NAT (Forwarding) in T-Mobile Gateway

  • 9 December 2021
  • 51 replies
  • 61244 views


Show first post

51 replies

My nat was strict and couldn’t play in a party on Xbox.

Great lad at customer service had me run 2 speed tests and that pushed me into whatever and now the nat is open. Yay for cgnat 

@jarrodsfarrell what solution are you using to tunnel? I’ve setup ngrok to get around the port-forwarding on a laptop running behind the T-Mobile 5G POS Modem, but it’s not persistent. Every time I lose power or the internet connection is interrupted, the tunnel drops and I lose all remote connectivity. With CG-NAT I don’t see how it’s ever going to be possible to host an OpenVPN server from inside my network, even with port-forwarding, so I have to find something more durable.

I plugged my Xbox into the modem with an ethernet cable and now I can sign into Xbox Live as well as party chat through Xbox when I couldn't do either before. My Nat is moderate but doesn't seem to affect gameplay on Call of Duty. 

  1. You static ip the PC. 2) Use TCP View to find ports and ip addresses used by app. 3) Open on PC Firewall or Endpoint. 4) Open or port forward ports. 5)Test

@wildernessfamily Thank you for that well detailed response! I’m looking forward to that Youtube tutorial when you get around to it 😉

Just another success story here, if you’re the type who knows how to use SSH tunneling.

T-Mobile (business, in my case; don’t think it matters) can’t do port forwarding.  But my ssh tunnel(s) worked, at least for a little bit.  I use autossh, which re-establishes connections when they fail (due to routing changes, etc).  It has been very reliable for me in the past to get around bad/broken NAT situations.

But I found that my ssh tunnels would only last for a short time (Arkadyan modem, using a router on the LAN connection).  Then I read from another post somewhere else on this forum that t-mobile simply closes TCP connections without traffic after a period of time (looks like maybe as short as 5m).

So I changed the ssh settings on my server to add a keep-alive, and all is working perfectly.  I have three ports forwarded on my LAN through an ssh connection to a server in the cloud; you could probably use ngrok for this (free accounts I think).  I have a camera, ssh to a server, and another port forward to an IoT device, and all three have been working perfectly without interruption for over a week.  I get between 120 and 250Mbps down and 30up pretty consistently.

I’m sold, and am currently on hold cancelling my AT&T DSL account! 

Could you run thru a quick setup?? I’m jus tryna to game on my pc and Tmobile internet is blocking some of my games from connecting. I’m using Persistent SSH which is and alternative to autossh.

It would be much appreciated.

@arcanenox OpenVPN here since our existing ADSL with TDS allows our public IP to be reached. But for your issue specifically I don’t have a tidy solution given I was going to suggest Cloudflare’s Argo Tunnel, but it looks like it might be limited to protocols that can give a hint to what service they’re trying to access or require software on the client otherwise for some turducken solution. https://danishshakeel.me/creating-an-ssh-tunnel-using-cloudflare-argo-and-access/

Full disclosure, I’m not certified in any capacity for network engineering: I’m a hobbyist.

But having to establish a tunnel with Argo then OpenVPN for local access is obviously not a nice solution. If someone has a better solution it’d be nice, but my working theory if I have to deal with this is renting a cheap VPS and set up OpenVPN to connect my firewall to with some route trickery to route traffic from the VPS to the firewall over OpenVPN. And if I’d want to expose a service from within my network then I’d use a IP Table rule to port-foward the traffic.

E.g.

VPS OpenVPN announces it handles IPs going to 192.168.0.0/16, 192.168.7.0/24 is where VPN clients live, and 192.168.1.0/24 is where the home network lives.

IP route on the VPS to direct 192.168.1.0/24 to whatever IP the firewall is given by OpenVPN (192.168.7.2 as example.)

IP route on the firewall (if needed) to direct 192.168.7.0/24 to the VPS (192.168.7.1 as example.)

So when I’m connected to the VPS VPN, accessing a service on 192.168.1.5 routes to the VPS, the VPS routes to the firewall, and the firewall routes it to the service. And the service can reply back in reverse order.

Overall hopefully reducing cruft in the connection. But does mean trading the OpenVPN job from my firewall to the VPS and losing some convenience (I can mint config files in pfSense to quickly get my devices working as an example.)

