Port forward on LTE

Shy · Sun Jul 12, 2020 12:40 pm

hi
I do have Huwaei E8732 that is doing NAT, I've configured the Mikrotik as DMZ on it and it should be published with its external IP (fix ip).
how do I config the port forward for the LTE interface with the external IP on the Mikrotik side ?

thanks in advance

mkx · Sun Jul 12, 2020 2:40 pm

In theory port-forwarding is configured the same way regardless the WAN interface technology.

In practice, many MNOs firewall traffic even though users get globally-routable IP addresses (as opposed to CGNAT addresses). Which means it might be possible you can't really do port forwarding into your LAN because connections are blocked already by ISP.

Shy · Sun Jul 12, 2020 3:08 pm

I am not behind NAT, that's why I mentioned fix ip
since the lte interface doesn't familier with its external IP how do I make the right rule for that?

gotsprings · Sun Jul 12, 2020 3:10 pm

Do you have a public IP at the LTE modem.

In the US... You don't unless you paid extra for a static IP.

anav · Sun Jul 12, 2020 3:12 pm

You are contradicting yourself........
"I do have Huwaei E8732 that is doing NAT,"
"I am not behind NAT, that's why I mentioned fix ip"

In any case, if the modem is getting a public IP and you have the MT setup on the MODEM as forwarding everything (all ports) to the MT, then treat the MT fixed IP as your public IP.

add chain=dstnat action=dst-nat protocol=xxx dst-port=xxxx dst-address=fixedwanip \
to-address=ipofserver

Shy · Sun Jul 12, 2020 4:15 pm

Let me explain it please,

The LTE external IP has fix public ip.
The Dongle itself is doing NAT on 192.168.8.0/24 and the Mikrotik gets 192.168.8.100 , on the dongle device 192.168.8.100 is configured as DMZ.

I want the external IP of the LTE to do port forward from
Ext ip x.x.x.x 》》 192.168.8.100 [MT] 》》 192.168.88.100 [Int host] on port 80

Shy · Sun Jul 12, 2020 4:18 pm

Do you have a public IP at the LTE modem.

In the US... You don't unless you paid extra for a static IP.

I pay more for that

Shy · Sun Jul 12, 2020 4:19 pm

You are contradicting yourself........
"I do have Huwaei E8732 that is doing NAT,"
"I am not behind NAT, that's why I mentioned fix ip"

In any case, if the modem is getting a public IP and you have the MT setup on the MODEM as forwarding everything (all ports) to the MT, then treat the MT fixed IP as your public IP.

add chain=dstnat action=dst-nat protocol=xxx dst-port=xxxx dst-address=fixedwanip \
to-address=ipofserver

How the chain will work if the mikrotik doesnt familoer with the external fix ip?

anav · Sun Jul 12, 2020 4:22 pm

Draw a diagram as your explanations are more confusing then helpful.
How many routers do you have?
How many ISP connections do you have?
Who supplies the dongle??

Shy · Sun Jul 12, 2020 4:41 pm

+---------------------------------------+
|                                       +----->  Fiber (CAT6) ether1    (external IP ISP)
|           Mikrotik hEX s              |
|                                       |
|                                       +----->  USB dongle E8732   (GW 192.168.8.1)
|                                       | 192.168.8.100
+--------------------+------------------+
                     |  192.168.88.1
                     |
                     |
                     |
                     |
                     |
                     +--------------->+-------------------------------+
                                      |                               |
                                      |      lan switch               |
                                      |                               |
                                      +-----+-------------------------+
                                            |
                                            |
                                            |
                                            |
                                            |
                         +---------------+  |
                         |   RPI         +<-+
                         |               |
                         +---------------+ 192.168.88.100

anav · Sun Jul 12, 2020 4:48 pm

Just create two rules to cover off both wans.

