Ntrip nightmare

Yeah, updates can cause grief!

Trying to picture your setup, is it:

Modem - router - switch?

One big source of confusion in these discussions is the term “router” because most broadband routers are not actually routers! They are hybrid devices containing a modem, router and (Layer 2) switch.

I think I should describe it better

4G ISP router (no wifi) — switch — switch ports

Switch port 1 — Asus Router house wifi
Switch port 2 — house powerline extender — shop powerline to wifi adapter — Emlid Base Station

The base is the only thing bypassing the house router.


My ISP also owns the WAN-facing router. I can log in to my ISP’s customer portal and add a firewall rule; the rules get pushed to routers every night. I’ve had a couple of ISPs like that.

The ISP’s router feeds my own router (I’m double NAT’ing), I have a firewall rule set there as well.

Your ISP should be able to set up a firewall rule for you.

My friend

A classic router has an RJ45 WAN input, 3-4+ LAN outputs and a wifi interface.

A modem is a device which combines technologies.

Example:

input can be: 4G, ADSL, HFC or optics etc…
outputs are LAN ports and wifi

Bridge mode
is a bridge between devices;
the bridged device does not get an IP from the ISP, but the device which is connected to it does, and it’s only one IP.
So you connect a router to it and the router gets its WAN IP directly from the ISP’s range.

When the ISP’s modem is in DHCP mode

that modem gets an IP from the ISP’s range of addresses on the WAN, which is the HFC input, optical … and all devices get an address in the 192.168.9.0/24 range.

Because many of those modems are limited in their possibilities, people put the ISP’s device in bridge mode and put pro routers behind it.

So, when you buy a public IP, the modem is in bridge mode, your router gets the public IP on its WAN, and then you can do port forwarding.

This public IP is yours and no one else is using it.

When you do not have a public IP, you are NATed along with 5-6000 users. All of you have the same public IP.

Right, this makes more sense.

It sounds like you are on a privately owned mesh with a shared WAN link, I was assuming a single LAN behind a modem / router.

@EngFarm

Is this a corporate service? I have never heard of a managed home router before (actually, there was FON in Spain, now I think back), but I have managed (and still do manage) a fair few corporate networks where the customer would have to submit change requests for any changes to be made to their network.

@PotatoFarmer, I get you, that makes perfect sense. May I ask why you don’t just get a wifi router though? My home office setup is similar to yours in design, but I have an ADSL router/modem/switch device connected to a powerline (I’m assuming EoP?) wifi hotspot in the workshop.

That makes sense @daner. I’d heard of this type of ISP network maybe 10 years ago, when IPv4 addresses were scarce and IPv6 wasn’t adopted yet, but never since then. I remember gamers being angry because game servers would ban a user’s IP and it would ban everyone else too.

It’s not a corporate service @bluerabbit, just a residential connection. My ISP owns a device in my home which is both a modem and a router. I cannot access that device directly, but I am able to log in to my online customer portal and make some limited setting change requests, like port forward rules and local IP. These changes are pushed to the device during maintenance hours in the middle of the night. Since I have trust issues and do not want their firewall to be my protection (and I need a WAP anyway), I’ve simply plugged my own typical homeowner router’s (router/bridge/WAP) WAN port into my ISP device’s LAN port, and connect everything in my home to my personal router. That way I at least know that I own my firewall. Anything I want to port forward from my network to the outside world, I have to port forward through both routers. My ISP occasionally reminds me that I’m double NAT’ing and that I may experience issues and should just ditch my router, but I don’t care.


@EngFarm

That’s why you tell your ISP to put your modem in bridge mode, and then you do not have double NAT, only your router’s.

That is the point of bridge.

The ISP router can only be their device; network access is locked to the hardware and SIM, not just the SIM. So I have to have the Asus for house wifi.

The Ethernet to the shop uses the yard’s electrical wiring. The adapter in the shop has wifi built in, but can be run in transparent mode.

I liked IPv4: 5-6000 users are hidden behind one IP, you can download torrents with no fear :joy:

For gaming you just buy your own and no problem.
In my country (Serbia) we still use IPv4.
My internet is relatively good; I live in a village and I have two links to home.
One is a wifi direct link with a Ubiquiti AirGrid at a 100/100 transfer rate, and HFC at 350/35 Mb/s.

I share my public address with many other of my ISP’s customers. In fact they have a pool of public addresses they use. My ISP router has no public IP address. Now that IPv4 is pretty much exhausted, this is probably the norm now. Carrier-grade NAT they call it (in other words double NAT).

I have a VPS with Linode that can proxy connections for me back through a VPN to my computers in my shop and house. Although Tailscale makes even that unnecessary.

One other way to sidestep this carrier-grade NAT business is if you can get IPv6 addresses from your ISP. IPv6 does away with NAT for the most part. My ISP is Telus and they’ll never support IPv6 I’m afraid. They barely support anything really. Probably the most inept and customer-hostile telecom company I have ever done business with.

:rofl: So true, unless the ISP gets snoopy. But the ISP techs are too busy downloading torrents too.

I work at an ISP, I know :grin::grin:, I get emails from big movie companies about torrents.
Basically they do not look for downloaders but seeders.

If we do not do anything, the public IP where they detected the seeder is added to a blacklist and there is a problem with gamers :joy:

Then we change the public IP and problem solved.

So when you finish downloading, shut down seeding.

My friend found an NTRIP server for Linux.
We put it on a modem with a public IP,
did DST-NAT to the machine’s IP and port, and it works.

We used to use rtk2go, but if you have a problem with the PC or GPS module and you send them an empty signal, they block your public IP.
Sometimes their site is down and we are in the field and steering does not work.
So we made our own NTRIP server on Linux on our public IP.

Now it works perfectly.

I did something stealthy-similar the other day using ngrok.io (a friend wanted to publish direct, but he didn’t have his router password so port-forwarding wasn’t an option)… From memory, here’s the process. Basically, ngrok runs on your PC and creates an outbound tunnel for an internal service.

  • Register an account at ngrok.io - free plan is fine
  • Receive an auth-token here and the command to store it: ngrok - secure introspectable tunnels to localhost
  • At the command line, run “ngrok tcp 2101” to stand a tunnel up forwarding port 2101 on the machine ublox is running on (I’m assuming ublox and ngrok are on the same machine; use “ngrok tcp ubloxip:2101” if not).

It’ll give you info on what the tunnel will be called, and this will change EVERY time you start ngrok unless you upgrade to a paid plan. Don’t have it handy, but it might be something like 5.tcp.eu.ngrok.io:14997, so that’s IP 5.tcp.eu.ngrok.io and port 14997 in AGO.

C:\Downloads> ngrok tcp 192.168.0.21:80

Worked a treat! Here, 192.168.0.21 is my Raspberry Pi, and I’m running this from my PC.

If your device won’t take host names, ping the ngrok DNS name to get the IP.

Here, 3.67.62.142

Also, I’ve written an rtkbase setup tutorial here: RTKBase - a tutorial


2 cents, perhaps late.

  • If you are trying to use RTK2go.com:2101 from your home or office PC network, you do not NEED port forwarding (and NAT is occurring locally behind your back as multiple machines share the IP your router was assigned). This is because you are making an outbound connection and most firewalls are set to allow that. It is the inbound connection they block by default.

  • If you are going to run your own NTRIP Caster (the free SNIP Lite model or any other) then other users outside of your network will need to be able to find it (in this case by IP) and connect to the machine hosting your Caster. Now you need both a) a new firewall rule (on your router) to allow inbound connections (probably on port 2101) and b) a NAT rule to port forward that traffic from your router on that port to the IP and port where the host PC resides on your local network. [And if you get all that working, some folks also like to use DDNS to attach a URL to their IP.]

Because you are pushing out your base station data to RTK2go, there are generally no changes you need to make in your local internet. And that was part of the goal when it was set up, although the original motivation was also that many ISPs charge way too much $$ for a static IP.
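The two posts above describe the base station pushing to a caster over an outbound connection, and the earlier post mentions that rtk2go blocks the public IP of a base that sends an empty stream. The following is an added example (not Emlid, rtk2go or SNIP code) of a push-side guard: it splits a byte buffer into well-formed RTCM3 frames (0xD3 preamble, 10-bit length, CRC-24Q) so that only verified, non-empty frames are sent, and it builds the NTRIP 1.0 SOURCE request the base sends on port 2101. The mountpoint, password and sample payload are constructed for the example; note the caster password travels in cleartext in that request.

```python
"""Push-side guard for an NTRIP base station (added example, not project code)."""
import struct

CRC24Q_POLY = 0x1864CFB  # RTCM 10403 CRC-24Q generator polynomial


def crc24q(data: bytes) -> int:
    """Bitwise CRC-24Q as used on RTCM3 frames (init 0, no reflection)."""
    crc = 0
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24Q_POLY
    return crc & 0xFFFFFF


def build_rtcm3_frame(payload: bytes) -> bytes:
    """Wrap a payload in an RTCM3 frame (used here to construct sample input)."""
    header = bytes([0xD3]) + struct.pack(">H", len(payload) & 0x3FF)
    body = header + payload
    return body + crc24q(body).to_bytes(3, "big")


def valid_rtcm3_frames(buf: bytes) -> list:
    """Return complete, CRC-valid, non-empty RTCM3 frames in buf; skip junk."""
    frames, i = [], 0
    while i + 6 <= len(buf):  # shortest frame: 3 header + 0 payload + 3 CRC
        if buf[i] != 0xD3:
            i += 1
            continue
        length = struct.unpack(">H", buf[i + 1:i + 3])[0] & 0x3FF
        end = i + 3 + length + 3
        if end > len(buf):
            break  # truncated frame: wait for more bytes before deciding
        frame = buf[i:end]
        crc_ok = crc24q(frame[:-3]) == int.from_bytes(frame[-3:], "big")
        if crc_ok and length > 0:
            frames.append(frame)
            i = end
        else:
            i += 1  # bad CRC or empty payload: drop it and resync on next preamble
    return frames


def build_source_request(mountpoint: str, password: str, agent: str = "example/1.0") -> bytes:
    """NTRIP 1.0 SOURCE request a base sends to the caster; password is cleartext."""
    return f"SOURCE {password} /{mountpoint}\r\nSource-Agent: NTRIP {agent}\r\n\r\n".encode()
```

A pushing loop would only write to the caster socket when `valid_rtcm3_frames()` returns a non-empty list, which is what keeps an idle or faulty receiver from streaming garbage or nothing to rtk2go.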


I use Emlid and it’s great, but even with it I find getting the router out of the mix helps greatly. Usually the ISP gives you a terrible router/modem, so you end up running a second one behind it, giving a double NAT.

Try making your base station connected directly to the ISP equipment.

I think that in going such a route, in effect you expose any and all services on the emlid to the internet, direct, that way. That would likely include your web admin interface too.

I think that is the point, the service is connecting with the corrections reliably.

So if someone could find the emlid on the carrier system, figure out it had a login, know the password and username. What could they do? Not a whole lot. Look at a satellite chart?

In the worst case scenario, install some malicious software on it and use it as a relay to attack others. No idea how the emlid hangs together tho, but any time you expose a terminal or service, you’re open to potential abuse.

I think you watch too many hacker movies.

How would you connect your computer to the ISP connection if you are 99% of the world’s population? Directly to the ISP equipment. Connecting to the Internet does have risks, but most are overblown.

The only way the emlid can send corrections is by sending them to a known domain or static IP to connect. The chances of someone coming back up an unreserved IP pool, that is constantly changing through carrier NAT is very unlikely. Unless you click on a link in an email or something that loads the malicious software so they can find your computer.

Writing malicious software for emlids sounds like the most effort to get no bitcoins.

Well, I work in IT security, so there’s that…

The chances of someone coming back up an unreserved IP pool, that is constantly changing through carrier NAT is very unlikely

That’s not how it works, an IP address is there and yeah, it could be your emlid today, it could be someone else tomorrow. The point is, it’s on the internet advertising a service at a reachable address. I’d still class it as minor risk to be honest. I do this sort of thing for a living and I didn’t even DMZ my rtkbase :wink: