I have just purchased router hAP ac 2 (RBD52G-5HacD2HnD-TC) which offers USB port for 3G/4G modem.
I have successfully connected it to local T-Mobile network using E3131 3G modem.
My problem is with the public IP, to which I cannot ssh connect (even ping).
The public IP is (say) 46.204.54.28, and the command from the router
/ip address print
Flags: X - disabled, I - invalid, D - dynamic
This address (100.100.172.156/32) or network (10.112.112.131) is not even near my public IP, but anyhow, these are not my public IP, so I assume this is how the ppp connection works.
But then from WAN, neither ping nor ssh works
ping 46.204.54.28
Pinging 46.204.54.28 with 32 bytes of data:
Reply from 192.168.1.61: Destination host unreachable.
Reply from 192.168.1.61: Destination host unreachable.
ssh admin@46.204.54.28
ssh: connect to host 46.204.54.28 port 22: Connection timed out
ping 1.1.1.1
Pinging 1.1.1.1 with 32 bytes of data:
Reply from 1.1.1.1: bytes=32 time=235ms TTL=53
Reply from 1.1.1.1: bytes=32 time=245ms TTL=53
I have contacted T-Mobile, they claim no specific ports are blocked by them. Also they offer to set up a fixed IP address, but for me this is not a problem since this is only a temporary setup.
The firewall on the router is as per default router setup, i.e. allowing ICMP.
If your public IP is in the 100.64.0.0–100.127.255.255 range, you are behind the NAT and you will not be able to connect from the Internet to your network.
In most cases one phone call to the provider should solve the problem.
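The check this answer describes, written out as an added example that is not part of the original post: it compares the address on the router's WAN interface with the address an outside service reports. The function names `classify_wan` and `inbound_reachable` are hypothetical, and the RFC 1918 branch goes beyond the one range named in the answer.

```python
import ipaddress

# RFC 6598 shared address space: the 100.64.0.0-100.127.255.255 range from the thread.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges, which can also appear on a mobile WAN interface.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(interface_addr, observed_addr):
    """Compare the WAN interface address with the address seen from outside.

    interface_addr: as shown by `/ip address print`, with or without a prefix.
    observed_addr:  what an external "what is my IP" lookup reports.
    Returns "cgnat", "private", "translated" or "public".
    """
    wan = ipaddress.ip_interface(interface_addr).ip
    seen = ipaddress.ip_address(observed_addr)
    if wan in CGNAT:
        return "cgnat"        # operator NAT sits between router and Internet
    if any(wan in net for net in RFC1918):
        return "private"      # also not routable from the Internet
    if wan != seen:
        return "translated"   # routable-looking, but rewritten upstream
    return "public"


def inbound_reachable(interface_addr, observed_addr):
    """Unsolicited inbound ssh or ping can only arrive when the router
    itself holds the address the outside world sees."""
    return classify_wan(interface_addr, observed_addr) == "public"


if __name__ == "__main__":
    # First two rows use the addresses quoted in the question;
    # the third row is a constructed contrast case.
    cases = [
        ("100.100.172.156/32", "46.204.54.28"),
        ("10.112.112.131", "46.204.54.28"),
        ("46.204.54.28/32", "46.204.54.28"),
    ]
    for wan, seen in cases:
        verdict = classify_wan(wan, seen)
        print(f"{wan:20} seen as {seen:15} -> {verdict}")
```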
Thanks for the lead.
Now I have sent an email to T-Mobile. That is likely where the problem is.
From technical term, this IP as I can see by googling “my ip address” is not a real public IP?
Even when it does show it as a public. Now, what establishes that - a masquerade, or - NAT, or simply that that way ppp works…
The 100.64.0.0–100.127.255.255 range is the so-called Carrier Grade NAT, and even though they “look public”, many operators use them to NAT their users to save V4 public IPs, but if you ask them to put you on a “real public IP”, in most cases there are no problems.
Then use VPN or port forward for SSH to your non-public IPs
Can you share details? If I do not need to pay this top up of $4 that would be nice…
I have a fixed IP on my second router with no additional cost, yet in the case of mobile WAN, used for testing, this is only with a charge.
If you have MT then you have DDNS in IP/Cloud, and you can use it. It is reachable through the internet. You can configure a VPN to access local resources or forward the SSH port from your WAN to a local dst address.
VPN is more secure than port forward or redirects. If you want to access the MT only, then you don’t need to do VPN or port forward.
You’re very welcome. The Windows PuTTY terminal showed that I used the local IP for the connection although the DDNS worked correctly, so I checked with a non-local network like my phone LTE just to be sure it’s working through the Internet too. Sure, it’s a FREE service like https://www.noip.com/what-is-dns or https://account.dyn.com/ built into RouterOS.
I checked with a non-local network like my phone LTE
Sorry, I do not fully get it. Does it mean that I could cancel T-Mobile’s public APN service, and even then use the DDNS name for ssh access to mikrotik, and also the below (hosting a web server)? Yes, that would be great… yet I have a doubt that this will work…
If that is the only price to pay, (use DDNS name, instead of IP) … would be happy.
That’s completely on you to cancel your service but it will provide some functionality and yes you can host web services with some firewall and NAT rules.
But not in a production environment. For example, you can’t req CERT for it with DDNS (no self-signed certificate), or if you wanna use a CMS for the web server like cPanel or DirectAdmin, then as the license is on the IP address of the server, you can’t get one. It is complicated.