I recently signed up for T-Mobile internet, and I am VERY disappointed that I could not even forward NAT traffic to my home security system. I saw that this was discussed 7 months ago in a previous thread, and hope the developers will notice this. The speed is great, and the same as was advertised in the chat.I would like this issue to be resolved so that I don't need to continue with Optimum (Morris Broadband).

I'm fairly confident that this device (Nokia) is able to handle all of these things. I think what has happened here is T-Mobile threw a very locked down firmware on the device to make setup easy. The following things need to happen.Provide settings to place the gateway in bridge mode. This will allow customers to keep their existing setups and NAT fine.Provide settings to turn off the wifi in the gateway COMPLETELY. Turning off broadcast and reducing power to minimal is not sufficient.Make all of these settings accessible only through the web admin page. The average consumer doesn't need this stuff, but the power user who is smart enough to know how to login to the admin web page should be able to modify these settings. Ultimately, I just want "a dumb modem" just like I get with the cable co. I don't want or need T-Mobile helping me by dumbing down the device.

T-Mobile Home Internet uses CG-Nat - which means end users share IP addresses. Unless they move away from that (which they will not since it would require completely new infrastructure) you will not be able to do port forwarding. There simply is no way to identify YOUR unique address since you do not have one - it is shared. However, there is a solution which does work - I am using it. Paketriot https://packetriot.com/ allows tunnels to be created which will have a unique endpoint which will then allow you to hit a port in YOUR internal network. There are other providers like Packetriot. I like Packetriot because it has the option to create a Windoze Service for all your tunnels. Nice when the machine reboots because you can have the service autostart. Most of the providers offer a free tunnel so you can try it out.They should not call this Home Internet it is really a home hotspot.

They need to fix their screwy xlat464/cgnat style network first.As long as they continue to filter that unsolicited inbound traffic at the higher network layers, won't matter what options are available/configured on our local modems/routers. It is actually getting nixed at the outer edges of the networks, so it never makes it to the modem, much less the router.

I spoke with TMobile Home Internet technical support over the past week. They are working on the port forwarding feature within their 5g modem/router, but it's not available or ready yet. 2 different techs said they have a workaround, however (& it doesn't require 3rd party services).I haven't tested it yet, but what you need to do is, & many of us have this setup already, connect via Ethernet (wire) the garbage can LAN port <-> YOUR own router. Then configure port forwarding on YOUR router. That's it. (Your router needs to support ipv6! Not sure if we need to allow ipv6 passthrough for this.)Now, I was educated a long time ago on IPv4 & they barely touched on IPv6, so I don't know a lot about it, but this would never work this way with IPv6. Ipv6, however can allow passthrough so public "internet" can pass through a router, which is why I'm "buying" this theory. Ie, you can go through T-Mobiles garbage can, and then your router, and you device (call it a PC) could have a public IPv6 IP, which is why port forwarding could work this way.Anyone have time to test & report back? Or comments?I previously had a dynamic public IP (ipv4) that I made work with my domain name via ZoneEdit that allowed my PC to update ZoneEdit with public Ip changes since it was dynamic. With this NEW setup, I'm not exactly sure how that would work, or if my DNS service will play nicely or even support ipv6 or if ZoneEdit will either. And I have numerous services that I need to "hit" MY router & forward internally, such as a VPN, RDP, FTP, website, etc - not sure if all that will play nicely - or if all the services, like VPN client, can point to a domain->ipv6 ip & work. Like will the VPN client config & SW accept this new format?Anyways, lot of testing & messing around needed! Please report back with any updates!

