Solved

Problem with Firewall in 3G connection

Posted on 2008-10-17
410 Views
Last Modified: 2013-11-16
Hi
I have developed two applications in C++: one is a UDP client and the other is a UDP server.
I tried to run both applications on different computers connected to my home wireless router. I don't have any firewall / NAT at home. My applications use the WLAN interface and they work fine and give the required result. I can see data passing between the two applications.

The problem is...

When I connect both client and server with a 3G USB card modem (having disabled all other interfaces), I don't get these applications connected. I heard that providers of 3G networks insert a firewall / NAT between two peers. I have to pass through the firewall.
Can you please help me with how to get both applications communicating when connected to the 3G network?

Your response will be highly appreciated.

Best Regards
-- Azam
Question by:thisisazam
21 Comments
 
LVL 77

Expert Comment

by:Rob Williams
ID: 22746463
I assume your 3G cards connect to an ISP. LAN applications cannot route data between any two PCs over the Internet. In order to do so you have to create a VPN (Virtual Private Network) between the two PCs, or PC and server. Depending on the combination of devices (O/S's), the following site helps to explain how to configure the VPN server and client using the built-in Windows VPN features:
http://www.lan-2-wan.com/vpns-windows.htm
0
 
LVL 44

Expert Comment

by:Darr247
ID: 22748638
I'm not fully understanding... the client is trying to go out and then come back in the same 3G interface to a server running on the same computer that the client is running on?

To my knowledge 3G ISPs don't use any other firewalls than 'regular' ISPs use, so a clearer picture of the process might help determine what's actually going wrong.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 22748835
The point is, as soon as you involve the Internet you cannot route normal LAN traffic. For example, file and print sharing services are not routable over public IPs; it is not a firewall issue. The 3G connection has a public IP and does not connect directly to your router on the internal side. Thus a VPN is required. A standard wireless card connected to your LAN will work, but not one that involves an ISP service.
0
 
LVL 44

Expert Comment

by:Darr247
ID: 22750280
No it isn't. You can forward ports on the router - a VPN is not required for that.
I just don't understand trying to go out and come back in on the same interface. That's what 127.x.x.x is for.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 22750689
Is the 3G connection a connection with an outside Internet provider?
If yes, your only option is a VPN. Sorry.
0
 
LVL 44

Expert Comment

by:Darr247
ID: 22751158
It's my opinion that if any firewall is blocking ports on the 3G cards, thisisazam, it's the firewall[s] on the machine[s] being used for that experiment.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 22752723
Sorry, I missed the part about "You can forward ports on the router - a VPN is not required for that". That is correct, but it has to be a routable service, for example SMTP, which can be routed to the site's public IP (that of the router) via the Internet, and then port forwarding configured to forward port 25 SMTP traffic to a particular server.
However most LAN services such as file and print sharing, RPC, printing, etc. use ports like 137, 139, 445, which are not routable over the Internet. One of the reasons for this is there would be absolutely no security, so it has never been possible. The VPN creates a private tunnel between any two points, locally or over the Internet, in which all types of traffic can flow freely.

Having said that I should have asked what services you are making use of. There are some such as SQL services using port 1433 that can be routed, though it is not a good practice from a security point of view.
0
 

Author Comment

by:thisisazam
ID: 22765849
Hi
Thanks for the reply.
I don't have any firewall on my machine.
I am not a networking expert, so what should I do now? Create a VPN or not?
If yes, then while creating the VPN client in Windows Vista, we have to specify the VPN server IP address. My question is: should we specify the server computer's IP address, or is the VPN server a different thing?
BR
-- Azam
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 22767306
>>"My question is: should we specify the server computer's IP address, or is the VPN server a different thing?"
Sorry, I don't understand the question.

As for the VPN, assuming with the 3G you are receiving an IP that is not part of the same subnet as your LAN, you will need to connect to the public side of your router the same as if you were in a different city. Assuming you are using a Windows server for the VPN, the basic server and client configurations can be found at the following sites with good detail:
-Server 2003 configuration:
http://www.lan-2-wan.com/vpns-RRAS-1nic.htm
-Windows XP client configuration:
http://www.lan-2-wan.com/vpns-XP-Client.htm
-Windows Vista client configuration:
http://www.onecomputerguy.com/networking/vista_vpn_client.htm
-You will also have to configure the router to forward the VPN traffic to the server. This is done by enabling on your router VPN or PPTP pass-through, and also forwarding port 1723 traffic to the server's IP. For details as to how to configure the port forwarding, click on the link for your router (assuming it is present) on the following page:
http://www.portforward.com/english/applications/port_forwarding/PPTP/PPTPindex.htm
-The users that are connecting to the VPN need to have allow access enabled under the dial-in tab of their profile in active directory
-The only other thing to remember is the subnet you use at the remote office needs to be different than the server end. For example if you are using 192.168.1.x at the office, the remote should be something like 192.168.2.x

-Once this is configured you can then use services similar to how you would on the local network. You will not be able to browse the network unless you have a WINS server installed. Also, depending on your network configuration, you may have problems connecting to devices by name, though this can usually be configured. Using the IP address is less problematic, such as \\192.168.1.111\ShareName.
-Name resolution can be dealt with in many ways. See:
http://msmvps.com/blogs/robwill/archive/2008/05/10/vpn-client-name-resolution.aspx
However, the best method is to add the DNS suffix to the remote users VPN client configuration as described in the link above.

0
 
LVL 44

Expert Comment

by:Darr247
ID: 22769599
Unless the author has already purchased a 3G router such as the DIR-450 or 451 (EVDO and HSDPA respectively), or similar units from Cradlepoint (CTR-350 is EVDO, the CTR-500 and MBR-1000 do both EVDO and HSDPA and the latter takes nearly any kind of 3G adapter), or Kyocera (their KR-2 is the MBR-1000 with yet another type of 3G port added), that info might not help them much.

Cisco and Draytek also have 3G solutions... the former makes 1 EVDO and 1 HSDPA HWIC module for the 2600 and 2800 series routers which also fit 2 specific models in the 1800 series, and the latter makes mostly dual WAN models with the 3G on the failover/2nd WAN.
0
 

Author Comment

by:thisisazam
ID: 22774456
Hi
Thanks for your continue interest.
A VPN solution is not feasible for me, as I cannot configure my router. In fact, no router is involved. I am afraid I should have explicitly mentioned it earlier.
I think I should state here that I am connected to a mobile 3G network. So I connect one computer through my mobile phone (connected with a USB cable) to the mobile network, and the other computer is connected to the mobile network with a 3G card.

Please comment?
-- Azam
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 22776319
The VPN does not require a router or its configuration.

Please confirm the following to be sure that I am not pointing you in the wrong direction.
The Mobile 3G card and the Mobile 3G phone connect directly to a service provider.
What type of service or protocol are you trying to route between the two devices?

If the devices connect directly to the service provider, even though it might appear the two devices are connected directly by the 3G network, they are not, unless you can create some sort of "ad-hoc" connection I am not aware of. There could be a dozen routers between the two devices within the 3G network. For example, if I send a packet to the office across the street, 100 feet away, it may go 1000 miles to actually get there. This being the case you must use a routable service. Something like Remote Desktop can be routed over a public network, assuming the receiving device and its related equipment can be configured to receive it. Most protocols however, those used on a LAN, can in no way be routed over a public network. This is why some sort of direct connection like a dedicated T1 line, or a VPN, needs to be used in these situations. It is possible your 3G service provider offers a form of VPN connection service; a few do.

The other issue that comes into play is you are likely assigned a different IP every time you connect. You need to know the remote device's IP in order to send a packet. There are Dynamic Domain Name Services that deal with this, but I don't know if they exist for mobile devices. In addition to that, it is extremely difficult to establish any sort of connection such as a VPN if both ends of the connection have dynamic IPs. At least one should be static.
0
 
LVL 44

Expert Comment

by:Darr247
ID: 22777425
> If the devices connect directly to the service provider, even though it might
> appear the two devices are connected directly by the 3G network

The way I understood the problem as described, the author is trying to use one computer with one 3G adapter to go out and then back in through the same device to the same computer (instead of using the loopback interface). i.e. there are not 2 devices, and there are not 2 computers.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 22777759
Perhaps that should be clarified, but I don't think so: "I connect one computer through my mobile phone (connected with USB cable) to a mobile network and other computer is connected with mobile network with 3G card."
0
 
LVL 44

Expert Comment

by:Darr247
ID: 22778342
Yeah, I took that to mean that's how it was desired to work eventually, but in the original question:
''When I connect both client and server with a 3G USB card modem (having disabled all other interfaces), I don't get these applications connected.''
0
 

Author Comment

by:thisisazam
ID: 22835866
Hi
Thanks for your continuous response.
And sorry for the late reply, I was very busy with other stuff.
Actually I am running both applications on different computers.
1. Application A (UDP Client ) on Computer A, connected with internet through 3G card.
2. Application B (UDP Server ) on Computer B, connected with internet through mobile phone via usb cable.

I discovered that both computers are behind a so-called "Port Restricted Cone NAT" (sorry, I don't remember the exact name).
This type of NAT allows traffic to enter the network only from the same IP address and port number to which it has started the communication.
Please comment.
-- Azam
0
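The NAT behaviour Azam describes, modelled in Python as an added example that is not part of the original thread. It simulates a port-restricted cone NAT, reproduces why the client's "hello" is dropped when the server only listens behind its own NAT, and goes beyond the thread by showing the well-known UDP hole-punching step in which both sides learn their public mappings from a rendezvous host and send to each other first. The class name and all addresses (203.0.113.10, 198.51.100.20, 192.0.2.1, the 10.0.0.x hosts) are constructed for the example.

```python
# Added example (not from the original post): a model of the "port restricted
# cone NAT" described in the thread. All addresses below are constructed.
from dataclasses import dataclass, field

@dataclass
class PortRestrictedConeNat:
    public_ip: str
    next_port: int = 40000
    mappings: dict = field(default_factory=dict)   # private (ip, port) -> public port
    reverse: dict = field(default_factory=dict)    # public port -> private (ip, port)
    permitted: dict = field(default_factory=dict)  # public port -> {(ip, port) sent to}

    def outbound(self, src, dst):
        """Private host src sends to dst; returns the public address the remote
        side sees. One mapping per src, but each dst must be sent to first."""
        if src not in self.mappings:
            self.mappings[src] = self.next_port
            self.reverse[self.next_port] = src
            self.permitted[self.next_port] = set()
            self.next_port += 1
        pub_port = self.mappings[src]
        self.permitted[pub_port].add(dst)
        return (self.public_ip, pub_port)

    def inbound(self, remote_src, pub_port):
        """Packet from remote_src to public_ip:pub_port; private dst or None if dropped."""
        if pub_port not in self.reverse or remote_src not in self.permitted[pub_port]:
            return None  # no mapping, or this peer was never contacted from it
        return self.reverse[pub_port]

def thread_scenario():
    """Client A and server B each sit behind their own NAT. B only listens, so
    NAT B holds no mapping and A's "hello" is dropped: the failure in the thread."""
    nat_a = PortRestrictedConeNat("203.0.113.10")
    nat_b = PortRestrictedConeNat("198.51.100.20")
    a_pub = nat_a.outbound(("10.0.0.1", 6000), ("198.51.100.20", 5000))
    return nat_b.inbound(a_pub, 5000)  # None: nothing maps public port 5000 to B

def hole_punch_scenario():
    """Each side learns its public mapping from a rendezvous host, then sends to
    the other's mapping; both NATs now permit the peer and hello/echo get through."""
    nat_a = PortRestrictedConeNat("203.0.113.10")
    nat_b = PortRestrictedConeNat("198.51.100.20")
    a_priv, b_priv = ("10.0.0.1", 6000), ("10.0.0.2", 5000)
    a_pub = nat_a.outbound(a_priv, ("192.0.2.1", 3478))   # rendezvous host
    b_pub = nat_b.outbound(b_priv, ("192.0.2.1", 3478))
    nat_a.outbound(a_priv, b_pub)   # opens NAT A for packets from b_pub
    nat_b.outbound(b_priv, a_pub)   # opens NAT B for packets from a_pub
    return nat_b.inbound(a_pub, b_pub[1]), nat_a.inbound(b_pub, a_pub[1])
```

The rendezvous step only works while both mappings are fresh and both NATs really are port-restricted cone; a symmetric NAT allocates a different public port per destination, and the peer address learned from the rendezvous host is then useless.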
 
LVL 77

Expert Comment

by:Rob Williams
ID: 22836738
Do you mean one-to-one NAT?
Regardless, you are dealing with public IPs and will need a VPN.

We still don't know what type of service or protocol you are trying to route between the two devices.

0
 

Author Comment

by:thisisazam
ID: 22838787
My application is using the UDP protocol.
I don't know what one-to-one NAT is, but as I mentioned, both computers are behind NAT.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 22840586
Sorry, by protocol I was referring to RDP, SMTP, RPC, or similar.
Regardless, as mentioned, with the exception of a few protocols such as RDP, you cannot route traffic over public IPs without a VPN. The few like RDP can be routed, but in these instances you use port forwarding on the incoming router.
0
 

Author Comment

by:thisisazam
ID: 22840667
I have only two simple client/server applications running over UDP.
I just send the string message "hello" from the UDP client and receive it on the UDP server, and then send it back to the UDP client.
Nothing fancy.
Comments?
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 22840722
Not routable over the public network. Sorry. You need a VPN.
0
