LTE NAT forwarding

Good morning,
I am a newbie at using MikroTik modems, and what I am trying to do is to have two MikroTik modems connected to two PCs over Wi-Fi.
Each modem is configured to communicate with the other over LTE.

PC1 <---> MODEM MIKROTIK 1 <---> LTE <--> MODEM MIKROTIK 2 <---> PC2

I configure PC1 in order to have the LTE address as 172.14.8.1.
I configure PC2 in order to have the LTE address as 172.14.7.1.

If I ping this LTE address on both computers, everything works, but what I see when opening Wireshark on PC2 is that no ping has been received, so I suppose that it is pinging the LTE interface on the modem.

This is the /export of the MODEM MIKROTIK 2:

# jan/02/1970 00:14:19 by RouterOS 6.41.2
# software id = 20UR-DRB4
# model = RouterBOARD wAP R-2nD
# serial number = 7B7005CB28EB

/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-3B1B19 wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
add apn=mobile.private.static.it authentication=chap name=THT_7 password=jjkkaaqq user=utente7@roamer.private
/interface lte
set [ find ] apn-profiles=THT_7 mac-address=AC:FF:FF:00:00:00 name=lte1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=wlan1 name=defconf
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=wlan1 list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=wlan1 network=192.168.88.0
add address=172.14.7.1 interface=lte1 network=172.14.7.1
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=lte1
add action=masquerade chain=srcnat out-interface=lte1
add action=dst-nat chain=dstnat dst-address=172.14.7.1 to-addresses=192.168.88.252
add action=src-nat chain=srcnat src-address=192.168.88.252 to-addresses=172.14.7.1
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN



What am I doing wrong? I am trying this in order to open an SSH connection from PC1 to PC2.

Please help me!

So your LTE provider gives you static IPs for your modems?
Do they use CGNAT?

Thank you for your answer.

No, I add a static IP directly to the modem. Then I enable a DHCP server in order to obtain an IP when I connect the device. But it does not seem to be working.

Thanks
Alessandro

Unless you’ve got a special arrangement with your LTE provider for creation of a VPN for your SIMs (subscriber accounts) where you would be free to organize the address space like you want, it is not possible to assign static addresses of your own choice to your LTE connections. Normally you get the IP address assignment from the operator, and if one of the addresses is a public one, you can use some dynDNS service to bind an fqdn to that address and let the other device establish a VPN to it. If both are private ones, there is a small chance that they could see each other without a NAT between them if both are used in the same region, but they’ll be most likely changing with each renewal, and binding of an fqdn to a private IP is not supported by any public DNS I know.

So without the LTE VPN provided by the operator, you’ll need a “fixed point in the universe”, which is a device on public address which you can configure as a VPN access point and connect both your LTE devices to it, making it possible for them to talk to each other that way.

Many mobile network operators assign public IP addresses to subscribers’ terminals, but still block incoming connections … let’s pretend it’s a firewall to protect subscribers :mrgreen:
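
The replies above turn on what kind of address the operator actually assigns to each lte1 interface. As an added example (not written by any poster in this thread), the Python below classifies an address as RFC 1918 private, RFC 6598 CGNAT or public and applies the thread's reasoning to a pair of modems; the function names and the operator-assigned sample addresses in the comments are constructed. It also shows that the hand-picked 172.14.7.1 and 172.14.8.1 fall outside 172.16.0.0/12, so they are public address space rather than a private range.

```python
import ipaddress

# RFC 1918 private ranges and the RFC 6598 shared (CGNAT) range.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify(addr: str) -> str:
    """Return 'private', 'cgnat', 'other' or 'public' for an IPv4 address."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "private"
    if ip in CGNAT:
        return "cgnat"
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return "other"
    return "public"


def plan(assigned_a: str, assigned_b: str) -> str:
    """Apply the thread's reasoning to the addresses the operator
    assigned to the two LTE modems (not the ones typed in by hand)."""
    kinds = {classify(assigned_a), classify(assigned_b)}
    if "public" in kinds:
        # One modem has a public address: bind a dynDNS name to it and let
        # the other modem establish a VPN to it. The operator may still
        # block incoming connections, so this can fail in practice.
        return "vpn-to-public-peer"
    # Neither modem is reachable from outside: both dial out to a VPN
    # access point that sits on a public address.
    return "vpn-hub-required"


if __name__ == "__main__":
    # Addresses taken from the export and the first post.
    for a in ("172.14.7.1", "172.14.8.1", "192.168.88.252"):
        print(a, classify(a))
    # Constructed operator-assigned addresses (documentation/sample values).
    print(plan("10.20.30.40", "100.70.1.2"))
    print(plan("10.20.30.40", "203.0.113.5"))
```

Feed plan() the addresses shown as dynamic entries on lte1 after the modem attaches, not the values added by hand under /ip address.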