Port forward on LTE

RouterOS Beginner Basics
1

hi
I do have Huwaei E8732 that is doing NAT, I’ve configured the Mikrotik as DMZ on it and it should be published with its external IP (fix ip).
how do I config the port forward for the LTE interface with the external IP on the Mikrotik side ?

thanks in advance

2

In theory port-forwarding is configured the same way regardless the WAN interface technology.

In practice, many MNOs firewall traffic even though users get globally-routable IP addresses (as opposed to CGNAT addresses). Which means it might be possible you can’t really do port forwarding into your LAN because connections are blocked already by ISP.

3

I am not behind NAT, that’s why I mentioned fix ip
since the lte interface doesn’t familier with its external IP how do I make the right rule for that?

4

Do you have a public IP at the LTE modem.

In the US… You don’t unless you paid extra for a static IP.

5

You are contradicting yourself…
I do have Huwaei E8732 that is doing NAT,”
I am not behind NAT, that’s why I mentioned fix ip

In any case, if the modem is getting a public IP and you have the MT setup on the MODEM as forwarding everything (all ports) to the MT, then treat the MT fixed IP as your public IP.

add chain=dstnat action=dst-nat protocol=xxx dst-port=xxxx dst-address=fixedwanip
to-address=ipofserver

6

Let me explain it please,

The LTE external IP has fix public ip.
The Dongle itself is doing NAT on 192.168.8.0/24 and the Mikrotik gets 192.168.8.100 , on the dongle device 192.168.8.100 is configured as DMZ.

I want the external IP of the LTE to do port forward from
Ext ip x.x.x.x 》》 192.168.8.100 [MT] 》》 192.168.88.100 [Int host] on port 80

7

I pay more for that

8

How the chain will work if the mikrotik doesnt familoer with the external fix ip?

9

Draw a diagram as your explanations are more confusing then helpful.
How many routers do you have?
How many ISP connections do you have?
Who supplies the dongle??

10 
+---------------------------------------+
|                                       +----->  Fiber (CAT6) ether1    (external IP ISP)
|           Mikrotik hEX s              |
|                                       |
|                                       +----->  USB dongle E8732   (GW 192.168.8.1)
|                                       | 192.168.8.100
+--------------------+------------------+
                     |  192.168.88.1
                     |
                     |
                     |
                     |
                     |
                     +--------------->+-------------------------------+
                                      |                               |
                                      |      lan switch               |
                                      |                               |
                                      +-----+-------------------------+
                                            |
                                            |
                                            |
                                            |
                                            |
                         +---------------+  |
                         |   RPI         +<-+
                         |               |
                         +---------------+ 192.168.88.100
11

Just create two rules to cover off both wans.

A. PRIMARY WAN
In this scenario, you will only be able to port forward using a public IP from the ether1 ISP connection

add chain=dstnat action=dst-nat protocol=tcp dst-port=80 { either dst-address=fixedwanip or in-interface-list=WAN for dynamic wanip }
to-address=ipofserver

B. LTE BACKUP WAN
In this scenario, you will only be able to port forward using the fixed wanip provided by the dongle on your LTE connection.

add chain=dstnat action=dst-nat protocol=tcp dst-port=80 dst-address=fixedwanip

12

You will have to do port forwarding on the USB dongle. If that is not possible, then you will have to configure the USB dongle in bridge / passthrough mode (if possible) so it can pass the public IP directly to the Mikrotik and then do port forwarding on the Mikrotik

13

Its opened as dmz already so it sbould be ok from the dongle side.
What i dont understand how that mikrotik will know fixedwanip belongs to lte interface

14

Because its identified in a number of places…
ip dhcp client
Ip routes.

15

external wan IP?
its not defined no where
the dongle is on 192.168.8.x

Updated: I configured dst address as none and incoming interface as lte1 and it worked!
now I just need to make sure that this host is routing through the lte1 as default…

16

You will have to tell the Mikrotik whatever enters each WAN interface must leave same WAN interface going out to Internet, i.e. route rules and or mangle rules

17

Mangle??
I thought the LTE was a failover ISP, not concurrent???

18

It has traffic monitor rule to move to lte once fiber is loaded (if…)

e.g.
who can help me to understand how mangle ports are doing a port forward from external ips when firewall rules do not “block” them by default?

19

If the USB device does not know about the LAN subnet, then you can try the “fake” DMZ method (I hate the person that coined this “DMZ” phrase on these home devices) like you stated you have done already.

This way the “DMZ” forwarding will have to point to your Mikrotik, then your Mikrotik will have to do further port forwarding to your LAN device. Obviously then NATing out to USB modem will have to be done on Mikrotik also.

Leaving same WAN interface as it entered, see https://wiki.mikrotik.com/wiki/Manual:PCC for examples, also many posts / topics on forum on this subject

Other option is to get a Mikrotik LTE device so you can properly configure routing, port forwarding, etc.

20

if course if the LTE would be able to act as a “modem” only it would be preffered but I assume its possibly only on E3372 and not E8732