Port forwarding doesn't work. TL-WR842N3G + 3G modem ZTE MF637

Hi everyone!
I am trying to access to my local IP cameras from internet for this purpose I have to use 3g usb modem and router. So my configuration is 3g modem with static IP sim (ZTE mf637)--> router (tl wr842n) --> local ip cams and other devices. I have installed 21.02 and configured usb modem on it. Now I can share internet and even access my router configurations from web. But unfortunately port forwarding doesn't seem to work, I cant access from web to my devices and I cant understand what is the problem.

Many mobile data services do not allow incoming connections - i.e. all ports are blocked by the provider

so, port-forwarding won't ever be an option


@jaromanda is absolutely right - most mobile providers use cg-nat which means they port forwarding is not possible.

Interesting - so, what is the first octet of your 3g-USB IPv4 address?

Do you mean that you can access the router configuration from the internet, or are you on your local network accessing it via a web browser?

I will also add that you should never expose the router admin interface to the internet.

It's not a good idea to expose IP cameras to the Internet either since especially the cheap ones have dodgy firmware.

The wan interface should not be up while you're using USB as the wan. Also wan is up with an IP in the same range as lan, which will cause problems.


Thank you guys for your response. I have asked my operator and they say that they don't block any incoming connection or ports. I can even change port via which I get access to luci from web and everything work perfect, so it isn't the issue.

I am using internet, not local network.

IPv4 is 46.13x.xxx.xxx

good, so it's not CGNAT

It's probably your configuration is wrong as mentioned by @mk24

The problem is that when I delete wan interface I am loosing internet connection on local devices

that makes no sense, since the WAN interface has a LAN IP address

I think you'll need to show your /etc/config/network contents

1 Like

Just to verify: how are you getting that IPv4 address? Are you looking at the "IPv4 Upstream" as shown by OpenWrt? Or are you using some other method like googling "what's my IP"? If the latter, what does OpenWrt report as its upstream? The same, or something different? If different, what are the first 2 octets?

Ip4 address is same from both sources as shown in openwrt and from online services. What are octets, are they first 6 numbers or what?

Ok. That verifies that you do indeed have a public ip.

No need to post the response about the first 2 octets, but to answer your question: aaa.bbb.ccc.ddd -each letter grouping is an octet. Ipv4 uses 4 octets separated by periods.

Use ssh to connect to the device.
Then run the following command to verify that packets are hitting the firewall to be redirected: iptables-save -c -t nat | grep 8888

this is what I get in /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr ''
        option netmask ''

config globals 'globals'
        option ula_prefix 'xxxx:xxxx:xxxx::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr ''
        option netmask ''
        option ip6assign '60'

config device
        option name 'eth0.2'
        option macaddr 'xx:x:xx:xx:xx:xx'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0 6t'

config interface 'USB'
        option proto '3g'
        option device '/dev/ttyUSB2'
        option apn 'connect'
        option dialnumber '*99#'
        option ipv6 'auto'

This is what I get

[0:0] -A zone_lan_prerouting -s -d -p tcp -m tcp --dport 8888 -m comm                                                                                         ent --comment "!fw3: WEBCam (reflection)" -j DNAT --to-destination
[1:52] -A zone_lan_prerouting -s -d stat.ip/32 -p tcp -m tcp --dport 8888 -m com                                                                                         ment --comment "!fw3: WEBCam (reflection)" -j DNAT --to-destination
[13:676] -A zone_wan_prerouting -p tcp -m tcp --dport 8888 -m comment --comment "!fw3: WEBCam" -j DN                                                                                         AT --to-destination