AT&T Network Cisco Microcell won't work. Specifically, AT&T support says the ports are not open for the microcell and thus it won't register. What is odd is that the Microcell was installed without port forwarding and worked fine for months. After an outage with our tower where this person is connected, the Microcell would not reconnect again. This is actually not the first time I've seen this and I'm about at my wits' end going back and forth between the customers, AT&T and around again in circles! (there's my gripe, I'm done. Let's continue...)
I set up the same rules that work for DVR / NVR / IP Cameras, Xbox etc... But the same rules will not work with the Microcell.
I checked the rules will work by forwarding to several other devices on the local network (also beyond whatever switch and wiring at the home) and scanning with NMAP. Ports show as opened only when not pointed to the Microcell. I have set my firewall rules and checked them twice. My NMAP says naughty even though they are nice.
Setup and Equipment and Etc...
This is a RB941 hAP Lite for the router, on the latest 6.7 Router OS and 3.33 Firmware. The connection is a wISP fixed wireless, bridged UBNT 5GHz PtMP setup. The router has a Static Public IP set static on the WAN gateway. I added another Public IP to try and bypass the Masquerade NAT and effectively DMZ the microcell. AT&T said it was a hardened device and this is safe to do.
Here's a compact of the Config Export. Right now I have it setup as a "DMZ" style which was what the last AT&T support suggested we try. You'll see the other rules I disabled trying different combinations. The other rules for port 4369 are for a "Home Automation" system unrelated and it's working without a hitch.
# sep/24/2016 07:08:45 by RouterOS 6.37
# software id = G0UK-LSFL
#
/interface bridge
add admin-mac=E4:8D:8C:8B:07:6C auto-mac=no name=bridge-local
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce country="united states" distance=indoors frequency=auto mode=ap-bridge ssid=meow wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] arp=proxy-arp name=ether2-master-local
set [ find default-name=ether3 ] arp=proxy-arp master-port=ether2-master-local name=ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=ether4-slave-local
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-local name=default
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=ether2-master-local network=192.168.88.0
add address=188.8.131.52/30 interface=ether1-gateway network=184.108.40.206
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=no interface=ether1-gateway
/ip dhcp-server lease
add address=192.168.88.108 client-id="69:70:2e:61:63:63:65:73:73:2d:33:47:2d:41:50:2d:37:34:35:34:37:44:2d:30:30:32:37:35:33:39:37:33:33" comment=microcell mac-address=74:54:7D:FC:1B:F8 server=default
/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" gateway=192.168.88.1
/ip dns
set servers=220.127.116.11,18.104.22.168
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=accept chain=forward comment="default configuration" connection-state=established,related disabled=yes
add action=drop chain=forward comment="default configuration" connection-state=invalid disabled=yes
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface=ether1-gateway
add action=accept chain=input/forward fragment=yes protocol=tcp
add action=accept chain=input/forward fragment=yes protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
add action=accept chain=dstnat dst-port=8291 protocol=tcp
add action=src-nat chain=srcnat disabled=yes out-interface=ether1-gateway src-address=192.168.88.108 to-addresses=22.214.171.124
add action=accept chain=dstnat disabled=yes dst-address=126.96.36.199 to-addresses=192.168.88.108
add action=src-nat chain=srcnat disabled=yes src-address=192.168.88.108 to-addresses=188.8.131.52
add action=dst-nat chain=dstnat in-interface=ether1-gateway protocol=tcp to-addresses=192.168.88.108 to-ports=0-65535
add action=dst-nat chain=dstnat in-interface=ether1-gateway protocol=udp to-addresses=192.168.88.108 to-ports=0-65535
add action=dst-nat chain=dstnat dst-address=184.108.40.206 dst-port=4369 protocol=tcp to-addresses=192.168.88.101 to-ports=4369
add action=dst-nat chain=dstnat dst-address=220.127.116.11 dst-port=4369 protocol=udp to-addresses=192.168.88.101 to-ports=4369
add action=dst-nat chain=dstnat disabled=yes dst-port=123 in-interface=ether1-gateway protocol=udp to-addresses=192.168.88.108 to-ports=123
add action=dst-nat chain=dstnat disabled=yes dst-port=443 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.88.108 to-ports=123
add action=dst-nat chain=dstnat disabled=yes dst-port=500 in-interface=ether1-gateway protocol=udp to-addresses=192.168.88.108 to-ports=500
add action=dst-nat chain=dstnat disabled=yes dst-port=4500 in-interface=ether1-gateway protocol=udp to-addresses=192.168.88.108 to-ports=4500
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge-local type=internal
add interface=ether1-gateway type=external
/system clock
set time-zone-autodetect=no
/system identity
set name=01165-person-name
/system routerboard settings
set cpu-frequency=650MHz protected-routerboot=disabled
First I set up your typical dst-nat for the ports to the local device IP and confirmed it is in fact the right device and IP, and reserved the DHCP lease for the microcell. I played around with the rules.
No luck. For giggles I tested forwarding to other devices on the local network, and scanning with nmap showed the ports open. When I set the rules back to the Microcell nmap shows no ports reachable. Furthermore I cannot even ping the microcell on the local network, which seems strange. I see the following.
SEQ HOST SIZE TTL TIME STATUS
0 192.168.88.108 84 64 0ms port unreachable
I had our network admin check my dst-nat port forwarding rules forwarding all ports (minus winbox) to the darn thing, he said they looked fine and should work. I thought to try this myself and then when I spoke to the AT&T support he said if the forwarding doesn't work try to DMZ it.
Then I tried a different public IP altogether and just tried to SRC-NAT and DST-NAT to hopefully bypass the masquerade and effectively DMZ. (please forgive me I'm a total n00blette over here...)
And finally I realized several things. We supplied the router, but someone else did the internal networking and there is a switch or hub and wiring between where the microcell is. The Mikrotik hAP Lite is in a garage with thick walls. I will have him tomorrow plug it in directly to the port on the mikrotik and see if we have joy port forwarding to it then. Problem is GPS might not sync inside the garage :/
Second, the AT&T support said sometimes the problem is the nat itself. I tried to bypass it but could not as-is. My admin suggested making port 4 a slave to the WAN ether1-gateway so that hardware switching would fully bypass the RouterOS and then I could assign a public IP directly to the Microcell using the Tower's router to issue it via a custom DHCP network. (The tower is MikroTik.)
I am probably over thinking this, and that's why I am coming to you guys on bended knee and humbly asking for any advice you might have. I did search forums but could not find a similar question or answer for this.
Several things the support people shared with me, for what it's worth.
1. Dropping Fragmented Packets should be turned off. I found a rule to do that and tried it, no dice.
2. IPSec Passthrough should be off? I honestly don't know what this is.
3. MTU should be 1492, and I did try switching the interfaces all to 1492 and 1480. I switched it back though as it didn't fix it and I don't know what I'm doing enough to mess with it.
4. Latency should be under 50ms. I was pinging google DNS at 10ms-17ms-21ms responses.
5. Also I've been up for two days straight and I can't remember what else but I wrote it down, somewhere... I will probably realize later when I read this it's totally incoherent.
6. Support said the error code he was receiving from the microcell (I guess it calls home, often) only happens when ports are blocked, not the error for a bad unit etc.
The device is showing internet status and GPS status indicators so *should* work.
could be a bad microcell
could be I'm an idiot and I am missing something glaringly obvious to you guys
could be some unknown reason why mikrotik and microcell won't play nice. Might just have to get him a different router?
could be a local device causing conflict (that's right, I'm looking at you DirecTV box!! o.0 )
While I originally became obsessed with and doubted my firewall rules, I am not sure if it's actually the culprit and tomorrow will have them plug in directly to the dish feed and assign a Public IP directly to the Microcell. If that works I'll try the port on the actual Mikrotik, so I know it's not the switch in the dude's house. I will keep you apprised.
In the meantime, y'all can tell me what the best way I might setup this here fancy thingymajigger to work best?
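Added example, written for this page and not part of the post or of any MikroTik tooling: a small parser for the RouterOS export format shown above, with an audit pass that flags the two things worth calling out in that config before asking the NAT question, dst-nat rules that forward the whole 0-65535 port range to a LAN host (the "DMZ" style exposure) and default filter rules that have been left disabled. The sample export is constructed and modelled on the post's rules; `parse_export` and `audit` are my own names.

```python
import re
import shlex

# Constructed sample in RouterOS export format, modelled on the post's config.
SAMPLE_EXPORT = """\
# sep/24/2016 07:08:45 by RouterOS 6.37
/ip firewall filter
add action=accept chain=forward comment="default configuration" \\
    connection-state=established,related disabled=yes
add action=drop chain=forward comment="default configuration" \\
    connection-nat-state=!dstnat connection-state=new disabled=yes \\
    in-interface=ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-gateway
add action=dst-nat chain=dstnat in-interface=ether1-gateway protocol=tcp \\
    to-addresses=192.168.88.108 to-ports=0-65535
add action=dst-nat chain=dstnat dst-port=4369 protocol=tcp \\
    to-addresses=192.168.88.101 to-ports=4369
"""

def parse_export(text):
    """Return a list of (menu path, verb, {param: value}) from a RouterOS export."""
    rules, section, buf = [], "", ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):              # trailing backslash: join with next line
            buf += line[:-1] + " "
            continue
        line, buf = buf + line, ""
        if line.startswith("/"):              # menu path such as "/ip firewall nat"
            section = line
            continue
        line = re.sub(r"\[[^\]]*\]", "", line)   # drop "[ find ... ]" selectors
        verb, *tokens = shlex.split(line)        # shlex handles quoted comments
        params = dict(t.split("=", 1) for t in tokens if "=" in t)
        rules.append((section, verb, params))
    return rules

def audit(rules):
    """Flag full-range port forwards and disabled filter rules."""
    findings = []
    for section, _verb, p in rules:
        if section == "/ip firewall nat" and p.get("action") == "dst-nat":
            # no dst-port match plus a 0-... to-ports range means every port lands on the host
            if "dst-port" not in p and p.get("to-ports", "").startswith("0-"):
                findings.append(f"all {p.get('protocol')} ports forwarded to {p.get('to-addresses')}")
        if section == "/ip firewall filter" and p.get("disabled") == "yes":
            findings.append(f"disabled filter rule: chain={p.get('chain')} action={p.get('action')}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_export(SAMPLE_EXPORT))))
```

Run it against a real `/export` and the port-4369 style rules (explicit dst-port, single to-port) stay quiet while the catch-all forwards and the disabled "default configuration" drops are listed.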