Enterprise Network Configuration

This page outlines the basic connectivity requirements for the Freedom Robotics Device Agent. It covers:

  • How it connects to the internet
  • Network Metrics
  • WebRTC
  • Remote SSH
  • Firewall Rules

Internet Connectivity
The Device Agent needs an internet connection to communicate with the Freedom Robotics API, to receive and transmit data. It connects to api.freedomrobotics.ai on the default port 443, establishing an HTTPS connection.

Network Metrics
There are metrics that check the public internet IP of the device. This is done by making HTTP GET requests (on default port 80) to test URLs like:

WebRTC
Tele-operation and remote piloting via WebRTC need a port to establish communication between the python2 processes and the python3 processes which handle WebRTC. The default port is 5540, but this can be changed by configuring the device at install time under the advanced settings.

The python2 processes start a small service that creates a socket listening on port 5540, but only on the localhost interface. The python3 process connects to this socket as a client.

TURN/STUN servers used for remote WebRTC

  • stun:global.stun.twilio.com:3478?transport=udp
  • turn:global.turn.twilio.com:3478?transport=udp
  • turn:global.turn.twilio.com:3478?transport=tcp
  • turn:global.turn.twilio.com:443?transport=tcp
  • stun:stun.l.google.com:19302

Direct connectivity via local WebRTC
To work without a TURN server (local_webrtc only), WebRTC needs all UDP traffic on the network to be unblocked.

Remote SSH
This feature uses an external tool, ngrok, which creates a tunnel for SSH services.

  • The tunnel is created by connecting on port 443 to ngrok.io servers and keeping the connection alive for some period of time (it will close if it is inactive for some time).
  • The tool also creates a local service which listens on port 4040, so that our Device Agent can make an HTTP GET request to: http://127.0.0.1:4040/api/tunnels.
  • SSHD has to be running and listening on the default port 22; otherwise ngrok can't finish the external connection via the tunnel. (Configuring the port may be possible in some cases.)
  • When someone connects via the tunnel, ngrok will proxy the connection to 127.0.0.1 port 22 TCP (where SSHD is listening). Note that this works even if no incoming connection is allowed on the device (as the connection is technically internal).

Firewall Rules
Incoming

| Rule | Protocol | Port | App Protocol | From | To |
|---|---|---|---|---|---|
| Remote SSH | TCP | 22 | SSH | localhost | localhost |
| WebRTC | TCP | 5540 (configurable) | Socket | localhost | localhost |
| Remote SSH - ngrok service | TCP | 4040 | HTTP | localhost | 127.0.0.1 |
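
A check of the three localhost-scoped services in the Incoming rules, as an added example that is not part of the Device Agent or of Freedom Robotics' own tooling. It parses the text of `ss -ltnH` and reports any of ports 22, 5540 and 4040 bound beyond loopback. The function names and the sample output are assumptions constructed for illustration, and treating sshd as loopback-only assumes the device needs SSH only through the ngrok tunnel.

```python
import ipaddress

# Ports the Incoming rules scope to localhost -> localhost.
LOOPBACK_ONLY = {22: "sshd (Remote SSH target)",
                 5540: "WebRTC py2/py3 socket (default port)",
                 4040: "ngrok local API"}

def is_loopback(host):
    """True if a listen address printed by `ss` is a loopback address."""
    host = host.strip("[]").split("%", 1)[0]  # drop IPv6 brackets and %iface
    if host == "*":                            # wildcard: every interface
        return False
    return ipaddress.ip_address(host).is_loopback

def audit_listeners(ss_output, expected=LOOPBACK_ONLY):
    """Return (exposed, missing) for the text of `ss -ltnH`.

    exposed: sorted (port, address) pairs bound beyond loopback.
    missing: sorted expected ports that have no listener at all.
    """
    exposed, seen = set(), set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")  # "Local Address:Port"
        if not port.isdigit() or int(port) not in expected:
            continue
        seen.add(int(port))
        if not is_loopback(host):
            exposed.add((int(port), host))
    return sorted(exposed), sorted(set(expected) - seen)

# Constructed sample of `ss -ltnH` output (not captured from a real device).
SAMPLE = """\
LISTEN 0 128   127.0.0.1:5540    0.0.0.0:*
LISTEN 0 4096          *:4040          *:*
LISTEN 0 128     0.0.0.0:22      0.0.0.0:*
LISTEN 0 128        [::]:22         [::]:*
LISTEN 0 128 127.0.0.53%lo:53    0.0.0.0:*
"""

if __name__ == "__main__":
    exposed, missing = audit_listeners(SAMPLE)
    for port, addr in exposed:
        print(f"port {port} ({LOOPBACK_ONLY[port]}) listens on {addr}")
    for port in missing:
        print(f"port {port} ({LOOPBACK_ONLY[port]}) has no listener")
```

On a device, pass the captured output of `ss -ltnH` instead of SAMPLE; if the WebRTC port was changed at install time, adjust the 5540 entry to match.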

Outgoing

| Rule | Network Protocol | Port | App Protocol | To |
|---|---|---|---|---|
| Freedom API | TCP | 443 | HTTPS | api.freedomrobotics.ai |
| Freedom API (optional) | TCP | 443 | HTTPS | staging.api.freedomrobotics.ai |
| Remote SSH | TCP | 443 | HTTPS | *.ngrok.io |
| WebRTC stun 1 | UDP | 3478 | stun | global.stun.twilio.com |
| WebRTC stun 2 | UDP | 19302 | stun | stun.l.google.com |
| WebRTC turn | UDP/TCP | 3478 | turn | global.turn.twilio.com |
| Public ip echo (recommended) | TCP | 80 | HTTP | ifconfig.me, icanhazip.com, ipecho.net, bot.whatismyipaddress.com, checkip.amazonaws.com, ifconfig.co, ip.42.pl |
| Geo Location | TCP | 80 | HTTP | ip-api.com |
| Map Box | TCP | 80 | HTTP | mapbox.com, www.mapbox.com, api.mapbox.com, api.tiles.mapbox.com, a.tiles.mapbox.com, b.tiles.mapbox.com, c.tiles.mapbox.com, d.tiles.mapbox.com |