You can easily create IP servers - for example the standard Python module "http.server" can be used: https://docs.python.org/3.3/library/http.server.html
However, by default the Cradlepoint router's firewall will block all unexpected incoming traffic, so while your server can bind on a local router port, happily waiting for incoming clients - none will appear. Therefore, you will need to create the appropriate firewall rules to allow incoming IP traffic to reach your SDK code.
Create a custom Filter Policy
- First, we'll create a custom filter policy, which defines the general type of filter we'll allow. Go into "Security" > "Filter Policy", and click "Add".
- Next, in the policy editor, name and add a new policy defining some allowed traffic. Since this is for a custom SDK web server, we'll call it "My Web Server".
- Within this policy, we'll have a single rule, which accepts clients from any source. Therefore leave the "Source" as "None assigned". Note that limiting access to local clients versus WAN clients is done later. See Cradlepoint documentation for more advanced, flexible rules.
- For destination, define the TCP or UDP port which your SDK code will bind to. Because your SDK code runs as a non-privileged user, you cannot use values 0 to 1023. Also, avoid the port numbers of common servers: if the router NCOS already uses a common port, your code will start too late and find the port unavailable for binding. Also, for security purposes, it is advisable to use unexpected port numbers, which gives attackers fewer clues. In this example, our web server will wait on TCP port 9001.
- Finally, enable this policy for UDP (IP protocol 6) or TCP (IP protocol 17). Note that SSH, SSL, and TLS all arrive as TCP, so IP protocol 17.
- Press save to save this policy. Make sure the action is green, for allow.
- You are returned to the Filter Policy list. Click the "+" to see the details, and once again confirm the policy looks as expected.
Attach Your New Policy to Zone Forwarding
- Next, create a new Zone Forwarding rule. Go into "Security" > "Zone Forwarding", and click "Add".
- Select the appropriate source and destination zone, then attach your new policy. In this example, we are limiting access to our custom web server to clients on the primary local LAN.
- After you click "Save", confirm the details are as expected.
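
A small server to exercise these rules, as an added example that is not part of the original page or Cradlepoint's own SDK samples: it binds TCP port 9001 and also refuses clients outside the LAN at the application layer, so the restriction does not depend on the zone rule alone. The subnet 192.168.0.0/24 and the names `check_port`, `client_allowed` and `make_server` are assumptions chosen for illustration.

```python
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer

PORT = 9001  # TCP port opened by the "My Web Server" filter policy
# Assumption: the primary LAN subnet; replace with your router's LAN network.
ALLOWED_NET = ipaddress.ip_network("192.168.0.0/24")


def check_port(port):
    """Reject ports the non-privileged SDK user cannot bind (0 to 1023)."""
    if not 1024 <= port <= 65535:
        raise ValueError("port %d cannot be bound by a non-privileged user" % port)
    return port


def client_allowed(addr, net=ALLOWED_NET):
    """Return True when the peer address is inside the allowed LAN subnet."""
    try:
        return ipaddress.ip_address(addr) in net
    except ValueError:
        return False


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Second check behind the firewall: refuse peers outside the LAN,
        # so a leftover "allow all" zone rule does not expose the server.
        if not client_allowed(self.client_address[0]):
            self.send_error(403, "Forbidden")
            return
        body = b"Hello from the SDK web server\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        # Log every request with its source address for later review.
        print("%s %s" % (self.client_address[0], fmt % args))


def make_server(port=PORT, host=""):
    """Build the server; raises ValueError for a privileged port."""
    return HTTPServer((host, check_port(port)), Handler)


if __name__ == "__main__":
    make_server().serve_forever()
```

A LAN client should receive the greeting, while a request from any other zone should either be dropped by the firewall or answered with 403.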
Dangerous "Allow All" for testing
- If you are having trouble testing, you might wish to create a "Zone Forwarding" which in effect disables your firewall! This is less risky during local SDK development, but should not be used if your router has a publicly exposed, routable IP address. Use it for quick testing, then delete it.