Hi,

I'm trying to configure a 3G modem as a backup internet connection (using Netcomm's 3G "Travel" router and a pfSense box as well as DynDNS). I'm implementing this by way of a script that implements failover routing, meaning under normal circumstances, nothing will listen on the 3G data connection unless my primary ADSL connection is down. This will avoid any data blowouts. For testing, I'm having some services listen on PCs configured to use the 3G router as their default route even though my ADSL is still up.
Yes I know the risks of having listening services and those risks are managed and mitigated (fail2ban etc).

Outbound works fine, inbound doesn't work at all over 3G.

I've noticed using Wireshark that when attempting a remote inbound TCP connection, I always get TCP connections appear from the POV of the client end to open and then just about immediately reset (in order, SYN, SYN-ACK, ACK as expected, but then an immediate RST ACK). This is when attempting to connect from a PC on my ADSL connection to any port on the public IP (118.148.x.x and 118.149.x.x) of the 3G connection, whether that be to the 3G router or directly plugged in to my laptop for testing.

I also notice I get the same RST behaviour when trying to connect to an IP address allocated to the 3G connection even *after* yanking the stick out of the router or laptop's USB socket - so it's not the router or test laptop sending the SYN-ACKs and RSTs.
The behaviour I'm expecting instead would of course be connection timeouts instead of immediate resets, given the modem/test laptop is then physically incapable of receiving or responding to the incoming connection once unplugged.


Amusingly, if I point my laptop via the 3G modem to GRC's "Shields Up" firewall tester and get it to scan all service ports, this behaviour of the ports seeming to initially open means that test declares that nearly ALL ports that it scans are "open" except for a few filtered Windows networking ones (139 etc). Other firewall testers yield similar results.

So I was wondering, despite finding mentions on GZ that 2Degrees don't firewall or filter internet traffic except out-of-state stuff, has this changed for inbound traffic? I can only find mention of one APN for 2D for data, being "internet", so this is the only APN I've tried (I know as a comparison Vodafone offer filtered vs unfiltered APNs).

Does anyone else here successfully use listening services over a 2D mobile data connection from time to time?