Gentoo Forums
Reach my Pi over cellphone network ?
Goverp
Advocate


Joined: 07 Mar 2007
Posts: 2249

Posted: Sun Apr 06, 2025 9:21 am    Post subject: Reach my Pi over cellphone network ?

I have a remote setup with a Raspberry Pi (amongst other devices) attached to the Internet via a fibre-optic network ISP's router.
The Pi runs sshd, and sets a dynamic DNS name using duckdns.org, and the router uses port forwarding to enable an SSH connection over the Internet (set for certificate-only login, and rate-limiting in the firewall - amusing to count the number of failed bot login attempts). I log in from home to check the Pi and network are alive and well. To save money, I am replacing my fibre network supplier and their router with a 4G/5G cellphone network router and SIM. But port forwarding and dynamic DNS don't work using the cellphone network.

The base problem is that the cellphone network won't allow port forwarding, and I think the dynamic DNS is also doomed, as they use CGNAT. Looking at the router, it has a 192.168.0.0 subnet address on the LAN, as you'd expect, but a 10.0.0.0 subnet address on the WAN, which I suppose is half the CGNAT thingy, which I'm guessing gets connected to an available Internet address from the cellphone network's subnet. The cellphone router has port forwarding configured, but that's only on the 10.0.0.0 subnet (and that works), but it doesn't reach the real Internet.

I'm guessing three possible solutions:

1) reverse the setup - set up a dynamic DNS for my home PC (on wired Internet) and get the Pi to periodically try to connect to it - I'm guessing this means setting up a VPN on my home PC, not something I've ever tried.

2) Does IPV6 sort this out? Some cellphone carriers in the UK offer IPV6 network addresses, and the cellphone router supports that. In theory there should be no NAT stuff in the way. That's probably too good to be true! I can't see the cellphone ISP allowing anyone to attach any random server to the public Internet over their network. (Of course, the SIM I have now is for an ISP that's yet to offer IPV6, and I expect the services that do will be rather more expensive, thereby defeating the whole plan).

All thoughts and suggestions gratefully received.

3) I wonder if I could connect to the 10.0.0.0 address using my home PC via tethering on my cellphone, which is on the same ISP. duckdns let me set an entry for that, seems sort of wrong!
_________________
Greybeard
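
The check described in the post above (what the router shows on its WAN side versus what the Internet sees), as an added example that is not part of the original thread. It also covers the IPv6 case raised in option 2; the function names and all sample addresses are constructed, with documentation ranges standing in for public addresses.

```python
import ipaddress

# Ranges that are never routed on the public Internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT_SHARED = ipaddress.ip_network("100.64.0.0/10")   # RFC 6598, carrier NAT
IPV6_ULA = ipaddress.ip_network("fc00::/7")            # unique local addresses
IPV6_LINK_LOCAL = ipaddress.ip_network("fe80::/10")


def classify(addr: str) -> str:
    """Return the scope of an address as seen on a router's WAN interface."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        if any(ip in net for net in RFC1918):
            return "rfc1918"
        if ip in CGNAT_SHARED:
            return "cgnat-shared"
    else:
        if ip in IPV6_ULA:
            return "ipv6-ula"
        if ip in IPV6_LINK_LOCAL:
            return "link-local"
    return "public"


def port_forward_verdict(router_wan: str, seen_from_internet: str) -> str:
    """Compare the router's WAN address with the source address an
    external host observes for a connection made from behind it."""
    if classify(router_wan) != "public":
        # Non-routable WAN address: the carrier translates further upstream,
        # so a forward configured on the router never faces the Internet.
        return "nat-upstream"
    if ipaddress.ip_address(router_wan) != ipaddress.ip_address(seen_from_internet):
        return "translated-upstream"
    # No NAT in the path; the carrier may still filter inbound ports.
    return "no-nat"


if __name__ == "__main__":
    samples = [  # constructed (WAN address, address seen from outside) pairs
        ("10.23.45.6", "198.51.100.20"),
        ("100.72.1.9", "198.51.100.20"),
        ("203.0.113.7", "203.0.113.7"),
        ("fd12:3456::1", "2001:db8::5"),
        ("2001:db8:1::10", "2001:db8:1::10"),
    ]
    for wan, seen in samples:
        print(f"{wan:16} {classify(wan):13} {port_forward_verdict(wan, seen)}")
```

A "nat-upstream" or "translated-upstream" result means the connection has to be initiated from the Pi outwards, as in option 1.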
NeddySeagoon
Administrator


Joined: 05 Jul 2003
Posts: 55273
Location: 56N 3W

Posted: Sun Apr 06, 2025 12:20 pm    Post subject:

Goverp,

Quote:
... a 4G/5G cellphone network router and SIM ...

That's a Pi HAT, or possibly a USB dongle.

Quote:
... as they use CGNAT.

That's game over. It's two or more layers of NAT. You have no control over the carrier NAT(s), so there is no way in from the outside.
The Pi will need to connect to the outside world.

Code:
... setting up a VPN on my home PC ...
or on some system that both Pi and your home PC can reach.
If the box in the middle was a postbox, ssh would work.
ssh to your home PC would work too. Then you need to keep the credentials on the Pi secure.

I've tried several different VPNs at home, even wireguard, all with the same degree of success. Absolutely none at all :) but I was probably being too clever, so don't let that put you off.
I should have started with the defaults, then broken it from there. :)
You still need to keep the VPN credentials secure on the remote end.

IPv6 would give you public IP addresses (at least, it should) but cellphone networks are notorious for blocking ports, then charging extra if you really want to use them.
I wouldn't put it past a cellphone network to restrict you to site local addresses, either. IPv6 NAT is a thing too.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Goverp
Advocate


Joined: 07 Mar 2007
Posts: 2249

Posted: Sun Apr 06, 2025 1:34 pm    Post subject:

NeddySeagoon wrote:

Quote:
... a 4G/5G cellphone network router and SIM ...

That's a Pi HAT, or possibly a USB dongle.

In this case it's a big white box with aerials sitting on the windowsill, a D-Link DWR-978. The Pi is on one ethernet port.

I might be too cynical, but I suspect it's not worth trying IPV6, so it looks like I'm going to delve into OpenVPN and/or wireguard and their ilk.
_________________
Greybeard
Ralphred
l33t


Joined: 31 Dec 2013
Posts: 781

Posted: Sun Apr 06, 2025 2:04 pm    Post subject:

Goverp wrote:
I suspect it's not worth trying IPV6
If you can get a predictable* address it works well, a couple of mates and I already use firewalled ipv6 as an "unencrypted pseudo-VPN"
Quote:
Of course, the SIM I have now is for an ISP that's yet to offer IPV6, and I expect the services that do will be rather more expensive, thereby defeating the whole plan
You can get sims with static IPV4 addresses, but that's going to defeat your "save money" objective (we used to give them, in routers, to some of the "still learning" wayfaring engineers because it was cheaper than pulling the high level guys from their tasks to drive to site to give support) but they weren't cheap, like twice the monthly cost of the average unlimited data sim. No one I've used charges for more IPV6, but that's not on the mobile side so.

Quote:
amusing to count the number of failed bot login attempts ... CGNAT
Still undecided on which is the bigger devil of these two...

*EDIT: I was just messing with some html, as a PoC:
Code:
<html>
<body>
<a href="ssh://someuser@[aaaa:bbbb:cccc:dddd::eeee:ffff]">SSH session</a>
</body>
</html>
^^ This works, so erm, DM if "predictability" becomes an issue, and you can't work round it with dynamic dns services, I have a plan...