Port mapping on LTE

Good morning.
So it seems that, little by little, I can get everything configured.

RB5009
ETH1 is connected to the FTTH ONT, with its VLAN and the PPPoE client
LTE1 USB stick k5160 is working and the RB5009 gets the public (but dynamic) IP
LTE1's route has a greater distance, so when both the FTTH and the LTE are up, traffic goes through FTTH
Once I unplug the fiber from the ONT, LTE kicks in

I need to access my LAN from the Internet, so I created a dst-nat rule to the destination IP in my LAN; when the FTTH is up, I can access my local resource as expected

# Port forward: TCP 8444 arriving on the PPPoE (FTTH) interface -> 192.168.1.97:8920.
# The rule is bound to in-interface=pppoe-out1, so it never matches packets that arrive
# on lte1; the failover path needs a rule that matches lte1 as well (e.g. a WAN
# interface list containing both interfaces, as suggested later in the thread).
add action=dst-nat chain=dstnat dst-port=8444 in-interface=pppoe-out1 \
    protocol=tcp to-addresses=192.168.1.97 to-ports=8920

Problem: when the FTTH is down and the LTE is up, the above rule DOES NOT WORK, even after replacing pppoe-out1 with lte1

Any help?
Thanks

Without a public IP, you cannot get back in.
LTE is typically behind CGNAT, so connections only work one way (outbound).

You need an external pivot point to which you can build a tunnel from the inside, and then use that tunnel to get back in.
Multiple options there.

But the easiest might be to check out MikroTik BTH (WireGuard based) or ZeroTier; both are intended for these use cases.

Well… I suppose my IP is not under NAT, neither on my side nor on the ISP side.
The RB5009 says my IP is 176.245.xxx.yyy
If I check here
https://whatismyipaddress.com/
I get the same result, the same IP address.

Moreover, the previous two old routers (Sercomm and ADB) were able to map ports when running with the very same USB LTE stick (k5160)

