LTE Passthrough enabled, but still NAT'd

I’ve done as much reading of these forums as I can on this topic, and I think I have things correctly configured, but I’m still getting a DHCP address allocated from the Mikrotik, not the ISP (i.e. I can see it in the DHCP leases of the Mikrotik).

So, firstly, my setup:

  • Mikrotik EG12-EA based device (cAP LTE12 ax)
  • Unifi gateway

The MT should be, as much as possible, just an LTE modem; I don’t need any other functionality from it. It’s configured as a router on a stick essentially, with management and WAN VLANs, and connected to the wan2 port of my Unifi, which all works fine, but there are two things which don’t work: ip-type=ipv4-ipv6 and passthrough (or I misunderstand what passthrough should do).

When I connect to my ISP via LTE this is the state:

> /ip/dhcp-server/pr
Flags: D - DYNAMIC
Columns: NAME, INTERFACE, ADDRESS-POOL, LEASE-TIME
#   NAME      INTERFACE  ADDRESS-POOL  LEASE-TIME
0 D default  wan vlan   static-only   1m

Note the “D” flag, indicating it is dynamically created, which means I can’t delete it.

> /ip/dhcp-server/lease/print 
Flags: D - DYNAMIC
Columns: ADDRESS, MAC-ADDRESS, SERVER, STATUS, LAST-SEEN
#   ADDRESS       MAC-ADDRESS        SERVER    STATUS  LAST-SEEN
0 D 10.208.232.9  1C:0B:8B:12:90:D1  default  bound   5s

I can see it has an active lease to my unifi gateway… which to my mind defeats the purpose of passthrough? Shouldn’t the gateway get assigned an IP from my ISP? Note that the carrier definitely uses CGNAT, so I’m not expecting to see a public IP here, but seeing a different IP assigned to the (vlan) interface and the gateway along with an active DHCP lease on the MT device… seems wrong.

My partial config:

/interface lte
set [ find default-name=lte1 ] allow-roaming=no band="" mtu=1900
/interface lte apn
set [ find default=yes ] apn=yesinternet ip-type=ipv4 passthrough-interface="wan vlan" passthrough-mac=1C:0B:8B:12:90:D1 use-network-apn=no
/interface lte settings
set mode=mbim

The second issue, which isn’t really important, is that ip-type=ipv4-ipv6 doesn’t seem to exist for me. The carrier supports both (and I can individually select either ipv4 or ipv6).

What am I doing wrong?

EDIT: Forgot to say, I’ve tried this on a few different RouterOS versions, currently running 7.20beta2, and latest modem firmware.

I’m beginning to think this is just how it works: MT gets DHCP-assigned addresses from the ISP and uses a dynamic DHCP server to serve one of these to the downstream. So there is no NAT involved (well, other than the CGNAT in this case), but I’m effectively grabbing 2 IPs from the ISP. Maybe this is fine, but it’s not clear from the doc if this is actually the case?

Maybe best to show full config.
You’re only showing bits, and some parts which are relevant are not shown.

It doesn’t work for you, so you cannot know what is relevant or not. Show it all then (just remove serial, passwds, public IP, … from the export before including it here in code quotes).

I’m beginning to think this is just how it works: MT gets DHCP-assigned addresses from the ISP and uses a dynamic DHCP server to serve one of these to the downstream. So there is no NAT involved (well, other than the CGNAT in this case), but I’m effectively grabbing 2 IPs from the ISP. Maybe this is fine, but it’s not clear from the doc if this is actually the case?

This is how it works.

What leads you to believe you are getting two IP addresses from the ISP? The MT LTE device gets a single IP address from the ISP and passes that through to the downstream DHCP client.

MT is reporting that it has acquired an IP:

> /ip/address/print 
Flags: D - DYNAMIC; S - SLAVE
Columns: ADDRESS, NETWORK, INTERFACE
#    ADDRESS           NETWORK       INTERFACE        
0 DS 192.168.4.213/24  192.168.4.0   management ether2
1 D  100.80.61.29/29   100.80.61.24  wan vlan

And on the Unifi gateway I have acquired 100.80.61.28 as the WAN address, so that’s what has made me think it’s acquired two addresses. I guess it hasn’t actually acquired an address, it’s just reporting the network? Given the other entry does show an acquired address… this seems misleading to me!

This isn’t really a problem, I was mostly worried about extra NAT layers, but you have confirmed that’s not happening. I do wish the DHCP lease was longer than 1 minute, but it’s not causing problems so I guess that is fine.

Thanks!

The Mikrotik LTE device creates a dynamic synthetic subnet based on the address from the ISP so that it can provide a gateway address for the default route on the passthrough device.

There is a brief description on https://help.mikrotik.com/docs/spaces/ROS/pages/30146563/LTE if you look for “passthrough-subnet-selection”. Searching for that configuration will provide more examples of how it works.