Hi All,

My router dial PPPoE with ethernet1 to ISP fiber converter.
Once pppoe established, interface <pppoe-out1> has local address: 100.91.214.57 and remote address: 100.123.1.62.
The dynamic public ip: 183.80.67.230
My Lan ip: 192.168.100.0/24

Would need help for any setting so that I can see my router webconfig login when I use the public ip via internet.

The real reason is that I would need to configure VPN but the router is not “visible” when access from internet by public ip.

Thanks for any idea and comment.

Which device? You have to configure it first in LAN. By default access is permitted only from LAN. In the config you can specify access from WAN too.

It is RB 3011 UiAS-RM.

In LAN, it’s accessible. But from Internet, it’s not. I have no idea, seems no route from public ip to router ip.

Once the public ip link with pppoe ip, I think my router can be accessible from internet with VPN. Would need your advice.

It is RB 3011 UiAS-RM.

In LAN, it’s accessible. But from Internet, it’s not. I have no idea, seems no route from public ip to router ip.

Once the public ip link with pppoe ip, I think my router can be accessible from internet with VPN. Would need your advice.

Just read what I wrote: you have to configure it to allow access (also) from WAN (Internet). Consult the product documentation.

Greetings to Mikrotik user from Ho Chi Minh City!

Once pppoe established, interface <pppoe-out1> has local address: 100.91.214.57 and remote address: 100.123.1.62.
The dynamic public ip: 183.80.67.230

looks like you don't have a public IP, the one you are using, is shared between a number of users on your ISP's network. so when a VPN connection from the Internet reaches 183.80.67.230, it reaches your ISP's router, which will not forward the traffic to your router and will reject the request or just drop it.

of course you can request ( and most likely to have to pay for) an public IP from your ISP, then it will be assigned to your pppoe connection.

Greetings to Mikrotik user from Ho Chi Minh City!

Once pppoe established, interface <pppoe-out1> has local address: 100.91.214.57 and remote address: 100.123.1.62.
The dynamic public ip: 183.80.67.230

looks like you don't have a public IP, the one you are using, is shared between a number of users on your ISP's network. so when a VPN connection from the Internet reaches 183.80.67.230, it reaches your ISP's router, which will not forward the traffic to your router and will reject the request or just drop it.

of course you can request ( and most likely to have to pay for) an public IP from your ISP, then it will be assigned to your pppoe connection.

Yeah that could indeed be the case here.

Here's some more info https://networkengineering.stackexchange.com/a/49262 :

RFC6598 defines 100.64.0.0/10 as prefix for Shared Address Space. If you get an address from this prefix you are very likely behind a provider based NAT. Same is true for addresses from RFC1918 prefixes (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). Providers may also use public address for shared addressing.
You can test if you are behind a NAT by using websites like this
http://ip.bieringer.de/cgn-test.html (click the button "Test supported protocols" and then see what's in the Status field)
https://tools.ietf.org/html/rfc6598
https://tools.ietf.org/html/rfc1918

.

Code: Select all

$ ipcalc 100.64.0.0/10
Address:   100.64.0.0           01100100.01 000000.00000000.00000000
Netmask:   255.192.0.0 = 10     11111111.11 000000.00000000.00000000
Wildcard:  0.63.255.255         00000000.00 111111.11111111.11111111
=>
Network:   100.64.0.0/10        01100100.01 000000.00000000.00000000
HostMin:   100.64.0.1           01100100.01 000000.00000000.00000001
HostMax:   100.127.255.254      01100100.01 111111.11111111.11111110
Broadcast: 100.127.255.255      01100100.01 111111.11111111.11111111
Hosts/Net: 4194302               Class A

How would I say thanks to all of you mutluit and solar77 for your kind support.

I already called ISP to set public ip the same with wan ip/pppoe ip. Now, webfig/router is accessible with public ip via internet.

P/s: seems unable to select multiple posts for SOLVED marks

thank you for letting us know it's working. Many poster won't feedback on our suggestions which is a shame.
not important to vote a solution, it's not like we would get paid for it

How would I say thanks to all of you mutluit and solar77 for your kind support.

I already called ISP to set public ip the same with wan ip/pppoe ip. Now, webfig/router is accessible with public ip via internet.

P/s: seems unable to select multiple posts for SOLVED marks

You are welcome. Glad to see it's solved now.
The credit goes to @solar77, so you should mark posting #5.

Sorry guys for interruption. But where I can set WAN parameters in order to connect to wAP LTE device from remote ?

Sorry guys for interruption. But where I can set WAN parameters in order to connect to wAP LTE device from remote ?

Is your device already operational? Do you have access to WAN/Internet?
Do you mean admin access to your device from WAN? (a very bad idea in respect to security)
Or do you rather mean port forwarding?

