accarda
Member Candidate
Topic Author
Posts: 214
Joined: Fri Apr 05, 2019 4:06 pm
Location: Italy

LTE with public IP, but no opened ports.

Thu Dec 23, 2021 7:41 am

Hi all,
finally I was able to find an APN to set on my SXT LTE6 router different from the standard "internet" value, and I can see it's working (because all the other APNs indicated for my provider didn't give me an IP from the modem).
Previously, with the "internet" APN, I was getting a private IP 10.x.x.x on the lte1 interface and, even though I had CA working, I was not exceeding 50 Mbit/s downstream.
Now, after setting the proper APN for computers and tablets (the provider is Vodafone Italy), I get assigned IP 109.x.x.x (which should not be a CGNAT IP based on the address) and when I check speedtest I get around 100 Mbit/s, limited by the ethernet port of such a device.
However, when I set up some port forwarding or open some port, I don't see any traffic hitting the router.
As I'm not an expert on what mobile providers do (but I understand that based on the SIM card profile and the APN they can limit as much as they need), is it possible that even though I get a public IP assigned, I'm still running in a sort of CGNAT scenario?
I have tried to traceroute several destinations: before, with the default APN, I was getting several 10.x.x.x hops after the first hop; now, with the 109.x.x.x IP, the first 3 hops time out with no IP indicated, then some 192.168.x.x is the fourth hop, and then public IPs. This makes me think that I'm behind some sort of NAT.

Thanks for sharing your opinion, Armando
 
Amm0
Forum Guru
Posts: 4324
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: LTE with public IP, but no opened ports.

Thu Dec 23, 2021 3:49 pm

So obviously confirming with your carrier whether they are using CGNAT on the APN would be the best info. I'd think if you didn't sign up for some service with your carrier, it's very unlikely any APN is going to give you a routable, non-blocked public IP simply without their involvement.

I don't know specifically about Italy, but in the US you need to do quite a few things to get an APN that has a public address without CGNAT. While there is now a standard block of IPs assigned for CGNAT to use, a CGNAT device actually doesn't care what IP it uses – they get hidden by NAT anyway. I recall one carrier using the DoD non-routable block.

So even with a public IP, it's still possible it uses CGNAT, perhaps likely. Although since you are using at least two APNs, one giving you a private and one a public IP - that is a little strange. Although your carrier may just have a newer APN that uses the "correct" IP block for CGNAT, while the other APN is "older" and uses some public block as its CGNAT block for the devices/phones/Mikrotik.

The only other thing... you may want to look at your Mikrotik config – specifically the firewall. If you think you should have a "real" public IP, then make sure the LTE interface is in the WAN interface list (Interface>Lists then + WAN=lte1) and your firewall rules are correct. A bad firewall config might also look like CGNAT – so if you're not familiar with IP>Firewall and think you should have a real public IP from your carrier, that'd be the first place.

I do know the Mikrotik will forward ports to LTE, if the cell network isn't using CGNAT.
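As an added example (not from Amm0's post or from MikroTik's documentation), here are the RouterOS v7 commands for the check described above, plus two ways to tell whether the carrier is translating you at all. The interface name lte1 comes from the thread; the list name WAN, the internal host 192.168.88.10 and TCP/443 are assumptions.

```routeros
# Added example, RouterOS v7 CLI. Assumptions: LTE interface is lte1 (as in the thread),
# the interface list is named WAN, and the internal host 192.168.88.10 is a placeholder.

# 1. Put lte1 in the WAN interface list so WAN-based rules apply to it
/interface list member add list=WAN interface=lte1

# 2. Forward TCP/443 arriving on any WAN interface to the internal host
/ip firewall nat add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=443 comment="https to LAN host"

# 3. Let the forwarded (dst-nat'ed) connections through the forward chain; the rule is
#    placed above the first drop rule in that chain so a "drop all from WAN" rule
#    cannot shadow it
/ip firewall filter add chain=forward connection-state=new connection-nat-state=dstnat \
    in-interface-list=WAN action=accept comment="allow dst-nat'ed from WAN" \
    place-before=[:pick [find chain=forward action=drop] 0]

# 4. Does anything reach lte1 at all? Log new TCP/443 packets in prerouting, which runs
#    before dst-nat and the filter chains, so a firewall mistake cannot hide them.
#    Remove the rule when done.
/ip firewall mangle add chain=prerouting in-interface=lte1 protocol=tcp dst-port=443 \
    connection-state=new action=log log-prefix="lte1-in:"
/log print follow-only where message~"lte1-in:"

# 5. CGNAT test: compare the address on lte1 with the address the outside world sees.
#    IP Cloud reports the latter as public-address once DDNS is enabled.
/ip cloud set ddns-enabled=yes
/ip address print where interface=lte1
/ip cloud print
# If public-address differs from the lte1 address (or the lte1 address falls in
# 100.64.0.0/10), the carrier is translating you and no router-side rule can make
# inbound ports reachable.
```

If step 4 never logs anything while step 5 shows two different addresses, the firewall is not the problem and the thread's VPN-to-CHR approach is the practical way to receive inbound connections.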
 
accarda
Member Candidate
Topic Author
Posts: 214
Joined: Fri Apr 05, 2019 4:06 pm
Location: Italy

Re: LTE with public IP, but no opened ports.

Thu Dec 23, 2021 7:26 pm

Thanks for sharing your thoughts.
About firewall settings and the like, I have checked them and they are ok, as I was already using them with a VPN established to my CHR to bypass the CGNAT issue with the previous APN setting.
Actually I do have another SIM used on another LTE router (which is a leased one, no management on my side) from the same provider, which has a business profile, and in this case I get a public IP without CGNAT.
Currently I was checking with my phone and tested the different IP classes that I get based on different APN settings, and now on the MK device I'm getting the same class as with the usual APN used for iPhone devices. Previously with APN=internet I was getting the profile for hotspot usage.
Anyway it's clear that this consumer-grade SIM has this limitation with a CGNATed IP, so I will continue to use the VPN to the CHR to work around it and get traffic from the internet.
 
Amm0
Forum Guru
Posts: 4324
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: LTE with public IP, but no opened ports.

Fri Dec 24, 2021 12:31 am

Forgot one thing to look at here: if there is a "Use Network APN" option, uncheck that (in Interface>LTE>APN Profile). That will cause it to use what the SIM has provisioned on the card – which may not be the static-IP APN (even if the ICCID is enabled for it, that doesn't mean it got written to the card).

Can't remember if that setting is only in v7 (which is what we mainly use with LTE now) or if it's also in later v6 versions too.
 
accarda
Member Candidate
Topic Author
Posts: 214
Joined: Fri Apr 05, 2019 4:06 pm
Location: Italy

Re: LTE with public IP, but no opened ports.

Fri Dec 24, 2021 6:45 am

Thanks for the hint, it was worth a try.
Actually that function is in v7.x, so I updated the router to it and also tried different APN values, which ended up with the same results, not providing an IP on the LTE interface.
Went back to the working one, but still under CGNAT after testing a few ports.
Anyway, at least now I'm running RoS v7.1.1 on this router, and by having used the different APN I'm getting double the speed from the LTE side.
Now I can even think of relieving this small router from using IPsec and consider using WireGuard (if it's less CPU intensive than IPsec) after I have also switched the CHR to v7.x.
 
mkx
Forum Guru
Posts: 12979
Joined: Thu Mar 03, 2016 10:23 pm

Re: LTE with public IP, but no opened ports.

Fri Dec 24, 2021 8:32 am

Generally, Mobile Network Operators use firewalls (even with DPI enabled) between the internet and the whole mobile access network, even if they hand out public IP addresses to end devices (LTE modems). And they block all inbound connections. Surely there are exceptions to this rule, but there are only a few.
 
accarda
Member Candidate
Topic Author
Posts: 214
Joined: Fri Apr 05, 2019 4:06 pm
Location: Italy

Re: LTE with public IP, but no opened ports.

Fri Dec 24, 2021 9:25 am

Thanks mkx,
I have noticed that all inbound traffic is blocked when checking connection tracking and lte1 traffic.
This is my backup connection; the primary one uses a business-grade SIM and in that case I get a full public IP without CGNAT.
I will look into enabling a WireGuard VPN to a CHR that I have in order to bypass this CGNAT, so that I can get inbound traffic also from this WAN connection.
I just have to read more about WireGuard as from this end I'm on a dynamic IP behind CGNAT, so I will have to see if I can "initiate" the tunnel from one side only (from LTE) toward the CHR, or like on the MK website where they indicate both sides should each set an endpoint.
 
Amm0
Forum Guru
Posts: 4324
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: LTE with public IP, but no opened ports.

Fri Dec 24, 2021 10:15 pm

I just have to read more about WireGuard as from this end I'm on a dynamic IP behind CGNAT, so I will have to see if I can "initiate" the tunnel from one side only (from LTE) toward the CHR, or like on the MK website where they indicate both sides should each set an endpoint.
WireGuard would make a lot of sense if you're using v7 on both sides.

We sometimes use SSTP between a CGNAT'ed LTE and another MT with a static/public IP – since it's pretty simple to set up. IKEv2 would also be a choice, but that's on the other end of the difficulty scale. Something like EoIP or plain IPsec will not work behind CGNAT.
 
Larsa
Forum Guru
Posts: 1611
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: LTE with public IP, but no opened ports.

Fri Dec 24, 2021 11:05 pm

Generally, Mobile Network Operators use firewalls (even with DPI enabled) between the internet and the whole mobile access network, even if they hand out public IP addresses to end devices (LTE modems). And they block all inbound connections. Surely there are exceptions to this rule, but there are only a few.

Limiting end-to-end communication by completely shutting off inbound traffic to the CPE would be a very strange thing to do even for an MNO. So far I haven't come across anyone who has that kind of limitation, but they might exist. However, there may be differences between corporate and private subscriptions, where the company subscriptions usually are completely open while private ones can filter ports like, for example, SMTP (port 25). The APN usually controls the customer's ability to get a public and/or static IP address and so forth.

Limiting access to the internal core network is a completely different matter though.

Merry Xmas !!
 
accarda
Member Candidate
Topic Author
Posts: 214
Joined: Fri Apr 05, 2019 4:06 pm
Location: Italy

Re: LTE with public IP, but no opened ports.

Sat Dec 25, 2021 7:44 am

WireGuard would make a lot of sense if you're using v7 on both sides.
Yes, indeed, therefore I have also migrated my CHR to RoS v7.1.1.
I tried to establish such a site-to-site connection, even though I had some trouble initially as I had changed the UDP port after both server/peer were created.
I discovered that both private/public keys are generated based on the listening port that you choose; so if you change that port afterwards, you will have to re-generate the key pairs.
Now it's working fine and I can see that the CPU load on the LTE router is no more than usual when it routes traffic; however, I have noticed a noticeable drop in speed (almost 50%) compared to the max speed I'm currently achieving without the VPN.
But I'm ok; at least now I have again a working solution which doesn't bother the CPU that much and bypasses the CGNAT stuff at the same time.
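The one-sided tunnel asked about earlier in the thread, as an added example that is not code from any of the posts: a RouterOS v7 WireGuard configuration in which only the LTE router behind CGNAT sets an endpoint and keeps the tunnel alive, and the CHR publishes a port and hands it into the tunnel. The CHR address 203.0.113.10, the tunnel subnet 10.255.0.0/30, the LAN 192.168.88.0/24, the host 192.168.88.10, UDP port 13231 and the key placeholders are all assumptions.

```routeros
# Added example, RouterOS v7 on both sides. Assumed values: CHR public IP 203.0.113.10,
# tunnel addresses 10.255.0.1 (CHR) / 10.255.0.2 (LTE router), LAN 192.168.88.0/24
# behind the LTE router, internal host 192.168.88.10, UDP port 13231.
# Values in <...> are placeholders for the real base64 public keys.

### CHR (public IP) - it never sets an endpoint, it only listens
/interface wireguard add name=wg-lte listen-port=13231
/ip address add address=10.255.0.1/30 interface=wg-lte
# The private key is generated when the interface is created; read the public key
# here and paste it into the other side's peer entry
/interface wireguard print
# allowed-address must also cover the remote LAN, otherwise WireGuard silently drops
# packets to or from those addresses
/interface wireguard peers add interface=wg-lte public-key="<LTE router public key>" \
    allowed-address=10.255.0.2/32,192.168.88.0/24
# Must sit above any "drop" rule in the input chain
/ip firewall filter add chain=input protocol=udp dst-port=13231 action=accept
/ip route add dst-address=192.168.88.0/24 gateway=wg-lte
# Publish TCP/443 on the CHR's public address and send it into the tunnel
/ip firewall nat add chain=dstnat dst-address=203.0.113.10 protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=443
# Masquerade into the tunnel so the LAN host answers back through the tunnel instead of
# sending replies out of lte1, where the CGNAT has no matching state and drops them
/ip firewall nat add chain=srcnat out-interface=wg-lte action=masquerade
/ip firewall filter add chain=forward connection-state=new connection-nat-state=dstnat \
    action=accept

### LTE router (dynamic address behind CGNAT) - the only side with an endpoint
/interface wireguard add name=wg-chr listen-port=13231
/ip address add address=10.255.0.2/30 interface=wg-chr
# persistent-keepalive sends a packet every 25 s so the CGNAT mapping stays open and the
# CHR always has a current return path
/interface wireguard peers add interface=wg-chr public-key="<CHR public key>" \
    endpoint-address=203.0.113.10 endpoint-port=13231 allowed-address=10.255.0.1/32 \
    persistent-keepalive=25s
# Verify: last-handshake advances and rx/tx grow once keepalives get through the CGNAT
/interface wireguard peers print detail
/ping 10.255.0.1 count=3
```

Because only the CHR's UDP/13231 is exposed to the internet and the LTE side authenticates by key, the consumer SIM's inbound filtering no longer matters for the published port.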
