Radios in other subnets - Why can't SmartSDR for Windows & Maestro be used without auto discovery?

  • 2
  • Question
  • Updated 3 years ago
  • Answered
We've got a bridged VPN/Layer 2 - with multiple Flex Radios in different locations. That setup is running very good for quite some time now. The plan is to move to a routed VPN, as the network grows, bridging ist not the way to go.

With the IPhone client, the remote radio's IP can be specified manually without any UDP broadcast discovery. Agree, that auto discovery is convenient in average home Class-C networks, but I don't like, that it's the only way to contact the radio. 

I'd need Maestro & "SmartSDR for Windows" to be able to be told about static radio IP(s), that are not visible in my broadcast domain. Is there any feature ahead? Maybe some workaround with that filter.txt files? Maybe a hidden knownRadiosList.txt somewhere?

I don't want to start and implement ugly udp-broadcast-relays on our VPN devices, to pack/unpack udp:4992 packages.
Photo of Frank, HB9FXQ

Frank, HB9FXQ

  • 62 Posts
  • 37 Reply Likes

Posted 3 years ago

  • 2
Photo of K6OZY

K6OZY, Elmer

  • 542 Posts
  • 212 Reply Likes
2.0 will solve this issue.  They may add this feature prior, but I wouldn't bet on it.  This issue arrived when Marcus (Author of the IOS version) added this feature that was not in sync with the Maestro/Windows versions.   They implemented this restriction to prevent people from port forwarding their radio through their firewall since there is currently no authentication on it.   I am not defending this decision, simply stating it.
(Edited)
Photo of Frank, HB9FXQ

Frank, HB9FXQ

  • 62 Posts
  • 36 Reply Likes
Let's see if there'll be an official statement from the staff this time. @Steve @Eric :)

I don't like the idea, that preventing users from doing dump things like unsecured port forwarding. Nobody saves me from opening all my ports to a unsecured old Windows XP machine, just because it is a dump idea. Even if flex would offer a WAN feature, I'd stick to my VPN setup, because it's under my control. Open source and I can do propper enterprise grade authentication, regenerate certs / use good auth relams etc. 
Photo of K6OZY

K6OZY, Elmer

  • 542 Posts
  • 212 Reply Likes
I agree with this statement.  I do not like them restricting the client "for my safety".  I too will continue VPN usage with 2.0.  My guess is liability or support issues.  It is ultimately their choice.
Photo of Mark Thomas

Mark Thomas

  • 52 Posts
  • 16 Reply Likes
The "for my safety" speculation makes no sense, because this is a limitation of the Maestro/Windows SmartSDR client, not a limitation of the Flex-6xxx radio server.

As a networking/security professional, this is an especially frustrating limitation as it's basic level functionality I take for granted an just about all other networking systems I use. I just keep hoping that if enough people ask, maybe FRS will add a box to SmartSDR and Maestro where an advanced user can type in a specific IP address to connect to instead of relying on broadcast discovery.
Photo of Steve - N5AC

Steve - N5AC, VP Engineering / CTO

  • 1057 Posts
  • 1097 Reply Likes
Mark, FYI we have already added fixed IP to both Maestro and the radio.  This will be released in v1.10 which will be available soon.
Photo of Jim Gilliam

Jim Gilliam

  • 944 Posts
  • 218 Reply Likes

I have tried to use SmartSDR with OpenVPN in my iPhone and using the OpenVPN server on the Linksys router. When I bring up iSmartsdr the radio is not discoverable. It would really be great to enter the I/P address and the radio would magically appear. The problem with Linksys OpenVPN ( I guess) is that it provides the client with an I/P address that is not on the LAN. I don't know enough on how to overcome this problem.

Jim, K6QE

Photo of K6OZY

K6OZY, Elmer

  • 542 Posts
  • 212 Reply Likes
OpenVPN has two modes.  TUN & TAP.   You want to use TAP mode so your client gets an IP in the same subnet.  If those options aren't available to you, then your OpenVPN server is too "simple" and hides those options from you.
Photo of Frank, HB9FXQ

Frank, HB9FXQ

  • 62 Posts
  • 36 Reply Likes
This plastic router devices often hide advanced VPN features. We found some semi-prof. hardware ( https://twitter.com/HB9FXQ/status/770303108681437184  /  http://pcengines.ch/apu.htm) and run PfSense on it. Requires some good network knowledge, but I'll post some detailed documentation about our setup soon. I'll announce it here in the forums then. 
(Edited)
Photo of K6OZY

K6OZY, Elmer

  • 542 Posts
  • 212 Reply Likes
I use pfSense extensively too and wrote up an article already on using OpenVPN on it.

