A question we frequently get from customers who have deployed an SXT-LTE or LHG-LTE device at a remote site is how to get into that device to check how it’s performing.
First, we need to understand a little about how the mobile phone carriers supply these devices with internet access; they often use a system called CGNAT.
When the device makes a connection to a website, it presents a public IP address to that website. That public IP address is not unique to that one device, however: it is shared amongst thousands of LTE devices, including customers’ mobile phones and tablets as well as your MikroTik LTE router. As a result, one cannot connect directly to your device from the internet.
If the LTE router can only make outgoing connections and incoming connections are impossible, how can we connect to it from outside? There are two solutions: either purchase a SIM card from a provider that can guarantee the public IP is dedicated to that SIM card account and is not shared with any other user, or rely on outgoing connections only, which we do by using a VPN.
There are a number of different types of VPN we can choose from, but we have found that with many providers certain VPN protocols struggle to stay connected reliably. L2TP/IPSec is a favourite choice of VPN, but it can prove to be unreliable with certain providers. PPTP is not recommended, as its encryption is insecure and it is vulnerable to attack. SSTP is the most reliable VPN we have found for this task. We are only interested in gaining access to the router, not streaming the whole internet over SSTP, so although it is not the fastest VPN type, it is more than adequate for ‘remote monitoring and control’ of a MikroTik LTE device.
You will need the remote MikroTik to VPN to a central fixed point, preferably another MikroTik device. This can be a CHR hosted in AWS, a CHR hosted in your own data centre, or a device back at the office, as long as the centralised VPN server is sitting behind a dedicated and fixed static public IP address.
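A sketch of the outbound-only SSTP arrangement described above, as an added example that is not configuration from the original article. It assumes a server certificate named `sstp-server` is already installed on the central router with its CA trusted on the LTE device; the address 203.0.113.10, the tunnel addresses, the names `lte-site1` and `sstp-central`, and the password are placeholders.

```routeros
# ---- Central router (CHR or office MikroTik on the fixed public IP) ----
# One PPP secret per remote site, pinned to the SSTP service with fixed
# tunnel addresses so each site is always reachable at a known IP.
/ppp secret add name=lte-site1 service=sstp profile=default-encryption \
    local-address=10.255.0.1 remote-address=10.255.0.2 \
    password="REPLACE-with-long-random-secret"

# Enable the SSTP server with the installed certificate, TLS 1.2 only
# and MS-CHAPv2 as the only accepted authentication method.
/interface sstp-server server set enabled=yes certificate=sstp-server \
    authentication=mschap2 tls-version=only-1.2 \
    default-profile=default-encryption

# Allow inbound SSTP (TCP 443). "add" appends to the end of the chain,
# so move this rule above any existing drop rule in the input chain.
/ip firewall filter add chain=input protocol=tcp dst-port=443 \
    action=accept comment="SSTP from remote LTE sites"

# ---- Remote SXT-LTE / LHG-LTE (behind CGNAT, dials out only) ----
# The client validates the server certificate and checks that it matches
# the connect-to address, so the tunnel cannot be terminated by an
# impostor server (the certificate must list the address it is dialled on).
/interface sstp-client add name=sstp-central connect-to=203.0.113.10 \
    user=lte-site1 password="REPLACE-with-long-random-secret" \
    profile=default-encryption authentication=mschap2 \
    tls-version=only-1.2 verify-server-certificate=yes \
    verify-server-address-from-certificate=yes disabled=no

# Accept SSH (22) and Winbox (8291) only when they arrive through the
# tunnel from the central router; place above the input drop rule.
/ip firewall filter add chain=input in-interface=sstp-central \
    src-address=10.255.0.1 protocol=tcp dst-port=22,8291 \
    action=accept comment="Management via SSTP tunnel only"
```

Once the client shows as connected, the remote device is managed from the central router at 10.255.0.2, with no inbound connection through the carrier ever required.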