A. PRIMARY WAN
In this scenario, you will only be able to port forward using a public IP from the ether1 ISP connection

add chain=dstnat action=dst-nat protocol=tcp dst-port=80 { either dst-address=fixedwanip or in-interface-list=WAN for dynamic wanip } \
to-address=ipofserver

B. LTE BACKUP WAN
In this scenario, you will only be able to port forward using the fixed wanip provided by the dongle on your LTE connection.

add chain=dstnat action=dst-nat protocol=tcp dst-port=80 dst-address=fixedwanip

CZFan · Sun Jul 12, 2020 4:52 pm

You will have to do port forwarding on the USB dongle. If that is not possible, then you will have to configure the USB dongle in bridge / passthrough mode (if possible) so it can pass the public IP directly to the Mikrotik and then do port forwarding on the Mikrotik

Shy · Sun Jul 12, 2020 4:56 pm

Its opened as dmz already so it sbould be ok from the dongle side.
What i dont understand how that mikrotik will know fixedwanip belongs to lte interface

anav · Sun Jul 12, 2020 5:00 pm

Because its identified in a number of places............
ip dhcp client
Ip routes.

Shy · Sun Jul 12, 2020 5:04 pm

external wan IP?
its not defined no where
the dongle is on 192.168.8.x

Updated: I configured dst address as none and incoming interface as lte1 and it worked!
now I just need to make sure that this host is routing through the lte1 as default...

CZFan · Sun Jul 12, 2020 5:04 pm

Its opened as dmz already so it sbould be ok from the dongle side.
What i dont understand how that mikrotik will know fixedwanip belongs to lte interface

You will have to tell the Mikrotik whatever enters each WAN interface must leave same WAN interface going out to Internet, i.e. route rules and or mangle rules

anav · Sun Jul 12, 2020 5:22 pm

Mangle??
I thought the LTE was a failover ISP, not concurrent???

Shy · Sun Jul 12, 2020 5:39 pm

It has traffic monitor rule to move to lte once fiber is loaded (if...)

e.g.
who can help me to understand how mangle ports are doing a port forward from external ips when firewall rules do not "block" them by default?

CZFan · Sun Jul 12, 2020 6:05 pm

If the USB device does not know about the LAN subnet, then you can try the "fake" DMZ method (I hate the person that coined this "DMZ" phrase on these home devices) like you stated you have done already.

This way the "DMZ" forwarding will have to point to your Mikrotik, then your Mikrotik will have to do further port forwarding to your LAN device. Obviously then NATing out to USB modem will have to be done on Mikrotik also.

Leaving same WAN interface as it entered, see https://wiki.mikrotik.com/wiki/Manual:PCC for examples, also many posts / topics on forum on this subject

Other option is to get a Mikrotik LTE device so you can properly configure routing, port forwarding, etc.

Shy · Sun Jul 12, 2020 6:08 pm

if course if the LTE would be able to act as a "modem" only it would be preffered but I assume its possibly only on E3372 and not E8732

Shy · Sun Jul 12, 2020 6:10 pm

I already have "Sticky ISP" Mangle rules so the server is accessible outside through the right WAN
but I wonder if its better to let the "whole" route from that machine through the 2nd ISP link

gotsprings · Wed Jul 15, 2020 6:50 am

Mangle to mark the connections.

Routing rule to catch the output.

Port forward on LTE

Port forward on LTE

Re: Port forward on LTE

Re: Port forward on LTE

Re: Port forward on LTE

Re: Port forward on LTE

Re: Port forward on LTE

Re: Port forward on LTE

Re: Port forward on LTE

Re: Port forward on LTE

Re: Port forward on LTE

Re: Port forward on LTE

Re: Port forward on LTE

Re: Port forward on LTE

Re: Port forward on LTE

Re: Port forward on LTE

Re: Port forward on LTE

Re: Port forward on LTE

Re: Port forward on LTE

Re: Port forward on LTE

Re: Port forward on LTE

Re: Port forward on LTE

Re: Port forward on LTE