Community discussions

MikroTik App
 
user18273
newbie
Topic Author
Posts: 29
Joined: Sat Feb 20, 2021 9:20 pm

Port forward from LTE

Mon Mar 27, 2023 6:15 pm

Hello,

So i was using ZTE 5G modem as internet source in bridge mode. All routing where done on "wAP LTE6 kit Mikrotik". It got internet over ETH1 from ZTE, and over ETH2 internet was passed to the main switch. ZTE stopped working so i've send it to the warranty and swapped SIM card from broken ZTE to wAP LTE6 kit Mikrotik.

All routing (and port forward) was done on Mikrotik even with ZTE (because ZTE slow and very basic and worked only in bridge mode).
For all port forwarding rules where set "all ethernet" as source (In. interface). As ZTE gone and SIM card is now directly in the Mikrotik, i've changed port forwarding rule and instead on "All Ethernet" i've set "LTE". BUT it's not working :( it's not doing port forwarding. And yes, we have fixed public IP on our sim card.

Any ideas how to solve this issue?

Thank you.
You do not have the required permissions to view the files attached to this post.
 
optio
Long time Member
Long time Member
Posts: 655
Joined: Mon Dec 26, 2022 2:57 pm

Re: Port forward from LTE

Mon Mar 27, 2023 6:32 pm

Select in In. Interface lte1 and in Action section select dst-nat action and To Address <local_ip>
 
user18273
newbie
Topic Author
Posts: 29
Joined: Sat Feb 20, 2021 9:20 pm

Re: Port forward from LTE

Mon Mar 27, 2023 6:35 pm

That's what i did in the first place. And it is not working :|
It looks like you have to change only one parameter (from all ethernet to lte1). But this is not working :(
You do not have the required permissions to view the files attached to this post.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Port forward from LTE

Mon Mar 27, 2023 6:37 pm

/export file=anynameyouwish ( minus serial number and any public WANIP information )
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Port forward from LTE

Mon Mar 27, 2023 6:40 pm

The port also needs to be allowed on the "input" in the /ip firewall filter for the same port/protocol as the dst-nat to work. And it should be added just below the ICMP input accept rule. The dst-nat rule is still needed.

Note here....this part is critical:
And yes, we have fixed public IP on our sim card.

since most standard LTE services use CGNAT, which would not allow port forwarding.
 
optio
Long time Member
Long time Member
Posts: 655
Joined: Mon Dec 26, 2022 2:57 pm

Re: Port forward from LTE

Mon Mar 27, 2023 6:40 pm

This should work (unless you have some other rules that affect this), also To Ports doesn't need to be added if the same as port in Dst. Port. Examining configuration export could help.
 
user18273
newbie
Topic Author
Posts: 29
Joined: Sat Feb 20, 2021 9:20 pm

Re: Port forward from LTE

Mon Mar 27, 2023 6:43 pm

/export file=anynameyouwish ( minus serial number and any public WANIP information )
Sorry. Did not understand correctly. But i don't need to export anything. I only need to make some changes in port forwarding so it could port forward FROM LTE1 (sim card) to ETH2. Previous configuration was working from ETH1 port forward to ETH2. Now my internet is coming not from ETH1, but from LTE1, while main switch still on the ETH2.
 
optio
Long time Member
Long time Member
Posts: 655
Joined: Mon Dec 26, 2022 2:57 pm

Re: Port forward from LTE

Mon Mar 27, 2023 6:45 pm

The port also needs to be allowed on the "input" in the /ip firewall filter for the same port/protocol as the dst-nat to work.
Is that correct? I don't have such rule in my configuration, and dstnat forwarding works. I have only input rules for accessing ROS system services (VPNs)
 
user18273
newbie
Topic Author
Posts: 29
Joined: Sat Feb 20, 2021 9:20 pm

Re: Port forward from LTE

Mon Mar 27, 2023 6:45 pm

The port also needs to be allowed on the "input" in the /ip firewall filter for the same port/protocol as the dst-nat to work. And it should be added just below the ICMP input accept rule. The dst-nat rule is still needed.
You mean on the same FW NAT rule, on this page:
You do not have the required permissions to view the files attached to this post.
 
user18273
newbie
Topic Author
Posts: 29
Joined: Sat Feb 20, 2021 9:20 pm

Re: Port forward from LTE

Mon Mar 27, 2023 6:46 pm

The port also needs to be allowed on the "input" in the /ip firewall filter for the same port/protocol as the dst-nat to work.
Is that correct? I don't have such rule in my configuration, and dstnat forwarding works. I have only input rules for accessing ROS system services (VPNs)
Do you have your internet over sim card, from LTE1 ?
 
