Technical Requirements for the Connector
Version 1.1 as of March 6th 2025
The roclub Connector requires specific firewall rules to establish an active network connection with roclub's service infrastructure. All network traffic is routed through private VPN connections to roclub.
For reasons of patient safety and the solution's security, only USB devices provided by roclub may be used with the Connector. Please see the schematic overview below for how to plug in the supplied USB devices correctly:
Network Requirements
Setup
- To ensure maximum security, we recommend operating the roclub connectors in a separate subnet that is fully isolated from the internal hospital network.
- We recommend using DHCP address reservation to assign a static IP address to the connector. The MAC address of the roclub Connector is displayed on the device screen.
- DHCP must be enabled for the initial connection; if needed, a static IP address and proxy can be configured later through the connector settings in the roclub app after installation.
- Both IPv4 and IPv6 can be used as the internet protocol versions. While IPv6 can be disabled, we recommend using dual-mode.
Bandwidth
- Minimum 10 MBit/s download
- Minimum 10 MBit/s upload
NAT Configuration
Network Address Translation (NAT) can become particularly complex in scenarios involving symmetric NAT, where the translation of IP addresses and ports depends on both the source and the destination. This behavior often complicates peer-to-peer communication and other network-dependent applications. For a more detailed explanation and guidance on configuring NAT in such environments, please refer to the NAT Configuration section below.
Introduction
The roclub Connector heavily depends on NAT traversal, both for video conferencing and for connecting to the roclub Controlplane platform.
The details of NAT types are complex. For background on the requirements of the roclub Connector, it is recommended to read RFC 4787.
The functionality and performance of the roclub Connector can be limited by the customer network; NAT configuration and restrictions are a major contributing factor. IETF research divides NAT mapping behavior into two types: the easy variant “Endpoint-Independent Mapping” (EIM) and the hard variant “Endpoint-Dependent Mapping” (EDM).
Endpoint-independent and endpoint-dependent Mapping
NAT Endpoint-Independent Mapping is a NAT configuration in which the same internal private IP address and port is consistently mapped to the same external public IP address and port, regardless of the destination IP address or port of the outgoing packets.
NAT Endpoint-Dependent Mapping is a NAT configuration in which the mapping of an internal private IP address and port to an external public IP address and port depends on the specific destination IP address and port. As a consequence, different external mappings may be created for different destinations.
Taking into account firewall configurations and NAT mapping types, the following NAT Cone types result:
| Firewall | Endpoint-Independent NAT mapping | Endpoint-Dependent NAT mapping (all types) |
|---|---|---|
| Endpoint-Independent | Full Cone NAT | N/A* |
| Endpoint-Dependent (dest. IP only) | Restricted Cone NAT | N/A* |
| Endpoint-Dependent (dest. IP and port) | Port-Restricted Cone NAT | Symmetric NAT |
NAT traversal on Symmetric NATs cannot work with STUN alone. For video conferencing, this means falling back to TURN, an authentication-based relay server, which potentially increases latency. This fallback is the gold standard for video conferencing (WebRTC) scenarios.
For communication with the Controlplane, DERP servers are used. DERP is a general-purpose relay protocol running over HTTP, resulting in high compatibility with corporate networks.
To still get the best performance in Symmetric NAT scenarios, the following setup is suggested: enable UPnP, NAT-PMP or PCP. Additionally, opening port 41641/UDP can avoid the need to relay traffic, resulting in better performance for Remote Operators.
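The mapping-behavior distinction above (EIM vs. EDM, and therefore Cone vs. Symmetric NAT) can be checked from inside the Connector's subnet before the device is installed. The script below is an added example, not part of this document and not roclub's software: it builds RFC 5389 STUN Binding Requests, decodes the XOR-MAPPED-ADDRESS from the replies, and applies the RFC 4787 mapping test (all requests sent from one local socket to several destinations; if the observed public mapping changes with the destination, the NAT is endpoint-dependent). The live run at the bottom uses the DERP hostnames from the firewall table as STUN servers on 3478/UDP, which is an assumption about which servers answer plain STUN; `make_binding_response` only constructs a fake reply so the parser can be exercised offline. Filtering behavior (which cone type) is not tested.

```python
import os
import socket
import struct
from typing import Optional

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_XOR_MAPPED_ADDRESS = 0x0020
Addr = tuple[str, int]


def build_binding_request(txn_id: bytes) -> bytes:
    """RFC 5389 Binding Request: type, length 0, magic cookie, 96-bit transaction id."""
    if len(txn_id) != 12:
        raise ValueError("transaction id must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txn_id


def parse_mapped_address(response: bytes, txn_id: bytes) -> Optional[Addr]:
    """Return the reflexive (ip, port) from a Binding Success Response, or None if absent."""
    if len(response) < 20:
        raise ValueError("short STUN message")
    msg_type, length, cookie = struct.unpack("!HHI", response[:8])
    if cookie != MAGIC_COOKIE or msg_type != BINDING_SUCCESS or response[8:20] != txn_id:
        raise ValueError("not a Binding Success Response for this transaction")
    body = response[20:20 + length]
    if len(body) != length:
        raise ValueError("truncated attributes")
    off = 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + alen]
        off += 4 + ((alen + 3) & ~3)          # attribute values are padded to 32 bits
        if atype not in (ATTR_MAPPED_ADDRESS, ATTR_XOR_MAPPED_ADDRESS) or len(value) < 4:
            continue
        family = value[1]
        addr_len = 4 if family == 0x01 else 16 if family == 0x02 else None
        if addr_len is None or len(value) < 4 + addr_len:
            continue
        port = struct.unpack("!H", value[2:4])[0]
        addr = value[4:4 + addr_len]
        if atype == ATTR_XOR_MAPPED_ADDRESS:   # undo XOR with cookie (and txn id for IPv6)
            port ^= MAGIC_COOKIE >> 16
            key = struct.pack("!I", MAGIC_COOKIE) + txn_id
            addr = bytes(a ^ b for a, b in zip(addr, key))
        af = socket.AF_INET if family == 0x01 else socket.AF_INET6
        return socket.inet_ntop(af, addr), port
    return None


def make_binding_response(txn_id: bytes, ip: str, port: int) -> bytes:
    """Constructed server reply carrying XOR-MAPPED-ADDRESS; used only for offline testing."""
    af = socket.AF_INET6 if ":" in ip else socket.AF_INET
    key = struct.pack("!I", MAGIC_COOKIE) + txn_id
    xaddr = bytes(a ^ b for a, b in zip(socket.inet_pton(af, ip), key))
    value = bytes([0, 0x02 if af == socket.AF_INET6 else 0x01])
    value += struct.pack("!H", port ^ (MAGIC_COOKIE >> 16)) + xaddr
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txn_id + attr


def query_mapping(sock: socket.socket, server: Addr, timeout: float = 2.0) -> Optional[Addr]:
    """One Binding Request from an already-bound socket; None on timeout or unrelated reply."""
    txn_id = os.urandom(12)
    sock.settimeout(timeout)
    sock.sendto(build_binding_request(txn_id), server)
    try:
        data, _ = sock.recvfrom(1500)
        return parse_mapped_address(data, txn_id)
    except (socket.timeout, ValueError):
        return None


def classify_mapping(results: dict[Addr, Optional[Addr]]) -> str:
    """RFC 4787 mapping classification: `results` maps each destination (ip, port) to the
    public mapping observed for it. Every request must have left the SAME local socket."""
    seen = {d: m for d, m in results.items() if m is not None}
    dests = list(seen)
    pairs = [(a, b) for a in dests for b in dests if a < b]
    same_ip = [(a, b) for a, b in pairs if a[0] == b[0]]   # only the port differs
    diff_ip = [(a, b) for a, b in pairs if a[0] != b[0]]   # the address differs
    if not pairs:
        return "inconclusive"
    if any(seen[a] != seen[b] for a, b in same_ip):
        return "EDM (address-and-port-dependent): Symmetric NAT"
    if any(seen[a] != seen[b] for a, b in diff_ip):
        return "EDM (address-dependent): Symmetric NAT" if same_ip else "EDM: Symmetric NAT"
    return "EIM: Cone NAT (Full/Restricted/Port-Restricted depends on filtering, not tested here)"


if __name__ == "__main__":
    # Live check against the DERP STUN endpoints listed in the firewall table (3478/UDP).
    servers = [(socket.gethostbyname(h), 3478)
               for h in ("derp4-all.tailscale.com", "derp5-all.tailscale.com")]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", 0))          # one local socket for every request
        results = {s: query_mapping(sock, s) for s in servers}
    for dest, mapped in results.items():
        print(f"{dest[0]}:{dest[1]} -> {mapped}")
    print(classify_mapping(results))
```

With only two servers on the same port the script can tell EIM from EDM, which is the distinction the table above needs; separating address-dependent from address-and-port-dependent mapping additionally requires a server that answers on two ports, which the DERP endpoints are not assumed to do. Run it from the subnet the Connector will live in, because the result describes that subnet's NAT, not the administrator's workstation.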
Simplified Firewall Configuration
Ensure that the following is allowed:
- initiate connections to 53/UDP
- initiate connections to 53/TCP
- initiate connections to 123/UDP
- initiate connections to 443/TCP
- initiate connections from 41641/UDP to *:*
- initiate connections to 3478/UDP
Restrictive Firewall Configuration
In case you require a restrictive configuration of the Connector's subnet firewall that blocks outgoing connections, it is necessary to whitelist the specific endpoints used by the roclub Connector. The endpoints given below are the minimum requirements for the teleoperation platform to function. Please keep in mind that these endpoints may change, requiring manual updates to maintain product functionality.
Please also note that the connections for the video conferencing sessions vary depending on the connector's geographical location. Globally required and location-dependent endpoints need to be accessible.
Globally required
| Domain/FQDN | Purpose | Port |
|---|---|---|
| 1.1.1.1 | DNS | 53/UDP |
| 8.8.8.8 | DNS | 53/TCP |
| time1.google.com | Time Server | 123/UDP |
| time2.google.com | Time Server | 123/UDP |
| time3.google.com | Time Server | 123/UDP |
| eu.hosted.mender.io | Update Service | 443/TCP |
| mender.blob.core.windows.net | Update Service | 443/TCP |
| c271964d41749feb10da762816c952ee.r2.cloudflarestorage.com | Update Service | 443/TCP |
| login.tailscale.com | Virtual Private Network | 443/TCP |
| controlplane.tailscale.com | Virtual Private Network | 443/TCP |
| log.tailscale.com | Virtual Private Network | 443/TCP |
| log.tailscale.io | Virtual Private Network | 443/TCP |
| derp4-all.tailscale.com | Designated Encrypted Relay for Packets | 443/TCP |
| derp5-all.tailscale.com | Designated Encrypted Relay for Packets | 443/TCP |
| derp9-all.tailscale.com | Designated Encrypted Relay for Packets | 443/TCP |
| derp11-all.tailscale.com | Designated Encrypted Relay for Packets | 443/TCP |
| derp21-all.tailscale.com | Designated Encrypted Relay for Packets | 443/TCP |
| derp22-all.tailscale.com | Designated Encrypted Relay for Packets | 443/TCP |
| derp4-all.tailscale.com | Designated Encrypted Relay for Packets | 3478/UDP |
| derp5-all.tailscale.com | Designated Encrypted Relay for Packets | 3478/UDP |
| derp9-all.tailscale.com | Designated Encrypted Relay for Packets | 3478/UDP |
| derp11-all.tailscale.com | Designated Encrypted Relay for Packets | 3478/UDP |
| derp21-all.tailscale.com | Designated Encrypted Relay for Packets | 3478/UDP |
| derp22-all.tailscale.com | Designated Encrypted Relay for Packets | 3478/UDP |
| network-nodes.roclub.io | Virtual Private Network | 41641/UDP |
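Because the endpoint list above may change, a subnet firewall administrator is better served by generating the allowlist from the table than by hand-typing it. The script below is an added example, not part of this document and not roclub's software: it parses rows of the `| Domain/FQDN | Purpose | Port |` table, resolves each name with the OS resolver (nftables does not follow DNS changes after a ruleset is loaded, so the resolution is done at generation time and the script is meant to be re-run on a schedule), and renders an nftables table that constrains only traffic entering the firewall from the Connector's interface. The interface name `connector0`, the table name `roclub_egress` and the sample addresses in `SAMPLE_DNS` (RFC 5737 / RFC 3849 documentation ranges) are constructed for the example and are not the services' real addresses.

```python
import ipaddress
import re
import socket
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Iterable, Optional


@dataclass(frozen=True)
class Endpoint:
    host: str       # FQDN or IP literal, as written in the table
    purpose: str
    port: int
    proto: str      # "tcp" or "udp"


# One data row of the "| Domain/FQDN | Purpose | Port |" table; header/separator rows do not match.
ROW_RE = re.compile(
    r"^\|\s*(?P<host>[^|\s]+)\s*\|\s*(?P<purpose>[^|]*?)\s*\|\s*(?P<port>\d{1,5})/(?P<proto>TCP|UDP)\s*\|$"
)

Resolver = Callable[[str], Iterable[str]]


def parse_endpoint_table(markdown: str) -> list[Endpoint]:
    """Extract the allowlist rows from the markdown table text."""
    rows = []
    for line in markdown.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(Endpoint(m["host"], m["purpose"], int(m["port"]), m["proto"].lower()))
    return rows


def system_resolver(host: str) -> list[str]:
    """Resolve with the OS resolver (A and AAAA); IP literals pass through unchanged."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_UDP)
        return sorted({info[4][0] for info in infos})


def render_nftables(endpoints: Iterable[Endpoint], resolve: Resolver = system_resolver,
                    iface: str = "connector0", direct_udp_sport: Optional[int] = None) -> str:
    """Render an nftables table with one named set per (family, proto, port).

    The forward base chain keeps `policy accept` so the firewall's existing tables still decide
    the fate of other subnets; only packets arriving on `iface` are jumped into the allowlist
    chain, which ends in drop. `direct_udp_sport` optionally adds the Simplified section's
    'from 41641/UDP to *:*' rule for direct peer connections.
    """
    sets: dict[tuple[str, str, int], set] = defaultdict(set)
    unresolved = []
    for ep in endpoints:
        addrs = [ipaddress.ip_address(a) for a in resolve(ep.host)]
        if not addrs:
            unresolved.append(ep.host)
        for a in addrs:
            sets[("ip6" if a.version == 6 else "ip", ep.proto, ep.port)].add(a)
    out = [f"# unresolved, rule omitted: {h}" for h in unresolved]
    out.append("table inet roclub_egress {")
    for (fam, proto, port), addrs in sorted(sets.items()):
        typ = "ipv6_addr" if fam == "ip6" else "ipv4_addr"
        elems = ", ".join(str(a) for a in sorted(addrs))
        out.append(f"    set {fam}_{proto}_{port} {{ type {typ}; elements = {{ {elems} }} }}")
    out += ["    chain connector_egress {",
            "        ct state established,related accept",
            "        ct state invalid drop"]
    if direct_udp_sport is not None:
        out.append(f"        udp sport {direct_udp_sport} accept")
    for fam, proto, port in sorted(sets):
        out.append(f"        {fam} daddr @{fam}_{proto}_{port} {proto} dport {port} accept")
    out += ["        counter drop", "    }",
            "    chain forward {",
            "        type filter hook forward priority 0; policy accept;",
            f'        iifname "{iface}" jump connector_egress',
            "    }", "}"]
    return "\n".join(out) + "\n"


# Constructed sample: four rows copied from the table, resolved to documentation addresses.
SAMPLE_TABLE = """\
| Domain/FQDN | Purpose | Port |
|---|---|---|
| 1.1.1.1 | DNS | 53/UDP |
| time1.google.com | Time Server | 123/UDP |
| login.tailscale.com | Virtual Private Network | 443/TCP |
| derp4-all.tailscale.com | Designated Encrypted Relay for Packets | 3478/UDP |
"""
SAMPLE_DNS = {  # constructed answers, not the real addresses of these hosts
    "time1.google.com": ["192.0.2.10"],
    "login.tailscale.com": ["198.51.100.20", "2001:db8::20"],
    "derp4-all.tailscale.com": ["203.0.113.30"],
}


def sample_resolver(host: str) -> list[str]:
    """Offline stand-in for system_resolver, backed by SAMPLE_DNS."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return SAMPLE_DNS.get(host, [])


if __name__ == "__main__":
    import sys
    # usage: python gen_rules.py < endpoints.md > roclub_egress.nft && nft -f roclub_egress.nft
    src = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TABLE
    resolver = system_resolver if not sys.stdin.isatty() else sample_resolver
    print(render_nftables(parse_endpoint_table(src), resolver), end="")
```

Two caveats follow from the design. Names hosted on CDNs or object storage (the `mender.blob.core.windows.net` and `cloudflarestorage.com` update endpoints in the table) can resolve to different addresses over time, so a stale generated set silently breaks updates; reloading the table from a timer, or feeding the sets from a resolver-driven script, keeps the allowlist current. Traffic that never crosses the forward hook, such as DHCP between the Connector and a DHCP server on the same subnet, is unaffected by this table.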
See also:
Technical Requirements for the Remote Operator
Technical Requirements for the Local Operator
