SDS100/SDS200: Proscan WAN port forwarding

Echo4Thirty

Active Member
Premium Subscriber
Joined
Oct 6, 2021
Messages
792
Location
Spring,TX
I have my SDS200 working great on the LAN. Static IP on the SDS and everything configured great. The goal is to be able to use this same PC remotely without having a PC tied to the SDS. I am very adept in networking and have assigned NAT rules to attempt to get ProScan to connect via the WAN side of my network. I am using business grade networking equipment and have my public IP on the WAN port of my router. This would not be a double-NAT situation. Sniffing the network, I see ProScan communicating with the scanner on TCP 554. What is not making any sense to me is when I go to the URL connection screen within ProScan, it tells me the PC port is UDP and a randomized port in the 5xxxx range, and the scanner is UDP 50536 (this port is consistent).

I have tried creating NATs pointing to the scanners static IP for various ports and it will not connect. Here are the NATs I have tried:

WAN 554 to SCANNER IP 554
WAN 50000-59000 to SCANNER IP 50536

I do not see anywhere in ProScan to hard set port usage. It should be a simple matter to NAT ports over to enable remote access just like I am on my LAN. I do not see any 224.x multicast IPs being used, so I have not created a tunnel. I would really prefer to do this without having to create a VPN tunnel.

What am I missing? The receiver has the ability to be controlled without having a PC attached locally, there should be a way to replicate this properly by NATing etc.

Thanks!
 

ProScan

Software Provider
Premium Subscriber
Joined
Jul 2, 2006
Messages
7,654
Location
Ontario, Calif.
> I do not see anywhere in ProScan to hard set port usage.

The UDP inbound port # is assigned by the UDP protocol. There's nowhere in the scanner to set the UDP outbound port #. Same goes with web browsers (except using TCP). The outbound is usually port 80/443 but the returned data will be received on a different port # every time.
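
Added illustration (not part of the original posts, and not ProScan or Uniden code): a loopback sketch of the behaviour described in the reply above, where the PC side sends from a source port the operating system picks per socket and the device answers to whatever source port it saw. The function names `open_device` and `exchange` are hypothetical; 50536 is the scanner-side UDP port quoted in the thread, and the whole exchange is assumed to run on localhost.

```python
import socket

DEVICE_PORT = 50536      # scanner-side UDP port quoted in the thread
LOOPBACK = "127.0.0.1"   # assumption: the demo runs entirely on localhost


def open_device(port=DEVICE_PORT):
    """Bind the stand-in 'device' socket to one fixed, known port."""
    dev = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        dev.bind((LOOPBACK, port))
    except OSError:
        dev.bind((LOOPBACK, 0))  # port busy on this host: take any free one
    dev.settimeout(2.0)
    return dev


def exchange(n_clients=3):
    """Send one datagram from each of n unbound client sockets.

    Returns (device_port, [(client_source_port, reply_bytes), ...]).
    """
    dev = open_device()
    dev_port = dev.getsockname()[1]
    clients = [socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
               for _ in range(n_clients)]
    results = []
    try:
        for c in clients:
            c.settimeout(2.0)
            # No bind() call: the OS assigns an ephemeral source port here.
            c.sendto(b"hello", (LOOPBACK, dev_port))
            _, src = dev.recvfrom(64)
            # The device answers to the source address it just observed.
            dev.sendto(b"reply to %d" % src[1], src)
            reply, _ = c.recvfrom(64)
            results.append((c.getsockname()[1], reply))
    finally:
        for c in clients:
            c.close()
        dev.close()
    return dev_port, results


if __name__ == "__main__":
    port, seen = exchange()
    print("device port:", port)
    for src_port, reply in seen:
        print("client source port", src_port, "->", reply.decode())
```

Each run prints one stable device port and a different client source port per socket, which is why a forwarding rule can be written for the device side but not for the PC side.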
 

Echo4Thirty

So bottom line is it's a bad network design by Uniden? My R8600 has three set UDP ports (Control, Serial, Audio) and it was easy to NAT it across to the WAN port.

So it sounds like it's not possible to do this without a PC unless I dedicate an entire second public IP to it and do a 1:1 NAT.

Seems like a complete waste of an Ethernet stack over just serial control of the earlier scanners since you apparently have to have a host device to traverse a WAN.
 

buddrousa

Member
Premium Subscriber
Joined
Jan 5, 2003
Messages
11,674
Location
Retired 40 Year Firefighter NW Tenn
You understand that the PC protects your scanner and your home network.
What you are looking at doing is removing the doors and windows to your house.
No different than removing the PIN to your Credit Cards and Debit Card.
 

Echo4Thirty

You are making a ton of assumptions about my network and its security.

I do enterprise networking for a living and have an enterprise network at home. I did not share the details but my network uses extensive usage of VLANs and other security that are far more than your typical Walmart or ISP provided router. Lots of layer 2 and 3 security.

The only other device on my radio VLAN is my R8600. So if someone gained access to the SDS, so what? All they would have access to is it and the 8600. Everything else accesses them via extensive ACLs.
 

ProScan

> You are making a ton of assumptions about my network and its security.
>
> I do enterprise networking for a living and have an enterprise network at home. I did not share the details but my network uses extensive usage of VLANs and other security that are far more than your typical Walmart or ISP provided router. Lots of layer 2 and 3 security.
>
> The only other device on my radio VLAN is my R8600. So if someone gained access to the SDS, so what? All they would have access to is it and the 8600. Everything else accesses them via extensive ACLs.

You're making it sound like Uniden made the right call. I don't think they would expect the average consumer to have a setup like yours.
 

Echo4Thirty

> You're making it sound like Uniden made the right call. I don't think they would expect the average consumer to have a setup like yours.

Icom made the right call by being able to NAT the appropriate ports and still have the device behind the firewalls. The R8600 does not have to be attached to a PC to be controlled via anywhere in the world with RS-R8600 and is apparently not a security risk. No enterprise network needed, I can install it at my mom's house and AT&T's own issued device allows the ports to be forwarded. For some reason, Uniden decided to randomize the ports which means you need to go to greater lengths to make it work. There are several other ways to make this work, I just did not really think I had to create an IPSEC tunnel or L2TP into the VLAN to make it work.

Regardless, thank you for the information regarding the ports. It did push me in the right direction to generate a solution in spite of those that may have watched one too many episodes of Mr. Robot lol.
 