I have successfully implemented an LTE solution in a remote area using a 951Ui-2HnD + USB2miniPCIe + Quectel EC-25 modem.
Behind the router I have 3 devices I need to access from outside, so I've used a PPTP client with a default route and port forwarding.
The config can be examined here: https://jpst.it/2kvD_
The routes are automatically added as below and everything is working:
A few days ago I bought an R11e-LTE modem and tried to clone the above config, but with a different (although similar) router model (951Ui-2nD).
Everything works up to a point. The routes are as follows:
Note the 3rd one which is unreachable.
In this state, once PPTP gets connected, every device attached to eth loses its connection to the internet.
To make it work I have to manually add a new route:
4 A S ##.##.##.15/32 lte1 1
Another difference between the two implementations is the missing device under Ports:
951Ui-2HnD / Quectel EC-25
/port print
Flags: I - inactive
# DEVICE NAME CHANNELS USED-BY BAUD-RATE
0 usb1 1 9600
951Ui-2nD / R11e-LTE
/port print
Flags: I - inactive
# DEVICE NAME CHANNELS USED-BY BAUD-RATE
What could cause this behavior? I suspect it's related to the R11e-LTE modem, but I don't have another Quectel EC-25 to test and confirm.
Note: I've tried to match the ROS versions and they are the same.
This can be done that way, or with mangle rules that see traffic incoming from the VPN and mark the connection in the input chain. Next, use mark-routing into a routing table that sends the previously marked traffic back to the VPN in the output chain. Then you don't have to mess with the default gateway; you choose your own way.
> Note the 3rd one which is unreachable.
> In this state, once PPTP gets connected, every device attached to eth loses its connection to the internet.
> To make it work I have to manually add a new route:
> 4 A S ##.##.##.15/32 lte1 1
Before, you had that rule too, but the EC25 has its own internal NAT, while the R11e-LTE does not use one and brings you a proper ISP IP, which means you should add that route on the lte1 interface one time, not every time you connect.
I don't see a problem here.
> Another difference between the two implementations is the missing device under Ports:
> 951Ui-2HnD / Quectel EC-25
> 951Ui-2nD / R11e-LTE
> What could cause this behavior? I suspect it's related to the R11e-LTE modem, but I don't have another Quectel EC-25 to test and confirm.
Yes, different LTE modules work differently. The EC25 has usb1 and lte1, the R11e-LTE has only lte1. I don't see a problem here.
Thanks for the tip. Unfortunately I'm not familiar with the mangle feature, so I've used my basic knowledge to achieve what I need.
> The EC25 has its own internal NAT, while the R11e-LTE does not use one and brings you a proper ISP IP, which means you should add that route on the lte1 interface one time. I don't see a problem here.
This explained my suspicion. Coming from a plug'n'play setup to a differently acting modem (R11e) confused me. Not a problem, of course, but it requires an extra step and poses a problem if the VPN server IP changes!? This means you could lose control of the router from outside.
A very common way is to use DDNS plus a DNS CNAME record.
Your VPN server should use a DDNS name; if it is an external RouterOS device, you can use IP > Cloud with your hostname: b…5.sn.mynetname.net
At your hosting provider, set up the DNS zone: vpn-server-ddns.yourdomain.tld CNAME b…5.sn.mynetname.net
Set all your VPN clients to connect to vpn-server-ddns.yourdomain.tld, which redirects them to your VPN server even when its IP changes.
I'm not sure how this is different between the two cases (when the gateway has to be set to the IP address, as with the Quectel, and when it has to be set to the interface name, as with the R11e-LTE).
FQDNs and DNS were designed precisely so that hosts can change IP addresses. So connect-to on the /interface pptp-client row has to be set to an FQDN rather than a numeric IP address.
But as you cannot create a route with an FQDN as destination, you'll have to create an address-list that resolves the FQDN to an IP address for you:
    /ip firewall address-list add list=my-vpn-server address=vpn-server.somedomain.xy
This makes RouterOS issue a DNS query, create a dynamic address-list item from the response, and repeat the process whenever the TTL indicated in the response is about to expire.
Next, add a mangle rule marking packets sent by the router itself to the VPN server:
    /ip firewall mangle add chain=output dst-address-list=my-vpn-server action=mark-routing new-routing-mark=via-vpn
Then add a default route with the LTE as gateway (interface name or IP address, depending on modem type), carrying the same routing mark:
    /ip route add dst-address=0.0.0.0/0 gateway=lte1 routing-mark=via-vpn
Due to some specialties of the output chain, there must be a masquerade rule in NAT:
    /ip firewall nat add chain=srcnat out-interface=lte1 action=masquerade
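The steps above assembled into one RouterOS fragment, with the original post's hand-added host route beside the address-list/mangle approach, as an added example that is not from the thread or from MikroTik. The tunnel name pptp-out1, the user vpnuser, the password CHANGEME and the server address 203.0.113.15 are constructed placeholders; my-vpn-server, via-vpn and vpn-server.somedomain.xy are the names used in the reply. Run one variant or the other, not both.

```routeros
# --- Fragile variant (what the original post did) -----------------------------
# The PPTP client installs the default route; the VPN server itself is then
# pinned to the LTE path with a host route typed by hand, which silently
# breaks the moment the server's address changes.
# 203.0.113.15 is a constructed placeholder for the server's IP.
/interface pptp-client
add name=pptp-out1 connect-to=203.0.113.15 user=vpnuser password=CHANGEME \
    add-default-route=yes default-route-distance=1 disabled=no
/ip route
add dst-address=203.0.113.15/32 gateway=lte1 distance=1

# --- Robust variant (the address-list + mangle approach from the reply) ------
# 1. Resolve the server by name; RouterOS keeps the dynamic entry refreshed
#    from the DNS TTL (needs working resolvers under /ip dns).
/ip firewall address-list
add list=my-vpn-server address=vpn-server.somedomain.xy
# 2. Packets the router itself sends to the server get a routing mark.
/ip firewall mangle
add chain=output dst-address-list=my-vpn-server action=mark-routing \
    new-routing-mark=via-vpn passthrough=no
# 3. Marked packets use a default route that bypasses the tunnel.
#    For a modem that NATs internally (the thread's EC-25 case) use the
#    modem-side gateway address instead of gateway=lte1.
/ip route
add dst-address=0.0.0.0/0 gateway=lte1 routing-mark=via-vpn distance=1
# 4. Source NAT on the LTE interface, as the reply requires.
/ip firewall nat
add chain=srcnat out-interface=lte1 action=masquerade
# 5. The tunnel connects by name, so a server IP change no longer strands
#    the router; the tunnel's default route still carries the LAN traffic.
/interface pptp-client
add name=pptp-out1 connect-to=vpn-server.somedomain.xy user=vpnuser \
    password=CHANGEME add-default-route=yes default-route-distance=1 disabled=no

# Checks: the list should show a dynamic (D) entry, the marked route should
# be active (A), and the tunnel should report running (R).
/ip firewall address-list print where list=my-vpn-server
/ip route print where routing-mark=via-vpn
/interface pptp-client monitor pptp-out1 once
```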