Problem with Firewall in 3G connection

Hi
I have developed two applications in C++: one is a UDP client and the other is a UDP server.
I tried to run both applications on different computers connected to my home wireless router. I don't have any firewall / NAT at home. My applications use the WLAN interface and work fine, giving the required result. I can see data passing between the two applications.

The problem is...

When I connect both client and server with a 3G USB modem card (having disabled all other interfaces), I don't get these applications connected. I heard that 3G network providers insert a firewall / NAT between two peers. I have to pass through the firewall.
Can you please help me with how to make both applications communicate when connected over the 3G network?

Your response will be highly appreciated.

Best Regards
-- Azam
thisisazamAsked:
Rob WilliamsCommented:
I assume your 3G cards connect to an ISP. LAN applications cannot route data between any two PC's over the Internet. In order to do so you have to create a VPN (Virtual Private network) between the two PC's, or PC and server. Depending on the combination of devices (O/S's) the following site helps to explain how to configure the VPN server and client using the built in Windows VPN features:
http://www.lan-2-wan.com/vpns-windows.htm
0
Darr247Commented:
I'm not fully understanding... the client is trying to go out and then come back in the same 3G interface to a server running on the same computer that the client is running on?

To my knowledge 3G ISPs don't use any other firewalls than 'regular' ISPs use, so a clearer picture of the process might help determine what's actually going wrong.
0
Rob WilliamsCommented:
The point is, as soon as you involve the Internet you cannot route normal LAN traffic. For example, file and print sharing services are not routable over public IPs; it is not a firewall issue. The 3G connection has a public IP and does not connect directly to your router on the internal side. Thus a VPN is required. A standard wireless card connected to your LAN will work, but not one that involves an ISP service.
0
Darr247Commented:
No it isn't. You can forward ports on the router - a VPN is not required for that.
 I just don't understand trying to go out and come back in on the same interface. That's what 127.x.x.x is for.
0
Rob WilliamsCommented:
Is the 3G connection a connection with an outside Internet provider?
If yes, your only option is a VPN. Sorry.
0
Darr247Commented:
It's my opinion that if any firewall is blocking ports on the 3G cards, thisisazam, it's the firewall[s] on the machine[s] being used for that experiment.
0
Rob WilliamsCommented:
Sorry, I missed the part about "You can forward ports on the router - a VPN is not required for that". That is correct, but it has to be a routable service, for example SMTP, which can be routed to the site's public IP (that of the router) via the Internet, with port forwarding then configured to forward port 25 SMTP traffic to a particular server.
However, most LAN services such as file and print sharing, RPC, printing, etc. use ports like 137, 139 and 445, which are not routable over the Internet. One of the reasons for this is that there would be absolutely no security, so it has never been possible. The VPN creates a private tunnel between any two points, locally or over the Internet, in which all types of traffic can flow freely.

Having said that, I should have asked what services you are making use of. There are some, such as SQL services using port 1433, that can be routed, though it is not good practice from a security point of view.
0
thisisazamAuthor Commented:
Hi
Thanks for the reply.
I don't have any firewall on my machine.
I am not a networking expert, so what should I do now? Create a VPN or not?
If yes, then while creating a VPN client in Windows Vista, we have to specify the VPN server IP address. My question is: should we mention the server computer's IP address, or is the VPN server a different thing?
BR
-- Azam
0
Rob WilliamsCommented:
>>"My question is Should we mention server computer IP address or VPN server is a different thing?"
Sorry, I don't understand the question.

As for the VPN, assuming with the 3G you are receiving an IP that is not part of the same subnet as your LAN, you will need to connect to the public side of your router the same as if you were in a different city. Assuming you are using a Windows server for the VPN, the basic server and client configurations can be found at the following sites with good detail:
-Server 2003 configuration:
http://www.lan-2-wan.com/vpns-RRAS-1nic.htm
-Windows XP client configuration:
http://www.lan-2-wan.com/vpns-XP-Client.htm
-Windows Vista client configuration:
http://www.onecomputerguy.com/networking/vista_vpn_client.htm
-You will also have to configure the router to forward the VPN traffic to the server. This is done by enabling on your router VPN or PPTP pass-through, and also forwarding port 1723 traffic to the server's IP. For details as to how to configure the port forwarding, click on the link for your router (assuming it is present) on the following page:
http://www.portforward.com/english/applications/port_forwarding/PPTP/PPTPindex.htm
-The users that are connecting to the VPN need to have "allow access" enabled under the dial-in tab of their profile in Active Directory.
-The only other thing to remember is that the subnet you use at the remote office needs to be different from the server end. For example, if you are using 192.168.1.x at the office, the remote should be something like 192.168.2.x.

-Once this is configured you can then use services similar to how you would on the local network. You will not be able to browse the network unless you have a WINS server installed. Also, depending on your network configuration, you may have problems connecting to devices by name, though this can usually be configured. Using the IP address is less problematic, such as \\192.168.1.111\ShareName.
-Name resolution can be dealt with in many ways. See:
http://msmvps.com/blogs/robwill/archive/2008/05/10/vpn-client-name-resolution.aspx
However, the best method is to add the DNS suffix to the remote user's VPN client configuration, as described in the link above.

0
Darr247Commented:
Unless the author has already purchased a 3G router such as the DIR-450 or 451 (EVDO and HSDPA respectively), or similar units from Cradlepoint (CTR-350 is EVDO, the CTR-500 and MBR-1000 do both EVDO and HSDPA and the latter takes nearly any kind of 3G adapter), or Kyocera (their KR-2 is the MBR-1000 with yet another type of 3G port added), that info might not help them much.

Cisco and Draytek also have 3G solutions... the former makes 1 EVDO and 1 HSDPA HWIC module for the 2600 and 2800 series routers which also fit 2 specific models in the 1800 series, and the latter makes mostly dual WAN models with the 3G on the failover/2nd WAN.
0
thisisazamAuthor Commented:
Hi
Thanks for your continued interest.
A VPN is not a feasible solution for me, as I cannot configure my router; in fact no router is involved. I am afraid I should have explicitly mentioned it earlier.
I think I should state here that I am connected to a mobile 3G network. So I connect one computer through my mobile phone (connected with a USB cable) to a mobile network, and the other computer is connected to the mobile network with a 3G card.

Please comment?
-- Azam
0
Rob WilliamsCommented:
The VPN does not require a router or its configuration.

Please confirm the following to be sure that I am not pointing you in the wrong direction.
The Mobile 3G card and the Mobile 3G phone connect directly to a service provider.
What type of service or protocol are you trying to route between the two devices?

If the devices connect directly to the service provider, even though it might appear the two devices are connected directly by the 3G network, they are not, unless you can create some sort of "ad-hoc" connection I am not aware of. There could be a dozen routers between the two devices within the 3G network. For example, if I send a packet to the office across the street, 100 feet away, it may go 1000 miles to actually get there. This being the case, you must use a routable service. Something like Remote Desktop can be routed over a public network, assuming the receiving device and its related equipment can be configured to receive it. Most protocols, however, those used on a LAN, can in no way be routed over a public network. This is why some sort of direct connection like a dedicated T1 line, or a VPN, needs to be used in these situations. It is possible your 3G service provider offers a form of VPN connection service; a few do.

The other issue that comes into play is that you are likely assigned a different IP every time you connect. You need to know the remote device's IP in order to send a packet. There are Dynamic DNS services that deal with this, but I don't know if they exist for mobile devices. In addition to that, it is extremely difficult to establish any sort of connection such as a VPN if both ends of the connection have dynamic IPs. At least one should be static.
0
Darr247Commented:
> If the devices connect directly to the service provider, even though it might
> appear the two devices are connected directly by the 3G network

The way I understood the problem as described, the author is trying to use one computer with one 3G adapter to go out and then back in through the same device to the same computer (instead of using the loopback interface), i.e. there are not two devices, and there are not two computers.
0
Rob WilliamsCommented:
Perhaps that should be clarified, but I don't think so: "I connect one computer through my mobile phone (connected with USB cable) to a mobile network and other computer is connected with mobile network with 3G card."
0
Darr247Commented:
Yeah, I took that to mean that's how it was desired to work eventually, but in the original question,
''When I connect both client and server with 3G USB card (having disabling all other interfaces) modem, I dont get these applications connected.''
0
thisisazamAuthor Commented:
Hi
Thanks for your continuous responses.
And sorry for the late reply, I was very busy with other stuff.
Actually I am running both applications on different computers:
1. Application A (UDP client) on Computer A, connected to the Internet through a 3G card.
2. Application B (UDP server) on Computer B, connected to the Internet through a mobile phone via USB cable.

I discovered that both computers are behind a so-called "Port restricted Cone NAT" (sorry, I don't remember the exact name).
This type of NAT allows traffic to enter the network only from the same IP address and port number to which it has started the communication.
Please comment.
-- Azam
0
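To make the NAT behaviour described above concrete, here is an added example that is not code from this thread or from either participant. It is a small in-memory model of a port-restricted cone NAT: an outbound UDP datagram from an inside host creates a mapping to a public port, and an inbound datagram is passed only if it is addressed to a mapped port and comes from an external IP:port that the inside host has already sent to through that mapping. The addresses, ports and the starting public port 40000 are constructed values for the walkthrough, not anything observed on the author's network.

```python
"""Model of a port-restricted cone NAT (added example, constructed data).

An outbound packet from (inside_ip, inside_port) allocates a public port.
An inbound packet to that public port is delivered only when its source
(ip, port) is one the inside host previously sent to; everything else,
including a first "hello" from a peer, is dropped before any UDP server
behind the NAT ever sees it.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass
class PortRestrictedConeNat:
    public_ip: str
    next_port: int = 40000                      # constructed starting port
    mappings: Dict[Endpoint, int] = field(default_factory=dict)   # inside -> public port
    reverse: Dict[int, Endpoint] = field(default_factory=dict)    # public port -> inside
    allowed: Dict[int, Set[Endpoint]] = field(default_factory=dict)  # public port -> peers sent to

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Translate an outbound packet; return the public (ip, port) it leaves with."""
        if src not in self.mappings:
            port = self.next_port
            self.next_port += 1
            self.mappings[src] = port
            self.reverse[port] = src
            self.allowed[port] = set()
        port = self.mappings[src]
        self.allowed[port].add(dst)             # remember who the inside host talked to
        return (self.public_ip, port)

    def inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        """Filter an inbound packet to dst=(public_ip, port).

        Returns the inside endpoint to deliver to, or None if the NAT drops it.
        """
        ip, port = dst
        if ip != self.public_ip or port not in self.reverse:
            return None                         # no mapping at all: unsolicited, dropped
        if src not in self.allowed[port]:
            return None                         # mapped, but wrong source ip or port: dropped
        return self.reverse[port]


def scenario() -> dict:
    """Walk through the cases worth checking; all addresses are constructed
    (RFC 5737 documentation ranges and private space), not real hosts."""
    client_nat = PortRestrictedConeNat("203.0.113.10")   # 3G card side
    server_nat = PortRestrictedConeNat("198.51.100.20")  # phone tether side
    client = ("10.0.0.5", 5000)                          # UDP client, private address
    results = {}

    # 1. The thread's situation: the client sends "hello" toward the server's
    #    public address. The server NAT has no mapping for port 6000, so the
    #    datagram is dropped before the UDP server ever receives it.
    client_pub = client_nat.outbound(client, ("198.51.100.20", 6000))
    results["client_pub"] = client_pub
    results["hello_to_server"] = server_nat.inbound(client_pub, ("198.51.100.20", 6000))

    # 2. What the NAT does allow: the inside host talks to a reachable public
    #    endpoint (an echo service with no NAT in front of it) and the reply
    #    from that exact (ip, port) is passed back in.
    echo = ("192.0.2.50", 7)
    pub = client_nat.outbound(client, echo)
    results["reply_from_echo"] = client_nat.inbound(echo, pub)

    # 3. "Port restricted": same host replying from a different source port is dropped.
    results["reply_from_other_port"] = client_nat.inbound(("192.0.2.50", 8), pub)

    # 4. A different host aiming at the mapped port is dropped as well.
    results["from_other_host"] = client_nat.inbound(("192.0.2.99", 7), pub)
    return results


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

Case 1 is the symptom in the question: with both computers behind a NAT of this type, neither side's first datagram is ever accepted by the other side's NAT, so the server never sees "hello" and the client never gets a reply. Cases 2 to 4 show the "same IP address and port number" rule the author describes, which is also what to look at when a capture on the server shows nothing arriving at all.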
Rob WilliamsCommented:
Do you mean one-to-one NAT?
Regardless you are dealing with public IP's and will need a VPN.

We still don't know what type of service or protocol you are trying to route between the two devices.

0
thisisazamAuthor Commented:
My application is using the UDP protocol.
I don't know what one-to-one NAT is, but as I mentioned, both computers are behind NAT.
0
Rob WilliamsCommented:
Sorry, by protocol I was referring to RDP, SMTP, RPC, or similar.
Regardless, as mentioned, with the exception of a few protocols such as RDP, you cannot route traffic over public IPs without a VPN. The few like RDP can be routed, but in these instances you use port forwarding on the incoming router.
0
thisisazamAuthor Commented:
I have only two simple client/server applications running over UDP.
I just send the string message "hello" from the UDP client and receive it on the UDP server, which then sends it back to the UDP client.
Nothing fancy.
Comments?
0
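The exchange the author describes, as an added example that is not part of this thread and not the author's C++ code: a UDP server that echoes whatever datagram it receives, and a client that sends "hello" and waits for the reply with a timeout. It runs entirely on the loopback interface; the second call in `demo()` targets a loopback port with nothing listening (a constructed "unreachable server") to show what the failing case looks like from the client's side, which is a `None` after the timeout or an ICMP port-unreachable error rather than any explicit "blocked" message. `demo`, `echo_once` and `run_echo_server` are names chosen for this example.

```python
"""Minimal UDP echo pair on loopback (added example, not the thread's code)."""
import socket
import threading
from typing import Optional, Tuple

Addr = Tuple[str, int]


def run_echo_server(sock: socket.socket, stop: threading.Event) -> None:
    """UDP server loop: receive a datagram and send the same bytes back to the sender."""
    sock.settimeout(0.2)                       # wake up periodically to check the stop flag
    while not stop.is_set():
        try:
            data, addr = sock.recvfrom(1024)
        except socket.timeout:
            continue
        sock.sendto(data, addr)


def echo_once(message: bytes, server_addr: Addr, timeout: float = 1.0) -> Optional[bytes]:
    """UDP client: send one message, return the reply bytes or None if nothing comes back.

    On Linux a datagram to a closed loopback port triggers an ICMP port-unreachable,
    which surfaces as ConnectionRefusedError (an OSError) on the next recvfrom; when
    a NAT silently drops the packet the client instead sees a plain timeout. Both are
    reported as None, since from the application's view both mean "no reply".
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as c:
        c.settimeout(timeout)
        c.sendto(message, server_addr)
        try:
            data, _ = c.recvfrom(1024)
        except OSError:                        # socket.timeout is a subclass of OSError
            return None
        return data


def demo(message: bytes = b"hello") -> dict:
    """Start an echo server on an ephemeral loopback port and run both cases."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))                 # port 0: let the OS pick a free port
    server_addr = srv.getsockname()
    stop = threading.Event()
    worker = threading.Thread(target=run_echo_server, args=(srv, stop), daemon=True)
    worker.start()

    # Constructed "unreachable server": bind to get a free port, then release it.
    probe = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    probe.bind(("127.0.0.1", 0))
    closed_addr = probe.getsockname()
    probe.close()

    try:
        results = {
            "reachable": echo_once(message, server_addr),
            "unreachable": echo_once(message, closed_addr, timeout=0.5),
        }
    finally:
        stop.set()
        worker.join()
        srv.close()
    return results


if __name__ == "__main__":
    print(demo())
```

The reachable case returns the same bytes that were sent, which is the behaviour the author sees over the home WLAN; the unreachable case returns `None`, which is all the client can observe when a NAT in the path discards its datagram.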
Rob WilliamsCommented:
Not routable over the public network. Sorry. You need a VPN.
0