Do you want/need an APN that allows connections initiated from outside the APN?

  • No thanks, no idea what this means - don't think it applies to me

    Votes: 17 8.5%
  • No thanks, I know what it means and I will never need it

    Votes: 15 7.5%
  • Yes please, for [desktop or other] remote support

    Votes: 110 55.3%
  • Yes please, for hosting

    Votes: 61 30.7%
  • Yes please, for some other reason explained in my post in the thread

    Votes: 27 13.6%
  • I clicked a 'Yes' option above, and am prepared to accept the risk of being hacked

    Votes: 93 46.7%
  • I clicked a 'Yes' option above, and am NOT prepared to accept the risk of being hacked

    Votes: 6 3.0%

  • Total voters
    199

vodacom3g

Vodacom Representative
The History

There are 3 'consumer' APN's available to the Vodacom user base:

internet - NAT'd IP with all incoming ports blocked, i.e. you can connect to any service with no blocking or shaping of any kind, but your PC can't accept incoming connections. This is out-and-out to protect users from port attacks and scanning.

internetvpn - Routable, dynamic IP with all incoming ports blocked, i.e. you can connect to any service with no blocking or shaping of any kind, but your PC can't accept incoming connections. This is out-and-out to protect users from port attacks and scanning.

vlive - same as internet, but allows you to connect to VodafoneLive at no charge.

All the above apn's block incoming ports but have no restriction on outgoing. You decide what to do with your data.

Some users, in addition, required unsolicited incoming connections and for this the 'unrestricted' APN was created. This allows you to do things like live web streaming, remote desktop support, etc. My original name for the APN was the 'hosting' APN, but it turned out to be more than that.

The danger of this APN is that it exposes your device to the greater internet and you can (and probably will) be attacked. Worse, because you pay for every byte sent or delivered to your data card, you could end up paying for the privilege of being attacked! But some people require the service and thus I asked for it to be created a year or so ago.

Another triumph for the forum, BTW!!

Initially you could auto-provision yourself via 4me but I asked for it to be removed and replaced by the relevant form, the idea is to make VERY sure a user understands the risks.

On-line, click-through would have enticed users to auto-provision without understanding the risks (and wasting precious routable IP's). We recently saw posts here where there was no need to be on the unrestricted APN, but yet, it seems, the subscriber provisioned himself in any case.

If you read the disclaimer you'll notice this is basically what it says: By using the 'unrestricted' APN you will not hold Vodacom responsible for incoming data charges. So, please ensure your firewall is up to scratch.

To summarise:

1) NO blocking, shaping, throttling or messing with outgoing ports, in any way, on all Vodacom APN's. This covers 99.99% of all Vodacom data users as the vast majority of applications initiate the connection from the 3G side.

2) internet, vlive and internetvpn APN's will block all unsolicited incoming connections.

3) unrestricted apn allows all incoming ports, again NO blocking, shaping, throttling or messing with incoming ports, in any way, just like outgoing.

To summarise the summary: NO shaping, whatsoever.

How to Apply for the unrestricted APN
http://www.vodacom.co.za/portal/sit...=format6/javascript:top.nullSrc()&ht=t
 
I need some help and suggestions...

I'm running a Java Server application on my home PC connected to the 3G network with the internetvpn APN. The server is only used to receive and forward small amounts of data (about 4 MB per day).

I'm using a dynamic IP client to constantly update my IP address on the DNS server.

For some reason I cannot access the IP address from outside the 3G network. If both my server and other connection are running on GPRS or 3G I can see the IP but again not from the internet.

Any ideas? Maybe there is another APN I can use to make the IP visible on the internet? My only other option is to opt for a DSL line.

When I point my browser (on the machine running the server) to my URL on a certain port, the web page is loaded from the DNS. But this doesn't work from another internet connection. I have my firewall switched off for now.

Can I get someone to host my server somewhere else maybe?

Any help will be appreciated.

grub
 
If I read you correctly, you are being blocked from opening up a connection from the outside into the 3G network. This is standard practice in most ISP environments to protect users from being port scanned and hacked.

There are a few solutions to this problem:

1) If you can get your server to open up the connection from the inside, it will work, i.e. let the server poll the client, or at least let the server open up the comms. This is how P2P systems get around the incoming port blocking.

2) Not too sure if creating a VPN tunnel might work. Maybe another forumite can comment on this?

3) In theory we could create an open APN, but taking all the security issues around this in consideration, will need to be carefully constructed.
 
Well, I remember when I was using MTN GPRS, when you connected to the network, you got some private IP address... then to access the actual internet your traffic went through their proxy... so it was impossible to be seen from outside the MTN network... you were basically on some little MTN private network!
 
bboy,

That is true for the internet APN. By using the internetvpn APN the IP is routable. I think my problem is associated with the ports I want to use.
 
grubsner said:
bboy,

That is true for the internet APN. By using the internetvpn APN the IP is routable. I think my problem is associated with the ports I want to use.

So if you use MTN GPRS or V3G and the internetvpn APN, you should get a routable IP?
 
Although using the internetvpn APN, I never managed to contact my 3G Linux box from outside, not on any "standard" port (e.g. 80, 21, 22, 110) :mad:
 
I just did a port scan on ShieldsUp WITHOUT my firewall running and all the ports are reported as STEALTH. This means ALL incoming ports are blocked. I can't even contact my Home PC via my VPN software on port 443.
 
This is correct. You won't be able to open up a port from the outside INTO the 3G/GPRS data network for the reasons stated above.

However, there might be a valid case for this functionality.

Can we see a show of (electronic) hands from those who need this, together with a short reason. I can then collate and feed through.

For example:

- Require to do support of 3G connected PC's.
- Need to do maintenance on a 3G system.
- Want to host a 3G based server.

etc.

Just to clarify why the ports are not open by default.

1) An unsuspecting user can be hacked and infected without realising it.
2) Any hacking / scanning attempts will be for the account of the user! Remember you pay for all incoming and outgoing traffic.
 
What is the real purpose of the 'internetvpn' APN? I thought that all ports would be open for an end user on v3g/gprs and it is their risk with what happens regarding the data transferred. If you don't want the risk then use the standard 'internet' APN.

I am wanting to set up my Linksys 3G Routers that I've just got, with DDNS in order for remote software configuration and maintenance.

Maybe there should be another APN setup at vodacom for use with these new Linksys 3G Routers??

So, what is the real purpose of having a v3g linksys router where you can't actually use the router part of it??
 
Just saw the other option " I clicked a 'Yes' option above, and am prepared to accept the risk of being hacked"

but I didn't click it first time round so add another one to that number from me
 
I tried to set up a VPN over the internet between my ADSL PC and MTN 3g laptop using DynDNS and had no luck so far... Is all of the above something to do with my prob?

It's late and I should be sleepy but you know how it is when you're trying to get something to work......
 
internetvpn

Hi

Got my legal IP, but could v3g or someone please confirm that even though you have a legal IP, incoming connections are still blocked???? i.e. connection still needs to be established from the inside? and connection cannot be established from the outside??? Don't worry about the fact that the legal IP changes every time I connect, I am aware of that and have resolved it.

Thanks
 
Yes, you're right. All incoming ports are blocked. No outgoing ports are blocked.

Reason being that you could get port scanned from the outside and will end up carrying the cost for that. Vast majority of 3G users would have a serious problem with this.

However, I believe, we should have a 'Hosting APN' where incoming ports are not blocked and the user carries the responsibility. It would be a specialist type of application, not for normal use.

I've requested this APN; it has been approved in principle and is being developed as a product.
 
The connectivity strategy is being expanded and cleaned up at the same time with multiple access points across the country but only to one SP.

It's also important to not have too many APN's as this can cause configuration and support issues.

Currently we have a number of APN's focused on specific functionality:

- blackberry
- mms
- vlive

The open APN's are:

- internet - NATed IP with incoming port blocking. Used for general internet access
- internetvpn - Routable IP with incoming port blocking. Used for general internet access and when a routable IP is required by a specialised app.

Proposed new APN:

- hosting - Routable IP with no incoming port blocking. Used for hosting, support or other incoming requests.
 
Ok, so seen a few 'legit' reasons why people want a routable IP:
Home security - think this could actually be the killer app (few webcams, custom router software and 3G) or GPS, cellphone in your car for a realtime tracker. I really would not mind taking responsibility for the traffic so long as it's a unique APN.

Now what about the 'real' reasons people want a mobile server.... I really don't want to see anyone walking around with a head mounted webcam and suspiciously heavy backpack.... a beer for the most creative application?
 
Listening VNC viewer

One of the main requirements for the 'hosting' APN is to be able to do remote connections to a 3G-based system for support.

You can't (currently) do a direct VNC connection into the 3G network as the incoming ports are blocked.

Just got off the phone with one of the forumites and he suggested one use the listening VNC viewer. This is so obvious, I'm worried why the collective forum never thought about this :)

This way the 'server' will have to initiate the connection to the 'viewer' but this could work in a lot of the 'support' type of requirements where there are humans on both ends.

Comments?
 
If your requirement is to connect to a system on the 3G network from somewhere else, using VNC for example, you'll run the VNC server on the 3G connected system and the VNC viewer on the outside system.

Normally the viewer would connect to the server and take over its screen, keyboard and mouse allowing you to control the server system. This will not work on the internet or internetvpn APN's as the incoming port (from viewer to server) is blocked.

VNC has another mode where you run a 'listening viewer' on the client side. The server now initiates the connection (normally a human action) and connects to the viewer who can then control the server.

The connection was now made in the outgoing direction and will work on any APN including the NATed internet APN.
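
The direction reversal described in the two posts above, as an added example that is not part of the thread and is not VNC code: the support side listens, the machine behind the APN makes the only TCP connect(), and the listener then drives the session. The key, the `STATUS` message and all function names are assumptions; the challenge-response is there because the listening side is now the endpoint that accepts unsolicited connections.

```python
import hashlib
import hmac
import os
import socket
import threading

SHARED_KEY = b"constructed-demo-key"  # assumption: agreed out of band


def _proof(key, nonce):
    # Keyed proof that the dialing host knows the shared key.
    return hmac.new(key, nonce, hashlib.sha256).digest()


def support_listener(srv, key, result):
    """Support desk: accepts one inbound session, verifies it, then drives it."""
    conn, _ = srv.accept()
    with conn, conn.makefile("rb") as f:
        nonce = os.urandom(16)
        conn.sendall(nonce)
        if not hmac.compare_digest(f.read(32), _proof(key, nonce)):
            result["status"] = "rejected"  # unknown dialer: drop it
            return
        conn.sendall(b"STATUS\n")  # control flows listener -> dialer
        result["reply"] = f.readline().strip()
        result["status"] = "accepted"


def host_dial_out(addr, key):
    """Machine behind the APN: outgoing connection only, then answers requests."""
    with socket.create_connection(addr, timeout=5) as s, s.makefile("rb") as f:
        s.sendall(_proof(key, f.read(16)))
        if f.readline() == b"STATUS\n":
            s.sendall(b"OK host-behind-apn\n")


def run_session(host_key):
    """Run both ends on loopback and return what the listener observed."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # ephemeral port stands in for the viewer's port
    srv.listen(1)
    result = {}
    t = threading.Thread(target=support_listener, args=(srv, SHARED_KEY, result))
    t.start()
    host_dial_out(srv.getsockname(), host_key)
    t.join()
    srv.close()
    return result
```
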
 