NAT (Forwarding) in T-Mobile Gateway

  • 9 December 2021
  • 51 replies
  • 60415 views

Userlevel 2
Badge

I recently signed up for T-Mobile internet, and I am VERY disappointed that I could not even forward NAT traffic to my home security system.   I saw that this was discussed 7 months ago in a previous thread, and hope the developers will notice this.  The speed is great, and the same as was advertised in the chat.

I would like this issue to be resolved so that I don’t need to continue with Optimum (Morris Broadband).


51 replies

Userlevel 2
Badge

I’m fairly confident that this device (Nokia) is able to handle all of these things.  I think what has happened here is T-Mobile threw a very locked down firmware on the device to make setup easy.

 

The following things need to happen.

Provide settings to place the gateway in bridge mode.  This will allow customers to keep their existing setups and NAT fine.

Provide settings to turn off the wifi in the gateway COMPLETELY.  Turning off broadcast and reducing power to minimal is not sufficient.

Make all of these settings accessible only through the web admin page.  The average consumer doesn’t need this stuff, but the power user who is smart enough to know how to login to the admin web page should be able to modify these settings.

 

Ultimately, I just want “a dumb modem” just like I get with the cable co.  I don’t want or need T-Mobile helping me by dumbing down the device.

Userlevel 1
Badge

T-Mobile Home Internet uses CG-NAT - which means end users share IP addresses. Unless they move away from that (which they will not since it would require completely new infrastructure) you will not be able to do port forwarding. There simply is no way to identify YOUR unique address since you do not have one - it is shared.

However, there is a solution which does work - I am using it. Packetriot https://packetriot.com/ allows tunnels to be created which will have a unique endpoint which will then allow you to hit a port in YOUR internal network. There are other providers like Packetriot. I like Packetriot because it has the option to create a Windoze Service for all your tunnels. Nice when the machine reboots because you can have the service autostart. Most of the providers offer a free tunnel so you can try it out.

They should not call this Home Internet it is really a home hotspot.

Userlevel 5
Badge +5

They need to fix their screwy 464XLAT/CGNAT style network first.

As long as they continue to filter that unsolicited inbound traffic at the higher network layers, won't matter what options are available/configured on our local modems/routers.  It is actually getting nixed at the outer edges of the networks, so it never makes it to the modem, much less the router.

I spoke with TMobile Home Internet technical support over the past week. They are working on the port forwarding feature within their 5g modem/router, but it's not available or ready yet. 

2 different techs said they have a workaround, however (& it doesn't require 3rd party services).

I haven't tested it yet, but what you need to do is, & many of us have this setup already, connect via Ethernet (wire) the garbage can LAN port <-> YOUR own router. Then configure port forwarding on YOUR router. That's it. (Your router needs to support IPv6! Not sure if we need to allow IPv6 passthrough for this.)

Now, I was educated a long time ago on IPv4 & they barely touched on IPv6, so I don't know a lot about it, but this would never work this way with IPv6. IPv6, however, can allow passthrough so public "internet" can pass through a router, which is why I'm "buying" this theory. I.e., you can go through T-Mobile's garbage can, and then your router, and your device (call it a PC) could have a public IPv6 IP, which is why port forwarding could work this way.

Anyone have time to test & report back? Or comments?

I previously had a dynamic public IP (IPv4) that I made work with my domain name via ZoneEdit, which allowed my PC to update ZoneEdit with public IP changes since it was dynamic. With this NEW setup, I'm not exactly sure how that would work, or if my DNS service will play nicely or even support IPv6, or if ZoneEdit will either. And I have numerous services that I need to "hit" MY router & forward internally, such as a VPN, RDP, FTP, website, etc - not sure if all that will play nicely - or if all the services, like VPN client, can point to a domain->IPv6 IP & work. Like will the VPN client config & SW accept this new format?

Anyways, lot of testing & messing around needed!  Please report back with any updates!

I was researching a project I was doing and came across this thread. I have T-Mobile @ home internet. The speeds are amazing compared to what I had prior to T-Mobile. On the T-Mobile router, I have three bars out of 5. I have on average 300Mbps ↓ and on average 20-45Mbps ↑. I’m very happy with the speeds. However, I can’t connect to my Home Assistant, security cameras, and my media center. I have an ASUS router that I have flashed with OpenWRT and I have tried several tricks, including doing DDNS updates every 10 minutes to my DNS server, CloudFlare. Nothing really worked. I spoke to T-Mobile technical support. That was just painful. I went to a supervisor. Finally, I had to state, “I’m a 4th decade computer engineer, I have the highest licenses from the FCC in amateur radio communication. And what you are saying is so horribly incorrect”. I spent an hour teaching the supervisor. Finally, I decided to try their business internet. It was the same price as the home internet. Plus, for an extra $3.00 I could have a static IP address. They sent me this Inseego router. It wasn’t even a quarter of the size of the @home internet router. It was about 1/8th of the size of the @home router. Before turning it on, I knew this was not going to work. Surprise, surprise, it did not! Most of the time, I had the blue flashing light, meaning I barely had a signal. Sometimes it would switch to 4G. When I had only one bar (very weak signal), I was getting 14 Mbps ↓ and 2 Mbps ↑. I found a spot in the house where I was getting three bars (good signal strength) and the speed was even worse: 8-14 Mbps ↓ and 0.5 Mbps ↑. This was not going to work. I cancelled the business account.
I did find a workaround. Or the best that is possible with the situation we are all in.
CloudFlare has a very generous free tier. I have many domain names. I have one that my entire family uses. CloudFlare has a very generous free tier on their Zero Trust feature. I use a Raspberry Pi Zero that costs $15.00. They're back in stock. If they are out of stock, they come back in stock very quickly. I have already received for this month (July 2023). I installed cloudflared on the Zero W. Then in CloudFlare’s Zero Trust I can set up subdomains to each device that I want. Home Assistant can have ha.familydomain.tld. Media Server, jellyfin.familydomain.tld, etc. Works with no problem. HOWEVER, there are two downsides. One, Zero Trust free tier does not “allow” (and I use rapid quotes on allow) streaming video. If you want to stream video, such as with your Plex or JellyFin media server, you have to upgrade your Zero Trust plan to their $5.00 streaming service. However, as long as it’s not too much, I heard they don’t really say anything. But, technically, you could be cut off.
Second, I have a NextCloud server for my family too. When uploading files to NextCloud from outside your LAN, you can only upload a max file size of 100 MB due to CloudFlare’s restrictions on their network unless you upgrade. Even if you upgrade, it’s not that much. That’s the only thing that’s really horrible with this alternative workaround to T-Mobile's restrictions on port forwarding. Other than that, it works very well!

I’m going to create a YouTube video next week on how to set this all up. When I finish the video, I’ll post an update with the link.
Good luck!
 

I agree TMobile could have made this much easier by providing an internet facing IP address, as well as IP scope control and other things. But there are easy ways to get your setup working if you have another router.

To start, just have another router and connect either of the yellow ports of the TMobile gateway connected to the internet port (WAN) of your router. Now you have complete control over your internal network with DHCP, Scope, Static IPs if you want, Firewall rules for the internet, etc.

The next thing is to use something like the free version of TeamViewer, which will create the path through the internet to your computer for remote access and you can remote into your computer from outside the network whenever you want.

For security system viewing, just setup the viewing app on your home computer (which you probably already have) and remote into your computer and view your cameras that way. TeamViewer has a version for Windows computers, phones, tablets, Linux, MacOS, Raspberry Pi. So pretty much any device you have.

I know this is a workaround for T-Mobile's lack of services on the gateway, but it works great, it’s reliable, it’s a free solution, and restores functions many people need. It also only takes a couple of minutes to set up. I use it all the time and I have no issues. I’m sure you could do this with other remote services that are available, but I prefer TeamViewer over many of the non-trusted remote services available.

Good Luck

The problem with that is we are out of IPV4 IP addresses. We have been out for a while now. The world seems to be incredibly slow at adapting to IPV6. I’m sure between costs for the ISPs and the ancient devices out there that have never or will ever be updated for IPV6 is also an issue. Now an easier solution would be for T-Mobile to just give us a usable IPV6 address as many of our modern devices will be able to use that. 

Hello Everyone.

If anyone needs to port forward for a DVR security camera system. Forget it.

However, if your DVR has a Cloud P2P option, it will work.

I have a HikVision DVR and I successfully connected my phone with their Cloud P2P.

 

I would imagine that any DVR that uses a Cloud P2P service will work because it bypasses the need to Port Forward.

Hope this helped someone.

Good Luck!

Not to be pessimistic but TMO has known about this issue since inception. They aren’t going to fix it. Or they aren’t knowledgeable enough to do so. Needless to say, TMO is just a step to getting better services in my rural location. TMO doesn’t seem to care. They laud themselves as customer-centric but TMO is just another business in it for the money. Yay capitalism.

If they could fix this issue for us their customers, maybe they wouldn’t be viewed as they are. 
 

Userlevel 3
Badge +2

The port forwarding is a huge issue around here. Others have said it involves IPv6 and so forwarding can’t be done. They can explain why.

Some suggestions have been VPN, ZeroTier or Tailscale. I’ve seen pfSense mentioned here too but can’t figure out how a firewall downstream from the can can port forward.

After 8 very good months of fast, reliable service here in Tampa I'm about to cancel. I need to open one simple port to allow some services and TMO Home Internet can’t seem to do it and I’m not spending hours trying to figure out some sort of work around. 

Calling Frontier Fiber in the morning, got 1GB fiber for $69 or maybe 2GB fiber for $150… either way I’m done w/ TMO. Kind of sux because otherwise it worked well.

 

J

Badge

I can't use noip with t-mobile because it doesn't support it, but if it was just bridging I could.

 

I'm not willing to wait around for another device when the speeds I get right now are just fine and the device I have is capable of the functions I need.

Sorry, you’re incorrect.  You can setup NOIP on other devices other than just your modem.  I set it up on my local server.  But, this doesn’t work as T-Mobile doesn’t assign you a unique IP address (it’s shared with hundreds/thousands of other people).  So even if you setup NOIP, that doesn’t help one bit.  Nor would port forwarding or bridge mode.

You’re failing to understand the problem.  The issue is how the T-Mobile network is setup for a security aspect.  It was setup to be a secured network for phones.  It’s not capable of working with a DDNS service, bridge mode, or port forwarding.  That’s why they disabled these features on the T-Mobile modem, as they would never work.  Keep in mind that Nokia added these features to this modem firmware when they designed it (for other markets).  When T-Mobile wanted to use it, they had to disable features as they don’t work on their network, not because they wanted to limit the device.

The new modem won’t resolve the problem either.  It may happen along with a T-Mobile network change, but a modem alone can’t fix the problem, either a firmware update or new hardware.  The only work-around is a service like ZeroTier until T-Mobile changes their network, which very well may never happen.

Userlevel 2
Badge

Holy sh* man you are saying exactly what I’m stating!  The right thing to do would be instead of trying to work against me, work WITH me to pressure T-Mobile to get this device more functional and then we can ALL do whatever we want with it.

All T-mobile has to do is enable the device to bridge.  That’s it.  I know this because that’s how my cable modem worked and I was able to do everything else I wanted from there.  So if you want to sit there and tell me the networking configuration I used for YEARS was ‘incorrect’ and didn’t work, go right ahead…..but you are not helping. You can be an apologist for why they don’t enable these things, but this device is for HOME INTERNET.  I do not sit at home on my phone and nothing else. If that is T-mobile’s position then I’ll be returning it and wait until they grow up.

Badge

Actually, we’re not at all saying the same thing.  You believe the modem could be updated with a few features and it would work.  I’m saying that’s not the case, as you’re basically behind T-Mobile’s NAT/VPN so enabling features on the modem wouldn’t solve the problem one bit.

How exactly do you believe enabling bridge mode would solve your problem?  You’re comparing your cable company’s network with T-Mobile, which are TOTALLY different.  Your cable company didn’t hide your connection behind a NAT/VPN.  You could identify your home connection with a unique IP address which you could access remotely (with or without a DDNS like NoIP).  But T-Mobile’s network doesn’t work like your cable company.  Every connection is like a VPN or NAT, where there’s not a unique IP address, but it’s shared with many other people.

So, let’s say bridge mode is available on your T-Mobile modem.  How would you remotely access your home modem?  By IP? Via a DDNS like NoIP?  Nope!  As there’s still not a unique IP address assigned to your home connection, it’s shared with thousands of other people.  So you would try to access your home network and it could never route to your home.

So I’m sorry, you don’t know what you’re talking about.  You have limited knowledge and are basing your assumptions on how your cable company’s network is configured, when in reality T-Mobile’s network isn’t at all set up the same way, and as a result, your assumption that bridge mode will solve everything is totally wrong.  Sorry, it’s not as simple as that.
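A quick check for what this reply and the earlier CG-NAT reply describe, as an added example that is not part of any post in the thread: classify the WAN address the gateway shows on its status page against the address an outside "what is my IP" service reports. RFC 6598 (100.64.0.0/10) is the shared address space carriers use behind CGNAT; if the WAN address is in it, no gateway-side setting can make an inbound connection arrive. All addresses in the script are constructed sample values.

```shell
#!/bin/sh
# Added example, not from any reply in the thread: decide from two observations
# whether inbound port forwarding on the gateway can work at all.
#   $1  the WAN address the gateway shows on its status page
#   $2  the address an outside "what is my IP" service reports for you
# Every address used here is a constructed sample value.

# 0 if $1 is in 100.64.0.0/10, the RFC 6598 shared space carriers hand out behind
# CGNAT. An address there is never reachable from the internet, so no gateway
# setting (port forwarding, bridge mode, DDNS) can make an inbound connection land.
is_cgnat_v4() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    [ "$1" -eq 100 ] 2>/dev/null && [ "$2" -ge 64 ] 2>/dev/null && [ "$2" -le 127 ]
}

# 0 if $1 is RFC 1918 private space (10/8, 172.16/12, 192.168/16): the gateway
# is then behind another router of yours rather than directly on the carrier.
is_private_v4() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    { [ "$1" -eq 10 ] 2>/dev/null; } ||
    { [ "$1" -eq 172 ] 2>/dev/null && [ "$2" -ge 16 ] 2>/dev/null && [ "$2" -le 31 ]; } ||
    { [ "$1" -eq 192 ] 2>/dev/null && [ "$2" -eq 168 ] 2>/dev/null; }
}

# 0 if $1 is a global unicast IPv6 address (2000::/3), i.e. one the internet can
# route to in principle; ULA (fc00::/7) and link-local (fe80::/10) fail this.
# Whether packets to it actually arrive still depends on the carrier's filtering,
# which is the point made earlier in the thread about IPv6 not being a silver bullet.
is_global_v6() {
    case "$1" in
        *:*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        2*|3*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one word: cgnat, upstream-nat, or public.
diagnose_v4() {
    wan=$1; seen=$2
    if is_cgnat_v4 "$wan"; then
        echo cgnat          # shared carrier space: gateway-side forwarding cannot work
    elif is_private_v4 "$wan" || [ "$wan" != "$seen" ]; then
        echo upstream-nat   # a NAT sits between the gateway and the internet (yours or the carrier's)
    else
        echo public         # the gateway holds the address the internet sees; forwarding is feasible
    fi
}

# Stand-alone use:  sh cgnat-check.sh <gateway WAN address> <externally seen address>
if [ "$#" -eq 2 ]; then
    diagnose_v4 "$1" "$2"
fi
```

The two inputs are deliberately separate: a gateway can show a public-looking WAN address and still sit behind a carrier NAT that uses public pool space, which is why the script also compares the WAN address with the one seen from outside rather than trusting the 100.64.0.0/10 test alone.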

Not sure if anyone answered this exactly yet.....But, sounds like you can port forward. What you need to do is switch over to a business account. The monthly cost is the same, but you have to add $5 per month for a static IP address and also get their FX2000 modem. Then you can port forward. I have not tested it yet, I literally just ordered it.
Service:
https://www.t-mobile.com/business/solutions/business-internet-services/small-business-internet

Modem:
https://inseego.com/products/fixed/fx2000-tmobile/

Thanks for the responses.

I ended up taking the SmartThings hub to my current home (where I have Frontier FIOS service) and I got the SmartThings hub online there. I then moved the hub to my new home (T-Mobile 5G service) and connected it via Ethernet to the modem. It came online and has been working well. It appears the issue is only with the initial registration. 

Just another success story here, if you’re the type who knows how to use SSH tunneling.

T-Mobile (business, in my case; don’t think it matters) can’t do port forwarding.  But my ssh tunnel(s) worked, at least for a little bit.  I use autossh, which re-establishes connections when they fail (due to routing changes, etc).  It has been very reliable for me in the past to get around bad/broken NAT situations.

But I found that my ssh tunnels would only last for a short time (Arkadyan modem, using a router on the LAN connection).  Then I read from another post somewhere else on this forum that t-mobile simply closes TCP connections without traffic after a period of time (looks like maybe as short as 5m).

So I changed the ssh settings on my server to add a keep-alive, and all is working perfectly.  I have three ports forwarded on my LAN through an ssh connection to a server in the cloud; you could probably use ngrok for this (free accounts I think).  I have a camera, ssh to a server, and another port forward to an IoT device, and all three have been working perfectly without interruption for over a week.  I get between 120 and 250Mbps down and 30up pretty consistently.

I’m sold, and am currently on hold cancelling my AT&T DSL account! 
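The autossh setup the post above describes, written out as an added example (these are not the poster's own commands): reverse tunnels from a machine on the LAN to a cloud host you control, with keepalives set well under the roughly five-minute idle timeout the post reports, so a session the carrier drops is noticed and re-established instead of lingering dead. `tunnel.example.com`, the `tunnel` user and the port numbers are placeholders.

```shell
#!/bin/sh
# Added example, not taken from the post: reverse SSH tunnels out through CGNAT,
# with keepalives so an idle-connection timeout (the post saw roughly 5 minutes)
# does not leave dead tunnels behind. CLOUD_HOST/CLOUD_USER are placeholders for
# a server you control; the forward specs used below are constructed sample values.

CLOUD_HOST="${CLOUD_HOST:-tunnel.example.com}"
CLOUD_USER="${CLOUD_USER:-tunnel}"
KEEPALIVE_SECS=60      # probe interval; keep it well under the carrier's idle timeout
KEEPALIVE_MAX=3        # missed probes before ssh gives up (autossh then reconnects)

# Accept only "remote_port:local_host:local_port" with both ports in 1..65535,
# so a mistyped spec is rejected instead of silently forwarding the wrong thing.
valid_forward_spec() {
    case "$1" in
        *:*:*) ;;
        *) return 1 ;;
    esac
    remote_port="${1%%:*}"
    local_port="${1##*:}"
    [ "$remote_port" -ge 1 ] 2>/dev/null && [ "$remote_port" -le 65535 ] &&
    [ "$local_port" -ge 1 ] 2>/dev/null && [ "$local_port" -le 65535 ]
}

# Build (print, do not run) the autossh command line. -M 0 turns off autossh's
# own echo-port monitor and relies on ssh's ServerAlive* probes instead; those
# probes are what actually detect the carrier dropping the idle TCP session.
build_tunnel_cmd() {
    cmd="autossh -M 0 -N"
    cmd="$cmd -o ServerAliveInterval=$KEEPALIVE_SECS -o ServerAliveCountMax=$KEEPALIVE_MAX"
    cmd="$cmd -o ExitOnForwardFailure=yes"   # exit (and let autossh retry) if a -R bind fails
    for spec in "$@"; do
        valid_forward_spec "$spec" || { echo "bad forward spec: $spec" >&2; return 1; }
        cmd="$cmd -R $spec"
    done
    echo "$cmd $CLOUD_USER@$CLOUD_HOST"
}

# Matching lines for /etc/ssh/sshd_config on the cloud host: the server probes
# the client too, and forwarded ports stay bound to the host's loopback
# (GatewayPorts no), so they are reached through the cloud host itself rather
# than being exposed to the whole internet.
sshd_keepalive_config() {
    printf '%s\n' \
        "ClientAliveInterval $KEEPALIVE_SECS" \
        "ClientAliveCountMax $KEEPALIVE_MAX" \
        "GatewayPorts no"
}

# Stand-alone use: print the command for the forwards given on the command line, e.g.
#   sh tunnel.sh 8443:192.168.1.20:443 2222:127.0.0.1:22
if [ "$#" -gt 0 ]; then
    build_tunnel_cmd "$@"
fi
```

Run the printed command under a service manager on the LAN machine so it starts at boot, and keep `GatewayPorts no` on the cloud host unless you specifically want a forwarded port reachable by anyone on the internet; with it set, you reach the camera or IoT device by first connecting to the cloud host (for example over SSH) and then to its loopback port.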

ok, so this is an interesting conversation, I came here via google for the same reason you guys did. I live in an RV, so a service like this is super interesting to me, but I also work in tech and some kind of public access to the network behind the T-Mobile device is pretty important to me for stuff like HomeAssistant, some kinds of file transfer I have to use, etc.

idk if T-Mobile is “incapable” of not using CG-NAT for this. if you’re doing NAT you can do routing; they’re comparable levels of compute-intensiveness. whether or not they will actually do it is another question; I am also skeptical (though this would be huge for me).

in my particular situation I have a lab environment with a public-facing IP hosted for me at a datacenter not far away from me. has anyone tried using Nebula to solve this “no publicly routable IP” issue? (Nebula is more or less self-hosted ZeroTier, I think) https://github.com/slackhq/nebula

Badge

Thanks for the update,  I ordered one too.  Not sure what I am getting but it is coming.  Will update when it arrives

So I’m having NAT issues for my PS4, where I’m trying to connect with people in Elden Ring, which needs NAT type 2, and I have no idea how to change the NAT type from 3 to 2 on my 5G gateway. Please help help help help help, is there any way around this or a way

On the waiting list ‘ere.

As far as I’m reading there’s passthrough which’ll let me reuse our existing network and maybe treat the modem as a dumb modem like we’re doing to our ADSL modem. Our modem doesn’t even do the job of providing DHCP; effectively as if we connected directly to our ISP’s network.

However, from reading it sounds like T-Mobile is doing carrier level NAT for IPv4 similar to what I’ve been hearing with Starlink on their equipment; basically I could be sharing 18.0.12.3 between five other customers.

And IPv6 is not our silver bullet since it sounds like T-Mobile’s network is filtering requests before it even hits the equipment if I’m understanding what I’m reading.

IPv4 is a nice-to-have but at the same time it’s deadweight going forward since IPv4 served its purpose and is more of a nuisance. I can grab an IPv4 address---until IPv6 reigns supreme on public Wi-Fi---and set up tunneling and be happy with that so I can control my smart-home server wherever.

@Jackson300zx: Just to follow up if you have successfully tested the NAT and Port-forwarding features of inseego FX2000 gateway. I talked to T-mobile rep about this and she told me that

Small Business Internet (SBI):
Gateway: Nokia 5G21 and Arcadyan KVD21
Note: Static IP eligibility - Not Included

Business Internet (BI)
Gateway:
• Nokia 5G21
• Inseego FX2000
• BYOD (Bring your own device)
Note: Static IP eligible (Inseego only)

Only BI can ask for static IP, not SBI

Badge

So you can learn from my mistakes.  First you will need a reason to switch to a business account,  it is not unlimited data.  Comes with 100 for 50 and 300 for 70/month. Can I do port forwarding?  Don’t know yet but will post the results

 

@carSmart: Actually, I already successfully opened a small business account with unlimited data for $50/month with TMO by using my EIN (TMO allows SBA under your SSN but because I already have a TMO family plan under my SSN and I don’t want to convert my family plan to biz plan) and got inseego FX2000 gateway (after several phone calls to the right department) and tried it out.

I configured gateway port-forwarding for my security camera system, however, it seemed to only work when my iPhone was connected to the LAN. When I tried to view my cameras remotely from work, either connected to work WiFi or the TMO network, I was unable to view them at all. I think it was not simply a port-forwarding issue, TMO might block port-access requests in the front end.

TMO also blocked access to some websites due to their contents or security.

I also found speeds of the FX2000 unstable. Ethernet gave 200Mbps and above, while 5G WiFi speed went down to 10Mbps and 2.4G WiFi speed went down to 10Mbps, and both WiFi speeds changed frequently, unless I placed the gateway next to my computer. I have very strong TMO 5G coverage in my area. The FX2000 came without an external antenna, which I think was the reason, and T-Mobile should provide an external antenna to FX2000 users.

Anyway, after trying it for a week, I decided to cancel it and stayed with ATT U-verse.

I will re-consider TMO internet once it can offer bridge mode on their gateway. At this moment, it just couldn’t meet my requirement.

You are forgetting, that T-Mobile LTE gateway works just fine when switched into a bridge mode! So, it is not the network issue per se, it is a firmware issue on this 5G trashcan.
