The usual method of implementing a connection to a remote router and to devices on the LAN behind the router is to use port forwarding or a VPN.
Both of these techniques require the connection to be initiated from the local end (eg a PC or laptop on the office network) towards the remote router, which must therefore have a public IP address that is either static or reachable through a dynamic DNS name.
Neither technique works with most 4G (and 5G) connections, because mobile operators use Carrier Grade NAT (CGNAT): the 4G router is given a dynamic WAN address from a shared pool and sits behind the carrier's own NAT, so nothing outside the carrier network can open an inbound connection to it.
The 4G router and the devices on its LAN (eg CCTV cameras and VoIP phones) are therefore unreachable from the internet, and port forwarding configured on the 4G router achieves nothing.
The solution to this problem is described below and assumes that routers are used that can be configured to implement the proposed solution. Many consumer grade routers do not have the required capabilities.
We have tested the solution on Mikrotik routers at both the local and remote ends.
The solution is based on implementing a VPN tunnel that is configured with the remote 4G router as the client and the local router as the server. In other words it is the remote 4G router that initiates the VPN connection.
A pre-requisite for this solution is that the local router must have a static public IP address; the remote 4G router needs no public address at all, only outbound internet access.
The diagram below shows how this solution would be implemented.
The key points to note in the diagram above are:
- the local router must be assigned a static public WAN IP address;
- the remote 4G router is assigned a dynamic CGNAT WAN IP address (usually from the shared address range 100.64.0.0/10 reserved for carrier NAT, not one of the conventional private ranges);
- the LAN IP address range of the local and the remote router must be different;
- the local router must be configured as the VPN server and the remote router the VPN client; and
- each end of the VPN tunnel must be assigned a private IP address from a third range that overlaps neither the local nor the remote LAN range.
Other Configuration Requirements
In order for this solution to work it is also necessary to configure static routes in both routers: on the local router a route to the remote LAN via the remote end's tunnel address, and on the remote router a route to the local LAN via the local end's tunnel address. These enable devices on the local LAN to connect to devices on the remote LAN across the VPN tunnel and vice versa.
To access the router configuration pages it may also be necessary to open the appropriate ports (eg http port 80) on the remote router's firewall, but only for traffic arriving on the VPN interface; the same ports must stay closed on the 4G WAN interface.
It will also be necessary to open one or more ports on the local router to enable the VPN connection. The ports depend on the type of VPN used: PPTP needs TCP port 1723 plus the GRE protocol (IP protocol 47); L2TP/IPsec needs UDP ports 500, 1701 and 4500 plus ESP (IP protocol 50); OpenVPN needs only the single port the server is configured to listen on (1194 by default).
Unless you plan on leaving the VPN tunnel permanently open, a simple PPTP VPN may be acceptable for occasional use. PPTP is generally not recommended because its MS-CHAPv2 authentication and MPPE encryption are cryptographically broken. Enabling the local PPTP server only when remote access is required shrinks the window in which anyone can attack it, but it does not make the traffic of an active session confidential, so do not rely on PPTP to protect sensitive data.
The remote router will continually be trying to activate the VPN connection and will only be successful when the local VPN server is enabled.
Another benefit of this approach is that it minimises the use of 4G data, since the tunnel is down most of the time and the client's periodic connection attempts use very little data.
If continuous remote monitoring of (say) CCTV cameras is required then it makes sense to use a more secure VPN protocol such as L2TP/IPsec or OpenVPN, and to leave the local VPN server permanently enabled.
Monitoring Additional Remote 4G Routers
It is possible to extend the solution described above to provide remote access to multiple 4G routers and their associated LANs.
This would require each additional remote 4G router to have a LAN subnet that is not used by the local LAN or by any of the other remote 4G routers. For the solution described above 192.168.101.0/24, 192.168.102.0/24, 192.168.103.0/24 etc would be valid subnet choices for each additional remote router.
It would also be necessary to configure a separate VPN tunnel (ie a separate VPN user on the local router) for each additional remote 4G router. The remote IP address for each tunnel must not be the same as that used by any of the other remote 4G routers.
For the solution described above, tunnels with remote IP addresses of 172.16.0.101, 172.16.0.102, 172.16.0.103 etc for each additional VPN would be valid choices. The local VPN tunnel IP address would remain 172.16.0.1 for every tunnel, and each remote router needs its own static route on the local router pointing at its tunnel address.
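The following RouterOS configuration is an added example covering both the single-site solution described under Other Configuration Requirements and the multi-router extension above. It is not the page's paid guide nor Mikrotik's own documentation, and it assumes the following values: the local router has the static public address 203.0.113.10 and LAN 192.168.0.0/24, the first remote router has LAN 192.168.101.0/24, the second 192.168.102.0/24, the tunnel uses L2TP with IPsec required, and the usernames, passwords, pre-shared key and interface names are placeholders to be replaced.

```routeros
# ===== LOCAL router: L2TP/IPsec server with a static public IP (assumed 203.0.113.10) =====
# Open the VPN ports on the WAN side. These rules must sit above any "drop" rule in the
# input chain; use place-before=<rule number> if one already exists.
/ip firewall filter
add chain=input protocol=udp dst-port=500,1701,4500 action=accept comment="L2TP/IPsec from remote 4G routers"
add chain=input protocol=ipsec-esp action=accept comment="IPsec ESP from remote 4G routers"

# Enable the L2TP server and require IPsec (L2TP alone carries no encryption).
# To take the server offline between remote-access sessions, set enabled=no.
/interface l2tp-server server
set enabled=yes use-ipsec=required ipsec-secret="CHANGE-ME-ipsec-psk"

# One PPP secret per remote router. local-address is the local tunnel end (172.16.0.1),
# remote-address is that router's unique tunnel end, and "routes" installs the static
# route to that router's LAN on the local router whenever the tunnel is up.
/ppp secret
add name=remote-101 password="CHANGE-ME-101" service=l2tp local-address=172.16.0.1 remote-address=172.16.0.101 routes="192.168.101.0/24 172.16.0.101 1"
add name=remote-102 password="CHANGE-ME-102" service=l2tp local-address=172.16.0.1 remote-address=172.16.0.102 routes="192.168.102.0/24 172.16.0.102 1"

# ===== REMOTE 4G router #1 (LAN 192.168.101.0/24): L2TP/IPsec client =====
# The client keeps retrying until the local server is enabled; no inbound port is needed
# on the 4G side because the 4G router always initiates the connection.
/interface l2tp-client
add name=l2tp-to-local connect-to=203.0.113.10 user=remote-101 password="CHANGE-ME-101" use-ipsec=yes ipsec-secret="CHANGE-ME-ipsec-psk" add-default-route=no disabled=no

# Static route so remote LAN devices (cameras, phones) reach the local LAN via the tunnel.
# 172.16.0.1 becomes a connected address on l2tp-to-local once the tunnel is up.
/ip route
add dst-address=192.168.0.0/24 gateway=172.16.0.1 comment="local LAN via VPN"

# Router management (web on 80, Winbox on 8291) only for traffic arriving over the tunnel.
# Nothing is opened on the LTE WAN interface (assumed to be named lte1).
/ip firewall filter
add chain=input in-interface=l2tp-to-local protocol=tcp dst-port=80,8291 action=accept comment="management over VPN only"

# Make sure the existing masquerade rule is limited to the WAN interface, otherwise
# traffic into the tunnel is source-NATed and the local LAN cannot reply by address.
/ip firewall nat
set [find chain=srcnat action=masquerade] out-interface=lte1

# ===== REMOTE 4G router #2 (LAN 192.168.102.0/24) =====
# Identical to router #1 except for the user, password and nothing else: the local router
# assigns 172.16.0.102 from the matching PPP secret.
# /interface l2tp-client add name=l2tp-to-local connect-to=203.0.113.10 user=remote-102 \
#     password="CHANGE-ME-102" use-ipsec=yes ipsec-secret="CHANGE-ME-ipsec-psk" add-default-route=no disabled=no
```

The PPTP variant uses the same structure with `/interface pptp-server server set enabled=yes` on the local router, `/interface pptp-client add connect-to=203.0.113.10 user=... password=... disabled=no` on each remote router, and firewall rules accepting TCP port 1723 and `protocol=gre` instead of the UDP and ESP rules shown; the PPP secrets and static routes are unchanged. Toggling the local server with `set enabled=no` / `set enabled=yes` is what implements the "open only when needed" approach described above.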
We have prepared detailed, easy-to-understand, step-by-step instructions for configuring Mikrotik routers using the VPN solution described above. These can be downloaded for the nominal sum of £5.00 by clicking on this link.
Get In Touch
Click on the contact button to the left (or use our contact form) if you wish to find out more about your internet connectivity options or discuss any other telecommunications or internet issue.
Premitel are an established telecommunications & internet solutions provider serving primarily Edinburgh, the Lothians & Scottish Borders, although we have a few clients throughout the UK and overseas.
Our customers are typically businesses, although that includes the increasing number of home workers.
We specialise in:
- high quality VoIP solutions and services;
- boosting & extending WiFi;
- better & faster internet;
- cordless phone systems; and
- expense reduction.
Our advice is free for relatively straightforward requirements. For more complex projects, we offer a free initial no-obligation consultation.
Premitel in partnership with First City Communications also offer telephone & internet installation & support services for business & residential customers.