
Port Forwarding Issues - Remote Connection

Working with a radio that is in a semi-remote location. The only internet option is 4G via EE, which provides good speeds and latency but is behind carrier-grade NAT (CG-NAT). This means it's not possible to open ports directly (either via UPnP or manually) and remote access does not work.

As a fix there is a pfsense router that forwards all radio traffic (both for the receiver and head end for the FLEX-6600M) over a VPN to a cloud server. This server has the 21000 TCP and 22000 UDP ports open and forwarded to the radio head end (the pfsense has a firewall rule to forward 21000 to 4994 and 22000 to 4993 respectively). Doing an external port scan of the cloud server IP shows both ports as "open" when the radio is on.

However, I cannot get SmartLink to connect when outside the local network. Has anyone had the same experience, and is there anything being done wrong?

Best Answer

  • runtimesandbox
    runtimesandbox Member ✭✭
    Answer ✓
    Have managed to resolve this. I was mapping the external port to the internal port (22000 ---> 4994 tcp) on the firewall, which, whilst it tested okay in the SDR software, didn't allow it to connect.

    Doing a direct port all the way through has solved the issue.

Answers

  • rickd
    rickd Member ✭✭
    I'm having the same issue here, being behind carrier-grade NAT. I was trying to solve this with NGROK, only to find out that it doesn't forward UDP ...
    I have pfsense and I can run a server in the cloud.
    How did you set up the cloud server? My Flex seems to always use the public IP of my provider?

    I would appreciate it if you could share a bit more of your setup ...

    Cheers,
    Rick
  • runtimesandbox
    runtimesandbox Member ✭✭
    I set up a $5/month Digital Ocean droplet (referral link if you want to get $100 in credit https://m.do.co/c/fb3f5037c733) running an OpenVPN server using this script - https://github.com/angristan/openvpn-install (note: I tried the pivpn script but this didn't work, due to the ciphers it uses).

    I then connected pfsense to this as a new interface and used policy-based routing to route the IP of the radio over the VPN tunnel. This is a great video on setting that up: https://www.youtube.com/watch?v=TglViu6ctWE&ab_channel=LawrenceSystems

    The final step was to create iptables rules to forward the ports from the external IP to the VPN tunnel. This opens up ports and will fully rely on the pfsense firewall for security.

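    ```
    # DNAT the radio ports arriving on the public interface to pfsense over the tunnel
    iptables -t nat -A PREROUTING -p tcp --dport 4994 -i eth0 -j DNAT --to-destination 10.8.0.2
    iptables -t nat -A PREROUTING -p udp --dport 4993 -i eth0 -j DNAT --to-destination 10.8.0.2
    # Masquerade traffic leaving via the public interface
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    # Allow the two forwarded ports through the FORWARD chain
    iptables -I FORWARD -i eth0 -p tcp -d 10.8.0.2 --dport 4994 -j ACCEPT
    iptables -I FORWARD -i eth0 -p udp -d 10.8.0.2 --dport 4993 -j ACCEPT
    ```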

    10.8.0.2 being the IP address of pfsense on the VPN link.

    Hope this helps!
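
An added example, not part of the original posts: a Python check over `iptables-save` output from a relay like the one above. It lists each DNAT forward and tags a remapped port (the mapping the accepted answer found did not connect), a missing FORWARD ACCEPT, and a rule open to any source. The sample ruleset is constructed, and the function and tag names are assumptions.

```python
import shlex

# Constructed `iptables-save` excerpt for a relay like the one in the thread.
SAMPLE = """\
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 4994 -j DNAT --to-destination 10.8.0.2
-A PREROUTING -i eth0 -p udp -m udp --dport 4993 -j DNAT --to-destination 10.8.0.2
-A PREROUTING -i eth0 -p udp -m udp --dport 22000 -j DNAT --to-destination 10.8.0.2:4993
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
-A FORWARD -d 10.8.0.2/32 -i eth0 -p tcp -m tcp --dport 4994 -j ACCEPT
COMMIT
"""

def parse_rule(line):
    """Map each option that takes a value (e.g. --dport 4994) to that value."""
    tok, opts = shlex.split(line), {}
    for flag, value in zip(tok, tok[1:]):
        if flag.startswith("-") and not value.startswith("-"):
            opts[flag] = value
    return opts

def audit(text):
    """Return [(forward, [tags])] for every DNAT rule; tag names are hypothetical."""
    table, dnat, accepts = None, [], set()
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:]                      # "*nat" / "*filter" section header
        elif line.startswith("-A"):
            o = parse_rule(line)
            if table == "nat" and o.get("-j") == "DNAT":
                dnat.append(o)
            elif table == "filter" and o["-A"] == "FORWARD" and o.get("-j") == "ACCEPT":
                accepts.add((o.get("-p"), o.get("-d", "").split("/")[0], o.get("--dport")))
    findings = []
    for o in dnat:
        proto, ext = o.get("-p"), o.get("--dport")
        host, _, port = o.get("--to-destination", "").partition(":")
        inner = port or ext                       # no ":port" means the port is kept
        tags = []
        if inner != ext:
            tags.append("port-remapped")          # external port differs from internal
        if (proto, host, inner) not in accepts:
            tags.append("no-forward-accept")      # relies on the FORWARD chain policy
        if "-s" not in o:
            tags.append("any-source")             # no source match on the DNAT rule
        findings.append((f"{proto}/{ext}->{host}:{inner}", tags))
    return findings

if __name__ == "__main__":
    for forward, tags in audit(SAMPLE):
        print(forward, ",".join(tags))
```
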
  • rickd
    rickd Member ✭✭
    @runtimesandbox Excellent! Thanks a lot ... I have some leave coming up next week and I think I found myself something to do!

    One last question for now: how did you get the radio to use the other public IP? Or will that automatically update once you force the traffic from the radio through the VPN?
  • runtimesandbox
    runtimesandbox Member ✭✭
    Yep, once you configure the policy-based routing it will go out via the public cloud instance and will automatically pick up that external IP.

    Good luck!
  • rickd
    rickd Member ✭✭
    @runtimesandbox thanks again for your help....
    Got it all working now (required to do a factory reset on my production pfsense, but that's another story!)
    This is a perfect solution, together with my free $50 per month from Azure ... doesn't cost me anything ...

    73
    Rick
  • runtimesandbox
    runtimesandbox Member ✭✭
    Glad you managed to get it working! Took me some messing around but it does seem to be a great (and reliable!) solution.
  • rickd
    rickd Member ✭✭
    Yes, now the gremlins are gone from my normal pfsense server it is a great tool! Before I did a factory reset it was working fine on the test server (VM), but not the real one ... one moment it was and the next moment I couldn't get it back to work...
    Now I got rid of ngrok right away and moved the other services to this as well!
  • @rickd does your setup still work and what version of SmartSDR are you running?

    Something seems to have changed lately (and not with my pfsense or cloudserver) and I can no longer connect remotely.. all still working for you?

  • rickd
    rickd Member ✭✭

    @runtimesandbox sorry for the late reply, I was on an overseas business trip and the radio was off.

    I just checked and it's still working for me from my phone on 5G ... So it looks like something changed on your site (maybe pfsense update?)

    I hope you manage to get it resolved ...

  • Thanks @rickd - can I ask if you are still using OpenVPN for the VPN link?

  • rickd
    rickd Member ✭✭

    @runtimesandbox yes I do, nothing has changed for me...

    Possibly something has changed on the Linux box you are connecting to? I'm using Vultr and that is still working. Although I have to admit I have not updated the OS on that box for a long time ...

  • Thanks for the screenshots. If you have time, could I get a screenshot of your firewall rules to compare against mine?

  • rickd
    rickd Member ✭✭
    edited September 2022

    @runtimesandbox this is what you are looking for, right? The one in pfsense?

    I'm on a trip again and I reinstalled my laptop a while ago and I don't have the key with me right now to log in to the Linux box if you need those (which are basically the same as yours above anyway)...

    I can get them, but after saturday ...

    133 is my flex

    127 is my kiwi, probably not relevant in your case.

    I also forward OpenVPN on port 1199 to my pfsense, so I can connect to my home network from away ...

  • Cheers! Interesting about the OpenVPN back to your network. I tried it with WireGuard but didn't have any luck. Might give it another shot with OpenVPN, although I have started using Tailscale, which works really well (except for the radios, as it's WireGuard based and doesn't support UDP broadcast).

  • rickd
    rickd Member ✭✭

    @runtimesandbox let me know if you need help with the openvpn server part ...

    Should be easy enough to give you some screenshots of my setup...
