Geekzone: technology news, blogs, forums
chevrolux
4962 posts

Uber Geek
Inactive user


  #801804 18-Apr-2013 18:27

Probably not a huge benefit in using OpenVPN to an SSH tunnel. I guess the main benefit is the VPN bridges the entire subnet as opposed to just connecting to a single host. But then when I think about it there is only one host behind the router anyway so probably no point.
The Draytek 2130 has all the VPN stuff built in so no need to have any extra stuff on your *nix box. You can have it connected in a site-to-site configuration but then that might use 3G data unnecessarily. So at the end of the day, once I actually think it all through, the only thing you really want the router to do is the DynDNS... which can be done on the box anyway with 'ddclient'. So then let's just plug the USB stick straight in to the box lol...

Where are the linux boys at? They will know heaps heaps more.



deadlyllama
1262 posts

Uber Geek

Trusted

  #802073 19-Apr-2013 09:10

Oh, you're running Debian?

OpenVPN is what you want.  If you're running Debian on the PC in Vanuatu, you can get it to initiate the OpenVPN connection and use a relatively dumb 3G router.  This has the advantage that you can ask someone in Vanuatu to buy a new 3G router and plug the PC into it, and you'll have access again, no complex configuration required.

OpenVPN can run over both TCP and UDP.  Use UDP if you can -- google "TCP over TCP" to find out why you want to avoid running a VPN over TCP.

You'll need to run an OpenVPN server at your end, on a public IP.  Because OpenVPN uses UDP/TCP you can run the server behind NAT and forward the appropriate port from your router.  And you could do this on a dynamic IP if you used a dyndns hostname for the server.

jwgorman

42 posts

Geek


  #802268 19-Apr-2013 13:36

At the moment, the device will be an "appliance" that just has an ethernet port that can be set with an internal static IP or via DHCP.

But...we are working on an open-source project that boots Debian off an SD card, and uses certificates issued by our own CA to authenticate what we call SolarNodes (the low-power computer booting Debian). All that traffic is over SSL as well. Having an OpenVPN layer might be worth exploring, thanks.

Question on 3G modems - if the carrier uses 900MHz (sounds like that with Digicel Vanuatu) is it likely that a 3G modem like the Huawei 160G will work on their network? I know to ask them - but in general are they compatible? Trying to find a modem that has an optional external antenna - might run into Faraday cage issues with this deployment - metal enclosures etc.



deadlyllama
1262 posts

Uber Geek

Trusted

  #802361 19-Apr-2013 16:10

jwgorman: At the moment, the device will be an "appliance" that just has an ethernet port that can be set with an internal static IP or via DHCP.


Then get a device you can run a VPN client on, too.  A router that can run OpenWRT would do -- maybe one with a USB port that you can plug your 3G modem into?  An always on VPN will use a little bit of traffic, you can do some testing if you need to know how much.

jwgorman

42 posts

Geek


  #802407 19-Apr-2013 17:29

Cool OK, sounds like the TL-MR3020 is not quite supported by a stable version of OpenWRT:

http://wiki.openwrt.org/toh/tp-link/tl-mr3020

but worth trying the snapshot? 

DigicelVanuatu
1 post

Wannabe Geek

Trusted
Digicel Vanuatu

  #806010 26-Apr-2013 17:00

Kia ora, our public APN is web.digicelpacific.com.

Jessica Hill
Marketing Executive
Digicel Vanuatu

jwgorman

42 posts

Geek


  #807156 29-Apr-2013 10:52

Thank you, that's great. We are probably going to be using USB 3G modems in Santo central but understand that we may need a USB 2.5G modem in areas that are slightly outside the centre. Do you see any issues using a router in these cases? Thanks again.

 
 
 

jwgorman

42 posts

Geek


  #812125 6-May-2013 16:13

Hi Jessica,

we are able to use the 3G modem configured with the APN:

web.digicelpacific.com

to dial out to the internet. However, our router that has DYNDNS enabled exposes the domain we set up:



as a number 10.10.130.129

which I understand is a private subnet number right? We did get a public IP number through our browser when visiting the site:

www.whatismyip.com

from our 3G connection, which we were able to reverse DNS to show that it was part of Top Level Domain: "digicelpacific.com"

but were not able to route the port we would like to use to this device, even if we used the IP number directly.

Anything we need to consider? thanks, John

wongtop
563 posts

Ultimate Geek


  #812137 6-May-2013 16:33

You will need to find if digicel can offer a public ip. A number of NZ carriers (2degrees and telecom at least) do this using the "direct" as opposed to "internet" APNs.

jwgorman

42 posts

Geek


  #812143 6-May-2013 16:42

Yes I know what you mean, there is one called "direct" rather than "internet" when you're dealing with 2Degrees in NZ for example that allows inbound traffic. We tested the exact same hardware here in NZ and it worked fine with redirected inbound ports.

But the public APN for Digicel Vanuatu was listed above in this post as:

web.digicelpacific.com

and we are technically able to see the internet - so it does work at least in one direction. What I am puzzled by is how the router picks a private number for its external IP number when using dyndns.org, and why we cannot route traffic inbound to the device using the 3G modem that uses the public APN.




wongtop
563 posts

Ultimate Geek


  #812147 6-May-2013 16:51

They will probably be using carrier grade NAT. I.e. they will be NATTING one public ip to many private ips one of which your 3G modem is picking up.

I am not sure there is a solution apart from getting a public ip somehow.
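
Added example, not written by any poster in this thread: a Python check for the symptom described above, comparing the address on the modem's WAN side with the address a remote site sees. The function names and result fields are assumptions made for this illustration; 10.10.130.129 is the address quoted in the thread, and 203.0.113.7 is a constructed documentation address standing in for the public address the IP-lookup site showed.

```python
import ipaddress

# Ranges that cannot receive unsolicited traffic from the public internet.
NON_PUBLIC = {
    "RFC 1918 private": ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),
    "RFC 6598 shared (carrier-grade NAT)": ("100.64.0.0/10",),
    "loopback or link-local": ("127.0.0.0/8", "169.254.0.0/16"),
}


def classify(addr):
    """Return the name of the non-public range holding addr, else 'public'."""
    ip = ipaddress.ip_address(addr)
    for label, nets in NON_PUBLIC.items():
        if any(ip in ipaddress.ip_network(net) for net in nets):
            return label
    return "public"


def diagnose(wan_addr, observed_addr):
    """Compare the modem's WAN address with the address a remote site sees."""
    wan_class = classify(wan_addr)
    same = ipaddress.ip_address(wan_addr) == ipaddress.ip_address(observed_addr)
    # NAT is in the path if the WAN address is non-public, or if it looks
    # public but the outside world sees a different source address.
    behind_nat = wan_class != "public" or not same
    return {
        "wan_class": wan_class,
        "carrier_nat": behind_nat,
        "inbound_port_forward_possible": not behind_nat,
        # A dynamic DNS record is only useful when it holds a reachable address.
        "dyndns_should_publish": None if behind_nat else wan_addr,
        "remote_access": ("tunnel opened outbound from the remote site"
                          if behind_nat else
                          "port forward or tunnel in either direction"),
    }


if __name__ == "__main__":
    # Constructed sample pairs: (WAN address, address seen by a remote site).
    samples = (("10.10.130.129", "203.0.113.7"),
               ("203.0.113.7", "203.0.113.7"))
    for wan, seen in samples:
        print(wan, seen, diagnose(wan, seen))
```
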

wongtop
563 posts

Ultimate Geek


  #812150 6-May-2013 16:56

Supplementary question: when it was on 2degrees did it work both on "direct" and "internet" or just on "direct"? My understanding is that on "internet" 2degrees uses carrier grade NAT so you should have seen something similar to what you describe on digicel.

jwgorman

42 posts

Geek


  #812158 6-May-2013 17:14

Ah OK. I understand now - yes on 2degrees it only worked on "direct" and not on the "internet" APN, as the NAT service was just handing out internal IPs mapped to one public IP. That makes sense now. What I will need is a public IP at the modem level.

deadlyllama
1262 posts

Uber Geek

Trusted

  #813911 8-May-2013 19:38

jwgorman: Hi Jessica,

as a number 10.10.130.129



This is where a VPN would be useful...

If you don't have a server with a static IP you can acquire a Linux VPS quite cheaply to run one on.

jwgorman

42 posts

Geek


  #814699 9-May-2013 18:25

I definitely agree - the VPN is the way to go, but - if I understand correctly - it still requires that the 3G modems be given public IP addresses, right, so that DYNDNS can identify them statically with a URL? The VPN is created with that dynamic IP, and then the devices behind the remote router can exist on a private subnet, with all communication going through the tunnel that the VPN defines?

Question about carrier grade NATTING: can't the carrier use the SIM card or the MAC address of the USB 3G modem to determine the IP address it gets? Can the private IP numbers that they give out going through a public IP gateway be static?
