I want to route a reserved local IP address (say “192.168.88.8”) on my wifi bridge (cAP) to a public web server IP address.
How do I do this? I have played around with NAT but so far unsuccessfully.
Maybe it sounds crazy but I am trying to force/restrict Android to using local wifi to access my public web server. I want to do this with minimal adjustments on the Android device — just connect to the wifi and enter the local address in the browser is what I’m after. I am seeking to avoid/prevent use of mobile data networks and restrict access to known locations/broadband gateway addresses.
I control the web server so the server is not the problem. The problem is that Android will sometimes (but not always) use mobile broadband (which I have no knowledge or control of) instead of wifi. Using an address that is only reachable on wifi would solve the problem if I could handle the routing in the AP.
I added to my original post to try to clarify. NAT is needed in order to force Android to use local wifi instead of broadband. Forcing access through a known gateway IP lets me identify and restrict the locations where requests are allowed to come from. Most people try to use geo-fencing for this but geo-coordinates are easily spoofed.
192.168.88.8 —> known broadband gateway IP —> public web server
Using a list of known gateways, I can log the location of each request. If the gateway is some unknown mobile tower, I have no idea where the request came from.
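The gateway allowlist described in the post above, as an added example that is not part of the original thread: a server-side check that maps the connecting address to a known site, logs it, and rejects everything else. The gateway addresses (documentation ranges), site names and function names are constructed assumptions.

```python
import ipaddress

# Constructed allowlist: known broadband gateway networks -> site label.
KNOWN_GATEWAYS = {
    "203.0.113.17/32": "warehouse",
    "198.51.100.0/29": "front-office",
}
_NETS = [(ipaddress.ip_network(n), site) for n, site in KNOWN_GATEWAYS.items()]


def site_for_peer(peer):
    """Return the site label for a socket peer address, or None if unknown."""
    try:
        addr = ipaddress.ip_address(peer)
    except ValueError:
        return None  # malformed address: treat as unknown
    # Dual-stack listeners report IPv4 clients as ::ffff:a.b.c.d
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    for net, site in _NETS:
        if addr.version == net.version and addr in net:
            return site
    return None


def authorize(peer, path):
    """Decide on the TCP peer address only; request headers such as
    X-Forwarded-For are supplied by the client and are not evidence."""
    site = site_for_peer(peer)
    status = 200 if site else 403
    return {"peer": peer, "path": path, "site": site or "unknown", "status": status}


# Constructed sample requests: (socket peer address, path)
SAMPLE = [
    ("203.0.113.17", "/checkin"),         # known gateway
    ("::ffff:198.51.100.3", "/checkin"),  # known gateway, IPv4-mapped form
    ("192.0.2.44", "/checkin"),           # unknown, e.g. a mobile carrier address
    ("not-an-ip", "/checkin"),            # malformed input
]

if __name__ == "__main__":
    for peer, path in SAMPLE:
        print(authorize(peer, path))
```
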
What I don’t understand is how your Android device would know this.
If you are connected to, let’s say, LTE and wifi at the same time, your device will use wifi over LTE. So why do you need to do anything?
So let’s say you have a webserver with the IP 1.1.1.1. How could you access it inside your local network of 192.168.88.0/24?
Example:
If you browse to 192.168.88.254, it would redirect you to 1.1.1.1? Is that what you want? It doesn’t make sense to me.
So you want some Android device to connect to your public server, but not directly to its public address, because it could send packets the wrong way. To prevent that, you’ll tell it to connect to the local 192.168.88.8 and you’ll redirect it to the server’s public address. Correct?
The only catch is that if the Android device is in the same subnet as this 192.168.88.8, the address must respond to ARP requests. The simplest way to achieve that is to add it to the router. If you already have e.g. 192.168.88.1, then just add .8 as a second one.
This indicates that you might have a problem with your wifi reception/quality.
As already stated, when the device is connected over wifi, it should prefer that over mobile. This should result in your local router enabling the connection to your public web-server just fine.
Only when wifi is not connected, the device would choose the mobile (default) route.
Giving your web-server a non-public IP, basically masquerading it (hence your attempt at using NAT), will not help, as your device will not be connected to wifi at that time.
This is not a MT problem, as it seems.
You should try to find an app for your Android that applies some kind of access management/rules, choosing/defining allowance to certain paths over wifi only.
… I actually do not know of any app, but I’d gather that there are many … a first attempt with my google-fu reveals “NetGuard” as an option … maybe you will need to go for the PRO version, based on your use case.
It should … but it doesn’t always do this … even with an excellent wifi signal.
I think the problem is the wifi has restricted access and it fails the Android “internet access” test. When Android thinks there is no internet access across wifi, it (sometimes but not always) sends the data over the mobile access.
CORRECTION: All for naught — Android is brain dead! Even though the address is only valid on the local wifi subnet, Android still tries to resolve it using the mobile connection. If internet access is not detected on wifi, the only way Android will use wifi is if mobile data is turned off.
With ARP it’s about responses sent by the router. Entries in IP->ARP are what the router itself uses (unless it’s published=yes for proxy ARP). If you assign the address to the router, it automatically responds to ARP requests and you don’t need to do anything with IP->ARP.
Hmpf…so you are not in your own, managed wifi zone but rather at your employer’s or such situation?
That actually could be the cause of your problem.
How about setting up a WireGuard link and using that as the default route, going through your own ISP from basically everywhere?
Your other solution is a bit too unconventional, I’d say.