Unsupported SmartSDR 1.4 over WAN using OpenVPN HowTo (pfSense Firewall)
Photo of K6OZY

K6OZY, Elmer

  • 542 Posts
  • 212 Reply Likes
pfSense can be installed on any commodity hardware, but I like to support the pfSense team.   I'm currently using https://store.pfsense.org/SG-4860/.

My prior model was an SG-2220.  They have released a cheap $150 unit that is Super small:  https://store.pfsense.org/SG-1000.aspx
Photo of Frank, HB9FXQ

Frank, HB9FXQ

  • 62 Posts
  • 36 Reply Likes
Seen your posts. Great work! Basicly that is what we've done. I've also included IP switchable power sockets, SPE PA Control and a small html dashboard to start/stop radios via relays on the REM port, control accessories like antenna switches etc.  Enjoy that setup very much
Photo of Jim Gilliam

Jim Gilliam

  • 944 Posts
  • 218 Reply Likes

Thank you, gentlemen, for the lucid advice. Never knew about Tun and Tap. It seems everyday there is a new term or acronym to add to my miserable knowledge of networking.


Jim, K6QE

Photo of Ria - N2RJ

Ria - N2RJ, Elmer

  • 2314 Posts
  • 956 Reply Likes
I would second pfsense. We use it in the datacenter to handle about 2GBps of traffic. I use it at home on an atom box, at that time I needed more than what pfsense had in their h/w offerings. Even have IPv6 and RADIUS running on it as well as multi-wan and wifi APs as well as VLAN trunking for various subnets tied to Wifi SSIDs. Better than any home router. 
(Edited)
Photo of Steve - N5AC

Steve - N5AC, VP Engineering / CTO

  • 1057 Posts
  • 1097 Reply Likes
Official Response
​K6OZY is correct.  The discovery protocol was designed, in part, to avoid use in different subnets.  This was done because there ​was no security (authentication, authorization) on the command protocol and we wanted to prevent someone from transmitting, etc. off-subnet without your permission.  I've made a number of jokes about this publicly and they go something like: imagine what a script kiddie, grad student, etc. could do with a 100W transmitter at their command on the Internet.  The major design goal of v2.0 is to eliminate this requirement along with adding security so that full remote use becomes possible.

Backstory: The way the radio works now was very deliberate.  3-4 years ago when we were designing the API, I brought a major concern to our management team about the lack of security.  Along with this concern I provided two options: 1) we could proceed as we are with no security (no authentication, authorization, encryption, etc), but implement some simple steps such as discovery and an off-subnet block in the API to prevent most types of hacking, or 2) we could throw on the brakes and design security into the protocol and then resume work.  

Each solution has benefits and drawbacks.  At the time, the most important consideration was bringing our customers new capabilities as quickly as possible; to pull the FLEX-6000 way ahead of the competition in capabilities before others had a chance to attempt to duplicate what we had done -- to make the competition think twice about venturing down the road we were on until it was too late and they were too far behind.  The major drawback was that it would make customer DIY remote harder.  It was a spirited discussion, but in the end, we opted for the "we'll do that later" model of remote and complete security.  We are somewhat unique compared to any other IoT device in that Internet use is not a core expected functionality from our customer group -- much of the key functionality of the product can be realized with local subnet use.
Photo of Frank, HB9FXQ

Frank, HB9FXQ

  • 62 Posts
  • 36 Reply Likes
Thanks for all that background info. Explains it well, but for now we need a solution: 

Since our radios are already deployed we don't want to wait for 2.0, it leads me even more workarounds :) Tried to realize it with iptables and routing tables, but what happened was more something like: 

https://twitter.com/Cannibal/status/787861071931461632



I starded to hack a "Discovery packet relay app". Since we anyway have allways-on raspberry pi on all sites for monitoring / watchdog purpose I'll run that relay server/client on all sites. It captures and packs the discovery packages from the local subnet into routable packages, forwards it, the client then unpacks it, thenbroadcast it on the target site to  255.255.255.255:4992.

Sounds ugly, but works like a charm. Looking forward to complete it the upcoming weekend and will publish on github. Hope SmartSDR 2.0 will be available soon and I can delete that repo.

vy 73
Frank 

(Edited)
Photo of Ross - K9COX

Ross - K9COX

  • 352 Posts
  • 108 Reply Likes

This conversation is no longer open for comments or replies.