Hi,
Just got a shiny new Galaxy Note 10.1 last weekend. Yesterday, after receiving my case and keyboard from Amazon, I brought it in to school to start taking advantage of the S-Pen for note taking in classes that keyboards don't quite cut it in. Unfortunately, it revived an issue that I had and ignored on my HTC Rezound from last year... an issue that a WiFi device can't ignore, and unfortunately my phone's battery is not up to using CM10's tether function all day (and it might start running down my monthly data being used 5 days a week, all day).
So, any ideas what might cause this issue? The school primarily has Macs, and my Windows 8 Laptop sometimes has issues, but at least half the time it works fine. It is just Android devices that will not work. They connect, and get great signal strength, but just won't get any actual data. To my knowledge, nobody has ever gotten an Android device to connect. My Rezound is running an unofficial CM10 (4.1 JB) version, and my Note is using whatever the newest official update is (4.1 as well, I believe. Non-rooted). I don't know a whole lot about this type of stuff, but I'm not afraid to tinker around to try and get it working. I've tried a few other suggestions from numerous Google searches, but to no avail so far. The network is unprotected, and run by the school's IT people, so needless to say I have no way to easily change settings for the campus' network. I'd prefer not to root the Note just yet, but if I need to, so be it. Any ideas what this might be?
Thanks
Some more Info
Coffeeist said:
[Original Post]
Some more info:
I cannot ping the tablet from my laptop (I get no packet loss, but all return 'Destination Host Unreachable').
Same result if I try pinging my laptop or the router from my tablet using Terminal Emulator.
Sometimes, if set to DHCP, the tablet will give an 'Authentication Error Occured' error (or similar, I don't recall the actual wording). Sometimes it indicates a connection, but just won't work. I've never had a problem connecting using the same info as my laptop (with the IP changed, of course), but again, no internet, no ping.
Thanks
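The "no packet loss, but Destination Host Unreachable" result reported in the post above has a specific meaning: Windows ping counts an ICMP unreachable message as a received reply, and when that message comes from the pinging machine's own address, ARP for the target got no answer. The following is an added example, not part of the original thread; the function name, verdict labels and sample addresses are constructed for illustration.

```python
import re
from collections import Counter

# Line formats of the Windows ping and the Linux/Android (Terminal Emulator) ping.
ECHO = [re.compile(r"Reply from ([\d.]+): bytes=\d+"),
        re.compile(r"\d+ bytes from ([\d.]+): icmp_seq=\d+")]
UNREACHABLE = [
    re.compile(r"Reply from ([\d.]+): Destination host unreachable", re.I),
    re.compile(r"From ([\d.]+) icmp_seq=\d+ Destination Host Unreachable", re.I),
]
TIMEOUT = re.compile(r"Request timed out", re.I)

# Constructed sample: laptop 10.20.4.15 pinging the tablet 10.20.4.87.
WINDOWS_SAMPLE = """\
Pinging 10.20.4.87 with 32 bytes of data:
Reply from 10.20.4.15: Destination host unreachable.
Reply from 10.20.4.15: Destination host unreachable.
Reply from 10.20.4.15: Destination host unreachable.
Reply from 10.20.4.15: Destination host unreachable.

Ping statistics for 10.20.4.87:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
"""

# Constructed sample: tablet 10.20.4.87 pinging the gateway 10.20.4.1.
ANDROID_SAMPLE = """\
PING 10.20.4.1 (10.20.4.1) 56(84) bytes of data.
64 bytes from 10.20.4.1: icmp_seq=1 ttl=64 time=4.2 ms
64 bytes from 10.20.4.1: icmp_seq=2 ttl=64 time=3.9 ms
From 10.20.4.87 icmp_seq=3 Destination Host Unreachable
From 10.20.4.87 icmp_seq=4 Destination Host Unreachable
"""


def summarize_ping(output, local_ip):
    """Count real echo replies separately from error messages and classify."""
    echoes = timeouts = 0
    reporters = Counter()          # who sent each "unreachable" message
    for line in output.splitlines():
        if any(p.search(line) for p in ECHO):
            echoes += 1
        elif TIMEOUT.search(line):
            timeouts += 1
        else:
            for pattern in UNREACHABLE:
                match = pattern.search(line)
                if match:
                    reporters[match.group(1)] += 1
                    break

    failures = timeouts + sum(reporters.values())
    if echoes and not failures:
        verdict = "reachable"
    elif echoes:
        verdict = "intermittent"        # worked, then stopped: note when it flips
    elif reporters and set(reporters) == {local_ip}:
        verdict = "no-arp-reply"        # own stack gave up: layer-2 problem
    elif reporters:
        verdict = "router-unreachable"  # a hop further along rejected the packet
    elif timeouts:
        verdict = "silent-drop"         # packets left, nothing came back
    else:
        verdict = "no-data"
    return {"echo_replies": echoes, "timeouts": timeouts,
            "unreachable_from": dict(reporters), "verdict": verdict}


if __name__ == "__main__":
    print(summarize_ping(WINDOWS_SAMPLE, "10.20.4.15"))
    print(summarize_ping(ANDROID_SAMPLE, "10.20.4.87"))
```

A `no-arp-reply` verdict points at the link layer (client isolation on the AP, a block on the device's traffic, or a static address outside the real subnet) rather than at DNS or routing.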
May or may not be the problem, but from what I've noticed, school networks tend to have a lot of blocked ports. I know the main Google Sync Framework uses port 5228. Try shooting an email to a network admin in your school's IT dept, asking about that port or just in general if they're aware that Android devices are unable to connect on their network.
Coffeeist said:
Some more info:
I cannot ping the tablet from my laptop (I get no packet loss, but all return 'Destination Host Unreachable').
Same result if I try pinging my laptop or the router from my tablet using Terminal Emulator.
Sometimes, if set to DHCP, the tablet will give an 'Authentication Error Occured' error (or similar, I don't recall the actual wording). Sometimes it indicates a connection, but just won't work. I've never had a problem connecting using the same info as my laptop (with the IP changed, of course), but again, no internet, no ping.
Thanks
What do you mean by "same info as my laptop"? What types of credentials are you referring to? Something you have to change on the laptop in order to get in? The more information regarding this you can provide (safely, mind you, mask/alter any sensitive info), the better we can assist you. If you have to do something like set a VLAN, then you're never going to get an Android device to work as we do not have the capability to use VLAN'd wireless like most PCs and Macs can with the proper configuration changes. If there's some browser catch-all page, then that should work, but your statement "with the IP changed" leads me to believe that you're messing with the adapter settings directly. I would be especially keen on helping you with more detailed networking issues like this should you provide me with the information requested. I look forward to your reply. (Yes, I like technical challenges like this, it's why I work VoIP support.)
IP address or no IP address
Coffeeist said:
Some more info:
I cannot ping the tablet from my laptop (I get no packet loss, but all return 'Destination Host Unreachable').
Same result if I try pinging my laptop or the router from my tablet using Terminal Emulator.
Sometimes, if set to DHCP, the tablet will give an 'Authentication Error Occured' error (or similar, I don't recall the actual wording). Sometimes it indicates a connection, but just won't work. I've never had a problem connecting using the same info as my laptop (with the IP changed, of course), but again, no internet, no ping.
Thanks
Since you know ping, did you check the IP address for each device?
Back to basics:
1) ping your device's gateway IP
2) if ok, then ping your device (tablet or laptop)
3) if ok, then ping bbc.co.uk (this will check your DNS); if that fails, ping your DNS's IP address.
If no IP on Android, then check if there is any protection on the device. It sounds like no IP has been allocated for you.
Depends on how good the school's IT dept. is. I have not seen many schools actually put in a filter to stop non-Windows devices.
I am not sure it has anything to do with VLAN yet. As a simple logon, the device does not care VLAN or no VLAN.
The basics for us are: 1) get an IP on the device, 2) know how to get out (gateway IP), 3) interpret where you go (DNS resolution), 4) know how to get to the internet (internet router, internet firewall, internet broadband, etc.).
If you have an authentication error, then it is sure you are not going to get an IP address. If this is WiFi then check the security (WEP, WAP...TKIP...)
Hello Coffeeist,
Please contact your school's IT department and find out what kind of encryption they use on their APs.
If they use TKIP, then that is what's causing the problem with Android devices.
Once TKIP is disabled on the AP you are connecting to, you will be able to reach the internet.
I say this because I had the same problem in the past (setting up Cisco APs), and can confirm that this is the cause of the problem.
TKIP shouldn't be used anyway. They should be using AES. TKIP is too weak.
I guess that last part answered another question that you might have had. (Why TKIP doesn't work with Android?) Android=Secure TKIP=WEAK.... Unacceptable for Android
Also, you mention something about not being able to ping your tablet from your laptop. If I understand this correctly, you have both your laptop and tablet connected to the same AP and you are trying to ping between the two. This won't work in most cases. Reason: "Port-Protection", which if enabled doesn't allow clients on the AP to communicate with each other.
Regards,
Ed
Let us know how it goes.
With the useful posts above, there is not much left for me to say but a simple piece of advice:
Make sure your friends aren't playing a prank on you, coz I tend to do it. I use arpspoof and aireplay-ng to cause such mayhem.
Sent from my A116 using Tapatalk 2
Airplay and Arpspoof wouldn't be possible if MFP is enabled on the AP. Also the OP is stating that it is with all android devices and not 1.
Sent from my HTC One XL using xda app-developers app
responses
First off, thanks for all of the posts, and I apologize for taking so long to respond.
Also, I did check port 5228 with my laptop, and it seemed to indeed be closed. Haven't been able to contact IT yet, but I will need to soon to solve an issue with another, unrelated issue.
Cynagen said:
What do you mean by "same info as my laptop"? What types of credentials are you referring to? Something you have to change on the laptop in order to get in? The more information regarding this you can provide (safely, mind you, mask/alter any sensitive info), the better we can assist you. If you have to do something like set a VLAN, then you're never going to get an Android device to work as we do not have the capability to use VLAN'd wireless like most PCs and Macs can with the proper configuration changes. If there's some browser catch-all page, then that should work, but your statement "with the IP changed" leads me to believe that you're messing with the adapter settings directly. I would be especially keen on helping you with more detailed networking issues like this should you provide me with the information requested. I look forward to your reply. (Yes, I like technical challenges like this, it's why I work VoIP support.)
Just IP/DHCP/DNS (and I've also tried public DNS such as Google). Nothing fancy set up on the laptop (everything should be on Windows default network settings, same with Android on both devices). There is also no catch-all page, assuming I'm interpreting that correctly (as a login page sort of thing, like I'd get at Starbucks or a Hotel).
Glad to provide the challenge... truth be told, underneath the annoyance of lacking connection, I love issues like this because of the fun tricks and such that solving them can teach.
tinbox134 said:
Since you know ping, did you check the IP address for each device?
Back to basics:
1) ping your device's gateway IP
2) if ok, then ping your device (tablet or laptop)
3) if ok, then ping bbc.co.uk (this will check your DNS); if that fails, ping your DNS's IP address.
If no IP on Android, then check if there is any protection on the device. It sounds like no IP has been allocated for you.
Depends on how good the school's IT dept. is. I have not seen many schools actually put in a filter to stop non-Windows devices.
I am not sure it has anything to do with VLAN yet. As a simple logon, the device does not care VLAN or no VLAN.
The basics for us are: 1) get an IP on the device, 2) know how to get out (gateway IP), 3) interpret where you go (DNS resolution), 4) know how to get to the internet (internet router, internet firewall, internet broadband, etc.).
If you have an authentication error, then it is sure you are not going to get an IP address. If this is WiFi then check the security (WEP, WAP...TKIP...)
1. If I recall, this either had full loss, or Destination Host Unreachable, when pinging the gateway IP from the tablet.
2. Have tried this nonetheless, and I think I made it through once or twice just after turning on the tablet, but after that would only get Dest. Host Unreachable.
3. Had tried with Google, fails across any DNS.
I seem to get an IP, although sometimes I get the authentication error in Android and it won't connect. Whenever I set a static IP, based off of my laptop's IP (not the same, of course), I get connected, just no internet.
nasvi said:
Hello Coffeeist,
Please contact your school's IT department and find out what kind of encryption they use on their APs.
If they use TKIP, then that is what's causing the problem with Android devices.
Once TKIP is disabled on the AP you are connecting to, you will be able to reach the internet.
I say this because I had the same problem in the past (setting up Cisco APs), and can confirm that this is the cause of the problem.
TKIP shouldn't be used anyway. They should be using AES. TKIP is too weak.
I guess that last part answered another question that you might have had. (Why TKIP doesn't work with Android?) Android=Secure TKIP=WEAK.... Unacceptable for Android
Also, you mention something about not being able to ping your tablet from your laptop. If I understand this correctly, you have both your laptop and tablet connected to the same AP and you are trying to ping between the two. This won't work in most cases. Reason: "Port-Protection", which if enabled doesn't allow clients on the AP to communicate with each other.
Regards,
Ed
Let us know how it goes.
Unless I am totally clueless about this stuff (er, more so than I thought I already was), it uses neither TKIP nor AES, being an open and unsecured network.
sak-venom1997 said:
With the useful posts above, there is not much left for me to say but a simple piece of advice:
Make sure your friends aren't playing a prank on you, coz I tend to do it. I use arpspoof and aireplay-ng to cause such mayhem.
Sent from my A116 using Tapatalk 2
Haha, I doubt it. None of my friends, especially the ones who I think would even try and do something like this, are tech-savvy enough for me to have any suspicion of that. Thanks though
Another piece of info (a pretty weird seeming one at that): Sometimes, I'll turn on my tablet in the middle of the day, and out of the blue there is an email notification there, for recent emails. Of course, if I go into browser, I can't get any pages. Can't think of any other networks that the device could/would connect to on campus, either.
Thanks!
Based on your responses, I have a follow up question and comment. The question is as follows: Did you have to register your computer with your IT when you started school in order to be permitted on the wireless network? If this was the case they're likely filtering based on MAC address (which you won't be able to spoof on your Android, but you may be able to spoof on your laptop), get them to re-register your laptop after you spoof the MAC address so you can get both devices on using the same MAC address (though not at the same time of course unless you're fine with stuff randomly not working). The comment is as follows: Yeah, finding the workarounds to get back limitations like this is definitely a fun challenge because when you win, you've definitely learned something new. Oh, and you were right about my question of the gateway authentication page like a hotel wifi login page.
MAC
Cynagen said:
Based on your responses, I have a follow up question and comment. The question is as follows: Did you have to register your computer with your IT when you started school in order to be permitted on the wireless network? If this was the case they're likely filtering based on MAC address (which you won't be able to spoof on your Android, but you may be able to spoof on your laptop), get them to re-register it after you spoof the MAC address so you can get both devices on using the same MAC address (though not at the same time of course). The comment is as follows: Yeah, finding the workarounds to get back limitations like this is definitely a fun challenge because when you win, you've definitely learned something new.
Nope, it was up and running just through connecting normally, and has been since (mostly) - no registration or anything like that. Now, the reason that I put 'mostly' in parentheses is that sometimes the computer will be connected, but also have no internet (I don't think this started until I, dare I admit, upgraded to Windows 8). However, this only happens sometimes, whereas the Android devices never get internet access.
However, on the topic of MAC addresses, one post (in fact, I think it was on XDA) I saw awhile back while Google searching this problem was that someone had a similar issue, found to be with their device's MAC address having the letters 'FA' instead of 'FB' or something like that. Being that my Note isn't rooted, I haven't tested it with that, but perhaps I should give that a try with my CM10 Rezound?
(This is the post: HERE)
Thanks!
That shouldn't be it unless they have corporate level routers that don't recognize the MAC address of any devices manufactured after 2009 (when most of these manufacturers got the MAC addresses assigned to them (this is VERY unlikely)). I would honestly work with IT on campus and advise that it appears not a single Android device is allowed on the network. If they're blocking Android for any reason, check the terms of service for using the WiFi and see if there's any provisions for banning an entire brand of device/OS for whatever reason. If there's only provisions for individual banning, then take it back to them and show them that your record has not been abusive in the least and go from there. Make a case, otherwise draw one up with legal counsel. *shrugs* I don't believe anyone should ever be punished for the type of device they chose to purchase, that's first amendment choice, but it really comes down to their terms of service which you agree to by using the wifi.
I'll give it a shot, thanks.
Sorry to bump the thread, but seeing as it's my own I figured it would be alright...
I got around to asking the school IT about the issue, and they said that they deliberately block mobile traffic, which they went on to find out does include Android tablets (I understand phones, but I can't even begin to understand why they target Android tablets... unfortunately, that's not my call). I Google searched a bit, and found that networking devices from a company called Aruba can be set to block traffic from specific types of devices (supposedly Cisco and a few other companies can do similar things too), by checking something with the HTML version, or something like that (I'm by no means a networking expert hehe).
So, I guess I'll make my last effort with this thing, and ask if anyone knows of some legal, non-hacky way of getting by this?
I'm guessing not, but worth asking.
Thanks
Before discussing any workarounds, you may need to review the Terms of Service for your wifi on the school premises first, review the consequences for bypassing their security measures, and figure if it's worth the risk to you... At this time, it'll be kind of "hacky" to get around such a block. In order to provide you with a valid workaround though we'll need a little bit of information regarding what's going on when you connect.
First, when you connect to the WiFi with your Android device, do you even receive an IP address? If you don't then we'll stop here, the only way to get around the types of blocks they're employing at this level would require hardware hacking/firmware reprogramming to change the identity of the device itself, which is flat out illegal in just about anywhere I can think of. Here's your checklist, fill out where applicable: (Even if you set static information to accomplish this, that will be a valid Y.)
Get an IP? (If Y, proceed)
Is it a valid IP address on the same network as your PC? (Either way, don't care)
Can you ping the gateway you got from DHCP on Android? (If Y, proceed)
Can you ping the DNS server(s) you got from DHCP on Android? (If Y, proceed)
Can you ping an external server such as Google DNS (8.8.8.8) on Android? (If Y, then we're done here)
It's kind of a bit of a process unfortunately, however, if you pass every single one of these tests with the Android device, there's good news. They're only filtering traffic based on the User-Agent identification of all your applications (and based on the MAC address of your device, denying your DHCP requests), you should be able to bypass this with a VPN tunnel back to your home from your Android (after setting your static IP) in order to encrypt and keep this information from leaking to their systems. However, this will likely set off alarms if they monitor their network heavily. If the school IT asks, then you're "working on projects in-between classes on your computer at home and your family has a home office with VPN already, so you used that to connect back to the house". Either way, they can't say much about it besides cut you off... again. Anywhos, I wouldn't recommend trying to bypass without doing all this research first, and then also evaluating the possible consequences, however the rewards are within themselves. You'll be the only person at school with a working mobile device, (besides those iSuckers). Technically, encrypting your traffic is completely legal (and they can't say anything legally about it), however, setting a static IP address in the same range as your computer at school may be against their TOS which you abide by being on campus. Let us know how everything goes.
Cynagen said:
Get an IP? (If Y, proceed)
Is it a valid IP address on the same network as your PC? (Either way, don't care)
Can you ping the gateway you got from DHCP on Android? (If Y, proceed)
Can you ping the DNS server(s) you got from DHCP on Android? (If Y, proceed)
Can you ping an external server such as Google DNS (8.8.8.8) on Android? (If Y, then we're done here)
With Static I set an IP and all other info (Gateway, DNS, etc, except for Network Prefix Length... no clue what that is, left it at 24 default), and could not ping gateway
Dynamic/DHCP I will have to check tomorrow, after downloading stuff for the tablet to get that info (I think I need root to use IfConfig with Terminal Emulator, correct?).
Whatever they use to block me out, it seems to have a slight hole built in... every day, multiple times a day, I will look down at my tablet and see notifications (mainly email, occasionally Facebook, etc) that pushed through on the schools network (I know that for sure, being that often times the emails are messages received during the day, in a time period where the tablet has been nowhere near any other networks). Maybe this hole can be breached?
Thanks!
It seems like small gaps where the system doesn't block you long enough to receive some traffic, but that is promising. BTW, you can get your "network prefix" (netmask as we call it) from your computer. If you go into the command prompt on windows and run "ipconfig /all" you'll get 4 useful bits of info we need, IP address (so you can mimic it), the gateway, the subnet mask (usually 255.255.something.something) and the DNS servers. The subnet mask determines what you use, and I HIGHLY doubt they use 24 (that's mainly for home networks, 24 = 254 devices permitted on the DHCP, 16 = 65534 devices (this is WAY more likely)).
Well, I just had a clean connection for about 5 minutes, and had a normal-looking IP based on my PC. Using Terminal Emulator I pinged the gateway after my connection failed, still with no response. I still appeared to have a proper IP on my tablet, but no actual internet connection.
So, perhaps these small windows are something to pursue? Or perhaps sticking with the VPN plan is best?
Thanks!
You need to make sure your networking information is entered correctly, you still haven't said anything about the netmask in this situation. However, if you're entering this information in correctly then you should have a solid connection until they realize you've forced a device into the network. The only thing you can do beyond that point is during that window, open a VPN connection without using a single browser request so they don't know what the device is unless they check the MAC address. Either way, this is a window that can be used, you just need to avoid identifying your device in any way prior to initiating the VPN connection. Turn off Sync when you connect.
Over the past couple of weeks since I got a GTX 760 for my main rig, I've been playing with getting Shield streaming to work through a NAT. With a combination of an Android app and Windows app, I've been able to get the Shield to stream through a NAT device.
This is alpha software, so it may not work for you. I'll be continuing development on it to make it more robust based on bug reports filed here and on the GitHub projects
This method is potentially more complex than running a VPN, but it is lower overhead and works in environments where VPNs cannot.
For those who don't care about the technical details, skip the next section.
Relay Technical Details
The Shield uses MDNS to discover compatible streaming PCs. It issues a query for _nvstream._tcp.local to which streaming PCs reply with PTR, A, AAAA, and TXT records. MDNS isn't routable outside of the local network (and sometimes blocked within the network too), so naturally PCs outside the Shield's local network won't be available as streaming targets.
To solve the MDNS problem, I wrote MDNS relays for Android and Windows that operate on UDP port 5354. The Android relay sends MDNS queries to the Windows relay where the Windows relay replays them locally and sends the reply back to the Shield. The Android relay then takes the reply and parses it to look at the A record. It replaces the IP address specified in the A record with the IP address it received the MDNS reply from so it can properly connect to PCs behind a NAT. With the MDNS relay code in place, the Shield could see the PC and even start games.
There was still a problem getting the video stream back. It turns out that the way that UDP port 47998 is used on the Shield streaming software running on the PC prevents it from traversing NATs when going back to the Shield because it assumes that the source is always 47998. This is IMHO a bug because all other ports deal with NAT traversal properly, but needless to say I still had to deal with this.
The only option I had for fixing the port 47998 issue was to capture the packets as they go onto the wire in the Windows relay. I used WinPcap to capture the UDP packets leaving the machine. I then filter based on whether the packet was addressed to us. If it's a packet from the Shield to us on port 47998, then I save the source port of that packet. When I see a packet going out from us to port 47998, I extract the data from that packet and send it again on my own socket also bound to port 47998 (so the source port is correct) with the destination specified in the packet and the port that we saved from the Shield's last communication. With this code, the Shield can connect to a PC from behind a NAT.
Instructions
1. Download and install the Shield Proxy APK on the Shield from https://github.com/cgutman/ShieldProxyAndroid/releases
2. Install WinPcap on your streaming PC from http://www.winpcap.org/install/
2.1 Only required for v0.1-- Install the Visual C++ 2013 runtime library for x86 (use x86 even on x64 systems) from http://www.microsoft.com/en-us/download/details.aspx?id=39315
3. Ensure your router is configured properly as described in the next section.
4. Download and run the Shield Proxy Windows program on your streaming PC from https://github.com/cgutman/ShieldProxyWindows/releases
5. On the Android app, fill in the externally accessible IP address or DNS name for your router. You can get your external IP address from http://www.whatsmyip.org/ on your streaming PC.
6. Tap the start button to start the Android relay service
7. Stream like normal from the TegraZone app
NAT/Router configuration for Shield streaming
The following ports need to be forwarded to the streaming PC:
UDP 47998, 47999, 48000, 5354 (MDNS relay port)
TCP 35043, 47989, 47991, 47995, 47996
Troubleshooting
Make sure ShieldProxy.exe is allowed through Windows Firewall for Private and Public networks.
Make sure ShieldProxy.exe and the Android Shield Proxy service are running
Make sure the external IP address of your streaming PC is correct in the Android app (use http://www.whatsmyip.org/ from your streaming PC)
If TegraZone doesn't show your PC as online and you see "We haven't received any DNS responses. Is the Windows Shield Proxy running on your PC?", ensure the router is properly forwarding the specified ports to your PC. Note that TCP vs UDP matters when setting the router forwarding configuration.
Issues
If anyone encounters problems, please report them here or on the GitHub issues page. I'll try my best to get them fixed.
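The A-record rewrite described under Relay Technical Details, as an added Python example that is not the Shield Proxy project's code: it walks a DNS message (compressed names included), bounds-checks every field because the reply arrives from the Internet, and overwrites each A record with the address the reply came from. The sample reply, the host name `gamingpc` and the address 203.0.113.7 are constructed for illustration.

```python
import ipaddress
import struct

TYPE_A = 1
TYPE_PTR = 12


def _skip_name(msg, off):
    """Return the offset just past the DNS name that starts at off."""
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length == 0:                  # root label terminates the name
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer: 2 bytes, ends the name
            if off + 2 > len(msg):
                raise ValueError("truncated compression pointer")
            return off + 2
        if length & 0xC0:
            raise ValueError("reserved label type")
        off += 1 + length


def iter_records(msg):
    """Yield (type, rdata_offset, rdata_length) for every resource record."""
    if len(msg) < 12:
        raise ValueError("truncated header")
    _id, _flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):                  # questions: name + type + class
        off = _skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated record header")
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if off + rdlen > len(msg):
            raise ValueError("truncated rdata")
        yield rtype, off, rdlen
        off += rdlen


def a_records(msg):
    """List the IPv4 addresses carried in the message's A records."""
    return [str(ipaddress.IPv4Address(msg[o:o + 4]))
            for t, o, n in iter_records(msg) if t == TYPE_A and n == 4]


def rewrite_a_records(msg, sender_ip):
    """Replace every A record address with the address the reply came from.

    The rdata length stays 4 bytes, so no offsets shift and compression
    pointers elsewhere in the message remain valid.
    """
    new = ipaddress.IPv4Address(sender_ip).packed
    out = bytearray(msg)
    for rtype, off, rdlen in iter_records(msg):
        if rtype == TYPE_A and rdlen == 4:
            out[off:off + 4] = new
    return bytes(out)


def _name(dotted):
    return b"".join(bytes([len(p)]) + p.encode("ascii")
                    for p in dotted.split(".")) + b"\x00"


def build_sample_reply():
    """Constructed mDNS reply: PTR for _nvstream._tcp.local plus an A record."""
    header = struct.pack("!6H", 0, 0x8400, 0, 2, 0, 0)
    ptr_rdata = b"\x08gamingpc\xc0\x0c"   # pointer back to the name at offset 12
    ptr = (_name("_nvstream._tcp.local")
           + struct.pack("!HHIH", TYPE_PTR, 1, 4500, len(ptr_rdata)) + ptr_rdata)
    a = (_name("gamingpc.local")
         + struct.pack("!HHIH", TYPE_A, 0x8001, 120, 4)
         + ipaddress.IPv4Address("192.168.1.13").packed)
    return header + ptr + a


if __name__ == "__main__":
    reply = build_sample_reply()
    print("before:", a_records(reply))
    print("after: ", a_records(rewrite_a_records(reply, "203.0.113.7")))
```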
After getting all the initial setup done, it's seemingly run great so far, considering the circumstances. Haven't had any errors besides some DNS thing I didn't get to read fully when it booted up Steam, but it did not have any impact on playability.
DLL error
I keep getting an error that MSVCR120.dll is missing. I checked the windows\system32 folder and it wasn't there, so installed the Visual C++ redistributable package for Visual Studio 2012 and 2013 Preview. This added the DLL to the system32 folder, but still getting the same error after a reboot. Tried copying the DLL to the directory for Shield Proxy and it then gives me an error "The application was unable to start correctly (0xc000007b). Click ok to close the application."
Any ideas?
Thanks and thanks for putting this together!
Cheers!
daethang said:
I keep getting an error that MSVCR120.dll is missing. I checked the windows\system32 folder and it wasn't there, so installed the Visual C++ redistributable package for Visual Studio 2012 and 2013 Preview. This added the DLL to the system32 folder, but still getting the same error after a reboot. Tried copying the DLL to the directory for Shield Proxy and it then gives me an error "The application was unable to start correctly (0xc000007b). Click ok to close the application."
Any ideas?
Thanks and thanks for putting this together!
Cheers!
I can't remember whether the 64-bit Visual C++ redistributable includes both 32-bit and 64-bit runtime dlls. The relay is built as a 32-bit program so it needs the 32-bit runtime even on a 64-bit machine.
For the next version, I'll build it with the runtime linked into the executable so people won't have to hunt down the runtime.
cgutman said:
I can't remember whether the 64-bit Visual C++ redistributable includes both 32-bit and 64-bit runtime dlls. The relay is built as a 32-bit program so it needs the 32-bit runtime even on a 64-bit machine.
For the next version, I'll build it with the runtime linked into the executable so people won't have to hunt down the runtime.
Thanks - installed the 2013 32bit preview and it worked like a charm after. Will start testing the remote streaming now. Thanks for the quick pointer. Appreciate it!
Cheers
daethang said:
Thanks - installed the 2013 32bit preview and it worked like a charm after. Will start testing the remote streaming now. Thanks for the quick pointer. Appreciate it!
Cheers
Cool, I updated the instructions to mention that the Visual C++ 2013 x86 runtime is required.
Oh, nice.
Since VPN method didn't work on my rig, I tried this one... and works great!
thanks a lot.
Seems to be working here as well, although similar to VPN, streaming outside of my WIFI connection doesn't seem to work. The game will start and every once in a while I will see video start (more often though just a blank screen followed by a timeout). My home connection has 55 down and ~12 up, so I think the connection on that end is good. I have tried from multiple remote locations, but none of them have worked so far. Will do some speed tests on the remote connections to see if they are the cause. Splashtop seems to stream fine when on remote connection, so I don't think it's a connection issue. One thing that works better on this solution is the PC actually shows as available, for some reason it does not when on VPN.
daethang said:
Seems to be working here as well, although similar to VPN, streaming outside of my WIFI connection doesn't seem to work. The game will start and every once in a while I will see video start (more often though just a blank screen followed by a timeout). My home connection has 55 down and ~12 up, so I think the connection on that end is good. I have tried from multiple remote locations, but none of them have worked so far. Will do some speed tests on the remote connections to see if they are the cause. Splashtop seems to stream fine when on remote connection, so I don't think it's a connection issue. One thing that works better on this solution is the PC actually shows as available, for some reason it does not when on VPN.
From what it sounds like, the MDNS relay is working fine and the router is definitely configured correctly because you get video sometimes. I assume you also see the message in the ShieldProxy.exe console: "Shield is now communicating with us on port XXXXX".
If I had to speculate, I'd say it's related to high packet loss. Shield streaming (both on the network and through my proxy) uses UDP for the video stream and a PPTP VPN uses GRE packets, which are both lossy protocols, while Splashtop uses TCP, which retransmits lost packets. It may be that the ISP is doing some QoS stuff that's causing non-TCP packets to be dropped at a higher rate, but this is complete speculation.
The Shield pings the streaming PC and the streaming PC sends back video data, but if the pings aren't reaching the streaming PC or the video isn't reaching the Shield, you get the dreaded "Streaming failed due to network interference ... etc" message.
The upside is that we can better troubleshoot the issue based on the output from the Windows Shield proxy. If you could paste that here, I could take a look (remove the last 2 octets of the IP addresses, so 192.168.1.1 becomes 192.168.X.X). Also if you would post what ISP you're using and where you were trying to connect from (whichever ones you feel comfortable mentioning).
I can't seem to get any of those ports open except 47989, even when I change my setup to be directly connected to my SB6141 modem. Port 5354 always appears closed and can't be accessed so I never can see my computer when I try connecting with the shield proxy app posted above.
Any way to change the port to something other than 5354, or any idea why the port always appears closed even when connected from computer to modem?
Thanks
Edit: It seems only ports that are being listened to on netstat -an will appear as open to a port checker. Shouldn't there be something on that list listening for 5354 in order for Shield proxy to connect to that port?
HobsonA said:
I can't seem to get any of those ports open except 47989, even when I change my setup to be directly connected to my SB6141 modem. Port 5354 always appears closed and can't be accessed so I never can see my computer when I try connecting with the shield proxy app posted above.
Any way to change the port to something other than 5354, or any idea why the port always appears closed even when connected from computer to modem?
Thanks
Ports will appear closed even if the router is properly forwarding them to your PC, but the PC is blocking them. Check your Windows Firewall settings and make sure ShieldProxy.exe is allowed through for both public and private networks. I also found out the hard way that it won't always prompt you to allow for public networks if it's already allowed for private and vice versa.
I think it's normal for those other Shield Streaming ports to be closed until streaming actually starts, but 5354 should appear open while ShieldProxy.exe is running.
It is possible for me to (and I plan to) add some code to make the MDNS relay port configurable but I don't think that would solve your issue here.
EDIT: Also make sure you're testing 5354 (and other UDP ports) as UDP, not TCP. TCP 5354 is not the same as UDP 5354. In fact, you can host different services on the same ports on TCP and UDP at the same time.
cgutman said:
Ports will appear closed even if the router is properly forwarding them to your PC, but the PC is blocking them. Check your Windows Firewall settings and make sure ShieldProxy.exe is allowed through for both public and private networks. I also found out the hard way that it won't always prompt you to allow for public networks if it's already allowed for private and vice versa.
I think it's normal for those other Shield Streaming ports to be closed until streaming actually starts, but 5354 should appear open while ShieldProxy.exe is running.
It is possible for me to (and I plan to) add some code to make the MDNS relay port configurable but I don't think that would solve your issue here.
EDIT: Also make sure you're testing 5354 (and other UDP ports) as UDP, not TCP. TCP 5354 is not the same as UDP 5354. In fact, you can host different services on the same ports on TCP and UDP at the same time.
Ah, good call-out of my lack of attention to detail. I forgot to run Shieldproxy.exe again after removing my router from the loop and rebooting everything. It appears to be working now. Unfortunately my Linksys E2000 with DD-WRT has been having major issues port forwarding, but at least I know it's my router now and I can keep playing with it to get it working like I had to do with VPN.
Thanks!
v0.2 released
I've posted updated releases for Android and Windows on the GitHub projects. None of the changes in either version break compatibility with v0.1 so you can update them at separate times.
Android v0.2 Changelog:
- Fix several bugs preventing the "MDNS relay not running" warning from showing up consistently
- Tighten the check that determines whether the MDNS query will be forwarded
Windows v0.2 Changelog:
- Statically link to the VC++ runtime so installing the runtime isn't required anymore
- Tighten the check that determines whether the MDNS query will be forwarded
cgutman said:
From what it sounds like, the MDNS relay is working fine and the router is definitely configured correctly because you get video sometimes. I assume you also see the message in the ShieldProxy.exe console: "Shield is now communicating with us on port XXXXX".
If I had to speculate, I'd say it's related to high packet loss. Shield streaming (both on the network and through my proxy) uses UDP for the video stream and a PPTP VPN uses GRE packets, which are both lossy protocols, while Splashtop uses TCP, which retransmits lost packets. It may be that the ISP is doing some QoS stuff that's causing non-TCP packets to be dropped at a higher rate, but this is complete speculation.
The Shield pings the streaming PC and the streaming PC sends back video data, but if the pings aren't reaching the streaming PC or the video isn't reaching the Shield, you get the dreaded "Streaming failed due to network interference ... etc" message.
The upside is that we can better troubleshoot the issue based on the output from the Windows Shield proxy. If you could paste that here, I could take a look (remove the last 2 octets of the IP addresses, so 192.168.1.1 becomes 192.168.X.X). Also if you would post what ISP you're using and where you were trying to connect from (whichever ones you feel comfortable mentioning).
I think you are right in regards to packet loss. I have Comcast at home, and have tried various providers (ATT LTE, ATT WIFI so far with this solution and VPN over some other WIFI networks). I will be testing it again in the next couple of days and will report back with the additional details requested. I have the ASUS NT-R66U router as well. Thanks for the reply and offer of assistance, really appreciated.
Cheers!
Finally had some time to play with this more than some quick tests. This seems to run so much smoother than my old VPN configuration.
I don't know if anyone else has experienced this, but even though it's running almost perfectly smooth, sometimes the connection just completely drops. VPN would have big lag spikes but would rarely drop me.
Edit: Hm, not sure if this is normal, but there seems to be a larger audio latency (> 200-300 ms) which wasn't as bad with VPN. If I go to a friend's house instead of playing around at work, I'll try hard wiring my Shield to ethernet to see if that improves anything.
HobsonA said:
Finally had some time to play with this more than some quick tests. This seems to run so much smoother than my old VPN configuration.
I don't know if anyone else has experienced this, but even though it's running almost perfectly smooth, sometimes the connection just completely drops. VPN would have big lag spikes but would rarely drop me.
Edit: Hm, not sure if this is normal, but there seems to be a larger audio latency (> 200-300 ms) which wasn't as bad with VPN. If I go to a friend's house instead of playing around at work, I'll try hard wiring my Shield to ethernet to see if that improves anything.
Glad to hear that it's smoother than VPN for you.
The Shield Relay is just the same Shield streaming traffic just sent over the Internet rather than your home network. This comes with benefits (speed) and drawbacks (lower reliability). Both of the oddities that you mention are probably related to packet loss, latency spikes, and routing changes that are more prevalent on the Internet than the average home network.
I suspect that the reason the stream drops during big lag spikes is because the lag spikes are due to packet loss or high latency. If the Shield's pings to the streaming PC get lost or arrive very late, the PC will timeout the stream, stop sending video, and the stream will drop.
The audio latency is probably due to variances in the latency and routing of the Internet. It's possible that the video packets and the audio packets take different paths through the Internet, so they can reach the Shield at different times. Normally the latency is close on a home network because there's only one route from your computer to your Shield, but the Internet can have tens or hundreds of routes to get your packets from point A to point B (sometimes even the route from A -> B is different than B -> A).
Nvidia could timestamp the audio and video packets so they can be played back at the same time, but that would force the Shield to delay displaying the video while it waits for the audio packets to come (and vice versa). Since this is a gaming feature, they probably don't want to introduce more latency.
OK, how do I know if everything is OK?
OK, how do I know if everything is OK?
I did everything like it is written here and I don't get any error, just "stop" after I click run on the Shield.
So is everything working right?
Yosizach said:
OK, how do I know if everything is OK?
I did everything like it is written here and I don't get any error, just "stop" after I click run on the Shield.
So is everything working right?
Do you see both lines like "Shield is now communicating with us on port XXXXX" and "Relaying MDNS traffic to XXX.XXX.XXX.XXX" on the Shield Proxy running on Windows?
cgutman said:
Do you see both lines like "Shield is now communicating with us on port XXXXX" and "Relaying MDNS traffic to XXX.XXX.XXX.XXX" on the Shield Proxy running on Windows?
dmm... no, I don't see it... this is what I get when I run the
ShieldProxy.exe
all I get is "shield streaming proxy for windows v0.2"
joined MDNS multicast group with interface 192.168.1.13 (my pc)
listening on Microsoft for shield traffic
relay is up and running..."
What am I doing wrong? I opened all the ports. I have an RT-AC66U, so..
Yosizach said:
dmm... no, I don't see it... this is what I get when I run the
ShieldProxy.exe
all I get is "shield streaming proxy for windows v0.2"
joined MDNS multicast group with interface 192.168.1.13 (my pc)
listening on Microsoft for shield traffic
relay is up and running..."
What am I doing wrong? I opened all the ports. I have an RT-AC66U, so..
Does your PC show up as available in the TegraZone app with Shield Relay running on Windows and Android? The start button on the Android relay doesn't do anything other than just start the relay service in the background. You still need to use the TegraZone app to access streaming. If you see an error message saying "We haven't received any DNS responses. Is the Windows Shield Proxy running on your PC?" then check that ShieldProxy.exe is allowed through Windows Firewall on public and private networks.
I have a server that I run that uses roughly 150w. I'd like to be able to get one of my Android TV boxes to send a magic packet to boot the server based on a port access. I can send the specific port to 2 different IPs in my router. Based on that specific port activity I'd like for it to send a magic packet to boot the server, I have WOL enabled by the server and have tested sending a magic packet to boot the server that works fine.
I'd just like some lower power device to do this for me. I'm using an Asus AXE11000 router. It can also send a magic packet but it's a manual process and there doesn't seem to be a way to create a trigger to cause the WOL.
I have firestick/nvidia shield/and chromecast devices that could be potentially used for this.
Please clarify your question.
You want to send a wol packet from (what kind of device, which os)
And you would like to do that internally on your lan? Internally across subnets?
Externally from internet to internal device?
So let's assume this is a web server that responds on port 80 to make the discussion easy. (It's not a web server.)
Let's say web server is at 192.168.1.4
low power TV client is at 192.168.1.5
I have a bunch of android TV devices that are always on and low power. I am hoping one could be loaded with a script to do this. So the OS is Android; whichever one is the most convenient to do this on I would use.
The flow would be:
1. Someone external from the LAN would try to make an access to port 80. So WAN access from port 80
port 80 would get forwarded to both 192.168.1.4 and 192.168.1.5 via the router
2. 192.168.1.4 is powered down so won't respond. 192.168.1.5 will be listening to port 80
It will see a port 80 access and then will issue a magic packet for WOL to 192.168.1.4 to wake up
3. 192.168.1.4 powers on and responds to future request to port 80.
So I am trying to use a low powered always on device to automatically wake up the higher powered, powered down device. The server is running Ubuntu 22.10
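Step 2 of the flow above, as an added Python example that is not from the thread: an always-on LAN device accepts a TCP connection on the forwarded port and broadcasts a magic packet, with a cooldown so repeated connection attempts do not resend while the server is still booting. It assumes the router delivers the connection to this device and that Python runs on it; the MAC, the /24 broadcast address and port 8080 are placeholders.

```python
import re
import socket
import time


def magic_packet(mac):
    """6 bytes of 0xFF followed by the target MAC repeated 16 times (102 bytes)."""
    digits = re.sub(r"[:.\-]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return b"\xff" * 6 + bytes.fromhex(digits) * 16


def send_broadcast(packet, broadcast_ip, port=9):
    """Send the packet as a UDP broadcast on the local subnet (no root needed)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.sendto(packet, (broadcast_ip, port))


class WakeTrigger:
    """Sends one magic packet per cooldown window, however many connections arrive."""

    def __init__(self, mac, broadcast_ip, cooldown=120.0,
                 send=send_broadcast, clock=time.monotonic):
        self.packet = magic_packet(mac)
        self.broadcast_ip = broadcast_ip
        self.cooldown = cooldown
        self.send = send
        self.clock = clock
        self._last = None

    def on_connection(self):
        """Return True if a magic packet was sent for this connection."""
        now = self.clock()
        if self._last is not None and now - self._last < self.cooldown:
            return False          # server is presumably still booting
        self._last = now
        self.send(self.packet, self.broadcast_ip)
        return True


def serve(trigger, listen_port):
    """Accept connections on listen_port and fire the trigger for each one."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("", listen_port))
        srv.listen(5)
        while True:
            conn, peer = srv.accept()
            conn.close()          # this device never serves the request itself
            if trigger.on_connection():
                print(f"connection from {peer[0]}: magic packet sent")


if __name__ == "__main__":
    # Placeholder values: replace with the server's MAC and the LAN broadcast
    # address. Ports below 1024 (such as 80) need root, so 8080 is used here.
    serve(WakeTrigger("00:11:22:33:44:55", "192.168.1.255"), 8080)
```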
again, why are you trying to do this from external lan (I assume the internet)
need to clarify that situation, as everything gets a lot more complicated
with wol if done from outside the subnet/network
1. (not the same as wake on lan)
On server you need to check if it has wake by ethernet capability in bios (some devices have that)
It is like wake up by mouse or keyboard except by ethernet (unlike sending a wol packet to a mac address)
but more like any network activity directed at the device (this will be the simplest if server can do that)
2.
sending wol usually requires root (etherwake)
Etherwake | F-Droid - Free and Open Source Android App Repository
Wake computers on the same network
f-droid.org
sometimes you can use non root (wakeonlan) but does not work in all cases
3.
if doing this across subnets or from outside (things are harder)
wol packets are not standard tcp connections but layer 2 broadcast based frame with mac address.
they will not be routed by the router , even with port forwarding.
simplest solution to that would be sending an 'etherwake 12:12:23:aa:bb:cc'
over ssh ( ssh [email protected] 'etherwake 12:12:23:aa:bb:cc' )
harder solutions would involve custom configs in the router/firewall
fwknop(single packet authorization)
is a port knocking tool that can be configured to execute
external commands , besides opening/forwarding ports in
linux firewall, nothing to hack if everything is closed.
4.
can be done with having another old low power router
running openwrt/ddwrt/advanced-tomato firmwares
i keep old routers for such purposes wrt54g(s) e1500 etc...
5.
Get a newer server , i have some that idle at 10-15w
intel i5 based , ramp up when needed.
or mini desktop pc, (lenovo m92p tiny) can be had for $50-60 on ebay
and pack a punch for such a small machine (only one ssd drive though)
but many usb ports
dandudikof said:
again, why are you trying to do this from external lan (I assume the internet)
need to clarify that situation, as everything gets a lot more complicated
with wol if done from outside the subnet/network
1. (not the same as wake on lan)
On server you need to check if it has wake by ethernet capability in bios (some devices have that)
It is like wake up by mouse or keyboard except by ethernet (unlike sending a wol packet to a mac address)
but more like any network activity directed at the device (this will be the simplest if server can do that)
2.
sending wol usually requires root (etherwake)
Etherwake | F-Droid - Free and Open Source Android App Repository
Wake computers on the same network
f-droid.org
sometimes you can use non root (wakeonlan) but does not work in all cases
3.
if doing this across subnets or from outside (things are harder)
wol packets are not standard tcp connections but layer 2 broadcast based frame with mac address.
they will not be routed by the router , even with port forwarding.
simplest solution to that would be sending an 'etherwake 12:12:23:aa:bb:cc'
over ssh ( ssh [email protected] 'etherwake 12:12:23:aa:bb:cc' )
harder solutions would involve custom configs in the router/firewall
fwknop(single packet authorization)
is a port knocking tool that can be configured to execute
external commands , besides opening/forwarding ports in
linux firewall, nothing to hack if everything is closed.
4.
can be done with having another old low power router
running openwrt/ddwrt/advanced-tomato firmwares
i keep old routers for such purposes wrt54g(s) e1500 etc...
5.
Get a newer server , i have some that idle at 10-15w
intel i5 based , ramp up when needed.
or mini desktop pc, (lenovo m92p tiny) can be had for $50-60 on ebay
and pack a punch for such a small machine (only one ssd drive though)
but many usb ports
1. My device supports pumbg
wol p|u|m|b|a|g|s|d...
Set Wake-on-LAN options. Not all devices support this. The
argument to this option is a string of characters specifying
which options to enable.
p Wake on phy activity
u Wake on unicast messages
m Wake on multicast messages
b Wake on broadcast messages
a Wake on ARP
g Wake on MagicPacket(tm)
s Enable SecureOn(tm) password for MagicPacket(tm)
d Disable (wake on nothing). This option clears all previous
options.
I tried setting up wake on lan unicast messages and I thought it worked at first but it's not. The machine starts up just like wake on phy activity. Not sure who is sending unicast messages to wake but it's waking up almost immediately after being shut down.
I'm not trying to send the magic packet from the WAN. The request for service lets say port 80 comes from the WAN. I want a local internal device to trigger on the port 80 access from the WAN and have a local device send the WOL on the LAN.
3. I tried to figure out a way to get my asus router to trigger on the port access and send the WOL but it doesn't seem possible.
4. I have an older Asus 66u I could potentially load tomato
5. This is new........it's a 13900. Problem is Ubuntu is not correctly supporting C-states and causes the machine to crash after being idle. So I have to shut C-states off to prevent the thing from crashing. I suspect the intel_idle driver needs to be updated for 13th gen. With C-states enabled it idles around 30w and that's with 3 20TB drives spinning. But it won't go a full day without crashing unless C-states are disabled.
0.
Again you did not answer the most important question !
Why does this need to happen from the internet or other subnet,
please explain, as that would determine the correct course of action.
1.
regular wol usually uses g-type as it is most specific and would not be misunderstood
for anything else.
2.
what does the current router run? (stock firmwares, basically useless in custom scenarios like this)
but can be configured to port forward something to another device to listen to and react.
2.5
have the first router device port forward say 4422 port to 22 on the secondary
router (which is not really a router anymore), and configure secondary router with passwordless ssh login.
that way you can just execute a single command through ssh without
any interaction. just a script that calls ( ssh [email protected] 'etherwake 11:22:33:aa:bb:cc')
3
manual port knock
would involve configuring iptables/nftables to log a certain packet.
having some script watching the log for a certain key phrase to trigger an action
4
i highly recommend openwrt firmware if possible with fwknop as the most secure approach
to trigger a command to (very secure, but highly technical config)
but can also set up custom firewall rules for forwarding only from the device that requested
it in the first place (so firewall remains closed to everyone else)
5
Wake-On-Lan - Behind Two Routers
So here is my current network setup: There is a central 'Cisco' router for the apartment. I connect wirelessly using an old router of mine (WRT54Gv2) with DD-WRT installed as a client to the central
superuser.com
0. I don't think you are getting it even though I have stated it multiple times. The WOL is NOT coming from the internet, zip, nada, do not pass go. Do not know how else to make that any clearer. The WOL will only be issued from the local network by a device that lives inside the local network.
A port access to a service that would be running on the server would come from internet. Obviously if the server is shut off that access would fail. However if a local device sees that same access it also does not respond to that request but it would issue a WOL to the server that would then handle additional requests.
I don't think anyone has custom firmware for the Asus AXE11000 yet so it has stock firmware.
i understand that you want to send the wol from a local device .
a secondary device could not possibly get the same request forwarded
to it on the same port as that port is already being forwarded to the primary server device
(at least with ipv4 )(without involving extra rule based port forwarding)
again, easiest would be to get an ssh connection to a device on the inside
or router itself, and issue a wol through ssh.
otherwise you are looking at custom solutions