Configuring port forwarding on MAX BR1


#1

I am trying to configure a MAX BR1 (3g) to allow port forwarding so that I can:
A) SSH from the outside world into a PC which is connected directly to one of the ethernet LAN jacks.
B) Access a stand-alone IP camera which is running a web server on port 1421 and connected to the other ethernet jack.

The LAN addresses for computer and camera are assigned with DHCP and reserved by MAC address. I have the default firewall rules (allow everything).

I had a MAX BR1-LTE where I was able to do this by setting up port forwarding on ports 22 and 1421 to the correct LAN addresses. I believe I have set up the BR1 the same way, but I can’t access the camera or get SSH to connect.

Any ideas how to get SSH to a PC on the LAN to work? How does the firewall interact with port forwarding? Is there a way to log attempted connections so I can get better ideas of what’s going on?

Thanks.


#2

Can you confirm you have a routable public IP on the WAN connection? A lot of cellular carriers only hand out private IPs to the devices connected to their network, so you may need to subscribe to a static IP if they offer it.


#3

Thank you for the quick response.

I can ping the WAN IP from the outside world, and I have a dynamic dns daemon running on the LAN PC which seems to be updating the external server correctly.

How do I test if the IP is ‘routable’ and ‘public’?


#4

If you go to the dashboard of the BR1 and click on details for the cellular link, it will have an IP address, and if you can ping that address it is a public/routable IP. Keep in mind that you need to be remote from that network to perform the ping test.


#5

Yes, it is a pingable IP in the 75.228.x.x range from Verizon.


#6

As long as there are no firewall rules on the BR1 and the service provider isn’t blocking ports, this port forward should work properly. To further investigate, please open a support ticket here: http://cs.peplink.com/contact/support/


#7

SOLVED - Thank you Jarid and Pepwave for your help.

The ultimate issue is that if you have a dynamic IP address on Verizon’s 3G network, inbound connections on well-known ports are blocked before they ever get to your device.
I was able to solve my problem by using the port-mapping feature of the port-forwarding menu to translate traffic on an unblocked port to the ones I needed.


#8

Awesome, thanks for the update!


#9

In this thread you touched on a couple of things that I think may bear on a problem I’m having:
I’m using a MAX BR1-LTE on AT&T’s network, and need access from the outside world through various ports from 5000 to 6000. The MAX BR1 firewall is wide open, and I believe I have the port forwarding set up correctly, yet a port scan returns all ports blocked. I can’t even ping it from outside.

This turned out not to be an issue with ashelly’s situation, but you asked whether the WAN IP was a routable public IP address. Mine is not - it’s a 10.whatever on AT&T’s network. But I have a dynamically assigned address through dyndns.com.

Is this likely my problem? I’m unclear on why whatever address translation occurs between dyndns.com and AT&T and my modem would not make my ports visible from outside.

I’ve been around the block a bunch of times with AT&T over the last week, trying to get a dynamic public address assigned. Before I shorten my life even further, I’d like to be sure that this would even solve my problem.

(BTW, I have a separate WAN connection through Clearwire WiMax - with a public IP - through which all of the above works just fine. It’s just slow.)

Thanks for any guidance you can provide!


#10

I also had a similar problem with AT&T. The 10.x address means you are inside their LAN and behind some sort of router or router-like object doing NAT and firewall. As far as I can tell, all traffic originating from the outside world is blocked in this configuration. The only way I was able to get in from the outside was to have a public static IP assigned. I’m not sure they even do public dynamic.

I think it may be also possible to keep the private dynamic and solve this by going in a different direction: If you can set up a VPN, your device can automatically try to maintain a connection. Then your device is the originator and the traffic is allowed. But I haven’t explored this option yet.


#11

Private IP addresses like 10.x.x.x do not work with dyndns providers. You will need to get a public static IP from AT&T.
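
An added example, not part of the original thread: a Python check for the situation discussed in posts #9 to #11. It classifies the address shown on the router's WAN details page and compares it with the address an outside host sees. The function names and sample addresses are constructed for illustration.

```python
import ipaddress

# IPv4 ranges that cannot receive connections initiated from the internet.
NON_PUBLIC = {
    "rfc1918-private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "rfc6598-carrier-nat": ["100.64.0.0/10"],
    "link-local": ["169.254.0.0/16"],
    "loopback": ["127.0.0.0/8"],
}


def classify_wan(addr):
    """Return 'public' or the name of the non-public range addr falls in."""
    ip = ipaddress.IPv4Address(addr)  # raises AddressValueError if not IPv4
    for label, nets in NON_PUBLIC.items():
        if any(ip in ipaddress.ip_network(n) for n in nets):
            return label
    return "public"


def inbound_verdict(wan_addr, seen_from_outside):
    """Judge whether a port forward on the router can be reached at all.

    wan_addr:          address on the router's WAN/cellular details page
    seen_from_outside: source address a remote host sees for traffic
                       leaving the LAN (e.g. what the dynamic DNS name
                       resolves to)
    """
    kind = classify_wan(wan_addr)
    if kind != "public":
        return f"blocked: WAN address is {kind}, so carrier NAT sits in front of the router"
    if ipaddress.IPv4Address(wan_addr) != ipaddress.IPv4Address(seen_from_outside):
        return "check: WAN address is public but the outside world sees a different one"
    return "possible: WAN address is public and matches; carrier port filtering may still apply"


if __name__ == "__main__":
    # Constructed samples: a 10.x WAN address as in post #9, and 8.8.8.8
    # standing in for any public address.
    for wan, outside in [("10.20.30.40", "8.8.8.8"), ("8.8.8.8", "8.8.8.8")]:
        print(wan, "->", inbound_verdict(wan, outside))
```

A "possible" result only rules out carrier NAT; per-port blocking by the carrier, as described in posts #7 and #14, has to be tested separately.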


#12

Thanks for the detailed reply!
I’m exploring the VPN idea - between the MAX BR1 and VPN routers behind a Clearwire WiMax modem. No luck so far, but I don’t know whether it fails because of AT&T, Clearwire, or (most likely) problems with my VPN settings. Yet another variable is that neither of the VPN routers I’ve tried is a Cisco, Pepwave or Juniper device. But I’ve also tried enabling the MAX BR1’s IP Passthrough, and letting a Linksys-Cisco router behind it do the VPN.

Anyway, I’m nervous about VPN reliability and remote maintenance with dynamic addresses at both ends. Maybe I’ll be better off coughing up the $500 to AT&T for a static public IP.

Thanks!


#13

Well, after much drama I now have a public static IP through AT&T, but find that nearly all ports are still blocked. I still can’t ping it. Port 80 seems to be the only port open.
Hopefully it’s a simple matter to get AT&T to unblock the ports I need; I haven’t yet tried.
ashelly, in your AT&T experience, was there anything further you had to do once you got a public static IP assigned?
Thanks!


#14

Some ports are still going to be blocked at the carrier level. You’ll need to set up port forwarding rules and map those ports to something that is open - this is the ‘Port Mapping’ option. Ports such as 8080, 8888, 9090, and 9999 have worked for us in the past.