I would really appreciate your assistance here, on this:
I have an RBwAPGR-5HacD2HnD LTE6 kit, which is placed in an area with no wire connection. A SIM card from an LTE provider is being used, connection is up to 100/20 Mbps up/down.
Now, there is the need for accessing a single device, an IP camera, remotely.
The provider does not support (does not sell) any connection with possibility of port forwarding or a static IP, so there is no chance to upgrade the contract.
“Router is behind a NAT. Remote connection might not work”, is being mentioned in /ip/cloud
What are my options for getting in contact with the camera?
There must be a public IP address somewhere, there’s no way around that. But it doesn’t necessarily have to be on that router. The router can use an outgoing VPN connection either to you directly (if you have a public address) or to some VPS, and you can get access to the camera this way, or you can expose it to others via your/VPS public address if needed.
If you can get a public IPv4 address for the wAP-LTE6 then you’ll have a lot of options. A dynamic address is not so important and can be dealt with using DDNS. If you are lucky, you can get public IPv6, although the setup is quite different from IPv4 and also depends on how your ISP handles things.
Recommendations:
If you’re unable to get a public IP address, I recommend using ZeroTier, which is bundled with ROS v7 using the “Basic” license (free of charge) and will create your own “private network”. It does work without any public IP addresses and supports most devices like smartphones, tablets and computers with Windows, macOS and Linux.
As an alternative there is WireGuard or IPsec. However, this requires a public IP address and a router somewhere where the wAP-LTE6 and your smartphone may connect to. Pretty tricky I would say if you haven’t done similar installations before.
EDIT:
There are other SD-WAN solutions similar to ZeroTier such as Tailscale, Nebula, Netmaker etc, but then you need to install and configure the services on a separate mini server (like a Raspberry Pi) behind the wAP-LTE6.
Lots of options, I see, but all of them demand a good level of understanding, which I briefly have. Anyway, I followed the 1st advice with the VPN, but after spending the very short time I had, I gave up. Temporarily, I will come back to it later.
Next, it was ZeroTier. I had never tried it, I thought it may be worth the time. I made the basic account, created the network ID, connected (by approval in control panel) a test w10 machine with public address and then followed the instructions for connecting the wAP to ZT, too. Much help came from this article, thanks to the titanic effort of Amm0.
Some notes, here:
In the ZeroTier interface I had to add “allow-managed=yes”, otherwise I had no zt address in /ip/addresses. This is not mentioned in the Configuration example, but on the contrary, it misled me and I spent some time there, too.
And one question, please:
Why in /zerotier/peer/print I see five 10-digit records which have nothing to do with the devices I have in this virtual switch?
Thank you again.
Clarification:
The #3 first firewall rule is for accessing the IPCam by calling the wAP’s zt IP from the other side of this virtual network. Port 37777 is the default port for Dahua’s application to communicate.
The second rule is for accessing the camera’s web interface, by calling <wAP’s IP>:8011
I left port 80 for wAP’s web interface, considering it is safe to let it open in a trusted network. Do you think this point of view is correct? 8291 is not accessible from lte1 WAN.
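The setup discussed in this thread, written out as an added RouterOS v7 example (editor's illustration, not configuration taken from any post). The network ID, the camera's LAN address 192.168.88.10, the camera's web port 80, the names `zt1` and `zerotier1`, and the ZeroTier member address 10.147.17.5 are constructed placeholders; ports 37777 and 8011 are the ones named above. The last command shows one way to narrow WebFig on port 80 to the LAN and a single ZeroTier member instead of the whole virtual network.

```routeros
# --- ZeroTier: join the network and accept the controller-assigned address ---
# allow-managed=yes lets the ZeroTier controller push the managed IP,
# which then shows up in /ip/address for the zerotier1 interface.
/zerotier/enable zt1
/zerotier/interface/add name=zerotier1 instance=zt1 \
    network=0123456789abcdef allow-managed=yes comment="placeholder network ID"

# Confirm the managed address arrived before adding NAT rules.
/ip/address/print where interface=zerotier1

# --- dst-nat: reach the camera through the wAP's ZeroTier address ---
# Matching on in-interface=zerotier1 keeps these forwards off lte1 entirely,
# so nothing is published towards the carrier's network.
/ip/firewall/nat
add chain=dstnat in-interface=zerotier1 protocol=tcp dst-port=37777 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=37777 \
    comment="Dahua app port to camera (camera IP is a placeholder)"
add chain=dstnat in-interface=zerotier1 protocol=tcp dst-port=8011 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=80 \
    comment="wAP-zt-IP:8011 to camera web UI (camera port 80 assumed)"

# --- Router management: limit who can open WebFig on port 80 ---
# Every approved member of the ZeroTier network is a potential client,
# so list only the LAN and the one member that administers the router.
/ip/service/set www address=192.168.88.0/24,10.147.17.5/32

# --- Checks ---
# Packet counters on the two rules should rise when the camera is reached.
/ip/firewall/nat/print stats where in-interface=zerotier1
/ip/service/print where name=www
```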