Opening ports for WiFi access point

Pulsar33

Hello
I'm currently coding an UDP client-server small application to manage remotly Kaffeine on my desktop. When away from home for some days, I want to be able to modify the recording schedule, post-process the recorded files, and so on, with a cool GUI on the distant machine.

Kmote-v1.0.png

This is fully tested ok on my private network, between a raspberry Pi and the desktop, but not very usefull indeed. On a distant way, I've two different approachs to test. The first one would be to compile the client application on my phone and run it with Libertine. I've no doubt that this will compile and run, I've already done such things for another Gtk application. But I will face the same problem I think that for the second approach.

That one is to use the phone as a WiFi access point (which I tried to do) and use a distant machine (raspberry or laptop) to run the client and connect to the home server through the access point. Currently, this is half-working ! The client sends the requests to the server which receives them and replies to the good address (that one of the access point). But the reply never comes to the client.

My understanding is that the access point has the necessary ports closed. I've emulated this communication with my box, opening the required ports and routing the incoming messages to the right station of the local network, all works.

So please, how to manage the ports of the WiFi access points in UBports (opening and routing) ?

BR
Pulsar33

Pulsar33

This post is deleted!

Pulsar33

This post is deleted!

Pulsar33

@pulsar33 Found files in /etc/ufw ... There's a sysctl.conf file there who says :
Configuration file for setting network variables. Please note these settings override /etc/sysctl.conf.

So I uncommented net.ipv4.ip_forward=1 in that file. This is certainly better but not enough

There are also rules files but I must take care before modifying them ...

BR
Pulsar33

Pulsar33

As soon as you start the Access Point, here are the differences between rules that are used by the system.
So it seems that my problem is only to open ports. I just have to find how ...

*nat
-A POSTROUTING -s 10.42.0.0/24 ! -d 10.42.0.0/24 -j MASQUERADE

*filter
-A INPUT -i ap0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i ap0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i ap0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i ap0 -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -d 10.42.0.0/24 -o ap0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.42.0.0/24 -i ap0 -j ACCEPT
-A FORWARD -i ap0 -o ap0 -j ACCEPT
-A FORWARD -o ap0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i ap0 -j REJECT --reject-with icmp-port-unreachable

Good evening
Pulsar33

Pulsar33

Good evening
I tried many ipatbles directives to route the incoming packet through the Access Point to the local Client but had no success.
I don't understand why this one at least doesn't do the job by fixing the good local ip address and correct port :
iptables -t nat -A PREROUTING -p udp -i ap0 --dport YYYYY -j DNAT --to-destination 10.42.0.59:YYYYY

Here is a schematic diagram of the tested communications. I would be glad if someone could help me ... Thank you
Pulsar33

UDP client server problem.png

Pulsar33

Oooops ! Confusing ap0 and ccmni0, however, this one doesn't work better :
iptables -t nat -A PREROUTING -p udp -i ccmni0 --dport YYYYY -j DNAT --to-destination 10.42.0.59:YYYYY
I'm tired of it !

BR
Pulsar33

Pulsar33

Hello
As said here, I was at last able to reinstall gtk in Libertine. So I was able to compile my above application (after changing some popup_menu function unavailable in the gtk version) and run it on its own. And I have exactly the same problem, that I don't understand.

When I run it over the local network (from 192.168.0.X to 192.168.0.Y) all works fine without any need for redirection. When I run it over the 3G network, the request is forwarded to the ddns distant server without any specific actions or rules. The server interprets the request and replies correctly (traced with WireShark). But the reply never arrives at the phone ccmni0 interface, even if I add a rule to open the udp dedicated port and ACCEPT it for INPUT. This rule should not even be necessary since the firewall does not include any restrictions by default when the Access Point is not active

This is the same problem as described in the picture above but without the local RE-ROUTING to ap0 step. it should be simpler but it is not.

