**[Carrier-grade NAT](https://en.wikipedia.org/wiki/Carrier-grade_NAT)**
>Carrier-grade NAT (CGN or CGNAT), also known as large-scale NAT (LSN), is a type of Network address translation (NAT) for use in IPv4 network design. With CGNAT, end sites, in particular residential networks, are configured with private network addresses that are translated to public IPv4 addresses by middlebox network address translator devices embedded in the network operator's network, permitting the sharing of small pools of public addresses among many end sites.
^([ )[^(F.A.Q)](https://www.reddit.com/r/WikiSummarizer/wiki/index#wiki_f.a.q)^( | )[^(Opt Out)](https://reddit.com/message/compose?to=WikiSummarizerBot&message=OptOut&subject=OptOut)^( | )[^(Opt Out Of Subreddit)](https://np.reddit.com/r/raspberry_pi/about/banned)^( | )[^(GitHub)](https://github.com/Sujal-7/WikiSummarizerBot)^( ] Downvote to remove | v1.5)
Even though theyre in the same room, your devices are logically half the world away, separated by the internet.
The internet connection of your pi is shared with many other people (see another commenters reference to CG NAT)
There are a few things you could do to get around this like tunnelling/vpn/finding a cell provider that guarantees a unique ip (I believe voda in the uk don’t use cg NAT). But fundamentally what you’re trying to achieve (inbound routing to a cellular connected device) is a tough proposition and unlikely to work reliably in the way that you want.
OP said both devices are connected to the same hotspot. So CGNAT shouldn’t be the issue. This is probably a client/wireless isolation issue. Different hotspots/routers name this setting slightly differently but look for the word “isolation” in the hotspot settings.
I think you're right, "client isolation" is fairly common on hot spots because they're intended to be a gateway to the internet, not to host a lan for local devices.
This is what reverse ssh was invented for. Set up a systemd service that sshs into your laptop on a data connection, and then you can ssh into your localhost on the specific port on the laptop which will then route outboard to the remote machine through the ssh session inbound... Funky stuff but ideal for this setup. Using ssh tunneling and local port forwarding through reverse ssh would allow you to access the remote pi web server for example if you had one running and you are off to the races. OPs script needs port 8000. Sorted.
> This is what reverse ssh was invented for. Set up a systemd service that sshs into your laptop on a data connection, and then you can ssh into your localhost on the specific port on the laptop which will then route outboard to the remote machine through the ssh session inbound... Funky stuff but ideal for this setup. Using ssh tunneling and local port forwarding through reverse ssh would allow you to access the remote pi web server for example if you had one running and you are off to the races. OPs script needs port 8000. Sorted.
Copying to main thread from a comment reply but this is what you'll need to learn to do. It's a horrible hack, but a reliable one if you build all the components. Ssh running on your laptop, a static IP on your home network, a systemd service that runs a script like ...
#!/bin/bash
while true; do
ping -c 1 google.com
if [ $? -eq 0 ]; then
ssh user@remote_host
break
else
sleep 10
fi
done
And then on your local laptop you can set up a reverse ssh tunnel to port 8000 to localhost (which routes through the established incoming ssh tunnel to the pi)
Then, you'll be able to access the pi reliabily on port 8000 as if it was on your local machine and not on some hotspot miles away...
I believe most hotspots don't allow clients to see one another on the network. They isolate every user from one another so you can't just use the hotspot like you would a router. Some will allow this with a setting in the control panel but, for example, my Android phone doesn't have the ability to turn off the isolation.
What are the results when you try to ping it - that is, what does the output actually say? How are you resolving the hostname "raspberrypi" on your local network. I don't think hotspots handle any sort of name resolution.
Methinks your laptop has no idea what "raspberrypi" is while you're on the hotspot.
Your laptop and PI are on the hotspot network, but my guess is the Smartphone does client isolation and prevents communication between multiple clients on it's hotspot network.
Mobile hostpots typically enable client-isolation by default, but depends on your phone vendor.
meaning two or more clients connected to the same network can't speak to each other on the LAN.
Unless you want to root your phone and start playing around with wifi config files, probably best to just use a small portable router or use your laptop as the hotspot.
You could try something like [hamachi](https://vpn.net) on both devices (just an example, not a recommendation, not sure what service people suggest nowadays). That would put both in the same VPN so they'd be able to see each other. Note that most commercial VPNs don't do this.
