Computer networks
ssman, 2019-05-19 12:16:16

How to organize communication without a static IP?

There is such an infrastructure:
An industrial controller with a web server, an FTP server, Modbus TCP (port 502/TCP), and a couple of specialized TCP ports, most likely UDP as well. The controller has a built-in firewall, so it only responds to requests from IP addresses on the same subnet as itself (i.e., on the local network). This firewall cannot be disabled, and it is the whole reason the connection is complicated.
The controller is connected to the Internet through an industrial 4G router with an MTS SIM card. A VPN server runs on the router; by connecting to it over VPN, one can reach the controller from any remote computer on the Internet. With a static-IP SIM card in the router this setup works and the connection is established. Unfortunately, a static-IP SIM card can no longer be used because of MTS policy (no more than 20 IPs per company, and a one-time connection fee of 7000 rubles for each static IP).
The task is to establish communication with this site without using a static IP. Can anyone suggest options? As I understand it, Dynamic DNS will not help here: judging by my experiments, the IP issued by MTS is grey.


5 answers
rPman, 2019-05-19
@ssman

In your scheme, the biggest mistake is this:

A VPN server is running on the router, with the help of which it is possible to keep in touch with the controller from any remote computer on the Internet by connecting via VPN.

I do not understand who suggested such a strange scheme to you. You should set up only ONE VPN server, on a single white (preferably, but not necessarily, static) IP address, on one of the main routers (or several, though I am not sure your equipment can sort out connections when one is unavailable); its Internet connection should be the most stable one, ideally a dedicated server. All other routers, including those of the people who will operate your industrial devices, must connect to it, forming a single local network.
That is, your devices stay on the local network, and the IP addresses of those who operate a device must be issued from the ranges that device allows.

Nikolai, 2019-05-19
@nevzorofff

Drop the static IP from MTS and bring up an outgoing VPN from this router to your own node with a static address from a reasonable provider, not for 7 kilorubles.
If you have no static address, buy a VPS with a static one; Aruba once gave them out for a euro a month.
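The hub-and-spoke layout that rPman and Nikolai describe, as an added WireGuard example (not code from either answer or from any vendor): a hub on a VPS with a public IP, the 4G router dialing out from behind carrier NAT, and an operator's laptop dialing out too; the router masquerades tunnel traffic toward the controller so the controller's firewall sees a same-subnet source. The tunnel range 10.8.0.0/24, the controller LAN 192.168.1.0/24 with the router at 192.168.1.1, the hub name vpn.example.com, the interface name br-lan and all keys are assumptions or placeholders.

```ini
# --- hub: /etc/wireguard/wg0.conf on the VPS with a public IP (assumed) ---
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <HUB_PRIVATE_KEY>          # placeholder

# site router; the hub reaches the controller LAN 192.168.1.0/24 through it
[Peer]
PublicKey = <SITE_ROUTER_PUBLIC_KEY>    # placeholder
AllowedIPs = 10.8.0.2/32, 192.168.1.0/24

# operator's laptop
[Peer]
PublicKey = <ADMIN_PUBLIC_KEY>          # placeholder
AllowedIPs = 10.8.0.10/32

# --- site: /etc/wireguard/wg0.conf on the 4G router (behind carrier NAT) ---
[Interface]
Address = 10.8.0.2/24
PrivateKey = <SITE_ROUTER_PRIVATE_KEY>  # placeholder
# Rewrite the source of tunnel traffic bound for the controller LAN to the
# router's own LAN address (192.168.1.1) so the controller's same-subnet
# firewall accepts it. Assumes iptables and a LAN bridge named br-lan.
PostUp   = iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -d 192.168.1.0/24 -o br-lan -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -d 192.168.1.0/24 -o br-lan -j MASQUERADE

[Peer]
PublicKey = <HUB_PUBLIC_KEY>            # placeholder
Endpoint = vpn.example.com:51820        # hub's public address (assumed)
AllowedIPs = 10.8.0.0/24
PersistentKeepalive = 25                # keeps the carrier NAT mapping open; no inbound port at the site

# --- operator: wg0.conf on the laptop ---
[Interface]
Address = 10.8.0.10/24
PrivateKey = <ADMIN_PRIVATE_KEY>        # placeholder

[Peer]
PublicKey = <HUB_PUBLIC_KEY>            # placeholder
Endpoint = vpn.example.com:51820
AllowedIPs = 10.8.0.0/24, 192.168.1.0/24   # tunnel range plus the controller LAN, both via the hub
PersistentKeepalive = 25
```

The hub needs IP forwarding enabled (net.ipv4.ip_forward=1) to relay between the two peers, and the router's firewall must permit forwarding from wg0 to its LAN. Only the hub needs a reachable UDP port; both the site and the operator initiate outbound, which is what makes the grey MTS address irrelevant.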

#, 2019-05-19
@mindtester

Questions:
- why not run a cable? (Is it in the tundra?)
- what else can be brought up on the LAN? I have only set up VPN on MS ISA (i.e., always with an external IP and all the trimmings), but I vaguely suspect it is possible to create a VPN tunnel from the inside out to some convenient place (such as a VPS or a server at headquarters)... or run the https://ngrok.com client inside (provided the traffic is small and the set of ports is not too complicated).

Saiputdin Omarov, 2019-05-19
@generalx

Your problem can be solved by this article: https://habr.com/ru/company/ru_mts/blog/334610/
There is a good comment there:
https://habr.com/ru/company/ru_mts/blog/334610/#co...
