BR1 Mini External IP Address - modem shows US based address, devices get UK based address

I have several BR1 Mini modems. We are using Telnyx for our multi-carrier SIM provider. When I log into my BR1 (and also on our Telnyx portal), the IP address is 100.80.XX.XXX, which has a geolocation based in the US. However, any device that is connected to that modem is getting an IP address of 185.246.XX.XX, which is a UK based address. Our servers are set up to only allow US based IP address access, so all of our devices using the BR1 Mini and the Telnyx SIM card are not able to access our server.

First question is why, or how, can the modem be showing one IP address, but all the devices connected to that modem show a different address?
Second question, is there any way to force the devices to get the same IP address that the modem is showing?

Thanks.

100.80.XX.XXX is private IP space for CGNAT providers. That it is registered to IANA doesn’t make it US IP space. It is nobody’s IP space (or everyone’s) and is not directly routable on the internet.

185.246.XX.XX is the CGNAT space of your cellular provider Telnyx. You will have to discuss with them their relationship with geolocation database providers.

Q#1… CGNAT…
Q#2… the answer is no. Not if your provider is using CGNAT. They may have contract levels that provide direct IP addresses, but there is no guarantee that they will be listed as “US” which seems to be the issue you have of them.

Since you are contracting with Telnyx directly I see no reason why you wouldn’t allow their IP space to your servers directly, or run a FusionHub and establish secured trust. A security policy that likes “US IPs” which includes random server farms, consumer grade ISPs and unknown Tor/VPN systems, but doesn’t trust a contracted provider seems like a poor policy.
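The distinction drawn in the answer above, as an added example that is not part of the original thread: a WAN address inside the RFC 6598 shared range (100.64.0.0/10) is carrier-internal, so the address a remote allow-list has to match is the one observed on the far side of the carrier's NAT. The function names are hypothetical and the sample addresses are constructed (documentation ranges); in practice the observed address comes from the server's own access logs.

```python
import ipaddress

# RFC 6598 shared address space, reserved for carrier-grade NAT (CGNAT).
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges, also never seen by a server on the internet.
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(addr):
    """Classify the address a modem reports on its WAN interface."""
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT_NET:
        return "cgnat"
    if any(ip in net for net in RFC1918_NETS):
        return "private"
    return "public"


def covers_prefix(prefix):
    """True if every address in `prefix` lies in the CGNAT shared range."""
    return ipaddress.ip_network(prefix).subnet_of(CGNAT_NET)


def server_sees(wan_ip, observed_ip):
    """Return (address the remote server must allow-list, reason).

    wan_ip      -- address shown on the modem / SIM portal
    observed_ip -- source address the remote server actually logged
    """
    kind = classify_wan(wan_ip)
    same = ipaddress.ip_address(wan_ip) == ipaddress.ip_address(observed_ip)
    if kind == "public" and same:
        return observed_ip, "direct"
    # Behind NAT: the WAN address never leaves the carrier network, so its
    # geolocation is irrelevant to the server's country filter.
    return observed_ip, f"translated: WAN is {kind}"


if __name__ == "__main__":
    # Constructed sample values, not addresses from the thread.
    print(covers_prefix("100.80.0.0/16"))
    print(server_sees("100.64.10.20", "203.0.113.45"))
    print(server_sees("198.51.100.7", "198.51.100.7"))
```
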

Thanks for the great explanation. Unfortunately we don’t have control on the server (it is a partner of ours), so we just have to abide by their security protocols. I will work with Telnyx to see what they can do.

While I am waiting on responses from Telnyx and from our partner on this situation, I would like to explore any other options I might be able to pursue on my own to remedy the situation. Can I utilize a VPN or any other routing features on my own to work around this issue? The modems we are using are Pepwave BR1 Mini’s.

With a BR1 MINI you are allowed 2 SpeedFusion peers. You can either purchase SFcloud, or run your own FusionHub in AWS, or VLTR, on prem, or the cloud of your choice. (Search for examples of how to deploy a FusionHub.)

You configure all of your BR1 Mini’s to connect to the central VM. As -PRM devices they should not require FusionHub licenses as long as they are on primecare.

You would then use the outbound policy to send the traffic to the server via the SFTunnel. You can do this by DNS name, IP address or range, or other rules.

Your partner’s server will only see the IP of the FusionHub.

You could of course use IPsec VPN, or OpenVPN if you already have central resources, but with a SFTunnel you have the advantage of smoothing and bonding. Peplink makes using their technology easy, any other VPNs are up to you.

I have started researching the options you have mentioned and am trying to educate myself on the details of each option. I do have a Surf SOHO MK3 router in our office, and I was able to establish a pepVPN connection from one of our BR1’s to the SOHO. The IP address on the BR1 matched the IP address of the SOHO (…baby steps as I am learning). I discovered this won’t be a good option though because the SOHO can only accept two VPN connections (5 with a license) and I have about 30 BR1’s. Is there any way to connect multiple BR1’s to a single VPN connection on the SOHO?

I am trying to find the most cost effective and reliable option possible. I only have primecare on a few of the BR1’s, so I would like to avoid that expense if possible, although I understand there are some benefits to that service.

Considering the fact that my only need is to get these BR1’s a local IP address, would your recommendation still be to deploy FusionHub, and to put all of these BR1’s on primecare? Or are there any other options, like running multiple BR1’s into a single VPN connection, that would be more cost effective? Thanks again for your help, as I try to understand all the options available and how to implement them.

Peplink wants its pound of flesh, either primecare, or fixed licenses. For the BR1’s that aren’t on primecare you would need FusionHub licenses… I don’t know at what cost. Larger central servers (like a 310X or 580X) come with more licenses, not the Soho.

I don’t know what other systems you have, if you use Cisco or Juniper router/networking you could connect via IPsec VPN… You really don’t want VPN… you want your two service providers to have a meeting of the minds… Schedule a technical session with the wireless telco and the server group and ask “how can we make this all work in the best way”

Thanks for your help. I was able to learn a little bit and also got our SIM provider to help us with some static IP addresses that are US based.