Enterprise Network Configuration
This page outlines the basic connectivity requirements for the Freedom Robotics Device Agent. This includes:
- How it connects to the internet
- Network Metrics
- WebRTC
- Remote SSH
- Firewall Rules
Internet Connectivity
The Device Agent needs an internet connection in order to communicate with the Freedom Robotics API, to receive and transmit data. It connects to api.freedomrobotics.ai on the default port 443, establishing an HTTPS connection.
Network Metrics
Some metrics check the public internet IP of the device. This is done by making HTTP GET requests (on default port 80) to test URLs like:
- 'http://ifconfig.me'
- 'http://icanhazip.com'
- 'http://ipecho.net/plain'
- 'http://bot.whatismyipaddress.com'
- 'http://checkip.amazonaws.com'
- 'http://ifconfig.co'
- 'http://ip.42.pl/raw'
WebRTC
Tele-operation and remote piloting via WebRTC need a port to establish communication between python2 processes and the python3 processes which handle WebRTC. The default port is 5540, but this can be changed by configuring the device at install time under the advanced settings.
Python2 processes will start a small service that creates a socket listening on port 5540, but only on the localhost interface. The python3 process will connect to this socket as a client.
TURN/STUN servers used for Remote WebRTC
- stun:global.stun.twilio.com:3478?transport=udp
- turn:global.turn.twilio.com:3478?transport=udp
- turn:global.turn.twilio.com:3478?transport=tcp
- turn:global.turn.twilio.com:443?transport=tcp
- stun:stun.l.google.com:19302
Direct connectivity via local WebRTC
For WebRTC to work without a TURN server (local_webrtc only), all UDP traffic on the network must be unblocked.
Remote SSH
This feature uses an external tool, ngrok, which creates a tunnel for SSH services.
- The tunnel is created by connecting on port 443 to ngrok.io servers and keeping the connection alive for some period of time (it will close if it is inactive for some time).
- The tool also creates a local service which listens on port 4040, so that our Device Agent can make an HTTP GET request to http://127.0.0.1:4040/api/tunnels.
- SSHD has to be running and listening on the default port 22; otherwise ngrok can't finish the external connection via the tunnel. (Configuring the port may be possible in some cases.)
- When someone connects via the tunnel, ngrok will proxy the connection to 127.0.0.1 on TCP port 22 (where SSHD is listening). Note that this works even if no incoming connection is allowed on the device (as the connection is technically internal).
Firewall Rules
Incoming
Rule | Protocol | Port | App Protocol | From | To |
---|---|---|---|---|---|
Remote SSH | TCP | 22 | SSH | localhost | localhost |
WebRTC | TCP | 5540 (configurable) | Socket | localhost | localhost |
Remote SSH - ngrok service | TCP | 4040 | HTTP | localhost | 127.0.0.1 |
Outgoing
Rule | Network Protocol | Port | App Protocol | To |
---|---|---|---|---|
Freedom API | TCP | 443 | HTTPS | api.freedomrobotics.ai |
Freedom API (optional) | TCP | 443 | HTTPS | staging.api.freedomrobotics.ai |
Remote SSH | TCP | 443 | HTTPS | *.ngrok.io |
WebRTC stun 1 | UDP | 3478 | stun | global.stun.twilio.com |
WebRTC stun 2 | UDP | 19302 | stun | stun.l.google.com |
WebRTC turn | UDP/TCP | 3478 | turn | global.turn.twilio.com |
Public ip echo (recommended) | TCP | 80 | HTTP | ifconfig.me icanhazip.com ipecho.net bot.whatismyipaddress.com checkip.amazonaws.com ifconfig.co ip.42.pl |
Geo Location | TCP | 80 | HTTP | ip-api.com |
Map Box | TCP | 80 | HTTP | mapbox.com www.mapbox.com api.mapbox.com api.tiles.mapbox.com a.tiles.mapbox.com b.tiles.mapbox.com c.tiles.mapbox.com d.tiles.mapbox.com |
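
A consistency check a network team could run before applying the Outgoing table as an egress allowlist, as an added example that is not Freedom Robotics code: it parses the STUN/TURN URIs listed on this page and reports any that the table's WebRTC rows do not cover. The helper names are hypothetical, and treating a URI without a transport as UDP is an assumption.

```python
from typing import NamedTuple

class Endpoint(NamedTuple):
    scheme: str
    host: str
    port: int
    transport: str

# STUN/TURN URIs copied from the server list on this page.
ICE_SERVERS = [
    "stun:global.stun.twilio.com:3478?transport=udp",
    "turn:global.turn.twilio.com:3478?transport=udp",
    "turn:global.turn.twilio.com:3478?transport=tcp",
    "turn:global.turn.twilio.com:443?transport=tcp",
    "stun:stun.l.google.com:19302",
]

# (host, port, allowed transports) copied from the WebRTC rows of the Outgoing table.
WEBRTC_EGRESS_RULES = [
    ("global.stun.twilio.com", 3478, {"udp"}),
    ("stun.l.google.com", 19302, {"udp"}),
    ("global.turn.twilio.com", 3478, {"udp", "tcp"}),
]

def parse_ice_uri(uri: str) -> Endpoint:
    """Parse scheme:host[:port][?transport=udp|tcp]; port defaults to 3478."""
    scheme, _, rest = uri.partition(":")
    if scheme not in ("stun", "turn"):
        raise ValueError(f"unsupported scheme in {uri!r}")
    hostport, _, query = rest.partition("?")
    host, _, port = hostport.partition(":")  # DNS host names only, no IPv6 literals
    # Assumption: UDP when the URI names no transport, as in the table's STUN rows.
    transport = "udp"
    if query:
        key, _, value = query.partition("=")
        if key != "transport" or value not in ("udp", "tcp"):
            raise ValueError(f"unsupported query in {uri!r}")
        transport = value
    return Endpoint(scheme, host.lower(), int(port) if port else 3478, transport)

def uncovered(servers, rules):
    """Return the parsed endpoints that no egress rule permits."""
    allowed = {(h.lower(), p, t) for h, p, ts in rules for t in ts}
    return [e for e in map(parse_ice_uri, servers)
            if (e.host, e.port, e.transport) not in allowed]

if __name__ == "__main__":
    for e in uncovered(ICE_SERVERS, WEBRTC_EGRESS_RULES):
        print(f"no egress rule for {e.scheme} {e.host}:{e.port}/{e.transport}")
```

On the values copied from this page it reports turn:global.turn.twilio.com:443 over TCP, which the table's port 443 rows (api.freedomrobotics.ai, staging.api.freedomrobotics.ai, *.ngrok.io) do not include.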
Updated over 3 years ago