I was researching a project I was doing and came across this thread. I have T-Mobile @ home internet. The speeds are amazing compared to what I had prior to T-Mobile. On the T-Mobile router, I have three bars out of 5. I have on average 300Mbps ↓ and on average 20-45Mps ↑. I'm very happy with the speeds. However, I can't connect to my Home Assistant, security cameras, and my media center. I have an ASUS router that I have flashed with OpenWRT and I have tried several tricks, including doing DDNS updates every 10 minutes to my DNS server, CloudFlare. Nothing really worked. I spoke to T-Mobile technical support. That was just painful. I went to a supervisor. Finally, I had to state, "I'm a 4th decade computer engineer, I have the highest licenses from the FCC in amateur radio communication. And what you are saying is so horribly incorrect". I spent an hour teaching the supervisor. Finally, I decided to try their business internet. It was the same price as the home internet. Plus, for an extra $3.00 I could have a static IP address. They send me this Inseego router. It wasn't even a quarter of the size of the @home internet router. It was about 1/8th of the size of the @home router. Before turning it on, I knew this was not going to work. Surprise, Surprise, it did not! Most of the time, I had the blue flashing light, meaning I barely had a signal. Sometimes it would switch to 4G. When I had only one bar (very weak signal), I was getting 14 Mbps ↓ and 2 Mpbs ↑. I found a spot in the house that I was getting three bars (good signal strength) and the speed was even worse. 8-14 Mps ↓ and 0.5 Mps ↑. This was not going to work. I cancelled the business account.I did find a workaround. Or the best that is possible with the situation we are all in.CloudFlare has a very generous free tier. I have many domain names. I have one that my entire family uses. CloudFlare has a very generous free tier on their Zero Trust feature. I use a Raspberry Pi Zero that costs $15.00. They're back in stock. If they are out of stock, they come back in stock very quickly. I have already received for this month (July 2023). I installed CloudFlared on the Zero W. Then in CloudFlare's Zero Trust I can set up sub domains to each device that I want. Home Assistant can have ha.familydomain.tld. Media Server, jellyfin.familydomain.tld, etc. Works with no problem. HOWEVER, there are two downsides. One, Zero Trust free tier does not "allow" and I use rapid quotes on allow. If you want to stream video, such as with your Plex or JellyFin Media server, you have to upgrade your Zero Trust plan to their $5.00 streaming service. However, as long as it's not to much, I heard they don't really say anything. But, technically, you could be cut off.Second, is that I have a NextCloud server for my family too. When, uploading files to NextCloud outside your LAN, you can only upload a max file size of 100mb due to CloudFlare's restrictions on their network unless you upgrade. Even if you upgrade, it's not that much. That's the only thing that's really horrible with this alternative work around to T-Mobiles restrictions on port forwarding. Other than that, it works very well!I'm going to create a YouTube video next week on how to set this all up. When I finish the video, I'll post an update with the link.Good luck!

NAT (Forwarding) in T-Mobile Gateway

Bogie
Network Novice
Hace 2 años
PortalWizard wrote:

My nat was strict and couldn’t play in a party on Xbox.

Great lad at customer service had me run 2 speed tests and that pushed me into whatever and now the nat is open. Yay for cgnat

What speed tests did he have you run? I've been trying to change it on my XBox series X and it won't even allow me to play a game
EricNorcal
Network Novice
Hace 2 años
Just another success story here, if you’re the type who knows how to use SSH tunneling.
T-Mobile (business, in my case; don't think it matters) can't do port forwarding. But my ssh tunnel(s) worked, at least for a little bit. I use autossh, which re-establishes connections when they fail (due to routing changes, etc). It has been very reliable for me in the past to get around bad/broken NAT situations.
But I found that my ssh tunnels would only last for a short time (Arkadyan modem, using a router on the LAN connection). Then I read from another post somewhere else on this forum that t-mobile simply closes TCP connections without traffic after a period of time (looks like maybe as short as 5m).
So I changed the ssh settings on my server to add a keep-alive, and all is working perfectly. I have three ports forwarded on my LAN through an ssh connection to a server in the cloud; you could probably use ngrok for this (free accounts I think). I have a camera, ssh to a server, and another port forward to an IoT device, and all three have been working perfectly without interruption for over a week. I get between 120 and 250Mbps down and 30up pretty consistently.
I’m sold, and am currently on hold cancelling my AT&T DSL account!
phenomdadon
Network Novice
Hace 2 años
EricNorcal wrote:

Just another success story here, if you’re the type who knows how to use SSH tunneling.

T-Mobile (business, in my case; don't think it matters) can't do port forwarding. But my ssh tunnel(s) worked, at least for a little bit. I use autossh, which re-establishes connections when they fail (due to routing changes, etc). It has been very reliable for me in the past to get around bad/broken NAT situations.

But I found that my ssh tunnels would only last for a short time (Arkadyan modem, using a router on the LAN connection). Then I read from another post somewhere else on this forum that t-mobile simply closes TCP connections without traffic after a period of time (looks like maybe as short as 5m).

So I changed the ssh settings on my server to add a keep-alive, and all is working perfectly. I have three ports forwarded on my LAN through an ssh connection to a server in the cloud; you could probably use ngrok for this (free accounts I think). I have a camera, ssh to a server, and another port forward to an IoT device, and all three have been working perfectly without interruption for over a week. I get between 120 and 250Mbps down and 30up pretty consistently.

I’m sold, and am currently on hold cancelling my AT&T DSL account!