Badge

From what I understand, T-Mobile deploys 464XLAT. Meaning your IPv4 connections are translated over IPv6. This means IPv4s are not assigned in anyway to a traditional home-ISP, and instead IPv4 WAN are pooled and NAT’d together. This was reportedly done due to IP assignment issues, and used to mitigate and rollout to IPv6 at the same time. Business customers have the option to purchase a static IP which will remove your connection from the NAT pool and begin translating inbound IPv4 connections as if they were direct native IPv4. I’m not sure why T-Mobile is unable to provide this for free to all consumers. It may be a result of simply not having enough IPv4 allocation available, in which case how is that ever going to be fixed without freeing up used IPv4s? Or, it may be a system scalability issue that may need resolved. Who knows, but understand this problem is a little bit more complex than simply clicking a button. Currently for consumer home internet plans, there are no options for inbound IPv4 addresses, or opting out of the NAT system that the rest of the mobile-device network uses.

So you can learn from my mistakes.  First you will need a reason to switch to a business account,  it is not unlimited data.  Comes with 100 for 50 and 300 for 70/month. Can I do port forwarding?  Don’t know yet but will post the results

it comes with unlimited data, at least on my plan it does

 

 

Could you run thru a quick setup?? I’m jus tryna to game on my pc and Tmobile internet is blocking some of my games from connecting. I’m using Persistent SSH which is and alternative to autossh.

It would be much appreciated.

You’ll need to have these two settings enabled on the ssh server into which you are setting up the tunnels:

ClientAliveInterval 60
ClientAliveCountMax 2

Without these, the ssh connection will eventually die, even with something like autossh (presumably also Persistent SSH).

Then there is a tunnel per device/port from some ssh host on your LAN (like a Raspberry Pi or whatever) to the ssh out on the internet which you will be using as a gateway:

autossh -N -p22 -R *:8000:192.168.1.2:8500 user@gateway.host.net

That command sets up a tunnel between your Raspi (or whatever) on your LAN to the gateway machine, with a port 8000 tunnel to the 192.168.1.2 device on your LAN on port 8500.

So now I can reach port 8000 on the 192.168.1.2 device from the outside world from gateway.host.net:8500.

For example, if you want to be able to ssh on a device 192.168.1.33 (on port 22), then you could set up:

autossh -N -R *:8222:192.168.1.33:22 user@gateway.host.net

and then you can do “ssh -p8222 root@gateway.host.net” and you will be ssh’d to root@192.168.1.33 on port 22.

 

 

The T-Mobile network is working as designed.   NAT464 is a transition strategy.  Your phone, or your home Internet device, is assigned a public, globally routable, unique IPv6 address.  It is better for everyone, everywhere, if we speed up the transition to IPv6.  When you request an IPv4 site, your device does NAT46 and then carries the traffic to a NAT64 gateway operated by T-Mobile on the Internet edge.  It works very, very well.  The downside, of course, is that you do not have a globally routable IPv4 address on which you can expose ports.

It is possible to expose ports, but of course only on your IPv6 address.  This means that you would only be able to connect to it from IPv6 clients.  For many applications this is an acceptable tradeoff.  As the supply of IPv4 addresses continues to become more problematic, you should expect other providers to begin adopting this strategy as well.

It is possible to expose ports, but of course only on your IPv6 address.

 

No, it not possible to expose ports, even for IPv6 addresses, if you are using the gateway they gave me.

There is no provision for inbound routing at all; all inbound access is blocked.  I can’t verify what they do for local IPv6 connections currently (DHCPv6 with SLAAC?), but the addresses assigned on the inside network were either not globally routable, or they are blocked at the router (for good reason).

So your only choice for accessing a device/devices on the internal network of a T-Mobile Home/Business Gateway is through port forwarding through an external host, like ngrok or ssh forwarding through a server on which you have an account.

I can’t edit my post above, but I got the ports backward in this sentence:

So now I can reach port 8000 on the 192.168.1.2 device from the outside world from gateway.host.net:8500.

 

You would reach port 8500 on the LAN device via port 8000 on the internet host; my last example got the ports correct.

