Remote Web Admin without InControl2

I have a Peplink Max BR1 Pro 5G router, and I have updated it to the latest firmware. I have a static IP assigned to my SIM card, and I am trying to remotely connect to the router via the web for remote management, etc. All the documentation I can find refers me to the IC2 application. However, we have opted to not use that application.
I found the ‘Web Admin Access’ settings under System/Admin Security. But I’m still missing something. Where can I find documentation to configure remote web admin the manual way?

That is the main on/off switch. Just above it you can force HTTPS and just below it you can change the port that it listens on. This works great.
What other configuration options are you looking for?


As Michael says, set username and password (change the username away from admin), set security to HTTPS, set web admin access to LAN/WAN, and change the web admin port to something unexpected.

Then further down under WAN connection access settings make sure the WAN IP of the cellular WAN is ticked.

Then just visit that WAN IP and your custom port in your browser.


I’m sorry … I’m still missing something. Please see the attached picture …

Is that obscured IP shown on the cellular connection on Peplink dashboard in the CGNAT range of 100.64.0.0 to 100.127.255.255? I expect it is, in which case AT&T is blocking inbound access to your router.


No … the IP does not fall within the range you listed. However, I did not know that AT&T themselves would block inbound traffic like that. I will reach out to them and see what they say about my IP.
Thanks

In addition to what @MartinLangmaid said, I’ll mention that I don’t think I have seen a situation where AT&T cellular did not present a 10.0.0.0/8 address to the user. If this is the case, as in the range that Martin mentioned, you are not going to get inbound through their CGNAT.
IPv4 Private Address Space and Filtering - American Registry for Internet Numbers
If this is the case I’d respectfully suggest a call to AT&T will likely not be fruitful. The solution is to make an outbound connection through the CGNAT.


If you have the ability to come from a device or network with a fixed IP that you can establish an IPSec VPN to, you could configure an IPSec VPN between the Peplink router and that device/network.

As long as the carrier does not block IPSec traffic you should be ok.

If the remote router is using a cellular connection with a standard SIM, aggressive mode works well for the Peplink router IPSec VPN setup.

Then configure a new VLAN with an IP address that you advertise into the VPN as a local route.

As long as you have a route to that IP from the device/network at the control end you should be able to reach the new VLAN IP address and access the web admin page that way.

That would make it a LAN connection, which may give you greater scope for limiting the WAN admin connection options.

Here’s the main thing to understand, and I am referring to your image…

With CGNAT/NAT on the carrier side, which is the norm, not the exception, you won’t be able to directly browse to the router.

IF the two IPs you noted in your screenshot are different, then there is a NAT involved and you won’t be able to connect. And that’s because the carrier/network’s external “Public IP” won’t forward new incoming connections to your router’s WAN IP. When you make an outbound connection to an external server/website/service, the carrier’s systems will map the external and internal IPs and the TCP/UDP ports involved in an internal memory map (NAT Table) and allow responses to be routed back. But this same thing does NOT occur if someone on the Internet side tries to initiate a new connection toward your router.

Telcos like AT&T/T-Mobile do offer business plans with optional public IPs, typically at a higher cost. So you could ask for a different plan that has a public IP, and see if that works.

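Added example, not part of any post in this thread: a small Python check that applies the two tests the replies describe, namely whether the cellular WAN address falls in the CGNAT range (100.64.0.0 to 100.127.255.255) or private space, and whether it differs from the address an outside server sees. The function names and the sample addresses (documentation ranges used as stand-ins for public IPs) are assumptions made for illustration.

```python
import ipaddress

# Ranges named in the thread: the CGNAT shared space and private address space.
CGNAT = ipaddress.ip_network("100.64.0.0/10")   # 100.64.0.0 - 100.127.255.255
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(addr):
    """Return 'cgnat', 'private' or 'public' for an IPv4 address string.
    Only the ranges discussed in the thread are checked."""
    ip = ipaddress.IPv4Address(addr)
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in RFC1918):
        return "private"
    return "public"

def inbound_assessment(wan_ip, observed_ip):
    """wan_ip: address shown on the router's cellular WAN.
    observed_ip: address an outside server sees for the router's outbound traffic.
    Returns (possible, reason); possible=True still needs the carrier to allow inbound."""
    kind = classify(wan_ip)
    if kind != "public":
        return False, f"WAN address is {kind} space, so carrier NAT sits in front of the router"
    if ipaddress.IPv4Address(wan_ip) != ipaddress.IPv4Address(observed_ip):
        return False, "WAN and observed addresses differ, so a NAT is translating"
    return True, "WAN address is public and matches what the outside sees"

if __name__ == "__main__":
    # Constructed sample pairs (WAN IP on the dashboard, IP seen from outside).
    samples = [
        ("100.70.1.2", "198.51.100.7"),    # CGNAT range
        ("10.20.30.40", "198.51.100.7"),   # 10.0.0.0/8 handed out by the carrier
        ("203.0.113.10", "198.51.100.7"),  # public-looking WAN, but still translated
        ("203.0.113.10", "203.0.113.10"),  # public and untranslated
    ]
    for wan, seen in samples:
        ok, reason = inbound_assessment(wan, seen)
        print(f"{wan:>15} / {seen:<15} inbound possible: {ok} ({reason})")
```

When the result is False, direct WAN web admin will not work and an outbound-initiated path such as the IPSec VPN described earlier in the thread is the option left.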