So I was using a ZTE 5G modem as the internet source in bridge mode. All routing was done on the “wAP LTE6 kit Mikrotik”. It got internet over ETH1 from the ZTE, and over ETH2 internet was passed to the main switch. The ZTE stopped working, so I’ve sent it in for warranty and swapped the SIM card from the broken ZTE to the wAP LTE6 kit Mikrotik.
All routing (and port forward) was done on Mikrotik even with ZTE (because ZTE slow and very basic and worked only in bridge mode).
For all port forwarding rules, “all ethernet” was set as the source (In. interface). As the ZTE is gone and the SIM card is now directly in the Mikrotik, I’ve changed the port forwarding rule and instead of “All Ethernet” I’ve set “LTE”. BUT it’s not working, it’s not doing port forwarding. And yes, we have a fixed public IP on our SIM card.
That’s what I did in the first place. And it is not working.
It looks like you have to change only one parameter (from all ethernet to lte1). But this is not working.
The port also needs to be allowed on the “input” in the /ip firewall filter for the same port/protocol as the dst-nat to work. And it should be added just below the ICMP input accept rule. The dst-nat rule is still needed.
Note here…this part is critical:
since most standard LTE services use CGNAT, which would not allow port forwarding.
This should work (unless you have some other rules that affect this). Also, To Ports doesn’t need to be added if it is the same as the port in Dst. Port. Examining a configuration export could help.
Sorry. Did not understand correctly. But I don’t need to export anything. I only need to make some changes in port forwarding so it could port forward FROM LTE1 (SIM card) to ETH2. The previous configuration was working from ETH1 port forward to ETH2. Now my internet is coming not from ETH1, but from LTE1, while the main switch is still on ETH2.
Is that correct? I don’t have such rule in my configuration, and dstnat forwarding works. I have only input rules for accessing ROS system services (VPNs)
If it is the same SIM as was in the ZTE and it worked from there, I doubt that the ISP changed something in the meantime, but it can also be the APN configuration (I have a different one to get a public IP, not the network APN).
Sorry for being confusing: If you have a public IP, you really just need to add an input rule with action accept in the IP > Firewall > Filter page. Your title is going to attract attention, so more a note for others, not your case. e.g. having a public IP on LTE is not common
With the default firewall and QuickSet, you need to allow the input traffic to the router.
LTE is/should be in the WAN interface list, so the !LAN rule in /ip/firewall/filter would drop the incoming traffic for the LTE’s public IP. The dst-nat rule looks right. But it will never get hit because the !LAN is dropping it.
Wooow. You may be right!!!
I see that now I do NOT have my external IP.
Yes, it is the same SIM card, and there is no way the ISP could change it. As it was working fine, I just removed the SIM card from the ZTE, put it into the Mikrotik and that’s it. It’s not working any more. So maybe there is a catch with the APN settings.
As long as
a. you have a properly formatted dst-nat rule
b. have the default firewall rule blocking all WAN traffic except for dst-nat or
own rule allowing dst-nat OR
no firewall rules (meaning all is permitted).
It should work. If it does not then it would seem you are stuck and need to contact ISP for a real IP.
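
The checks discussed in this thread, as an added example that is not part of any poster's reply: a small Python audit over a RouterOS-style export. The export text, addresses, port and the `WAN` list name are constructed assumptions, and the filter check only looks at forward-chain rules that match the WAN side.

```python
import ipaddress
import shlex

# RFC 1918 private ranges plus the RFC 6598 CGNAT shared range.
NOT_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

# Constructed export in RouterOS style: the rule still matches the old ZTE-era interface.
OLD_EXPORT = """\
/ip firewall nat
add chain=dstnat action=dst-nat in-interface=all-ethernet protocol=tcp dst-port=8080 to-addresses=192.168.88.10
/ip firewall filter
add chain=forward action=drop connection-nat-state=!dstnat in-interface-list=WAN comment="drop all from WAN not DSTNATed"
"""
NEW_EXPORT = OLD_EXPORT.replace("all-ethernet", "lte1")

def parse(export):
    """Return (menu, {key: value}) for every 'add' line of an export."""
    rules, menu = [], None
    for line in export.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line.startswith("add "):
            pairs = (t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t)
            rules.append((menu, dict(pairs)))
    return rules

def audit(export, wan_if, wan_addr, wan_list="WAN"):
    """List reasons a port forward arriving on wan_if would fail."""
    rules, findings = parse(export), []
    if any(ipaddress.ip_address(wan_addr) in n for n in NOT_PUBLIC):
        findings.append("address on %s is private/CGNAT, not the public IP" % wan_if)
    nat = [r for m, r in rules if m == "/ip firewall nat" and r.get("action") == "dst-nat"]
    if not any(r.get("in-interface") == wan_if for r in nat):
        findings.append("no dst-nat rule with in-interface=%s" % wan_if)
    for r in (r for m, r in rules if m == "/ip firewall filter" and r.get("chain") == "forward"):
        if r.get("action") == "accept" and r.get("connection-nat-state") == "dstnat":
            break  # own rule allowing dst-nat traffic is evaluated first
        from_wan = wan_if == r.get("in-interface") or wan_list == r.get("in-interface-list")
        if r.get("action") == "drop" and from_wan and r.get("connection-nat-state") != "!dstnat":
            findings.append("forward drop rule on WAN does not exempt dst-nat traffic")
            break
    return findings

if __name__ == "__main__":
    print(audit(OLD_EXPORT, "lte1", "100.72.15.9"))   # constructed CGNAT address
    print(audit(NEW_EXPORT, "lte1", "203.0.113.7"))   # constructed documentation address
```

The address to pass in is the one the router itself shows on the LTE interface, since a dynamic address does not appear in an export.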