For my part, I live on a boat, using the Inseego Wifi Router.  Bandwidth is good, but I have the problem when trying connect to Minecraft hosted instances and playing astroneer.  I also have an Android Samsung A52, that I use as a hotspot on the T-Mobile Network.  Zoom works for meetings w/ work (kind of had to set up my laptop as a DMZ machine to get it to work).  Long story short.  I have an iPhone that has Verizon, and no problems.  On the Verizon network I have no problem with Minecraft, Zoom, or Astroneer.  Whatever T-Mobile is doing on their network to hack around their lack of IP addresses (or whatever their major malfunction is) does not appear to exist on Verizon.  I tried ZeroTier and was not able to get it to work, but I’m sure I probably could if I had the time/motivation to get a VPN properly working.  The main problem is that the IP address that presents to the Internet can never route back to my actual box, e.g. you connect to the outside world but the  IP address presented to the Internet  will never route back to your local box because of the way CGNAT (carrier grade NAT) that is being implemented on T-Mobile.  In other words, you make a connection to a remote host and they try to connect back to the IP address that they think you are connecting from and it doesn’t actually connect back to the host that you are connecting from.  It’s not a problem w/ the modem or your device, it’s on the T-Mobile network.  It works on Verizon, not on T-Mobile.  If you want to solve this problem either T-Mobile has to fix their broken network, or you need to switch to Verizon.

 

Edit: ignore my reply.

No, it not possible to expose ports, even for IPv6 addresses, if you are using the gateway they gave me.

 

I suppose that’s possible.  Maybe try a different gateway, like a MikroTik with your SIM card moved to it.  Most providers are shy to let just any IPv6 inbound connection succeed, since that would create a pretty obvious security problem.

By the way, if you want to open more than just a single port, I highly recommend Ace Innovative [https://www.aceinnovative.com/internet-access/static-ip-vpn/].  For $15/month you get an unrestricted IPv4 /29 and IPv6 /64 and they even send you the router.

I recently purchased a new home that came with a “Home Automation Kit”. This included a Ring doorbell, Samsung Smartthings Hub (to connect to Z-Wave thermostats) and a Genie Aladdin Connect garage Door Control Module. I have the T-Mobile 5G modem with WiFi turned off and a Netgear AP connected for WiFi. 

The Ring doorbell works over WiFi. The Samsung Smartthings Hub will not connect (using Ethernet port on T-Mobile modem or WiFi). The Aladdin Connect module will not connect via WiFi. 

The installer immediately indicated that the Smartthings hub would not work with my “hot spot” and it didn’t. 

Has anyone been able to get a Smartthings Hub working with the T-Mobile 5G modem.

Badge

I spoke with TMobile Home Internet technical support over the past week. They are working on the port forwarding feature within their 5g modem/router, but it's not available or ready yet. 

2 different techs said they have a workaround, however (& it doesn't require 3rd party services).

I haven't tested it yet, but what you need to do is, & many of us have this setup already, connect via Ethernet (wire) the garbage can LAN port <-> YOUR own router.  Then configure port forwarding on YOUR router. That's it. (Your router needs to support ipv6! Not sure if we need to allow ipv6 passthrough for this.)

Now, I was educated a long time ago on IPv4 & they barely touched on IPv6, so I don't know a lot about it, but this would never work this way with IPv6. Ipv6, however can allow passthrough so public "internet" can pass through a router, which is why I'm "buying" this theory.  Ie, you can go through T-Mobiles garbage can, and then your router, and you device (call it a PC) could have a public IPv6 IP, which is why port forwarding could work this way.

Anyone have time to test & report back? Or comments?

I previously had a dynamic public IP (ipv4) that I made work with my domain name via ZoneEdit that allowed my PC to update ZoneEdit with public Ip changes since it was dynamic. With this NEW setup, I'm not exactly sure how that would work, or if my DNS service will play nicely or even support ipv6 or if ZoneEdit will either. And I have numerous services that I need to "hit" MY router & forward internally, such as a VPN, RDP, FTP, website, etc - not sure if all that will play nicely - or if all the services, like VPN client, can point to a domain->ipv6 ip & work. Like will the VPN client config & SW accept this new format?

Anyways, lot of testing & messing around needed!  Please report back with any updates!

​​​​

This doesn't work because the ports can't route from the T-Mobile gateway to the router. Also, the way T-Mobile's network is setup, it's basically a no-go.

I did get some things to work using the ZeroTier software. But, it needs both the ZeroTier server software running on the local device you want to access and the ZeroTier client software running from the device you want to connect from. This works from my phone (running the ZeroTier client) to my NAS (running a ZeroTier server on a Docker container).