See also:
https://www.youtube.com/watch?v=E03gh1huvW4

Hello.

No my device is not optional yet. I have access to WAN/Internet definitely:)).
What I'VE done I set up firewall rule: Tcp, dst port...
As well as DDNS was enabled.
My task is to reach a device by remote in secure way.
I will share a picture with you in order to make it more clear. Take a look please.

My plan is to use a router as primary connectivity for Base Station (IoT solution ). Router will retrieve internet from SIM card which one is inserted in the device.


If you have any further question ask I will try to explain you.
Looking forward a response from you

Kinds.

Via the DDNS address you can connect to your WAN router.
Do you already know how you will connect? Using which application, protocol and port?
Normally, one should use VPN to access the LAN from WAN.
As said, you can also use port-forwarding if you want connect to a single service running in your LAN, like a ssh server etc.:
dst port 22 --> forward to LAN-IP port 22
(of course you can also use some different port numbers)

I have no idea mutluit. Please, could you be so kind and do me a favour in choosing a secure method?
I have no idea where I should apply port forwarding and which one port I shall use.


Sorry for inconvenience.

Please, assist me:)..

Aidas

I have no idea mutluit. Please, could you be so kind and do me a favour in choosing a secure method?
I have no idea where I should apply port forwarding and which one port I shall use.

Sorry for inconvenience.

Please, assist me:)..

Aidas

It is still unclear what exactly you want: do you want to access your whole LAN from Internet?
Or do you want to access from Internet just a single service like a web-server, ftp-server, ssh-server etc. that is running inside your LAN?
Shall this access be for you only, or for your friends, or for anybody?
As first you should make a simple drawing of your LAN/WAN, and specify what services are running in your LAN, and what you want to achieve.
But, maybe there is some misconception, maybe you mean something very different than WAN-to-LAN access.

Please read my previous suggestion, in this very post!
before we get into the practical method of accessing the router, either by VPN or port-forwarding, do you have a public accessible IP address? It does not seems to be the case by the look of it.
from your post: 84.15.182.234, belongs to ISP:Bite Lietuva which is an wireless ISP.
please first speak to your ISP and establish this IP address is assigned to you, before continue.

Please read my previous suggestion, in this very post!
before we get into the practical method of accessing the router, either by VPN or port-forwarding, do you have a public accessible IP address? It does not seems to be the case by the look of it.
from your post: 84.15.182.234, belongs to ISP:Bite Lietuva which is an wireless ISP.
please first speak to your ISP and establish this IP address is assigned to you, before continue.

Right. He seems to be using the local IP in DDNS. "/ip cloud" has such an option, I read somewhere.
"use-local-address" --> https://wiki.mikrotik.com/wiki/Manual:IP/Cloud

Code: Select all

 
$ nslookup 84.15.182.234
234.182.15.84.in-addr.arpa      name = IN-84-15-182-234.bitemobile.lt.

$ nslookup ae850bba6de8.sn.mynetname.net
Name:   ae850bba6de8.sn.mynetname.net
Address: 10.1.84.70

indeed, the screen capture shows he is behind NAT and the last line gives the answer: "remote connection may not work"
looks like he's got an private IP from the ISP, normal for mobile network.

indeed, the screen capture shows he is behind NAT and the last line gives the answer: "remote connection may not work"
looks like he's got an private IP from the ISP, normal for mobile network.

No, "use-local-address" means to assign the local IP instead of the public IP to the DDNS record, ie. in DNS.
In that case the dns name can of course be used only in LAN, ie. behind the NAT border.

good to know. but in this case, even he assign local IP to DDNS record, he still won't be able to access his wAP LTE remotely (from the internet)
the simple way to get this to work, is that you need to buy a public IP from the ISP

good to know. but in this case, even he assign local IP to DDNS record, he still won't be able to access his wAP LTE remotely (from the internet)
the simple way to get this to work, is that you need to buy a public IP from the ISP

Yes, it depends whether he already gets from his ISP a public IP for himself only, or whether that public IP is a shared public IP.
With a shared public IP he of course cannot reach his router from WAN.
See also viewtopic.php?f=13&t=161393&p=795024&hi ... IP#p795024 ("RFC6598 defines 100.64.0.0/10 as prefix for Shared Address Space. ...")

Hello guys.

Sorry, had limited time, that's why I delayed with my response.
So the model is: I want to access my Base Station Unit ( restart it by remote ) the main use case and primary connectivity. Secondary connectivity for the base station, Virtual SIM card. Access only for me and hight security.
SIM card is provided by Bite and I have no idea what kind of IP I have with it...But the company have ordered 100 pieces of SIM's we are the Business customer as you realized and suppose could try to deal with them regarding IP's.

