This has come up a few times in the Facebook group. This is an overview of my router mode configuration with MikroTik.
As a disclaimer, there may be problems with my specific configuration, but I hope it gives you an idea of how to use router mode so you can do 1:1 NAT for traffic shaping and accounting, or even just to give customers public addresses. If anyone believes I may be doing something wrong please help me out and correct me!
The eNB has to have internet access to connect to the cloud services - via NAT or public addressing.
At this point it is recommended to firewall the eNB or keep it on private address space. I am running in Router mode with a public address on the eNB. I allow all outbound established/related and block everything inbound to the eNB. Make sure your eNB is firewalled if you put it on public space! I believe @jesse may know better what to block, but it’s advised to at least block SNMP, SSH, and HTTP/HTTPS to the eNB. I took a nuclear approach and blocked everything not in my management address space.
The settings we will be changing are under the LTE Settings > LGW settings.
My example uses 10.1.50.1/24 as the pool. You can use whatever address space fits your network as the pool.
On the ‘LGW Settings’ page we want to look at ‘LGW Mode’. We want to set it to router (by default I believe it’s set to NAT.) Under ‘LGW IP Pool’ we set 10.1.50.1. Currently you have no choice but to dedicate a /24 to the pool, so we decided to do private addressing.
In order to access this address space you will need a static route to the public or private address you assigned to the WAN interface of the eNB.
Example: /ip route add distance=1 dst-address=10.1.50.0/24 gateway=address-of-eNB-here
We run OSPF in our network and in order to get to this address space from the rest of the network I had to enable ‘Redistribute Static Route’ in the OSPF instance. There may be a better way to do this without doing so, but I am not sure.
‘IMSI IP Binding’
This is where you tell the eNB what static IP to bind to what IMSI. The IMSI is SIM card specific so you will have to know what sim card is in use at every customer.
Before we deploy a customer we assign the IMSI a static address (for example, 10.1.50.21). If you have “Remote HTTPS access” enabled in the UE you will be able to remotely manage the UE at this address, provided the static route is in place.
Now that the CPE is assigned a static address we can do 1:1 NAT, or 1-to-many if you need to.
In our example we have a small subnet set aside; we assign a /32 to the bridge interface per customer, and then NETMAP from the private IP to the public IP. There are multiple ways to do this - pick what fits best for you. I am tight on address space at the moment and /32s are the best way for us to conserve at a slowly growing site.
Example: /ip firewall nat add action=netmap chain=srcnat comment="Customer Name" src-address=10.1.50.21 to-addresses=public-address-here
Another note… When I originally set this up I was having issues with the eNB and this was the configuration I found to work. I don’t see why it would not work with a simple SRCNAT rule instead of the NETMAP action. I just have not had time to revisit it and I don’t want to break customers.
Now the UE is able to establish connections outbound to the world via its own or a shared address. If it has its own, you can apply traffic shaping policy via the local router or a more centralized shaping solution.
I am not currently allowing inbound access to our LTE customers by design, and this is a shortcoming. You can easily add a DSTNAT rule to overcome this. We have not had to yet, but we are only servicing residential customers at this point. If it comes to this I would prefer to dedicate a router for it instead of having it set up on our site router. You may also want to firewall ports to the UE, like SNMP. Currently there is no way to restrict SNMP on the UE; it answers by default with the community of ‘public’.
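To tie the steps above together, here is a complete RouterOS v6 configuration for the site router that implements the whole procedure in one place: the static route to the pool, OSPF redistribution, a 1:1 NETMAP customer with the optional inbound DSTNAT counterpart, a shared-address fallback for the rest of the pool, a per-customer queue, and the eNB/UE firewalling. This is an added example, not my running config and not taken from the LGW guide; every address and interface name in it is an assumption chosen from documentation ranges, and the OSPF line uses v6 syntax (v7 changed it to redistribute=static on the instance).

```routeros
# Added example configuration (RouterOS v6 syntax). All values below are assumptions:
#   198.51.100.1    = eNB WAN address (eNB on public space, as in the post)
#   10.1.50.0/24    = LGW IP pool (private, as in the post)
#   10.1.50.21      = IMSI-bound address of one customer's UE
#   203.0.113.21/32 = dedicated public address for that customer (1:1 NAT)
#   203.0.113.1     = shared public address for customers without a dedicated IP
#   192.0.2.0/24    = management address space allowed to reach the eNB and UEs
#   bridge1         = site bridge that holds the customer /32s

# 1. Static route: the LGW pool lives behind the eNB's WAN address.
/ip route add distance=1 dst-address=10.1.50.0/24 gateway=198.51.100.1 comment="LGW pool via eNB"

# 2. Redistribute static routes into OSPF so the rest of the network can reach the pool.
#    v6 syntax; RouterOS v7 uses: /routing/ospf/instance/set default redistribute=static
/routing ospf instance set default redistribute-static=as-type-1

# 3. Give the router the customer's public /32 so it answers ARP for it on the bridge.
/ip address add address=203.0.113.21/32 interface=bridge1 comment="Customer A public"

# 4. 1:1 NAT for a customer with a dedicated public address.
#    Outbound: netmap in srcnat rewrites the UE's private source to the public /32.
/ip firewall nat add chain=srcnat action=netmap src-address=10.1.50.21 \
    to-addresses=203.0.113.21 comment="Customer A 1:1 out"
#    Inbound (the DSTNAT rule the post mentions as optional): public /32 -> UE address.
#    Omit this rule to keep the customer outbound-only.
/ip firewall nat add chain=dstnat action=netmap dst-address=203.0.113.21 \
    to-addresses=10.1.50.21 comment="Customer A 1:1 in"

# 5. 1-to-many for everyone else: the rest of the pool shares one public address.
#    This must sit AFTER the 1:1 rule; srcnat matches top-down and the first hit wins.
/ip firewall nat add chain=srcnat action=src-nat src-address=10.1.50.0/24 \
    to-addresses=203.0.113.1 comment="LGW pool shared NAT"

# 6. Per-customer shaping keyed on the IMSI-bound private address (25M up / 100M down).
/queue simple add name="Customer A" target=10.1.50.21/32 max-limit=25M/100M

# 7. Firewall (forward chain, traffic transiting the site router):
#    - eNB on public space: only management space may initiate to it, return traffic is fine
#    - UEs: management space may reach them (remote HTTPS), nobody else gets SNMP
/ip firewall filter add chain=forward action=accept connection-state=established,related \
    comment="Return traffic"
/ip firewall filter add chain=forward action=accept src-address=192.0.2.0/24 \
    dst-address=198.51.100.1 comment="Mgmt to eNB"
/ip firewall filter add chain=forward action=drop dst-address=198.51.100.1 \
    comment="Block everything else inbound to eNB"
/ip firewall filter add chain=forward action=accept src-address=192.0.2.0/24 \
    dst-address=10.1.50.0/24 comment="Mgmt to UEs"
/ip firewall filter add chain=forward action=drop protocol=udp dst-port=161 \
    dst-address=10.1.50.0/24 comment="No SNMP to UEs from anywhere else"
```

Two things worth checking after pasting this in: `/ip firewall nat print` should show the 1:1 srcnat rule above the shared-address rule, or the dedicated customer will quietly end up behind the shared IP; and because dstnat runs before the forward chain, the SNMP drop on 10.1.50.0/24 also covers packets that arrived addressed to the customer's public /32, so one filter rule protects the UE whichever address the outside world used.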
Please also see the LGW guide: