Does my site need a public IP address for OOB or failover access?

When using cellular OOB or broadband Ethernet OOB for remote access, your Internet provider (i.e. ISP or cellular carrier) will assign either:

• A public, static IP address
• A public, dynamic IP address
• A private IP address (e.g. carrier-grade NAT)
• A private IP address on a routable private APN/VPN

Public, static IP address

Typically, you can access the Opengear device's HTTPS and SSH services directly using this address.  For details on limiting access through the firewall, please refer to this article.

In some cases, your provider may be firewalling this address at their end, preventing direct access.  This can be tested by running tcpdump on the Opengear device to watch for inbound connections, e.g. to test a cellular connection, login to the Opengear CLI as root or an admin user and run:

tcpdump -ntl -i wwan0 tcp port 443

Then launch an HTTPS browser session to the address and watch for the CLI for output.  If there's no output, it's likely the address is being firewalled upstream.  Hit Ctrl-C to stop tcpdump.

To test an Ethernet connection, substitute wwan0 with the interface name that has been assigned your public IP address, e.g. eth1 – run ifconfig or view a Status -> Support Report to determine the interface.

Public, dynamic IP address

If you have a public IP address that changes periodically,  you may configure the Opengear device’s Dynamic DNS client. Alternatively, you may be able to subscribe to a static IP service with your provider.  Otherwise the address is accessible as per above.

Private or firewalled IP address

If you are unable to establish inbound access to the Opengear device, you can configure it to establish an outbound OpenVPN or IPsec VPN tunnel, or reverse/remote SSH port forward (aka Call Home).

The connects to Opengear device to a VPN or SSH server that you do have routed access to, allowing you to connect via this endpoint.  Common solutions include:

• IPsec to a Cisco IOS/ASA device
• Connecting to Opengear Lighthouse

The Opengear's connection manager uses routing table rules to automatically establish or re-establish the outbound connection when the network interface starts, or the Opengear device fails over to a secondary interface.

Private APN/VPN

If you have a specific arrangement with your provider, the Opengear device's private addresses may be routable through dedicated infrastructure linking your network to the provider's network, or accessible via a management portal.  Consult your provider or network team for details.

Failover considerations

If this interface is also being used for outbound failover (System -> IP -> Network Interface -> Failover -> Failover Interface), you may check Dormant Failover Interface to keep it up for inbound access during fail forward.

If you are failing over to a private or other inaccessible address, consider using VPN failover to activate the tunnel during failover, and deactivate it during fail forward.