T-Mobile business static IP passthrough to Mikrotik

I have a T-Mobile static IP. Connection to the tower is good with an Inseego FX3100 router/modem set to passthrough to Mikrotik RB2011UiAS running ROS 7.18.2.

Previously, I had a DSL bridged static IP and port forwarding worked perfectly. The reason for this change is that T-Mobile static service is much faster D/L and U/L than prior DSL connection, and there are very limited other options from my base.

I changed dstNAT to new static address, but otherwise left firewall and NAT rules unchanged. Now, I can get some ports open, but not port 53 TCP, though UDP seems to be open. My PTR record is unseeable, though other MX functions work. There is a DNS/NS problem, though a website I host is reachable by name with SSL/TLS certificate in place. I have not activated IPv6.

I will be happy to post complete config and any details, but I want first to know if there is some problem inherent to this set up not dependent on Mikrotik router. Thanks in advance for any help.

Are you using “b2b.static” as APN and unchecking “Use Network APN” in the LTE APN settings?

You may want to confirm b2b.static is right for your account, but I think they use same for any account that has paid for the fee to enable static IPs.

Otherwise the default config should just work. The default source NAT can be left as masquerade, although you can replace that with a src-nat rule if you’re sure it will be the same IP (although I’d leave masquerade just in case you change APNs or other carrier-side issues get you a different IP). Incoming ports will be blocked by default firewall, unless you create specific dst-nat rules in /ip/firewall/nat.

You might want to post your config (:export file=config.rsc at terminal, then use File in webfig/winbox to download file to PC, then open/cut-and-paste to forum)

Thanks, Amm0, this response is reassuring.

The TMOBUS APN is indeed b2b.static, and I have unchecked the box. The b2b.static is, I believe, right for my account and was provided by TMO. However there are 2 other APNs which seem to have been added, whether by me, or auto, I don’t know. Nor do I know if they conflict and are causing trouble. Also, there is no actual LTE interface, and I do not see LTE as an option in the add interface list.

I would prefer to DM the complete config file to you, if you wish. Although I added the qualifier < hide-sensitive>, the file as I read it contained the WAN IP from TMO, and local MAC addresses. The latter may not matter much, but the former while perhaps obtainable publicly is not something I wish to disclose at this time. It will contain the complete config, from which file excised [***] the static IP and certain other info which I did not wish to make public.

Again, your help is much appreciated. TMO support has not been successful. I have some other, as yet, unexplored resources, but I believe this forum is the best place to start.

chandoz

Hmm. If you’re not seeing the lte1 interface that’s a bit different.

I thought the Inseego FX3100 was one of the hotspots with USB, but just looked, and that’s more a full-blown router…

You may be best just using Mikrotik defaults, and enabling the “DMZ Passthrough” on the FX3100 to the IP address obtained on the MikroTik when the Inseego is connected to ether1. https://inseego.com/resources/product-documentation/wavemaker-fx3100/t-mobile/user-guide/advanced-settings/firewall-tab/

I’m not sure there is a “real” passthrough of the LTE/5G modem to RouterOS directly.

Hi Amm0,

NOTE: for main concern, see #6, below. The long post is to try to explain the reasons for it, as I see them.

Still I struggle with T-Mobile static IP. My data flow is arranged like this:

  1. Tmo tower --I can not determine which one, after hours of searching.

  2. An external Mohamp Mimox2 directional panel antenna mounted on another antenna pole on my roof. The antenna probably is not aimed L.O.S. to the tower, no matter which one it turns out to be. I intend to reposition it as soon as I can determine how to get a reliable location. The web site for my router lists the tower as the band as n71:
    Tower #7536971778 ICCID 8901260414704886877 PTN 15884504446

I don’t really know what these numbers mean. n71 is one of T-Mobile’s 5G bands, 617-698 MHz, though at times, it has indicated an n41 band (2496-2690 MHz), for presumably, a different tower.

  3. About 50 meters of LMR600 cable, attached to the antenna’s leads, which are SMA, a smaller cable type/gauge. These, as well as the Inseego FX3100’s external antenna ports (TS9-9) may make the LMR600 cable attached between the antenna and router gross overkill, as the other cable/port types could be limiting factors. But I made the choice of LMR600 to minimize signal degradation to the extent possible.

  4. The Inseego FX3100, in “passthrough” mode. Instructions state this mode identifies the MAC # of first device connected to either of 2 ethernet ports. I have assigned port 1 to Mikrotik ether1’s MAC address. This process appears to work insofar as the signal does appear as my WAN static IP address in the RB2011UiAS.

  5. The RB2011UiAS controls my LAN, which includes 3 Ubiquiti access points, 6-8 computers, a 12Tb server, and many other devices. The server has many ports which, in the past, the Mikrotik router successfully forwarded to it from a DSL ISP. The server includes a DNS server, a mail server, and many dedicated apps running a version of Linux (Synology DSM). Another server, HP r620, is also part of the network, but I have not used it much as its Linux version is probably too old to operate most of the apps I would wish to use.

I have tried many, many configurations of the passthrough router, the Mikrotik router, and the Synology (NAS) server to try to get all the ports I want open to be forwarded correctly. To date, I am able to operate a crude demo website, and at times, the mail server. But DNS remains a significant problem. Each device in the signal path has DNS settings, and most have multiple, presumably flexible alternative options. I have tried as many as I could think of and adopt. Nothing works to open TCP port 53, though UDP 53 is almost always open. The standard default mail server ports generally are open, as are some custom ports I use to control the server functions. However, no configuration of the Synology DNS server allows PTR/TXT zone files to load a reverse DNS; thus, mail can not be sent from server-based e-addresses to Gmail accounts. A call to T-Mobile’s pathetically inadequate “support” for its “business” internet asking for delegation of the static IP to my domain was a waste of time. The staff were basically customer service reps with minimal training, knowledge or any business insight appropriate to the service they sell. I have seen posts from other T-Mobile users stating essentially the same thing. Most are several years old. I can only assume that T-Mobile launched the program without interest in customer satisfaction. Geolocation, for example, has placed my static IP address variously in Bellevue, WA, Dallas, TX and (currently) in Wichita, KS. With all these problems, the T-Mobile bus service is cheap, faster than DSL which ATT is discontinuing, and easy to obtain. It limps along, functioning in a few important ways, and failing in others.

I should note that, while my personal T-Mobile account uses IPv6 addresses from the tower, the business account seems to use IPv4 exclusively. I have set the passthrough modem (Inseego) to accept either. Mikrotik is not configured for IPv6 although I am considering that option. I don’t really know how to do it for all the devices in the signal path.

  6. I know this post is over-long, and I do not really expect a reply, but if you could give me some advice about DNS settings to get the signal through to the server as best it can be, that would respond to what I believe is my most important need. The strangest part of all this is that with the old very slow DSL connection, the whole network and remote connections were fine, except super slow. And now DSL is going away. My site is too remote for any other provider (Starlink’s reputation is poor). Thanks for your past info, and for any help you can give. I can post the whole Mikrotik config file if desired.

chandoz
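
Added example, not part of any post in this thread: a small Python check for the symptom described above (UDP 53 answering while TCP 53 does not). It sends the same DNS query over both transports and shows the in-addr.arpa name a PTR lookup asks for; the server address and zone are placeholders, and it is meant to be run from a host outside the LAN.

```python
import ipaddress, socket, struct

def build_query(name, qtype, txid=0x1234):
    """Encode a one-question DNS query (class IN, recursion desired)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    """Return (txid, rcode, truncated, answer_count) from a DNS reply."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, answers = struct.unpack("!HHHH", msg[:8])
    return txid, flags & 0x000F, bool(flags & 0x0200), answers

def ptr_name(ip):
    """Owner name a resolver queries for a reverse (PTR) lookup of ip."""
    return ipaddress.ip_address(ip).reverse_pointer

def probe(server, name, qtype, transport, port=53, timeout=3.0):
    """Send one query over 'udp' or 'tcp' and summarise the reply."""
    query = build_query(name, qtype)
    try:
        if transport == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (server, port))
                reply, _ = s.recvfrom(4096)
        else:  # DNS over TCP prefixes each message with a 2-byte length
            with socket.create_connection((server, port), timeout=timeout) as s, \
                    s.makefile("rb") as f:
                s.sendall(struct.pack("!H", len(query)) + query)
                (length,) = struct.unpack("!H", f.read(2))
                reply = f.read(length)
        _txid, rcode, tc, answers = parse_header(reply)
        return f"{transport}: rcode={rcode} answers={answers} truncated={tc}"
    except (OSError, ValueError, struct.error) as exc:
        return f"{transport}: no usable reply ({type(exc).__name__})"

if __name__ == "__main__":
    # Placeholders, not values from the thread: substitute the WAN IP and zone.
    wan_ip, zone = "192.0.2.10", "example.com"
    for transport in ("udp", "tcp"):
        print(probe(wan_ip, zone, 16, transport))  # 16 = TXT record type
    print("PTR owner name:", ptr_name(wan_ip))
```

A UDP reply with truncated=True tells the resolver to retry over TCP, so a closed TCP 53 turns larger answers such as TXT records into failed lookups even though UDP 53 looks open.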