user18273
newbie
Topic Author
Posts: 29
Joined: Sat Feb 20, 2021 9:20 pm

Re: Port forward from LTE

Mon Mar 27, 2023 6:48 pm

since most standard LTE services use CGNAT, which would not allow port forwarding. [/i]
You mean there is no way to make port forward using sim card (lte1) as internet source? :|
hard to believe..
 
optio
Long time Member
Long time Member
Posts: 655
Joined: Mon Dec 26, 2022 2:57 pm

Re: Port forward from LTE

Mon Mar 27, 2023 6:49 pm


Is that correct? I don't have such rule in my configuration, and dstnat forwarding works. I have only input rules for accessing ROS system services (VPNs)
Do you have your internet over sim card, from LTE1 ?
Yes, I'm using Chateau LTE12. My WAN (internet) inteface is lte1
 
user18273
newbie
Topic Author
Posts: 29
Joined: Sat Feb 20, 2021 9:20 pm

Re: Port forward from LTE

Mon Mar 27, 2023 6:51 pm

Yes, I'm using Chateau LTE12. My WAN (internet) inteface is lte1
And you only have "in.interface" as lte1 and port forward is working for you ? :|
 
optio
Long time Member
Long time Member
Posts: 655
Joined: Mon Dec 26, 2022 2:57 pm

Re: Port forward from LTE  [SOLVED]

Mon Mar 27, 2023 6:51 pm

since most standard LTE services use CGNAT, which would not allow port forwarding. [/i]
You mean there is no way to make port forward using sim card (lte1) as internet source? :|
hard to believe..
If is the same SIM as was in ZTE and from there it worked, I doubt that ISP changed something in the mean time, but also can be APN configuration (I have different to get public IP, not network APN)
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Port forward from LTE

Mon Mar 27, 2023 6:52 pm

since most standard LTE services use CGNAT, which would not allow port forwarding. [/i]
Sorry for being confusing: If you have a public IP, you really just need to add an input rule with action accept in the IP > Firewall > Filter page. Your title is going to attract attention, so more a note for others, not your case. e.g. having a public IP on LTE is not common
Last edited by Amm0 on Mon Mar 27, 2023 6:54 pm, edited 1 time in total.
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Port forward from LTE

Mon Mar 27, 2023 6:54 pm

With the default firewall and QuickSet, you need to allow the input traffic to router.

LTE is/should be in WAN interface list, so the !LAN rule in /ip/firewall/filter would drop the traffic incoming traffic for the LTE's public IP. The dst-nat rule looks right. But it will never get hit because the !LAN is dropping it.
 
optio
Long time Member
Long time Member
Posts: 655
Joined: Mon Dec 26, 2022 2:57 pm

Re: Port forward from LTE

Mon Mar 27, 2023 6:54 pm

Yes, I'm using Chateau LTE12. My WAN (internet) inteface is lte1
And you only have "in.interface" as lte1 and port forward is working for you ? :|
Yes, I actually use In. interface list WAN (which is set to lte1) but it should be the same, others settings as I posted before.
 
user18273
newbie
Topic Author
Posts: 29
Joined: Sat Feb 20, 2021 9:20 pm

Re: Port forward from LTE

Mon Mar 27, 2023 6:59 pm

If is the same SIM as was in ZTE and from there it worked, I doubt that ISP changed something in the mean time, but also can be APN configuration (I have different to get public IP, not network APN)
Wooow. You maybe right!!!
i see that now i have NOT my external IP.

Yes, it is the same SIM card, and there is no way ISP could change it. As it was working fine, i just removed sim card from ZTE, put in to Mikrotik and that's it. It's not working any more. So maybe there is a catch with APN settings.
 
user18273
newbie
Topic Author
Posts: 29
Joined: Sat Feb 20, 2021 9:20 pm

Re: Port forward from LTE

Mon Mar 27, 2023 7:03 pm

If is the same SIM as was in ZTE and from there it worked, I doubt that ISP changed something in the mean time, but also can be APN configuration (I have different to get public IP, not network APN)
YES !!!!
You are my saver !!!

I only add one setting in APN and it started to work (with LTE1) as In.interface!!!

Thank you !!!!
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Port forward from LTE

Mon Mar 27, 2023 7:05 pm

As long as
a. you have a proper formatted dst-nat rule
b. have the default firewall rule blocking all WAN traffic except for dst-nat or
own rule allowing dst-nat OR
no firewall rules (meaning all is permitted).

It should work. If it does not then it would seem you are stuck and need to contact ISP for a real IP.

Para 5 applies -- viewtopic.php?p=885249#p885249
 
optio
Long time Member
Long time Member
Posts: 655
Joined: Mon Dec 26, 2022 2:57 pm

Re: Port forward from LTE

Mon Mar 27, 2023 7:07 pm

If is the same SIM as was in ZTE and from there it worked, I doubt that ISP changed something in the mean time, but also can be APN configuration (I have different to get public IP, not network APN)
YES !!!!
You are my saver !!!