Could you run thru a quick setup?? I'm jus tryna to game on my pc and Tmobile internet is blocking some of my games from connecting. I'm using Persistent SSH which is and alternative to autossh.
It would be much appreciated.
Nova
Roaming Rookie
Hace 2 años
From what I understand, T-Mobile deploys 464XLAT. Meaning your IPv4 connections are translated over IPv6. This means IPv4s are not assigned in anyway to a traditional home-ISP, and instead IPv4 WAN are pooled and NAT'd together. This was reportedly done due to IP assignment issues, and used to mitigate and rollout to IPv6 at the same time. Business customers have the option to purchase a static IP which will remove your connection from the NAT pool and begin translating inbound IPv4 connections as if they were direct native IPv4. I'm not sure why T-Mobile is unable to provide this for free to all consumers. It may be a result of simply not having enough IPv4 allocation available, in which case how is that ever going to be fixed without freeing up used IPv4s? Or, it may be a system scalability issue that may need resolved. Who knows, but understand this problem is a little bit more complex than simply clicking a button. Currently for consumer home internet plans, there are no options for inbound IPv4 addresses, or opting out of the NAT system that the rest of the mobile-device network uses.
EricNorcal
Network Novice
Hace 2 años
phenomdadon wrote:

EricNorcal wrote:

Could you run thru a quick setup?? I'm jus tryna to game on my pc and Tmobile internet is blocking some of my games from connecting. I'm using Persistent SSH which is and alternative to autossh.

It would be much appreciated.

You’ll need to have these two settings enabled on the ssh server into which you are setting up the tunnels:
ClientAliveInterval 60
ClientAliveCountMax 2
Without these, the ssh connection will eventually die, even with something like autossh (presumably also Persistent SSH).
Then there is a tunnel per device/port from some ssh host on your LAN (like a Raspberry Pi or whatever) to the ssh out on the internet which you will be using as a gateway:
autossh -N -p22 -R *:8000:192.168.1.2:8500 user@gateway.host.net
That command sets up a tunnel between your Raspi (or whatever) on your LAN to the gateway machine, with a port 8000 tunnel to the 192.168.1.2 device on your LAN on port 8500.
So now I can reach port 8000 on the 192.168.1.2 device from the outside world from gateway.host.net:8500.
For example, if you want to be able to ssh on a device 192.168.1.33 (on port 22), then you could set up:
autossh -N -R *:8222:192.168.1.33:22 user@gateway.host.net
and then you can do “ssh -p8222 root@gateway.host.net” and you will be ssh’d to root@192.168.1.33 on port 22.
Art_C_
Network Novice
Hace 2 años
The T-Mobile network is working as designed. NAT464 is a transition strategy. Your phone, or your home Internet device, is assigned a public, globally routable, unique IPv6 address. It is better for everyone, everywhere, if we speed up the transition to IPv6. When you request an IPv4 site, your device does NAT46 and then carries the traffic to a NAT64 gateway operated by T-Mobile on the Internet edge. It works very, very well. The downside, of course, is that you do not have a globally routable IPv4 address on which you can expose ports.
It is possible to expose ports, but of course only on your IPv6 address. This means that you would only be able to connect to it from IPv6 clients. For many applications this is an acceptable tradeoff. As the supply of IPv4 addresses continues to become more problematic, you should expect other providers to begin adopting this strategy as well.
EricNorcal
Network Novice
Hace 2 años
It is possible to expose ports, but of course only on your IPv6 address.

No, it not possible to expose ports, even for IPv6 addresses, if you are using the gateway they gave me.
There is no provision for inbound routing at all; all inbound access is blocked. I can't verify what they do for local IPv6 connections currently (DHCPv6 with SLAAC?), but the addresses assigned on the inside network were either not globally routable, or they are blocked at the router (for good reason).
So your solo choice for accessing a device/devices on the internal network of a T-Mobile Home/Business Gateway is through port forwarding through an external host, like ngrok or ssh forwarding through a server on which you have an account.
EricNorcal
Network Novice
Hace 2 años
I can’t edit my post above, but I got the ports backward in this sentence:
So now I can reach port 8000 on the 192.168.1.2 device from the outside world from gateway.host.net:8500.

You would reach port 8500 on the LAN device via port 8000 on the internet host; my last example got the ports correct.
Art_C_
Network Novice
Hace 2 años
EricNorcal wrote:

No, it not possible to expose ports, even for IPv6 addresses, if you are using the gateway they gave me.

I suppose that's possible. Maybe try a different gateway, like a MikroTik with your SIM card moved to it. Most providers are shy to let just any IPv6 inbound connection succeed, since that would create a pretty obvious security problem.
By the way, if you want to open more than just a single port, I highly recommend Ace Innovative [https://www.aceinnovative.com/internet-access/static-ip-vpn/]. For $15/month you get an unrestricted IPv4 /29 and IPv6 /64 and they even send you the router.
tnort173
Newbie Caller
Hace 2 años
@wildernessfamily Thank you for that well detailed response! I'm looking forward to that Youtube tutorial when you get around to it 😉