Service restrictions

Blocking objectionable websites

Trusted agencies provide Spark with verified lists of some of the internet’s most harmful websites. Spark then blocks these websites from our network, to help protect New Zealanders. This includes websites containing child abuse material. It also includes websites aimed at defrauding New Zealanders of money or information.

The New Zealand National Cyber Security Centre (NCSC) identifies and verifies some of the fraudulent websites we block. We then provide high-level, anonymised reporting to the NCSC on the total number of attempted visits to each of these websites. For example, ‘A’ website had seven attempted visits; ‘B’ website had 15 attempted visits. The NCSC uses this information to understand what they can do to help protect New Zealanders.

Port filtering

By default Spark blocks some ports which are typically not used or needed. This is international best practice to help with security and prevent the spread of spam, worms and viruses.

The ports that are blocked are:

Most people won’t need to opt out of port filtering, but you can opt out if you have a genuine need to use any of these ports. If the reason is to get your email service to work, we recommend you first check if your email service can support Secure Socket Layer (SSL) technology. If you enable SSL you won’t need to opt out of port filtering.

You should opt out of port filtering when you:

• Use a desktop email application (such as Outlook or Thunderbird) and your email service is with a provider that doesn't support SSL, or
• Have an older printer with a ‘scan to email’ function that doesn't support SSL.

You don't need to opt out of port filtering if you:

• Use a web-based email service such as Xtra Mail, Gmail, Hotmail or Yahoo, or
• Use a hosted email service that supports SSL, such as Xtra Mail, Spark business Mail or Office 365.

Opt out of port filtering

Restricted traffic

To make sure there's enough capacity for all of our customers, Spark restricts the following:

• The amount of Domain Name System (DNS) traffic a customer can send to Spark-owned DNS servers.
• The amount of Network Time Protocol (NTP) traffic a customer can send to Spark-owned NTP servers.
• The amount of Automatic Configuration Server (ACS) traffic a customer can send to Spark-owned ACS servers.

Spark Wireless Broadband IP addresses (CG-NAT)

Every broadband connection has an IP address. Think of this like your postal address on the internet for data traffic. The address is provided as part of your connection and most of the time you don’t need to worry about it.

Spark's Wireless Broadband doesn't give each connection a unique IP address. Instead, it uses a pool of IP addresses. It uses a system called Carrier Grade – Network Address Translation (CG-NAT) to share these addresses among multiple users. This enables us to conserve the amount of IP addresses we need.

What does this mean for my Wireless service?

Generally, you won’t notice any differences. The systems are designed so you can still browse, stream, email, work, and play, and generally use the internet without any issues.

However, there are some applications and ways of working which might not work as well with CG-NAT. For example, you can’t port-forward (this is generally not recommended anyway as it poses security risks) or run a lot of concurrent connections.

For example, some file-sharing applications download files from hundreds of different users around the world, and thus use higher numbers of concurrent connections. Extreme use of any software which uses a lot of concurrent connections may not work optimally.

Additionally, users with very large households or businesses with a high number of users may also generate a high number of concurrent connections.

If this applies to you, we recommend you add a Static IP to your plan. For information on pricing and to buy a Static IP, see Order a Static IP