router or computer. Try OpenDNS or Google Public DNS, or any other DNS server of your choosing.
Some parental controls will work. For example, OpenDNS has some filters built in to its nameservers and requires no setup beyond specifying their nameservers. DNS-based filters that require the customer’s IP address (usually ones with custom rules and options) will not work, because many HughesNet customers are placed behind a small number of IP addresses; it is impossible for the DNS service to tell which client made the query.
Q. What routers are compatible with the HT1000?
Any decent home/small business router will do, so long as you change its IP address (and the IP address range it reserves for clients) so that it doesn’t interfere with the HT1000, which grabs 192.168.0.1. (See RFC1918 for your choices. People don’t use the 10.0.0.0/8 netblock very much…)
I personally like routers running the open-source DD-WRT firmware for added flexibility and features. Other open-source firmware packages include OpenWRT and Tomato. A few routers come with DD-WRT pre-installed. (Note that I don’t recommend installing it yourself unless you know you have a supported router and you know what you’re doing. It’s easy to render a perfectly good router non-functional!)
- Cisco E1200 v2 (I’ve never had the chance to test one of these).
Routers I’ve personally used and like:
- Homemade Linux box (900MHz Celeron, 512MB RAM, 2x Realtek 10/100 NIC, 1x dual 1Gbit Intel NIC) running CentOS 6
- Belkin F5D7231-4 v1213 802.11g router running DD-WRT
- Linksys WRT55AG v2 dual-radio 802.11 a/g router. (Supports up to WPA AES, no WPA2.)
If you feel adventuresome, you can often find old Wireless-G routers at thrift stores for very little money…
And if you’re the tech type: find an old PC, add an extra network card or two, slap Linux on it, and build your own router. Some software you might find useful:
- Firewall: iptables (wrapper scripts like Ubuntu’s ufw may be helpful for beginners) with a MASQUERADE rule on the WAN interface.
- DNS: dnsmasq, or ISC BIND if you want to go nuts. Specify the modem (192.168.0.1) as a forwarder or your preferred DNS provider (OpenDNS, Google Public DNS).
- DHCP: dnsmasq (newer versions will do DHCP6 as well), or ISC DHCPD if you want a more traditional solution.
- VPN: OpenVPN
- hostapd if you want to make your own wireless hotspot.
- FreeRADIUS for WPA2 Enterprise wireless security.
- SNMP daemon and Cacti for bandwidth monitoring.
- Ntop for network/bandwidth monitoring.
All of this software is free and open-source. Most of these programs are present in your distribution’s package manager.
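Because the modem has no firewall and the IPv6 addresses it hands out are reachable from the Internet, a home-built router needs a default-deny IPv6 filter alongside the IPv4 MASQUERADE rule. The script below is an added example, not from the original post, that emits both rulesets in `iptables-restore` format. The interface names (eth0 for WAN, eth1 for LAN), the file name `router-fw.sh`, and the premise that the router forwards IPv6 for the LAN are assumptions; kernel forwarding must be enabled separately.

```shell
#!/bin/sh
# Rulesets for a two-interface Linux router behind the HT1000 (interface names assumed).
#   sh router-fw.sh v4 eth0 eth1 | iptables-restore
#   sh router-fw.sh v6 eth0 eth1 | ip6tables-restore
valid_if() {    # accept only plain interface names so nothing else reaches the ruleset
    case $1 in ""|*[!A-Za-z0-9._-]*) return 1 ;; esac
}

ipv4_rules() {  # $1 = WAN interface (faces the modem), $2 = LAN interface
    valid_if "$1" && valid_if "$2" || return 1
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $1 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $2 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $2 -o $1 -j ACCEPT
COMMIT
EOF
}

ipv6_rules() {  # no NAT for IPv6: the filter table alone decides what is reachable
    valid_if "$1" && valid_if "$2" || return 1
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i $1 -s fe80::/10 -p udp --dport 546 -j ACCEPT
-A INPUT -i $2 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $2 -o $1 -j ACCEPT
COMMIT
EOF
}
case ${1:-} in
    v4) ipv4_rules "$2" "$3" ;;
    v6) ipv6_rules "$2" "$3" ;;
esac
```

The IPv6 INPUT chain accepts ICMPv6 (neighbour discovery, router advertisements) and DHCPv6 replies from link-local sources on the WAN side. New inbound connections to LAN hosts are dropped by the FORWARD policy unless you add explicit rules for them.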