I want to connect to wAP R LTE router by remote from everywhere I am.

Please guys, elaborate what do you need from me. Looking forward from you soon.
By the way, The screenshoot I shared with you was taken when router were connected to my LAN. In real use case it would serve a SIM card.


Kinds,

Aidas

An IP I retrieved is dynamic by the way but no issue to get a Static due to my test purposes:).

Response from Bite.

get the static public IP, open up port forwarding to your base station as per this example:
https://wiki.mikrotik.com/wiki/Manual:I ... FTP_server

something like this, and change hte protocol to UDP if that is the case.

Should I configure this in firewall rules solar77 (WinBox)?
So as far as I understood I need to have a static IP, is it true?

this command is to be used in Terminal . can be accessed either via winbox, or webfig

yes you need a static IP but essentially you need an public IP that is assigned to the Mikrotik router, meaning this IP belongs to you, even temporarily.

what will direct access to your Mikrotik router:
static public IP
dynamic public IP but assigned to your Mikrotik router and not blocked by your ISP

what will not work:
your Mikrotik only get a private IP and you are behind one public IP address which is shared between a number of client

PS: try not share your own public IP on the forum. None of us need to know this information and I'd suggest you to double check your firewall before using this IP.

on second thought, when you mentioned that you are using 100s SIMs, do you need remote access to all of them? If yes, the cost implication would be significant if you were to request an public IP for each SIM

so stick to my previous advice if you only need access few or you can get all the public IP for free

if you need to access large number of SIMs, then there is an alternative. We use the following setup to manage our customers who use Mikrotik LTE (either SXt or LHG).
the concept is :
1. you setup an VPN server and make sure you have good access to it. for example, this could be your office network. idealy use Mikrotik router for this but you can use any VPN server you like. And yes, a static Public IP would be ideal for this VPN server.
2. you then setup up VPN client on each Mikrotik LTE , so they all connect to this VPN server but make sure you use . So that the main internet traffic does not use the VPN connection as its default route. you will also have to allow winbox access through VPN connection, on every device.
3. Now, as long as you are on the same network as this VPN server, you have access to every Mikrotik LTE device that is connected to it
4. setup firewall so the VPN clients cannot communicate with each other. Nor they can access anything on your VPN network.

improved version is to setup VPN server on the cloud , instead of having all connect back to our office network.
as you can see, there are bit of configuration to do but if you are doing this for 100 SIM, it would make more sense .

also you want to speak to your ISP, to find about if they block VPN. I'd use SSTP between Mikrotiks if they block PPTP.
hope this helps

this command is to be used in Terminal . can be accessed either via winbox, or webfig

yes you need a static IP but essentially you need an public IP that is assigned to the Mikrotik router, meaning this IP belongs to you, even temporarily.

what will direct access to your Mikrotik router:
static public IP
dynamic public IP but assigned to your Mikrotik router and not blocked by your ISP

what will not work:
your Mikrotik only get a private IP and you are behind one public IP address which is shared between a number of client

What I suppose to do if I get a private IP to my SIM, means Mikrotik and public IP address which is shared?:(

What I suppose to do if I get a private IP to my SIM, means Mikrotik and public IP address which is shared?:(

then you set up the whole VPN topology, basically the Mikrotik LTE start the VPN as a client, then you can access the client from the VPN server side.
not worth doing for only a few, in my view.

solar77 please, elaborate, how to do it? By Terminal inside my MikroTik CPE ?

In my office we are connected to hAP ac lite Mikrotik router. I have no idea how should I start to crate a VPN:(.

@AidasA
My dear friend,
the forum is where people give general advice, rather than do it for you.
I can offer more details but it worries me, when you say you don't know how to create a VPN. I can see that you lack basic understanding to the Mikrotik and strongly suggest start searching on Mikrotik wiki such as this one:
https://wiki.mikrotik.com/wiki/Manual:I ... n_Examples

they are many examples available and people here on the forum would be more than happy to assist you when you get into problems. I cannot speak for everybody but I am here to share my knowledge of Mikrotik and help people learning in the same way I was helped. I am not here to do unpaid work.

However if you wish to go down the route of "do it yourself" that's not a problem. read the above-mentioned WiKi, have a go and let us know if you have problems. Just be aware it will be time consuming. My honest opinion is that now you know what the solution is (maybe not exactly how to do it), your company should evaluate cost and hire a consultant to do the job for you. I'd imagine if he's got everything needed, all can be done in couple of hours, this would not cost huge amount of money either.

Alternatively I can let you use our VPN server which is hosted on the Cloud (located in a data center in the UK) at a cost. We can manage these CPE for you and give you access to devices belong to you. But it's probably better to use your existing infrastructure to keep the cost down. So if I was in your position, I'd hire a consultant to setup all up on your company network.