I’ve been a long-time user of Teltonika products, starting with your 3G routers, but this is my first time posting in the forums.
I currently use Teltonika routers with a Three network SIM card and the 3internet APN, which allows me to port forward and use DynDNS. I wanted to ask if there’s a way to achieve port forwarding or communicate with the router when using other carriers like EE, Vodafone, or O2, which use CGNAT?
Would a VPN be a viable solution for this, or is there another method that could work? I appreciate any help or insights you can provide.
A regular retail SIM, Vodafone, O2 etc. will present a WAN interface IP that is ‘hiding’ behind CGNAT. This means that Internet-based clients will not be able to see the ‘true’ IP of your router’s WAN interface - for this reason, port forwarding will not work.
The 3 potential solutions to this are:
1. obtain a SIM with a Public IP, but advisable still to deploy a VPN tunnel.
2. use a site-2-site / end user-2-site VPN, as long as one side of the VPN tunnel has a Public IP. The VPN will have to be initiated from the side of the tunnel WITHOUT a Public IP.
3. use a vpn matching service / relay service, such as ZeroTier, Tailscale or RMS, if both ends of the VPN tunnel DO NOT have a Public IP.
Port Forwarding is less than desirable from a security perspective and instead, VPNs are usually employed, thus negating the need to Port Forward, and giving you less exposure to security risks emanating from the internet.
Hi Mike, Thanks for your response. I’m not very familiar with VPNs, so I’d appreciate some additional guidance. We’re looking for a solution where the VPN server has a fixed IP address, and Teltonika routers can connect to that VPN. This way, anyone with the fixed IP can log in via a web browser without needing to use a desktop client. Could you recommend a VPN service that would be suitable for this setup?
There are many options out there … I suggest you write down a clear statement of requirement / functionality required, along with any limiting factors / constraints.
You’ll need to be clear about the various infrastructure platforms your solution needs to support.
Do your research, identify possible options and then ask questions.
I say this because, as a general rule, this forum is for support of Teltonika devices and their interoperability and not for solution design from scratch.
This is my personal view, others may well have a different opinion. You never know, someone might be kinder.
Start looking at Wireguard to see if the client platforms will run it - it’s compact and efficient.
Hi Mike - I have done an image and hopefully this explains better. We ideally want a hosted VPN service with fixed IP which will then link to RUT routers and then we can forward routes to the desired device and have this across multiple sites using a SIM card which assigns CGNAT not a public or fixed IP address.
So the first thing to point out is that you will need vpn software running at both ends of your tunnel. This software should run on your PC or the local router/gateway that the PC connects to. From there the tunnel will be established over the internet, often via a 3rd Party VPN Relay Service, to the VPN software running on the Teltonika device.
With Manchester’s router hiding behind CGNAT, most people would use a VPN Relay Service, and ZeroTier is available on a RUT955 running firmware version RUT9_R_00.07.06.16.
ZeroTier has clients that will work on Windows / macOS / Linux / Android etc. if you are going to load the VPN software on the End-User Device, to connect.
There are other options that don’t involve a 3rd party service, but as I don’t do solution design from scratch, you’re on your own, and you’ll have to do the legwork yourself. There is plenty of information out there e.g. RUT955 doesn't accept Wireguard as an option that doesn’t require a 3rd party relay service.
Once the tunnel is established you can use something like iVMS-4200, running on your PC, to point directly at the IP of your NVR, without having to port forward (assuming you are running a HikVision NVR). The only thing to watch out for is the bandwidth requirement, streaming video/audio over your LTE infrastructure and link.
If you are running Hikvision NVRs, you should be able to use Hik-Connect as an option, without having to set up a separate VPN or have any ports forwarded.
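The site-to-site option from earlier in the thread (tunnel initiated from the side without a Public IP) combined with the WireGuard suggestion, sketched as an added example that is not from any poster or from Teltonika. It uses generic wg-quick style syntax; the addresses (203.0.113.10, 10.99.0.0/24, 192.168.10.0/24), port 51820 and the key placeholders are constructed assumptions.

```ini
# === File 1: hub, the hosted server with the fixed public IP ===
# (203.0.113.10 is a constructed documentation address)
[Interface]
Address = 10.99.0.1/24
ListenPort = 51820
PrivateKey = <hub-private-key>

# Peer: router at a site behind CGNAT.
# No Endpoint line here: the hub cannot dial a CGNAT address. It learns the
# router's current address and port from the router's first authenticated packet.
[Peer]
PublicKey = <router-public-key>
# Tunnel address of the router plus the LAN behind it (e.g. the NVR subnet).
AllowedIPs = 10.99.0.2/32, 192.168.10.0/24

# === File 2: spoke, the router behind CGNAT ===
[Interface]
Address = 10.99.0.2/24
PrivateKey = <router-private-key>

[Peer]
PublicKey = <hub-public-key>
# The router initiates, so only this side names an endpoint.
Endpoint = 203.0.113.10:51820
# Only tunnel addresses are routed through the hub, not general internet traffic.
AllowedIPs = 10.99.0.0/24
# Keeps the carrier's NAT mapping open so the hub can still reach
# the router when the site is otherwise idle.
PersistentKeepalive = 25
```

With this layout the only listening port exposed to the internet is UDP 51820 on the hub. Each additional site gets its own [Peer] block on the hub with a distinct tunnel address and a non-overlapping LAN subnet.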