I have an LTE modem where I am only getting a public IPv6 from my provider. So my goal is to reach my router from a DDNS provider by WireGuard. Doesn't sound very hard... I thought...
At first I created the DDNS scripts and they update the IPv6, all fine. But I tried to ping the domain and got "Destination unreachable: Address unreachable".
So I started to look into why and logged all firewall traffic to see what's happening. Nothing... OK, after some research I saw that if I run "curl -6 icanhazip.com" from my client I get a different IP than if I do this on my router.
If I try to connect, e.g. with WireGuard, to the IPv6 from the router, nothing in the logs.
If I try to connect, e.g. with WireGuard, to the IPv6 from the client, the firewall shows some rejects. (They are another topic, because I'm allowing incoming connections for the WireGuard port.)
I'm not an expert with the network stuff, so I'm pretty sure this is only a misconfiguration.
If you can help me to configure OpenWRT to access it by WireGuard that would be great! And please tell me why the WAN IPv6 differs between the router and a connected client oO
Most 4G/5G cellphone providers typically only hand out a single /64 prefix to their customers, which is a bit of a problem when it comes to routing (as routing pretty much implies having one subnet on your WAN and a distinct one for you to assign on LAN, this usually means the WAN IPv6 address should be from another prefix than the one you'll hand out to your clients - but ISPs don't like that). You can basically just cheat around that by using a BRouter (bridge-router) setup, proxying the internal subnet to WAN.
So next was to find out how to put the modem into bridge mode. I did not find anything about bridge mode, "only" lots of AT commands, which are mostly confusing me.
So, I have a Quectel EG25-G modem which is connected via PCI Express by a USB lane.
If someone could help me just with the first steps I would be very thankful.
And if someone needs the whole AT commands documentation.
If it is, you probably don't need to change anything with the modem. The next test would be to open a port on the router such as 22 for SSH (make sure you have a secure password) then try to reach it from outside by manually entering the WAN IP that you see into a port scan site.
T-Mobile USA does allow incoming connections (not all companies do). If you find that is also the case on your network then you can next look into ddns. After the test, don't leave port 22 open to the Internet, it will get constantly probed.
By design all of your LAN machines should have different IPv6 that are within the same /64. The ISP routes the whole /64 to your line, so someone on the Internet can reach each machine individually on its globally unique /128. It is a bad idea to allow outside access to every LAN machine of course, so by default the firewall doesn't allow any. You will need to add a destination address based forwarding rule to the OpenWrt firewall for each server you offer.
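The two kinds of rule discussed in this thread, as an added example that is not part of any post above: an input rule for WireGuard terminating on the router itself, and a destination-address-based forward rule for one LAN server. It assumes the default OpenWrt zone names `wan` and `lan`; the WireGuard port, the server address (from the 2001:db8::/32 documentation range) and the server port are placeholders.

```uci
# /etc/config/firewall (added example; values marked "assumed" are placeholders)

# 1) WireGuard runs on the router itself. With no 'dest' zone this is an
#    INPUT rule, so the DDNS record must carry the router's own WAN IPv6
#    address, not the address a LAN client reports.
config rule
	option name 'Allow-WireGuard-v6'
	option src 'wan'
	option family 'ipv6'
	option proto 'udp'
	# assumed: the port your WireGuard interface listens on
	option dest_port '51820'
	option target 'ACCEPT'

# 2) A server on the LAN has its own global /128 inside the delegated /64.
#    With 'dest' set this is a FORWARD rule, limited to one address and port.
config rule
	option name 'Allow-LAN-server-v6'
	option src 'wan'
	option dest 'lan'
	option family 'ipv6'
	option proto 'tcp'
	# assumed: the server's global IPv6 address
	option dest_ip '2001:db8:1234:5678::10'
	# assumed: the service port offered by that server
	option dest_port '443'
	option target 'ACCEPT'
```

After editing, reload with `/etc/init.d/firewall restart`. If the provider changes the /64, the `dest_ip` in the second rule has to be updated to the server's new address.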