Here is the config

# 2024-03-12 00:39:58 by RouterOS 7.14
# software id = XxXxXxXxXxXxX
#
# model = RB5009UPr+S+
# serial number = XxXxXxXxXxXxX
# NOTE(review): software id, serial, PPPoE user and lease MACs are redacted as
# XxXxXxXxXxXxX in this paste; the values below are otherwise the live export.
/interface bridge
# Single LAN bridge; ether2-ether8 are added to it further down.
add name=local port-cost-mode=short
/interface ethernet
# ether1 is the FTTH uplink (carries vlan1036 and the PPPoE client below).
set [ find default-name=ether1 ] name=ether1-WAN poe-out=off
set [ find default-name=ether2 ] name=ether2-LAN2 poe-out=off
set [ find default-name=ether3 ] name=ether3-LAN3 poe-out=off
set [ find default-name=ether4 ] name=ether4-LAN4 poe-out=off
set [ find default-name=ether5 ] name=ether5-LAN5 poe-out=off
set [ find default-name=ether6 ] name=ether6-LAN6 poe-out=off
set [ find default-name=ether7 ] name=ether7-LAN7 poe-out=off
set [ find default-name=ether8 ] name=ether8-LAN8-PoE
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface lte
# lte1 is the second WAN (USB stick). No /ip route section is exported, so the
# FTTH-before-LTE preference described in the thread appears to rely on the
# interfaces' automatically added default routes — confirm with /ip route print.
set [ find default-name=lte1 ] allow-roaming=no sms-read=no
/interface vlan
add interface=ether1-WAN name=vlan1036 vlan-id=1036
/interface pppoe-client
# Primary WAN: PPPoE over vlan1036, installs its own default route.
add add-default-route=yes disabled=no interface=vlan1036 name=pppoe-out1 \
    user=XxXxXxXxXxXxX
/disk
set slot1 slot=slot1
set slot2 slot=slot2
set slot3 slot=slot3
set slot4 slot=slot4
set slot5 slot=slot5
set slot6 slot=slot6
set slot7 slot=slot7
/interface lte apn
set [ find default=yes ] apn=web.omnitel.it name=Omnitel use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=DHCP-pool ranges=192.168.1.190-192.168.1.253
/ip dhcp-server
add address-pool=DHCP-pool interface=local lease-time=1d name=DHCP-local
/interface bridge port
add bridge=local interface=ether2-LAN2 internal-path-cost=10 path-cost=10
add bridge=local interface=ether3-LAN3 internal-path-cost=10 path-cost=10
add bridge=local interface=ether4-LAN4 internal-path-cost=10 path-cost=10
add bridge=local interface=ether5-LAN5 internal-path-cost=10 path-cost=10
add bridge=local interface=ether6-LAN6 internal-path-cost=10 path-cost=10
add bridge=local interface=ether8-LAN8-PoE internal-path-cost=10 path-cost=10
add bridge=local interface=ether7-LAN7
/ip firewall connection tracking
set udp-timeout=10s
/interface lte settings
set mode=mbim
/ip address
add address=192.168.1.1/24 interface=local network=192.168.1.0
/ip cloud
# MikroTik cloud DDNS, refreshed every minute, so the dynamic WAN address stays resolvable.
set ddns-enabled=yes ddns-update-interval=1m update-time=no
/ip dhcp-server lease
add address=192.168.1.190 mac-address=XxXxXxXxXxXxX
add address=192.168.1.191 mac-address=XxXxXxXxXxXxX
add address=192.168.1.192 mac-address=XxXxXxXxXxXxX
add address=192.168.1.193 mac-address=XxXxXxXxXxXxX
add address=192.168.1.195 mac-address=XxXxXxXxXxXxX
/ip dhcp-server network
# LAN clients are handed 8.8.8.8 directly, not the router's own resolver.
add address=192.168.1.0/24 dns-server=8.8.8.8 gateway=192.168.1.1 netmask=24
/ip dns
# allow-remote-requests=yes makes the router answer DNS queries on every interface,
# including pppoe-out1 and lte1. Because the filter below has no rule dropping new
# WAN-originated input, this resolver is reachable from the Internet (an open resolver,
# usable for amplification). Either add an input rule that drops new connections not
# from the LAN, or set allow-remote-requests=no — LAN clients already get 8.8.8.8
# via DHCP above, so the router's resolver may not be needed at all.
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall filter
# Only two input rules are exported and there are no forward-chain rules at all.
# Nothing here rejects new connections arriving on pppoe-out1 or lte1 toward the router
# itself; anything not matched by these two lines falls through to the chain's default
# action (accept in RouterOS). The stock default configuration normally ships further
# rules (drop new input not from LAN, drop forwarded WAN traffic that was not dst-natted,
# etc.) which do not appear in this export — compare against the reply asking why the
# firewall rules were removed. The /ip service restrictions further down limit ssh and
# winbox to the LAN, but DNS above has no such restriction.
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
# All three dst-nat rules match in-interface=pppoe-out1 only, so port forwarding stops
# as soon as traffic arrives via lte1 instead. Matching on a WAN interface list that
# holds both pppoe-out1 and lte1 (or duplicating the rules for lte1) covers both paths.
# If a rule with in-interface=lte1 still never matches, verify that inbound packets
# actually reach lte1 (e.g. /tool sniffer or a logging filter rule) before assuming a
# NAT problem — the carrier may not deliver inbound connections even to a non-RFC1918
# address (TODO confirm).
add action=dst-nat chain=dstnat dst-port=1234 in-interface=pppoe-out1 \
    protocol=udp to-addresses=192.168.1.96 to-ports=1234
add action=dst-nat chain=dstnat dst-port=5678 in-interface=pppoe-out1 \
    protocol=tcp to-addresses=192.168.1.97 to-ports=5678
add action=dst-nat chain=dstnat dst-port=910 in-interface=pppoe-out1 \
    protocol=tcp to-addresses=192.168.1.94 to-ports=910
add action=masquerade chain=srcnat out-interface=lte1
/ip service
# Management surface: telnet, ftp, www, api and api-ssl disabled; ssh and winbox
# answer only to 192.168.1.0/24. This is what currently shields management from the
# WAN side, since the filter chain above does not.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.1.0/24
set api disabled=yes
set winbox address=192.168.1.0/24
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=RB5009
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=ntp1.inrim.it

Create a WAN interface list (Interfaces menu) and match on that interface list instead of in-interface=pppoe-out1 / lte1 for masquerade and dst-nat
Why did you delete all the rules in the firewall?

I already created the list days ago, but there was no improvement, so I reverted to a single interface instead of an interface list.
Would what you suggest solve the problem, or is it just a best practice?

Starting from the default configuration, I did not delete any firewall rules; I only added the two lines

# Input chain as exported: accept established/related/untracked, then drop invalid.
# No rule follows to drop the remaining new connections from the WAN interfaces, so
# anything not covered by these two lines falls through to the chain's default action
# (accept in RouterOS); a final "drop new input not from LAN" rule is what is missing.
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid

Am I at risk?