It's a clunky "solution" that only solves some problems. Really, the T-Mobile internet modem needs to add a few features (DNZ as minimum, but port forwarding and assigning an IP address).

I hear there's a new T-Mobile internet modem coming soon that will not only add these features, but also support the higher 5G frequencies for higher speeds. This is great for me as I have a T-Mobile millimeter wave tower on the boulevard right across the street from my house (formally a Sprint tower). But, no word yet on when this will be released. 

My nat was strict and couldn’t play in a party on Xbox.

Great lad at customer service had me run 2 speed tests and that pushed me into whatever and now the nat is open. Yay for cgnat 

What speed tests did he have you run? I’ve been trying to change it on my XBox series X and it won’t even allow me to play a game

I’ve been monitoring this thread for a year or so for the same issues. In my case I needed to get my webserver to allow incoming traffic from outside T-Mobile Home Internet to preview development sites.

Long story short, if you’ve got a similar use case, Tailscale did the trick for me. Installed the webserver as a VM on a Synology NAS, and Tailscale has a package that can be run on DSM. I add development site subdomains to public DNS and route to the tailscale address using an A record. Then I share the webserver tailscale node with whoever I want to preview the site, they connect to tailscale, type in the domain, and it works pretty great. Won’t solve all issues I know….

For local development, I use VirtualMin and configure the primary IP address as the tailscale address, and I add the local address to the site-enabled entries in Apache and my hosts file. Takes a little configuring but I plan to post some steps on how in time. I added a quick article for now on my blog. Hope this helps somebody 🤷‍♂️

Badge

I use smarthing hub mesh system with 6 hubs places around home.  I was using xfinity before and tmobile now.  This uses the Plume technology and yours may be different mine but it does work

 

 

Badge

I’m fairly confident that this device (Nokia) is able to handle all of these things.  I think what has happened here is T-Mobile threw a very locked down firmware on the device to make setup easy.

 

The following things need to happen.

Provide settings to place the gateway in bridge mode.  This will allow customers to keep their existing setups and NAT fine.

Provide settings to turn off the wifi in the gateway COMPLETELY.  Turning off broadcast and reducing power to minimal is not sufficient.

Make all of these settings accessible only through the web admin page.  The average consumer doesn’t need this stuff, but the power user who is smart enough to know how to login to the admin web page should be able to modify these settings.

 

Ultimately, I just want “a dumb modem” just like I get with the cable co.  I don’t want or need T-Mobile helping me by dumbing down the device.

But, since they really need a new modem anyway that supports the higher frequencies, it's probably easier to replace the current units with new units that support the higher frequencies as well as adds the lacking features.

Also, it's more than just port forwarding and bridged mode. Even with this, you still can't access your home remotely as there's not an ip address assigned to the device. This is why a solution like ZeroTier is needed. It doesn't have anything to do with port forwarding or bridged mode, it's that there isn't even an IP address assigned that you can point to. It's like being behind a VPN, which is what ZeroTier allows you to get around. 

Userlevel 2
Badge

The Nokia 5G 3.1 is the newer device.  That's why I was very specific in the model I was discussing.

 

I don't want hackery 3rd party services, I need this functionality in the hardware.  Noip and dyndns solve this anyways, my current router supports this natively.

Badge

.

Badge

The Nokia 5G 3.1 is the newer device.  That's why I was very specific in the model I was discussing.

 

I don't want hackery 3rd party services, I need this functionality in the hardware.  Noip and dyndns solve this anyways, my current router supports this natively.

The Nokia 5G is the latest released modem.  But T-Mobile is releasing a newer 5G modem (which I was referring to) which is not made by Nokia and will also support the higher higher frequency 5G frequencies which the current Nokia modem doesn’t support.

ZeroTier isn’t a hack, it’s method to create a secure link between devices, even through secured networks like T-Mobile.  You can’t use NOIP or DynDNS with T-Mobile.  It’s not that the IP address changes, it’s that the connection is like a VPN connection, so even with the IP address you can’t route to your in-home modem.  There could be thousands of people using the same IP address.

You’re thinking it’s just a port forwarding issue, when that’s not really the problem.  The reason T-Mobile disabled port forwarding and bridged mode is because it won’t work on their network.

Reply