Hello,

So i was using ZTE 5G modem as internet source in bridge mode. All routing where done on "wAP LTE6 kit Mikrotik". It got internet over ETH1 from ZTE, and over ETH2 internet was passed to the main switch. ZTE stopped working so i've send it to the warranty and swapped SIM card from broken ZTE to wAP LTE6 kit Mikrotik.

All routing (and port forward) was done on Mikrotik even with ZTE (because ZTE slow and very basic and worked only in bridge mode).
For all port forwarding rules where set "all ethernet" as source (In. interface). As ZTE gone and SIM card is now directly in the Mikrotik, i've changed port forwarding rule and instead on "All Ethernet" i've set "LTE". BUT it's not working it's not doing port forwarding. And yes, we have fixed public IP on our sim card.

Any ideas how to solve this issue?

Thank you.

Select in In. Interface lte1 and in Action section select dst-nat action and To Address <local_ip>

That's what i did in the first place. And it is not working
It looks like you have to change only one parameter (from all ethernet to lte1). But this is not working

/export file=anynameyouwish ( minus serial number and any public WANIP information )

The port also needs to be allowed on the "input" in the /ip firewall filter for the same port/protocol as the dst-nat to work. And it should be added just below the ICMP input accept rule. The dst-nat rule is still needed.

Note here....this part is critical:

And yes, we have fixed public IP on our sim card.

since most standard LTE services use CGNAT, which would not allow port forwarding.

This should work (unless you have some other rules that affect this), also To Ports doesn't need to be added if the same as port in Dst. Port. Examining configuration export could help.

/export file=anynameyouwish ( minus serial number and any public WANIP information )

Sorry. Did not understand correctly. But i don't need to export anything. I only need to make some changes in port forwarding so it could port forward FROM LTE1 (sim card) to ETH2. Previous configuration was working from ETH1 port forward to ETH2. Now my internet is coming not from ETH1, but from LTE1, while main switch still on the ETH2.

The port also needs to be allowed on the "input" in the /ip firewall filter for the same port/protocol as the dst-nat to work.

Is that correct? I don't have such rule in my configuration, and dstnat forwarding works. I have only input rules for accessing ROS system services (VPNs)

The port also needs to be allowed on the "input" in the /ip firewall filter for the same port/protocol as the dst-nat to work. And it should be added just below the ICMP input accept rule. The dst-nat rule is still needed.

You mean on the same FW NAT rule, on this page:

The port also needs to be allowed on the "input" in the /ip firewall filter for the same port/protocol as the dst-nat to work.

Is that correct? I don't have such rule in my configuration, and dstnat forwarding works. I have only input rules for accessing ROS system services (VPNs)

Do you have your internet over sim card, from LTE1 ?

since most standard LTE services use CGNAT, which would not allow port forwarding. [/i]

You mean there is no way to make port forward using sim card (lte1) as internet source?
hard to believe..

Is that correct? I don't have such rule in my configuration, and dstnat forwarding works. I have only input rules for accessing ROS system services (VPNs)

Do you have your internet over sim card, from LTE1 ?

Yes, I'm using Chateau LTE12. My WAN (internet) inteface is lte1

Yes, I'm using Chateau LTE12. My WAN (internet) inteface is lte1

And you only have "in.interface" as lte1 and port forward is working for you ?

since most standard LTE services use CGNAT, which would not allow port forwarding. [/i]

You mean there is no way to make port forward using sim card (lte1) as internet source?
hard to believe..

If is the same SIM as was in ZTE and from there it worked, I doubt that ISP changed something in the mean time, but also can be APN configuration (I have different to get public IP, not network APN)

since most standard LTE services use CGNAT, which would not allow port forwarding. [/i]

Sorry for being confusing: If you have a public IP, you really just need to add an input rule with action accept in the IP > Firewall > Filter page. Your title is going to attract attention, so more a note for others, not your case. e.g. having a public IP on LTE is not common

With the default firewall and QuickSet, you need to allow the input traffic to router.

LTE is/should be in WAN interface list, so the !LAN rule in /ip/firewall/filter would drop the traffic incoming traffic for the LTE's public IP. The dst-nat rule looks right. But it will never get hit because the !LAN is dropping it.

Yes, I'm using Chateau LTE12. My WAN (internet) inteface is lte1

And you only have "in.interface" as lte1 and port forward is working for you ?

Yes, I actually use In. interface list WAN (which is set to lte1) but it should be the same, others settings as I posted before.

If is the same SIM as was in ZTE and from there it worked, I doubt that ISP changed something in the mean time, but also can be APN configuration (I have different to get public IP, not network APN)

Wooow. You maybe right!!!
i see that now i have NOT my external IP.

Yes, it is the same SIM card, and there is no way ISP could change it. As it was working fine, i just removed sim card from ZTE, put in to Mikrotik and that's it. It's not working any more. So maybe there is a catch with APN settings.

If is the same SIM as was in ZTE and from there it worked, I doubt that ISP changed something in the mean time, but also can be APN configuration (I have different to get public IP, not network APN)

YES !!!!
You are my saver !!!

I only add one setting in APN and it started to work (with LTE1) as In.interface!!!

Thank you !!!!

As long as
a. you have a proper formatted dst-nat rule
b. have the default firewall rule blocking all WAN traffic except for dst-nat or
own rule allowing dst-nat OR
no firewall rules (meaning all is permitted).

It should work. If it does not then it would seem you are stuck and need to contact ISP for a real IP.

Para 5 applies -- viewtopic.php?p=885249#p885249

If is the same SIM as was in ZTE and from there it worked, I doubt that ISP changed something in the mean time, but also can be APN configuration (I have different to get public IP, not network APN)

YES !!!!
You are my saver !!!

I only add one setting in APN and it started to work (with LTE1) as In.interface!!!

Thank you !!!!

I guess manual not Network APN

With the default firewall and QuickSet, you need to allow the input traffic to router.

LTE is/should be in WAN interface list, so the !LAN rule in /ip/firewall/filter would drop the traffic incoming traffic for the LTE's public IP. The dst-nat rule looks right. But it will never get hit because the !LAN is dropping it.

It was only the APN problem
It was using default APN and i was getting random IP address. That's where the problem was.
After i changed to correct APN, (and in.interface to LTE1), all started to work!

thank's to Optio !!!

With the default firewall and QuickSet, you need to allow the input traffic to router.

LTE is/should be in WAN interface list, so the !LAN rule in /ip/firewall/filter would drop the traffic incoming traffic for the LTE's public IP. The dst-nat rule looks right. But it will never get hit because the !LAN is dropping it.

It was only the APN problem
It was using default APN and i was getting random IP address. That's where the problem was.
After i changed to correct APN, (and in.interface to LTE1), all started to work!

thank's to Optio !!!

No problem

So the issue was the "Use Network APN" was checked... That would cause the APN that set to not be used. Good catch.

And I guess the default firewall now does deal with the dst-nat. Learn something new.

I guess manual not Network APN

Yes. ISP long time ago, gave me a custom APN, but i really forgot this.
On the APN configuration there was "internet" but not the custom with proper hostname.

So the issue was the "Use Network APN" was checked... That would cause the APN that set to not be used. Good catch.

Very good catch. I was looking for a problem absolutely in other place

I guess manual not Network APN

Yes. ISP long time ago, gave me a custom APN, but i really forgot this.

Same here, network is CGNAT, custom provided - public

Yes. ISP long time ago, gave me a custom APN, but i really forgot this.

Same here, network is CGNAT, custom provided - public

one small configuration line, makes many servers down

Will adjust article accordingly!!

The port also needs to be allowed on the "input" in the /ip firewall filter for the same port/protocol as the dst-nat to work. And it should be added just below the ICMP input accept rule. The dst-nat rule is still needed.

Note here....this part is critical:

And yes, we have fixed public IP on our sim card.

since most standard LTE services use CGNAT, which would not allow port forwarding.

Can you give an exaple of this filter rule setup?
I have same issue trying to forward a port with a static IP on an lte modem in my mikrotik sxt

Take a look at this article in docs... LTE should be same as anything WAN for port forwarding –
https://help.mikrotik.com/docs/display/ ... forwarding

It's also possible even if you a public IP that LTE carrier does not let you bind to privileged ports (e.g. ports below 1024).

If you still have issues post a sanitized config.