One way path


#1

I have a nice tall site I could use, but it’s going to have an issue with connectivity. Long story short, a firewall I have no control of will prevent a two way path to the Pi Aware. I can forward packets from a Pi Aware, through a one way serial connection, to the Internet. So I know MLAT will be out. Updates won’t happen. But if I can manage to get a port feed (30001, 30002?) from the Pi Aware, and out to the Internet, will my data get to the servers? I already do this for AIS and it works great. I know ADS-B is way more complicated, but can I simplify it this much and still get data online? Don’t bother with router or firewall solutions, I can’t change them.


#2

Only way I can see that working is if you tunnel the raw port 30005 data out over the serial connection, and run piaware somewhere externally.
The port 30005 data is relatively high bandwidth (35kB/s at busy sites)

The piaware-to-FA-server connection is fundamentally bidirectional so you are not going to be able to run that connection over a one-way link.


#3

I use a simple “domestic” NAT firewall - probably similar to most other users here. Piaware simply punches out through my firewall and FA returns data on the same path - so I do not need to install any firewall rules.
A company may have a more complex firewall which may need specific rules.

Having the RPi establish an outgoing vpn tunnel to your home may be a way for you to control the RPi.


#4

If you can tell us, what’s the firewall? Most simple-minded stateful firewalls block (just about) everything incoming (from the outside world) but allow connections on most ports to be opened from the inside to external services.

So someone on the outside trying to connect on port 80 or 443 isn’t going to get anywhere, but from the inside you can connect to CNN using http: or https: with no problems and it will work fine. Same with things such as Netflix.

If you’re faced with such a stateful firewall, you shouldn’t have a problem.

On the other hand, if it’s a commercial installation, someone may have set up the firewall to be very picky about what ports can be used going out.

Let us know – you might have a chance of it working.

bob k6rtm


#5

It’s a very large, highly regulated government firewall. Everything I’ve tried to connect through it to the outside world has been blocked. And getting exceptions isn’t possible. I can put a serial to Ethernet device at the tall site. And another Ethernet to Serial elsewhere in the network where there is open Internet co-located. This setup works great for MarineTraffic.com. But that’s a one way path.


#6

I hadn’t thought of separating the Pi from the radio. Interesting approach. So how would I do this?

Antenna-Stick-USB-(?)-Internal IP network-(?)-PiAware-Public Internet.

What are the devices at the question marks?

If I did port 30005 one way, would anything work? Or would it not even start? The Serial to Ethernet devices I use can do serial up to 230 kBaud. So that would be about 28kB/s. Lantronix UDS1100. Would the bandwidth be less without MLAT running?


#7

I have a similar situation and here’s what works:

Inside the firewall, set up an RPi or other Linux PC with dump1090. Install SOCAT. Set it up to push the raw data out to your home site public IP on port 30001. On your home station, you need to be running PiAware with Dump1090-mutability in ‘--net-only’ mode, listening for the raw data push from the remote receiver. Make sure to register your home site location as the lat/lon coordinates of the remote site.

My site 22047 is running using roughly this scheme and does MLAT fine.

I’m in the air right now on my way home, and will post the SOCAT configure info later if you want it.


#8

The first one would be something running dump1090 against the real dongle (e.g. a Pi), and socat to connect to localhost:30005 and feed to the serial-to-ethernet converter’s serial device.

(the socat command line would be something like: socat -u TCP-CONNECT:localhost:30005 OPEN:/dev/someserialdevice,b230400)

The second one would be something running dump1090 in --net-only mode and piaware (e.g. another Pi), and socat to feed data from the ethernet-to-serial converter’s serial device to dump1090 on localhost:30104

(the socat command line would be something like: socat -u OPEN:/dev/someserialdevice,b230400 TCP-CONNECT:localhost:30104)

piaware then ends up connecting to the --net-only dump1090 on port 30005, which will get copies of the data arriving over the serial device. You’re really only running that dump1090 to provide fan-out of the serial line since piaware wants to make a couple of separate connections to port 30005.

If I did port 30005 one way, would anything work? Or would it not even start? The Serial to Ethernet devices I use can do serial up to 230 kBaud. So that would be about 28kB/s. Lantronix UDS1100. Would the bandwidth be less without MLAT running?

The data on 30005 is one way so it should work OK. That format is originally for serial use anyway (in the Mode S Beast) so it will tolerate some data loss etc as well (I don’t know if the converters give you any reliability guarantees or if it is send-and-pray)

mlat doesn’t affect the bandwidth. The Beast format is already fairly compact and always includes timestamps. You’re looking at something like 16-24 bytes per Mode S message from memory, multiply that by the message rate you see to get a bandwidth estimate.
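
An added illustration of the two points in the post above (not code from the original post, dump1090 or piaware): a Python deframer for the Beast binary stream on port 30005 that resynchronises after the one-way serial link drops bytes, plus a link-load estimate. The frame layout used is the Mode S Beast binary format (0x1a, type byte, 6-byte timestamp, 1-byte signal level, 2/7/14-byte payload, with 0x1a doubled inside a frame); 8N1 serial framing and the sample bytes are assumptions constructed for the example.

```python
ESC = 0x1A
PAYLOAD_LEN = {0x31: 2, 0x32: 7, 0x33: 14}  # '1' Mode A/C, '2' short, '3' long

def encode(ftype, timestamp, signal, payload):
    """Build one frame (used here only to construct sample input)."""
    body = timestamp.to_bytes(6, "big") + bytes([signal]) + payload
    return bytes([ESC, ord(ftype)]) + body.replace(b"\x1a", b"\x1a\x1a")

def deframe(stream):
    """Return (frames, dropped_bytes); frame = (type, timestamp, signal, payload)."""
    frames, dropped, i, n = [], 0, 0, len(stream)
    while i < n:
        # A frame starts with ESC followed by a known type byte.
        if stream[i] != ESC or i + 1 >= n or stream[i + 1] not in PAYLOAD_LEN:
            dropped += 1
            i += 1
            continue
        ftype = stream[i + 1]
        need = 6 + 1 + PAYLOAD_LEN[ftype]  # timestamp + signal + payload
        body, j, ok = bytearray(), i + 2, True
        while len(body) < need and j < n:
            if stream[j] == ESC:
                if j + 1 < n and stream[j + 1] == ESC:
                    j += 1          # doubled ESC is one literal 0x1a
                else:
                    ok = False      # lone ESC: frame was cut short
                    break
            body.append(stream[j])
            j += 1
        if ok and len(body) == need:
            frames.append((chr(ftype), int.from_bytes(body[:6], "big"),
                           body[6], bytes(body[7:])))
        else:
            dropped += j - i        # discard the partial frame
        i = j                       # resume at the next frame start
    return frames, dropped

def link_load(msgs_per_sec, baud=230400, bits_per_byte=10):
    """Worst-case share of the serial link used: every message a 23-byte
    long frame, 8N1 framing assumed (10 bits on the wire per byte)."""
    return msgs_per_sec * 23 / (baud / bits_per_byte)

# Constructed sample: frame B loses its tail on the link, A and C arrive whole.
A = encode("2", 0x1A2B3C, 80, bytes.fromhex("5d4840d6202cc3"))
B = encode("3", 1000, 70, bytes.fromhex("8d4840d6202cc371c32ce0576098"))
C = encode("2", 2000, 90, bytes.fromhex("02e197b00179c3"))
SAMPLE = A + B[:8] + C
```

With the sample, `deframe(SAMPLE)` recovers A and C and reports the 8 bytes of the truncated frame as dropped; `link_load` shows that under these assumptions a 230400 baud link saturates at roughly 1000 long messages per second.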


#9

And there’s my problem. The firewall blocks that. But I could push 30001 to an Ethernet to Serial converter at another network location where I do have unfiltered Internet access. Then a serial to Ethernet device on the public Internet side that forwards to anywhere. But that’s a one-way path. Sounds like I need to do some experimentation.


#10

mizupc8.bio.mie-u.ac.jp/echigoya … remserial/

lpccomp.bc.ca/remserial/

elinux.org/RPi_Serial_Connection


#11

Thanks everyone. I have some experimentation to do here. Great info.


#12

Just to clarify, I understand that at the physical location you wish to mount the receiver, you do have Ethernet but the firewall blocks all outbound traffic from that location?

Or, is it that there is actually no network available there, but there is cabling in place that would allow a serial link to another location with more open network? If this is the case, what type of cabling is it?