We have been wondering if RemoteWinBox was a good fit for LTE. So we talked to Evan Feldman at West Michigan Communications who told us that he found out about us on a Reddit thread about how to access WinBox through NAT and he says that he loves the RemoteWinBox service and uses it with his LTE customers.
“RemoteWinBox has saved us countless hours and it’s been a life saver” — Evan Feldman.
What about LTE is a problem?
In particular, some of the carriers like AT&T, Verizon and T-mobile will provide service to your modem by using NAT (Network Address Translation).
What’s wrong with NAT? Nothing too bad, really in the outbound direction. But, in the inbound traffic direction, without a port forward there’s not really and good way to access services behind the NAT. In addition, they’re likely to be leveraging CG-NAT (Carrier Grade NAT) and your modem’s public IP will likely change often.
So if you’re using another carriers SIM, your MikroTik LTE router/modem will probably receive an RFC1918 IP address in the 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16 range. And good luck getting a tier 1 carrier to give you a port forward over a SIM card!
In other cases, some operators use their own LTE equipment which can only run in NAT mode (looking at you, Baicells), resulting in the same limitation.
Ultimately, the issue is that when NAT is involved, using WinBox from the WAN becomes hard, and using WinBox from the LAN requires being on site!
We hear that a lot of you out there use MikroTik SXT or WAP modem + routers. My next blog post will probably be about how to use RemoteWinBox and passthrough mode to remove a layer of NAT for the customer, but still be able to use WinBox remotely. Stay tuned…
Here’s a visual of how RemoteWinBox punches through LTE
How can I do my own Remote WinBox access?
We wanted to take a minute to talk about the use case here, describe the problem and share what’s going on with our solution. Evan says, “it’s a lot of work and effort to turn up a VPN concentrator, keep it secure and maintain servers. With RemoteWinBox it’s way less work, way less headache.”
So first off, what’s it take to get remote WinBox access similar to what you can do with our dashboard? Here’s a quick summary for the DIY’ers out there:
- Spin up a VPN concentrator and provision/commission it. You can do this in AWS, Azure, Google cloud or a slew of other cloud platforms, not to mention physical hardware in your own Data Center, if you have one. I talked at a MUM a few years ago exactly on this topic – watch it here!
- You should definitely spend some time and effort hardening the VPN concentrator. I’ve shared some security best practices on a recent blog post if you want some tips. Security best practices, Part 1 —Security best practices, Part 2 — Security best practices, Part 3
- Don’t forget to keep your VPN concentrator firmware up to date to avoid exploits! Here’s my top 5 newbie MikroTik tips
- Connect your MikroTiks to the VPN concentrator using outbound VPN interfaces (SSTP, L2TP, etc.)
- Manage allowed IP endpoints on your concentrator and/or set up road-warrior VPN access (sorry guys, no blogs on this… yet)
Is there an easier solution?
The RemoteWinBox core service does all of what we talked about above and more (realtime graphs, health data and maps) for $.50 / MikroTik, just in case you’re not into DIY and would rather start managing your MikroTik fleet in just a few minutes and clicks.