Manage 4G LTE Router behind NAT with no support for STUN/XMPP

I am trying to configure GenieACS to manage an industrial 4G LTE router (Make - Proscend, Model - M360-P) remotely. The router is behind CGNAT and the public IP is assigned by the ISP dynamically. The router is able to reach the GenieACS server but the ACS server is not able to reach the router.
I have tried using STUN/XMPP, but the router doesn’t support any of these configurations.

It will be of great help if someone can share with me any other alternate method to achieve remote management of CPEs behind CGNAT, where the CPEs don’t support STUN/XMPP.

Thank you!

One option would be to get your GenieACS server also behind the CGNAT of your provider, if it is possible.

It is also possible to reduce the inform interval to a very low number and store the tasks for the next inform. Unfortunately, currently this is only possible via the API.
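The queued-task approach from the reply above, as an added example that is not part of the original thread or GenieACS's own code: it posts tasks to the GenieACS NBI without the `connection_request` query, so they wait for the router's next inform. The NBI address, the `InternetGatewayDevice` data-model root and the device ID are assumptions to replace with your own values.

```python
import json
import urllib.parse
import urllib.request

# Assumption: the NBI listens on its default port on the ACS host. It has no
# built-in authentication, so call it locally or through a tunnel.
NBI_BASE = "http://localhost:7557"


def inform_interval_task(seconds, root="InternetGatewayDevice"):
    """Task that lowers the CPE's periodic inform interval.

    `root` is an assumption: TR-098 devices use "InternetGatewayDevice",
    TR-181 devices use "Device". Check the device page in GenieACS.
    """
    if seconds < 1:
        raise ValueError("inform interval must be a positive number of seconds")
    path = root + ".ManagementServer.PeriodicInformInterval"
    return {"name": "setParameterValues",
            "parameterValues": [[path, seconds, "xsd:unsignedInt"]]}


def build_task_request(device_id, task, base=NBI_BASE):
    """Build POST /devices/<id>/tasks with no `connection_request` query.

    Without that query the ACS does not try to reach the CPE (which fails
    behind CGNAT); it stores the task and runs it at the next inform.
    """
    url = base + "/devices/" + urllib.parse.quote(device_id, safe="") + "/tasks"
    return urllib.request.Request(
        url, data=json.dumps(task).encode("utf-8"), method="POST",
        headers={"Content-Type": "application/json"})


def queue_task(device_id, task, base=NBI_BASE):
    """Send the task; the NBI answers 202 when it has been queued."""
    with urllib.request.urlopen(build_task_request(device_id, task, base),
                                timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed device ID; copy the real one from the GenieACS device page.
    device = "001122-M360P-SN0001"
    print(queue_task(device, inform_interval_task(60)))   # inform every 60 s
    print(queue_task(device, {"name": "reboot"}))         # runs at next inform
```
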

Thank you for your response, the devices are located in remote places with a 4G SIM installed on them. So the option of GenieACS being behind the same CGNAT is not possible.

Regarding the other option of using tasks/api, would you be kind enough to point me to an example documentation/implementation which I can follow. I am new to GenieACS and not a programmer, so excuse me for asking simple questions 🙂
Appreciate your response!

I had another question: is it possible to connect the router to an IPSec VPN (e.g. StrongSwan on GenieACS) on the GenieACS server? Then have the router and GenieACS server communicate over private IP instead of public IP; this should solve the issue of GenieACS trying to send requests to the router behind CGNAT over a public IP which cannot be traced back to the router.

Hi, it’s possible if the 4G Router has support for VPN connections but I don’t think you really want the extra overhead. Another idea, if your provider allows direct connections inside their network using the private IPs, would be to have your ACS connected with one interface to a similar 4G LTE router and update a dynamic DNS record (like: with the private IP you receive and use this on all your deployed routers.

It depends on the network layout of the mobile carrier. If your ACS server has its own cellular uplink, it can be possible that the ACS can reach the CPE. On the ACS server or the router, the routes must be set in such a way that the carrier NAT IPs are routed over cellular and all other traffic over the main line.

This is the api reference:

Thank you Iavira & Jonas for the response, I am not well versed with networking concepts and programming. I am not sure if I will be able to implement your suggestions. But will give it a try, if there is any article/blog with step-by-step process to implement your suggestion then it will be very helpful.

Thank you!

A simple test for the way over the cellular network would be getting a second device within the mobile network.

Then open the connection request URL, which can be found within GenieACS on the device page.
If it works, a user name and password question will appear.

If that also works, you could go on with setting up a router or the routes on the GenieACS server, depending on your setup.