Port Forwarding Issues - Remote Connection

runtimesandbox

Working with a radio that is in a semi remote location. The only internet option is 4G via EE which provides good speeds and latency, but is behind carrier grade NAT (CG-NAT). This means its not possible to open ports directly (either via UPnP or manually) and remote access does not work.

As a fix there is a pfsense router that forwards all radio traffic (both for the receiver and head end for the FLEX-6600M) over a VPN to cloud server. This server has the 21000 tcp and 22000 udp ports open and forwarded to the radio head end (the pfsense has a firewall rule to forward 21000 to 4994 and 22000 to 4993 respectively). Doing an external port scan of the cloud server IP shows both ports as "open" when the radio is on.

However I can not get smart link to connect when outside the local network. Has anyone had the same experience and is there anything being done wrong?

runtimesandbox

Have managed to resolve this. I was mapping the external port to the internal port (22000 ---> 4994 tcp) on the firewall, which whilst tested okay in the SDR software didn't allow it to connect.

Doing a direct port all the way through has solved the issue

rickd

I'm having the same issue here, being behind carrier grade NAT. I was trying to solve this with NGROK, only to find out that it doesnt forward UDP ...
I have pfsense and I can run a server in the cloud.
How did you setup the cloud server? My flex seems to always use the public IP of my provider?

I would appreciate if you could share a bit more of your setup ...

Cheers,
Rick

runtimesandbox

I setup a $5/month Digital Ocean droplet (referral link if you want to get $100 in credit https://m.do.co/c/fb3f5037c733) running an openvpn server using this script - https://github.com/angristan/openvpn-install (note i tried the pivpn script but this didn't work, due to ciphers it uses)

I then connected pfsense to this as a new interface and used policy based routing to route the IP of the radio over the vpn tunnel. This is great video on setting that up https://www.youtube.com/watch?v=TglViu6ctWE&ab_channel=LawrenceSystems

The final step was to create iptables rules to forward the ports from the external IP to the vpn tunnel. This opens up ports and will fully rely on the pfsense firewall for security

```
iptables -t nat -A PREROUTING -p tcp --dport 4994 -i eth0 -j DNAT --to-destination 10.8.0.2
iptables -t nat -A PREROUTING -p udp --dport 4993 -i eth0 -j DNAT --to-destination 10.8.0.2
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE



iptables -I FORWARD -i eth0 -p tcp -d 10.8.0.2 --dport 4994 -j ACCEPT
iptables -I FORWARD -i eth0 -p udp -d 10.8.0.2 --dport 4993 -j ACCEPT
```

10.8.0.2 being the ip address of pfsense on the vpn link

Hope this helps!

rickd

@runtimesandbox Excellent! thanks a lot ... I have some leave coming up next week and I think I found myself something to do!

One last question for now, how did you get the radio to use the other public IP? or will that automatically update once you force the traffic from the radio through the VPN?

runtimesandbox

[{"insert":"Yep once you configure the policy based routing it will go out via the public cloud instance and will automatically pick up that external IP.\nGood luck!\n"}]

rickd

@runtimesandbox thanks again for your help....
Got it all working now (required to do a factory reset on my production pfsense, but thats another story!)
This is a perfect solution, together with my free $50 per month from Azure ... doesnt cost me anything ...

73
Rick

runtimesandbox

Glad you managed to get it working! took me some messing around but does seem to be a great (and reliable!) solution

rickd

yes now the gremlins are gone from my normal pfsense server it is a great tool! Before I did a factory reset it was working fine on the test server (VM), but not the real one ... one moment it was and the next momement i couldnt get it back to work...
Now I got rid of ngrok right away and moved the other services to this as well!

runtimesandbox

@rickd does your setup still work and what version of smartSDR are you running?

Something seems to have changed lately (and not with my pfsense or cloudserver) and I can no longer connect remotely.. all still working for you?

rickd

@runtimesandbox sorry for the late reply, i was on an overseas business trip and the radio was off.

I just checked and its still working for me from my phone on 5g ... So it looks like something changed on your site (maybe pfsense update?)

I hope you manage to get it resolved ...

runtimesandbox

Thanks @rickd - can i ask if you are still using openvpn for the vpn link?

rickd

@runtimesandbox yes I do, nothing has changed for me...

possible maybe something has changed on the linux box you are connecting to? Im using vultr and that is still working. Although i have to admit i have not updated the OS on that box for a long time ...

runtimesandbox

Thanks for the screenshots. If you have time, could I get a screenshot of your firewall rules to compare against mine?

rickd

@runtimesandbox this is what you are looking for right? the one in pfsense?

Im on a trip again and I reinstalled my laptop a while ago and i dont have the key with me right now to login to the linux box if you need those (which are basically the same as yours above anyway)...

I can get them, but after saturday ...

133 is my flex

127 is my kiwi, probably not relevant in your case.

I also forward openvpn on port 1199 to my pfsense, so i can connect to my home network from away ...

runtimesandbox

Cheers! Interesting about the openvpn back to your network, i tried it with wireguard but didn't have any luck. Might give it another shot with openvpn although i have started using tailscale which works really well (except for the radios as its wireguard based and doesn't support UDP broadcast)

rickd

@runtimesandbox let me know if you need help with the openvpn server part ...

Should be easy enough to give you some screenshots of my setup...