1

I'm using the portable hotspot of my Xiaomi Redmi Note 8T.

I have 2 Linux machines - one is Ubuntu and the other is Fedora - connected, and from both I can find the internal IP through ifconfig. If I ping their IPs, they respond to one another.

Now, on Ubuntu I've set up an Nginx site that should be visible through the internal network, but the HTTP connection is timing out on Fedora without any reply: notice that I'm using the internal network IP on the Fedora laptop to avoid issues with the hostname/DNS. On the same Ubuntu I can see the http site when I use the internal IP.

I've also tried with the public IP (getting it from tracemyip.org), but it doesn't work even on the same Ubuntu PC (and sudo ufw status is inactive), and ping doesn't work either.

Is it due to the mobile carrier or what am I missing? Can you suggest what to do to enable the HTTP connection at least across the internal network?

Further testing

I've tried also the other way around: Setting up the site on Fedora laptop instead of the Ubuntu machine and with a trivial python3 -m http.server instead of a more elaborate Nginx uwsgi flask... The intranet seems to work locally on the same machine, but the connection is not reachable from the other, even if they are under the same Android router.

I guess the private intranet is prevented by the mobile Android router, but I'm still seeking a technical confirmation.

Replies to comment about nmap

I've installed nmap. Let's say that the Ubuntu machine, where the http server is running, has internal IP (from ifconfig) 192.168.43.236.

I run the following command on the same Ubuntu machine.

nmap 192.168.43.236 -p 8080
Nmap scan report for myubuntu (192.168.43.236)
Host is up (0.00018s latency)
PORT      STATE SERVICE
8080/tcp  open  http-proxy

On the other Fedora machine

nmap 192.168.43.236 -p 8080
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-25 23:59 CEST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.04 seconds

But

ping 192.168.43.236
PING 192.168.43.236 (192.168.43.236) 56(84) bytes of data.
64 bytes from 192.168.43.236: icmp_seq=1 ttl=64 time=161 ms
64 bytes from 192.168.43.236: icmp_seq=2 ttl=64 time=186 ms

Tried also

nmap 192.168.43.236 -Pn  -p 8080
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-26 00:04 CEST
Nmap scan report for home (192.168.43.236)
Host is up.

PORT     STATE    SERVICE
8080/tcp filtered http-proxy

Nmap done: 1 IP address (1 host up) scanned in 2.05 seconds

Replies to comment about netstat

To simplify, let me use Fedora as server and I can do just

python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) 

There I see

netstat -an|grep 8000
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN    

But from Ubuntu the state of nmap looking at Fedora port 8000 with option -Pn is filtered (on the other hand, leaving all the rest invariant, the state of nmap is open when I check it on the same machine).

Conclusion

I connect a machine to my phone wifi router. I see the ip assigned from ifconfig. I start a http server on a port (e.g. python on 8000 or nginx on 8080) and - on the same machine - I check the above said ip and port with nmap or netstat or with firefox and it is all ok. On another machine connected to the same wifi router, the ip is filtered out, not reachable. I suspect it is a "security" feature of my Xiaomi Mi, maybe against wifi probes... or something like that; I don't think it depends on the Linux machine config.

I have to try with another model of phone asap. I have tested with other phones and all works fine, so the issue is with the above said phone.

Routing tables

This is the command to show the routing tables of my phone:

ip route show dev wlan0 table all
192.168.43.0/24 table 97 proto static scope link
192.168.43.0/24 proto kernel scope link src 192.168.43.1
broadcast 192.168.43.0 table local proto kernel scope link src 192.168.43.1
local 192.168.43.1 table local proto kernel scope host src 192.168.43.1
broadcast 192.168.43.255 table local proto kernel scope link src 192.168.43.1
fe80::/64 table 1029 proto kernel metric 256 pref medium
anycast fe80:: table local proto kernel metric 0 pref medium
local fe80::a64b:d5ff:fe06:1bd7 table local proto kernel metric 0 pref medium
ff00::/8 table local metric 256 pref medium
1
  • Comments are not for extended discussion; this conversation has been moved to chat.
    – DavidPostill
    Commented May 26, 2020 at 13:17
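The three checks made by hand in the question (a probe from the server itself, a probe from the other client, and ping) can be scripted. This is an added example, not part of the original post: `probe_tcp` and `diagnose` are hypothetical names, the open/closed/filtered labels follow the nmap output quoted above, and the observations in the demo are constructed from the question's results.

```python
import errno
import socket

def probe_tcp(host, port, timeout=2.0):
    """TCP connect probe, labelled like the nmap port states shown above."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"        # handshake completed, a service is listening
    except ConnectionRefusedError:
        return "closed"      # RST came back: host reachable, port not listening
    except socket.timeout:
        return "filtered"    # no answer at all: the SYN was dropped on the way
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"  # unreachable error instead of a TCP reply
        raise
    finally:
        s.close()

def diagnose(local_state, remote_state, ping_ok):
    """Locate the block. local_state is the probe of the server's LAN IP run
    on the server itself; remote_state is the same probe from the other client."""
    if local_state != "open":
        return "server: not listening on the LAN address (check the bind address)"
    if remote_state == "open":
        return "ok: service reachable from the other client"
    if remote_state == "closed":
        return "reset: the SYN was answered with RST (reject rule or wrong port)"
    if ping_ok:
        return "path: ICMP passes but TCP SYNs are dropped (host firewall or hotspot)"
    return "path: no IP connectivity between the two clients"

if __name__ == "__main__":
    # Constructed from the question: nmap on the server says open, nmap -Pn
    # from the other laptop says filtered, and ping between them works.
    print(diagnose("open", "filtered", True))
    # On a live network, run this on each machine against the server's LAN IP:
    # print(probe_tcp("192.168.43.236", 8080))
```

With the host firewall confirmed inactive on the server (ufw status in the question), a "path" result leaves the access point as the remaining place where the SYN can be dropped.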

2 Answers

1

The answer is yes, I just tested this.

Using two PCs

  • One on Ubuntu 16.04 (running a firewall, so for outgoing connections only)
  • One on Ubuntu 19.10

Once they are both connected to the hotspot on my Android phone(*):

  • ip address show shows 192.168.43.4 on the 16.04 one and 192.168.43.227 on the 19.10 one. These are the addresses in the local hotspot LAN.

Then using the local addresses (192.168.43.*):

  • Both machines can ping each other.
  • I can successfully ssh from 16.04 to 19.10
  • I can successfully issue HTTP requests from 16.04 to an HTTP server on port 8000 in 19.10.

(*) Xiaomi Redmi Note 7, Android 9 PKQ1.180904.001, MIUI Global 11.0.7.0.

3
  • Your question doesn't mention SSH... For nginx and other servers, it depends on what interface it is bound to, normally specified by an address. If 0:0:0:0 it listens to all interfaces, if something else it listens only to the interface with that address (127.0.0.1, 192.168.43.236...). What does netstat -ltu say on the machine with the server?
    – xenoid
    Commented May 25, 2020 at 22:27
  • Honestly I don't believe it is, the hotspot is normally protected by WPA2-PSK, you can somewhat trust the machines that connect to it. Unless this is the difference between your setup and mine....
    – xenoid
    Commented May 26, 2020 at 10:04
  • See my version in a comment above.. Actually Android 9 too... (must have applied an upgrade in the past)
    – xenoid
    Commented May 26, 2020 at 10:13
-2

Update as of Nov 24, 2020

After the last kernel and Android update from Xiaomi to:

MIUI Global 12.0.1 (QCXEUXM)

Android version 10

the issue appears to have been finally solved!

I've also noticed that, looking at the ip tables from termux, there is now a line that was not there at the time of the question (as I said, my phone is not rooted so I can't change them in any way):

fe80::/64 table 97 proto static metric 1024 pref medium

All the below is kept only for historical tracking.

Executive summary

It is a configuration issue in the iptables part of the specific Android kernel.

Details

I have tried with my sister's phone: Samsung Galaxy A30. All works like a charm. Of course it is an issue of my Redmi hotspot. The answer to my question is that it is not possible to do that by using such a phone, Xiaomi Redmi Note 8T (Android 9 PKQ1.190616.001, MIUI Global 11.0.7.0 PCXEUXM): it acts as a router but network switching is blocked at kernel/rom level (in fact, among the other aspects relevant to ip filtering, you must be root to access the iptables NAT - e.g. see the similar situation described here - and so on... till you hit the Internet Packet Accelerator firewall in the MSM driver of Qualcomm Snapdragon sm6125 SoC). Another device must be used. Unless you root it, that is not an option for me.

Related github issue in the Android Kernel open-source of the Redmi Note 8T, codename xiaomi-willow.

Workaround

From this answer on android.stackexchange, you can install a Proxy Server app (or an open-source equivalent) on the problematic phone and then set up a manual proxy 192.168.43.1 port 38665 in Firefox (or curl --proxy http://192.168.43.1:38665 http://192.168.43.xxx:pppp) from another machine in the internal/hotspot LAN. On the web server side, of course, nothing changes for your nginx+flask configuration, but a little fix is needed for python http.server (see 3servProxy.py, assuming that the web server binds 192.168.43.239:8000)