Some idea ?
Some precision requests :
All iptables rule are effectively used by UBports ?
No need to activate anything else ? (seen that ufw is off but don't seems a problem to me)

BR
Pulsar33

Pulsar33

Feeling lonely
Do you know another forum where I can post these questions with a small hope of success ?
Pulsar33

arubislander

@pulsar33

Hmmm ... This seems to be on the dividing line between app development and break-your-ut territory.

Pulsar33

@arubislander : hummm, thanks for suggestion but, I've never used Telegram. On the other hand, this is my own code and it works on local network as said. The problem seems to be between the ISP (maybe not forwarding) and the 3G interface of the phone (maybe not accepting to open the requested port). Is there someone able to speak about the modem access and behaviour ?
BR
Pulsar33

arubislander

@pulsar33 OK then. Well I don't know much about network shaping and such. When I have a situation in which I want to be able to access my home network away from home I just connect to my VPN server (which was fairly easy to set up on my Router running DD-WRT) and avoid all the hassle.

Pulsar33

@arubislander Thanks anyway.
There are obviously generic solutions that would work if I had fiber at home but I only have adsl2 and it's very limited in upstream traffic. VNC or similar is not an option for me. Hence the idea of deporting only the GUI which should be able to run on any GTK remote device.

More generally, I'm disappointed that I can't do what I want with my smartphone and I would like to at least understand why.

BR
Pulsar33

arubislander

@pulsar33 with a VPN you could still have the GUI run on a client, it would simply connect to your server through the VPN connection.
But indeed, in such a situation you wouldn't need the phone as a go-between.

Sorry I can't help you as to why your setup doesn't work. Maybe asking in the general or overflow UBports groups on Telegram might connect you to someone who has more of an idea.

Pulsar33

Hello,

For information :
I made a test with a FP2 running Androïd instead of my two BQ E5 (Ubuntu Touch and UBports)
I have exactly the same problem.

So, we can say :

UBports is not the reason of the problem.
It would be cool that UBports help me to solve the problem !

If the problem comes from the ISP, UBports can simply help to confirm
If the problem comes from the modem management, maybe UBports could help to find a workaround

BR
Pulsar33

arubislander

@Pulsar33, I truly am sorry I can't help you out with what you are trying to do, as I don't really understand the way you are going about it.

Just one little nitpick, if you will allow it.

@pulsar33 said in Opening ports for WiFi access point:

instead of my two BQ E5 (Ubuntu Touch and UBports)

UBports is the name of the community and also part of the name of the Foundation. The OS that runs on your device is still (or actually, now) called Ubuntu Touch. (since that was never officially it's name when developed by Canonical. Then it used to be Ubuntu of Devices.)

Pulsar33

@arubislander : I know that but there should be a decision to assume the difference
Else how can I tell that my two devices are not running the same OS ?

Aquaris BQ E5 HD UBports OTA-23 (currently testing features)
Aquaris BQ E5 HD Ubuntu Edition Canonical OTA-15 (last Canonical version, daily use)

OTA-15 was the last Canonical revision. If UBports had produced OTA-16 as first release all would have be more simple but it's not the case ...

Sorry for remaining out of scope. Hope this will close the question
BR
Pulsar33

Br1

@pulsar33 said in Opening ports for WiFi access point:

If the problem comes from the ISP

Almost certainly the problem comes from the ISP ... read here ... " most mobile operators do not provide dedicated IP addresses – they perform "1:many" NAT, not just 1:1 NAT, and the external address is simultaneously used by multiple customers (just like your home router shares your external addresses between all LAN devices).

Even those operators which do dedicate an address per customer (whether direct or 1:1 NATed) frequently put it behind a firewall which blocks all incoming connections. This has two purposes – it prevents the customer from hosting services on their 4G connection (which is usually not allowed by their terms of service), and it prevents various botnet scans and unsolicited connections from draining the device's battery "

Pulsar33

@br1 not as good as expected but I thank you anyway for the information. It seems I will have to change the type of communication, even if simple bidirectionnal UDP was cool.

BR
Pulsar33