Configuring port forwarding on MAX BR1

I am trying to configure a MAX BR1 (3g) to allow port forwarding so that I can:
A) SSH from the outside world into a PC which is connected directly to one of the ethernet LAN jacks.
B) Access a stand-alone IP camera which is running a web server on port 1421 and connected to the other ethernet jack.

The LAN addresses for computer and camera are assigned with DHCP and reserved by MAC address. I have the default firewall rules (allow everything).

I had a MAX BR1-LTE where I was able to do this by setting up port forwarding on ports 22 and 1421 to the correct LAN addresses. I believe I have set up the BR1 the same way, but I can’t access the camera or get SSH to connect.

Any ideas how to get SSH to a PC on the LAN to work? How does the firewall interact with port forwarding? Is there a way to log attempted connections so I can get better ideas of what’s going on?

Thanks.

Can you confirm you have a routable public IP on the WAN connection? A lot of cellular carriers only hand out private IPs to the devices connected to their network, so you may need to subscribe to a static IP if they offer it.

Thank you for the quick response.

I can ping the WAN IP from the outside world, and I have a dynamic dns daemon running on the LAN PC which seems to be updating the external server correctly.

How do I test if the IP is ‘routable’ and ‘public’?

If you go to the dashboard of the BR1 and click on details for the cellular link, it will have an IP address, and if you can ping that address it is a public/routable IP. Keep in mind that you need to be remote from that network to perform the ping test.

Yes, it is a pingable IP in the 75.228.x.x range from Verizon.

As long as there are no firewall rules on the BR1 and the service provider isn’t blocking ports, this port forward should work properly. To further investigate, please open a support ticket here: http://cs.peplink.com/contact/support/

SOLVED - Thank you Jarid and Pepwave for your help.

The ultimate issue is that if you have a dynamic IP address on Verizon’s 3G network, inbound connections on well-known ports are blocked before they ever get to your device.
I was able to solve my problem by using the port-mapping feature of the port-forwarding menu to translate traffic on an unblocked port to the ones I needed.

Awesome, thanks for the update!

In this thread you touched on a couple of things that I think may bear on a problem I’m having:
I’m using a MAX BR1-LTE on AT&T’s network, and need access from the outside world through various ports from 5000 to 6000. The MAX BR1 firewall is wide open, and I believe I have the port forwarding set up correctly, yet a port scan returns all ports blocked. I can’t even ping it from outside.

This turned out not to be an issue with ashelly’s situation, but you asked whether the WAN IP was a routable public IP address. Mine is not - it’s a 10.whatever on AT&T’s network. But I have a dynamically assigned address through dyndns.com.

Is this likely my problem? I’m unclear on why whatever address translation occurs between dyndns.com and AT&T and my modem would not make my ports visible from outside.

I’ve been around the block a bunch of times with AT&T over the last week, trying to get a dynamic public address assigned. Before I shorten my life even further, I’d like to be sure that this would even solve my problem.

(BTW, I have a separate WAN connection through Clearwire WiMax - with a public IP - through which all of the above works just fine. It’s just slow.)

Thanks for any guidance you can provide!

I also had a similar problem with AT&T. The 10.x address means you are inside their LAN and behind some sort of router or router-like object doing NAT and firewall. As far as I can tell, all traffic originating from the outside world is blocked in this configuration. The only way I was able to get in from the outside was to have a public static IP assigned. I’m not sure they even do public dynamic.

I think it may be also possible to keep the private dynamic and solve this by going in a different direction: If you can set up a VPN, your device can automatically try to maintain a connection. Then your device is the originator and the traffic is allowed. But I haven’t explored this option yet.

Private IP addresses like 10.x.x.x do not work with dyndns providers. You will need to get a public static IP from AT&T.
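The check discussed in the posts above (is the WAN address public, and does the dynamic DNS record point at it), as an added example that is not part of the original thread. The function names and result codes are hypothetical, and the sample addresses are constructed; documentation-range addresses stand in for a carrier-assigned public IP.

```python
import ipaddress

# IPv4 ranges that are never reachable from the internet.
NON_ROUTABLE = {
    "rfc1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "cgnat": ["100.64.0.0/10"],  # RFC 6598 carrier-grade NAT space
    "local": ["127.0.0.0/8", "169.254.0.0/16"],
}


def classify_wan(addr):
    """Return 'rfc1918', 'cgnat', 'local' or 'public' for an IPv4 address."""
    ip = ipaddress.IPv4Address(addr)
    for label, nets in NON_ROUTABLE.items():
        if any(ip in ipaddress.ip_network(n) for n in nets):
            return label
    return "public"  # anything else is treated as public for this check


def diagnose(wan_ip, ddns_ip):
    """wan_ip: address shown in the router's cellular-link details.
    ddns_ip: address the dynamic DNS hostname currently resolves to."""
    if classify_wan(wan_ip) != "public":
        # Carrier NAT sits in front of the router, so inbound port
        # forwards cannot work whatever the DDNS record says.
        return "carrier-nat"
    if ipaddress.IPv4Address(ddns_ip) != ipaddress.IPv4Address(wan_ip):
        # The record points somewhere other than the router's WAN side.
        return "ddns-mismatch"
    # Address is reachable in principle; what remains is port filtering
    # by the carrier or the router firewall.
    return "check-port-filtering"


if __name__ == "__main__":
    # Constructed sample pairs: (router WAN IP, DDNS-resolved IP).
    samples = [
        ("10.44.3.7", "198.51.100.20"),
        ("100.72.1.1", "198.51.100.20"),
        ("203.0.113.15", "198.51.100.20"),
        ("203.0.113.15", "203.0.113.15"),
    ]
    for wan, ddns in samples:
        print(wan, classify_wan(wan), diagnose(wan, ddns))
```

A `check-port-filtering` result corresponds to the case in this thread where the address is public but the carrier still drops inbound traffic on particular ports.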

Thanks for the detailed reply!
I’m exploring the VPN idea - between the MAX BR1 and VPN routers behind a Clearwire WiMax modem. No luck so far, but I don’t know whether it fails because of AT&T, Clearwire, or (most likely) problems with my VPN settings. Yet another variable is that neither of the VPN routers I’ve tried is a Cisco, Pepwave or Juniper device. But I’ve also tried enabling the MAX BR1’s IP Passthrough, and letting a Linksys-Cisco router behind it do the VPN.

Anyway, I’m nervous about VPN reliability and remote maintenance with dynamic addresses at both ends. Maybe I’ll be better off coughing up the $500 to AT&T for a static public IP.

Thanks!

Well, after much drama I now have a public static IP through AT&T, but find that nearly all ports are still blocked. I still can’t ping it. Port 80 seems to be the only port open.
Hopefully it’s a simple matter to get AT&T to unblock the ports I need; I haven’t yet tried.
ashelly, in your AT&T experience, was there anything further you had to do once you got a public static ip assigned?
Thanks!

Some ports are still going to be blocked at the carrier level. You’ll need to set up port forwarding rules and map those ports to something that is open - this is the ‘Port Mapping’ option. Ports such as 8080, 8888, 9090, and 9999 have worked for us in the past.