h45h3ncryp73d
just joined
Topic Author
Posts: 8
Joined: Wed Aug 18, 2021 1:36 pm

Chateau 5G port forwarding - help needed

Sat Oct 15, 2022 8:35 pm

I need to open port forwarding from port 443 to port 9547 on a Chateau 5G where WAN access is provided via the lte1 interface (with a dynamic IP address).
I'm using RouterOS 7.5 and did not want to post an exported and anonymized config (at least for now, as I would need to purge it additionally, since for some reason hide-sensitive is not working for me).
I've tried two different solutions but neither of them seems to be working:

Approach A:
Firewall -> Address Lists -> New
Name: WAN
Address: somename.duckdns.org

Firewall -> NAT -> New:
General tab:
Chain: dstnat
Protocol: 6 (tcp)
Dst. Port: 443
In. Interface: WAN
Action tab:
Action: dst-nat
To Addresses: <LOCAL_DEVICE_IP_ADDRESS>
To Ports: 9547

Approach B:
Firewall -> Address Lists -> New
Name: WAN
Address: somename.duckdns.org

Firewall -> NAT -> New:
General tab:
Chain: dstnat
Src. Address List: WAN
Protocol: 6 (tcp)
Dst. Port: 443
Action tab:
Action: dst-nat
To Addresses: <LOCAL_DEVICE_IP_ADDRESS>
To Ports: 9547

I'm obviously missing something ... please help me figure out what I'm missing. I'm guessing the bridge is somehow involved but I'm not sure how ... Thank you.
 
anav
Forum Guru
Posts: 14423
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Chateau 5G port forwarding - help needed

Sat Oct 15, 2022 10:23 pm

 
h45h3ncryp73d
just joined
Topic Author
Posts: 8
Joined: Wed Aug 18, 2021 1:36 pm

Re: Chateau 5G port forwarding - help needed

Sun Oct 16, 2022 6:34 pm

Thank you, very interesting and educational post; unfortunately it does require a bit of time, as it should. Will try to figure it out.
Long story short, from what I've figured out, steps 5 and 6 are related to providing access for dynamic WAN IP addresses.

Step 5 got me thinking I might not have a public IP at all, as when I enable Cloud / DDNS I get a message "Router is behind a NAT. Remote connection might not work." ... Actually, since I'm accessing WAN through the lte interface, I guess CGNAT might be involved in blocking my WAN access ...
Whatsmyip.org is showing the same IP as MikroTik Cloud / DDNS, so I really don't know if there is any other way to figure out if CGNAT is in play or not ... Will try ping.eu/port-chk/
 
jvanhambelgium
Forum Veteran
Posts: 858
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Chateau 5G port forwarding - help needed

Sun Oct 16, 2022 8:05 pm

Does "whatismyip.org" show you the same IP that you see when you check the IP address on the WAN interface of the device itself?
What are the first 2 digits of the "public" IP on your LTE/5G IP interface? Normally providers would use standardised CGNAT ranges (e.g. 100.64.0.0/10) towards their clients.


This warning
--------------
Shows a warning message if IP address sent by the device differs from the IP address in UDP packet header as visible by the MikroTik's Cloud server. Typically this happens if the device is behind NAT. Example: "DDNS server received request from IP 123.123.123.123 but your local IP was 192.168.88.23; DDNS service might not work"
--------------

So when the MikroTik creates the UDP packet, it contains the IP address of your LTE/5G interface, so if it is different when the UDP packet is received at the MikroTik cloud services, this warning should be fired. You have no other public IP on this device? No other ISP connection?
 
h45h3ncryp73d
just joined
Topic Author
Posts: 8
Joined: Wed Aug 18, 2021 1:36 pm

Re: Chateau 5G port forwarding - help needed

Mon Oct 17, 2022 2:26 pm

whatismyip.org is showing exactly the same IP as lte1 interface ... and I don't have any other WAN interfaces.
I'm sorry but I'd rather not disclose my IP provider's first digits, but I've checked and the whole range is assigned to my mobile provider. Judging from my past experience there is a 99.99% chance my provider is using CGNAT and that is actually the bare source of my issue. I'm even more sure of it as I'm actually not using a mobile Internet tariff but rather an "ordinary" unlimited mobile tariff, which at a certain point had and still has some advantages over the mobile Internet tariff. I've sent an inquiry to see if they'll be willing to remove CGNAT for my number ...
 
h45h3ncryp73d
just joined
Topic Author
Posts: 8
Joined: Wed Aug 18, 2021 1:36 pm

Re: Chateau 5G port forwarding - help needed  [SOLVED]

Fri Oct 21, 2022 11:27 pm

Solved. Asked my ISP to remove me from CGNAT and assign a public IP ... I know CGNAT specifications SHOULD use the 100.64.0.0/10 IPv4 range but this DOES NOT have to be the case and actually never was for me! So what actually gave me the hint I might be behind it was the Cloud DDNS message indicating I was behind (CG)NAT. I simply forgot about this simple fact - if you're using LTE/5G as your WAN provider/access there is almost 100% certainty you're behind CGNAT.
Thank you both for your help!
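
The CGNAT checks discussed in this thread, collected into one function as an added example (not code from any poster or from MikroTik). The function name, its parameters and the sample addresses are assumptions made for illustration; it goes slightly beyond the thread by also covering RFC 1918 addresses on the WAN interface.

```python
import ipaddress

# RFC 6598 shared address space, the range reserved for carrier-grade NAT.
CGNAT_SHARED = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges: the router sits behind an ordinary NAT.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(interface_ip, observed_ip, cloud_nat_warning=False,
                 inbound_probe_ok=None):
    """Return (verdict, reason) for a router's WAN address.

    interface_ip      address configured on the WAN interface (e.g. lte1)
    observed_ip       address an external "what is my IP" service reports
    cloud_nat_warning True if a DDNS service warned the router is behind NAT
    inbound_probe_ok  result of an external port check, None if not run
    """
    wan = ipaddress.ip_address(interface_ip)
    seen = ipaddress.ip_address(observed_ip)
    if wan in CGNAT_SHARED:
        return "cgnat", f"{wan} is in {CGNAT_SHARED} (RFC 6598)"
    if any(wan in net for net in RFC1918):
        return "nat", f"{wan} is an RFC 1918 private address"
    if wan != seen:
        return "nat", f"interface has {wan} but the Internet sees {seen}"
    # Same public-looking address on both sides: the address comparison
    # alone proves nothing, which is the case reported in this thread.
    if inbound_probe_ok:
        return "public", "an external probe reached the forwarded port"
    if inbound_probe_ok is False or cloud_nat_warning:
        return "suspect", "addresses match but inbound traffic looks filtered"
    return "inconclusive", "run an external port check or ask the ISP"


# Constructed sample inputs (documentation ranges, not from the thread).
SAMPLES = [
    ("100.72.1.5", "203.0.113.7", False, None),
    ("192.168.88.23", "203.0.113.7", False, None),
    ("203.0.113.7", "203.0.113.7", True, None),
    ("203.0.113.7", "203.0.113.7", False, True),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[0], "->", classify_wan(*sample))
```

A "suspect" or "inconclusive" verdict means the dst-nat rule cannot be validated from the router side; an external port check against the forwarded port, or confirmation from the ISP, is what settles it.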
