
[Closed] 4G Broadband replacement - incoming connections

 toby
Posts: 538
Full Member
Topic starter
 

Hi all, bit of an obscure question I know, but there are plenty of fellow IT types and people in rural locations on this forum, so someone may well have trodden the path that I'm looking at. I'm looking at changing a rural office's main internet connection from woefully slow DSL to a 4G based connection. Initial experiments on EE look very hopeful with much better speeds.

However it appears that EE block all incoming connections from the Internet, which is a problem as they run an OpenVPN based setup for a satellite office to connect to their server.

Does anyone know if there are 4G providers offering a broadband-replacement without that restriction? I appreciate that it's not something everyone needs, but there must be some people about who connect to their own VPN / services / want to check their CCTV cameras externally.


 
Posted : 14/03/2021 1:20 pm
 IHN
Posts: 19917
Full Member
 

I assume it's the EE router that blocks the connections, not the SIM? If so, would an EE SIM in a 4G broadband setup from someone like Solwise work?


 
Posted : 14/03/2021 2:11 pm
 toby
Posts: 538
Full Member
Topic starter
 

No, it's my own router with a 4G -> Ethernet modem now attached. EE are using CGNAT within their network (presumably to help with IP range shortage). The IP address assigned to the "outside" of the router is not what I see when I Google "What's my IP", so there is some translation going on in the EE network.


 
Posted : 14/03/2021 2:15 pm
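The check described in the post above (comparing the router's WAN address with what a "What's my IP" service reports), as an added example that is not part of the original thread. The function name and the sample addresses are constructed for illustration.

```python
import ipaddress

# RFC 6598 shared address space, reserved for carrier-grade NAT.
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(wan_ip: str, seen_public_ip: str) -> str:
    """Classify a router's IPv4 WAN address against the address seen from outside.

    wan_ip:         address shown on the router's WAN / modem interface
    seen_public_ip: address reported by an external "what is my IP" lookup
    """
    wan = ipaddress.ip_address(wan_ip)
    seen = ipaddress.ip_address(seen_public_ip)
    if wan.version != 4 or seen.version != 4:
        raise ValueError("this check only covers IPv4")
    if wan in CGNAT_NET:
        return "cgnat-shared-space"    # carrier NAT; no port forward possible
    if any(wan in net for net in PRIVATE_NETS):
        return "private-behind-nat"    # carrier (or modem) NAT on RFC 1918 space
    if wan != seen:
        return "translated-upstream"   # public-looking, but rewritten on the way out
    # Addresses match: no translation. A carrier firewall may still drop
    # unsolicited inbound traffic, so this is necessary, not sufficient.
    return "directly-addressed"


if __name__ == "__main__":
    # Constructed sample pairs: (router WAN address, externally observed address)
    samples = [
        ("100.72.14.9", "203.0.113.50"),
        ("10.33.4.17", "203.0.113.50"),
        ("198.51.100.7", "203.0.113.50"),
        ("203.0.113.50", "203.0.113.50"),
    ]
    for wan, seen in samples:
        print(f"{wan:>15} vs {seen:<15} -> {classify_wan(wan, seen)}")
```

Only the last result leaves any chance of an inbound OpenVPN listener being reachable; the other three mean the tunnel has to be initiated outbound from the 4G site.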
Posts: 77724
Free Member
 

Is it because it's a domestic service rather than something aimed at businesses?

Move the server and connect in the other direction?

I know this is stating the obvious but have you spoken to EE?


 
Posted : 14/03/2021 2:30 pm
 toby
Posts: 538
Full Member
Topic starter
 

Yes, spoken to EE and they have confirmed that all their (mobile) network will block incoming connections. I had hoped there would be options on the broadband replacement packages to be more land-line like. Forum posts suggest that other mainstream mobile networks are the same (with the possible exception of some unofficial tweaking on the Three network, but their coverage is not as good in the area).

Reversing the client / server setup has been considered, however the other office is also rural with poor DSL, so if this works well, they may well be moving to a 4G connection in the near future.


 
Posted : 14/03/2021 2:39 pm
Posts: 1646
Full Member
 

They all use CGNAT. I've seen issues where, for example, 4G backup doesn't work on one carrier but does on others. So even the implementation of CGNAT varies across the carriers. At the time I was working for one of the carriers, and even internally we couldn't get a SIM with a fixed IP, well, at the scale we required for the customer deployment.

The mobile broadband forum on ISPReview is a great source of information on using 4G/5G, for example on EE

https://www.ispreview.co.uk/talk/threads/4g-cgnat-is-frustrating.34309/

This is backed up by this

https://www.3grouterstore.co.uk/3G/FAQ.html


 
Posted : 14/03/2021 2:39 pm
 toby
Posts: 538
Full Member
Topic starter
 

Thanks, @Russel96, that was pretty much where I'd got to.

There do seem to be some people advertising what looks like what I want, e.g. Comms365 but I've no real way of knowing if they're a. going to do what I actually need and b. cost a reasonable amount. I'd hoped to find someone on here with first hand knowledge. However the ISP Review site looks like a good place to post next. Thanks.


 
Posted : 14/03/2021 2:53 pm
Posts: 28
Free Member
 

Replacing OpenVPN with ZeroTier could be an alternative to avoid needing inbound connections in either site.


 
Posted : 14/03/2021 3:15 pm
Posts: 368
Full Member
 

Agree, I’d look at a service like ZeroTier. There’s no getting around CGNAT really; even if inbound traffic is allowed, you can’t NAT through.


 
Posted : 14/03/2021 3:45 pm
Posts: 1646
Full Member
 

Only other thing I can think of and it depends on your router and skills.

1: You initiate a connection to the site via its DSL connection
2: A host or the router at the site recognises this connection and decides it needs to phone home
3: Phone home being a destination IP address that is policy routed outbound via your 4G connection
4: This starts, for example, a LAN to LAN VPN tunnel
5: Connection is now set up so that you can then access your CCTV
6: Have a timeout on the VPN connection, say it drops after XYZ seconds of inactivity


 
Posted : 14/03/2021 4:14 pm
 toby
Posts: 538
Full Member
Topic starter
 

Cheers for the suggestions, everyone! Yup, alternative VPNs are being looked at, though with OpenVPN offering their own cloud service for free up to 3 connections, that's my first option.

But I'd have preferred not to have to re-jig significantly for the sake of an Internet connection not being what I expected. I'd thought that there was a reasonable overlap between 4G being the only option for connecting a remote shed and wanting to keep an eye on the CCTV at said remote shed.


 
Posted : 14/03/2021 7:02 pm
Posts: 4197
Free Member
 

"Phone home being a destination IP address that is policy routed outbound via your 4G connection"

I don't think that works with CGNAT. The IP of your 4G router is on a private subnet (192... or 10...) that you can't route to from the internet. The public IP for that subnet is shared with 200+ other users and so far as I know you can't route from that to your private IP.


 
Posted : 14/03/2021 7:18 pm
Posts: 1646
Full Member
 

It would be a public IP for the other end of the VPN tunnel. You'd have a route policy set up to prefer the 4G connection over the DSL. If the tunnel is set up for LAN to LAN you would encapsulate inside it the private IP address ranges of the LAN subnets you want to route over the internet.

I'm sat here using a Draytek router that has a VDSL connection and a 4G connection. I've policies set up to prefer one connection over another, for example high bandwidth time insensitive services will go out via the 4G and latency sensitive (example, voice and interactive video, DNS) go out via the VDSL. All works fine.

I could set up the Draytek as a remote client VPN server. So I could, say, use an SSL connection from my laptop in via the VDSL connection onto the local LAN. Then SSH onto a Raspberry Pi on my local LAN. From that Pi I could then trigger an outbound connection to the internet to my chosen destination, that would be routed out via the 4G connection on my router, triggering the setup of a LAN to LAN tunnel, both based on pre-defined policies.


 
Posted : 14/03/2021 7:40 pm