I only add one setting in APN and it started to work (with LTE1) as In.interface!!!

Thank you !!!!
I guess manual not Network APN
 
user18273
newbie
Topic Author
Posts: 29
Joined: Sat Feb 20, 2021 9:20 pm

Re: Port forward from LTE

Mon Mar 27, 2023 7:07 pm

With the default firewall and QuickSet, you need to allow the input traffic to router.

LTE is/should be in WAN interface list, so the !LAN rule in /ip/firewall/filter would drop the traffic incoming traffic for the LTE's public IP. The dst-nat rule looks right. But it will never get hit because the !LAN is dropping it.
It was only the APN problem :)
It was using default APN and i was getting random IP address. That's where the problem was.
After i changed to correct APN, (and in.interface to LTE1), all started to work!

thank's to Optio !!!
 
optio
Long time Member
Long time Member
Posts: 655
Joined: Mon Dec 26, 2022 2:57 pm

Re: Port forward from LTE

Mon Mar 27, 2023 7:08 pm

With the default firewall and QuickSet, you need to allow the input traffic to router.

LTE is/should be in WAN interface list, so the !LAN rule in /ip/firewall/filter would drop the traffic incoming traffic for the LTE's public IP. The dst-nat rule looks right. But it will never get hit because the !LAN is dropping it.
It was only the APN problem :)
It was using default APN and i was getting random IP address. That's where the problem was.
After i changed to correct APN, (and in.interface to LTE1), all started to work!

thank's to Optio !!!
No problem
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Port forward from LTE

Mon Mar 27, 2023 7:09 pm

So the issue was the "Use Network APN" was checked... That would cause the APN that set to not be used. Good catch.

And I guess the default firewall now does deal with the dst-nat. Learn something new.
Last edited by Amm0 on Mon Mar 27, 2023 7:10 pm, edited 1 time in total.
 
user18273
newbie
Topic Author
Posts: 29
Joined: Sat Feb 20, 2021 9:20 pm

Re: Port forward from LTE

Mon Mar 27, 2023 7:09 pm

I guess manual not Network APN
Yes. ISP long time ago, gave me a custom APN, but i really forgot this.
On the APN configuration there was "internet" but not the custom with proper hostname.
 
user18273
newbie
Topic Author
Posts: 29
Joined: Sat Feb 20, 2021 9:20 pm

Re: Port forward from LTE

Mon Mar 27, 2023 7:10 pm

So the issue was the "Use Network APN" was checked... That would cause the APN that set to not be used. Good catch.
Very good catch. I was looking for a problem absolutely in other place :)
 
optio
Long time Member
Long time Member
Posts: 655
Joined: Mon Dec 26, 2022 2:57 pm

Re: Port forward from LTE

Mon Mar 27, 2023 7:11 pm

I guess manual not Network APN
Yes. ISP long time ago, gave me a custom APN, but i really forgot this.
Same here, network is CGNAT, custom provided - public
 
user18273
newbie
Topic Author
Posts: 29
Joined: Sat Feb 20, 2021 9:20 pm

Re: Port forward from LTE

Mon Mar 27, 2023 7:19 pm

Yes. ISP long time ago, gave me a custom APN, but i really forgot this.
Same here, network is CGNAT, custom provided - public
one small configuration line, makes many servers down 🙃
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Port forward from LTE

Mon Mar 27, 2023 7:51 pm

Will adjust article accordingly!!
 
User avatar
cascom
newbie
Posts: 40
Joined: Wed Oct 24, 2018 5:22 am
Location: Texas
Contact:

Re: Port forward from LTE

Fri Jan 12, 2024 5:30 pm

The port also needs to be allowed on the "input" in the /ip firewall filter for the same port/protocol as the dst-nat to work. And it should be added just below the ICMP input accept rule. The dst-nat rule is still needed.

Note here....this part is critical:
And yes, we have fixed public IP on our sim card.

since most standard LTE services use CGNAT, which would not allow port forwarding.
Can you give an exaple of this filter rule setup?
I have same issue trying to forward a port with a static IP on an lte modem in my mikrotik sxt
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Port forward from LTE

Fri Jan 12, 2024 8:07 pm

Take a look at this article in docs... LTE should be same as anything WAN for port forwarding –
https://help.mikrotik.com/docs/display/ ... forwarding

It's also possible even if you a public IP that LTE carrier does not let you bind to privileged ports (e.g. ports below 1024).

If you still have issues post a sanitized config.

Who is online

Users browsing this forum: No registered users and 62 guests