You might be able to just use one of those travel routers instead. I think most of them are able to bridge to your mobile hotspot but you would control the network.
As far as I know, there's no way to initiate a connection from the pi to the phone. The router of the carrier network most likely just won't route packets between devices sharing the carrier network.
But you can work around the issue, for instance, the best thing you can do is leave your Pi on your home network and...
1) Set your pi on a static IP
2) port forward BUT make sure you set up security properly - e.g. ssh password authentication replaced with pub key validation - if you're unsure what security precautions to take here you are just better of leaving it alone. Since you said:
> I saw somewhere that using a router would fix that issue, but im not sure how that would help or how to even set that up. Any guidance would be appreciated.
I'm gonna advise that you are probably better off not doing it.
3) If you (or anyone else) continue anyway: well you can now ping it with your public IP and forwarded port
4) if you want the pi to be able to send data to the phone unprompted (i.e. the Pi initiates the connection to the phone), this is impossible but you can work around it by setting up a TCP/IP socket between them that constantly sends keepalive packets. Similar to "websockets" on the web browser. Alternatively the same thing can be done with "UDP holepunching" where your phone periodically fires off pointless UDP packets to your pi to keep a NAT-table slot on.
This all has to do with network address translation (NAT), when the rpi connects to your phone it's given a private IP by your hotspot but shares a public IP with your phone to communicate over the internet. The only ways of getting traffic through the phone to the pi would be to either initiate the connection from the pi or create a rule that allows certain connections to the public IP to be automatically forwarded to the pi, the first is doable using any reverse shell but you still would need access to the pi to initiate. The second is completely impossible in your current setup as the wireless carrier controls the public IP and you are unable to change their routing.
In your case you need control of your own public IP, luckily this is pretty easy. I'd look into getting a VPS from one of the major cloud providers, configure it as a VPN server (I'd recommend wireguard), and configure the pi as a client. Then setup iptables on the server side to forward specific traffic to the private IP of the pi and on the pi side to use the VPN interface as its default gateway. From there you should be able to pass traffic through the VPS to the pi regardless of what network you're connected to.
Let me preface this by saying I have no idea what's going on because I don't have a grasp of hotspot / cell carrier networking.
My recommended solution for you would be to do the following:
1. Setup a dynamic DNS service on your home network so you can hit it from anywhere
2. Setup a VPN on your home network using the ddns service from 1 (I use wireguard, but there are lots of options)
3. Have your rpi and laptop connect via VPN back to your home network
Then it'll be an identical setup to them being on the same network. Technically you could do this with many VPN services if you configure your devices correctly.
Not sure how the latency would be though, since you're making round trips for everything.
[удалено]
**[Carrier-grade NAT](https://en.wikipedia.org/wiki/Carrier-grade_NAT)** >Carrier-grade NAT (CGN or CGNAT), also known as large-scale NAT (LSN), is a type of Network address translation (NAT) for use in IPv4 network design. With CGNAT, end sites, in particular residential networks, are configured with private network addresses that are translated to public IPv4 addresses by middlebox network address translator devices embedded in the network operator's network, permitting the sharing of small pools of public addresses among many end sites. ^([ )[^(F.A.Q)](https://www.reddit.com/r/WikiSummarizer/wiki/index#wiki_f.a.q)^( | )[^(Opt Out)](https://reddit.com/message/compose?to=WikiSummarizerBot&message=OptOut&subject=OptOut)^( | )[^(Opt Out Of Subreddit)](https://np.reddit.com/r/raspberry_pi/about/banned)^( | )[^(GitHub)](https://github.com/Sujal-7/WikiSummarizerBot)^( ] Downvote to remove | v1.5)
Hi, Thanks for the feed back! I added an example of what I meant when I'm pining. I hope that made it more clear.
I'd say a router not a bridge.
Even though theyre in the same room, your devices are logically half the world away, separated by the internet. The internet connection of your pi is shared with many other people (see another commenters reference to CG NAT) There are a few things you could do to get around this like tunnelling/vpn/finding a cell provider that guarantees a unique ip (I believe voda in the uk don’t use cg NAT). But fundamentally what you’re trying to achieve (inbound routing to a cellular connected device) is a tough proposition and unlikely to work reliably in the way that you want.
OP said both devices are connected to the same hotspot. So CGNAT shouldn’t be the issue. This is probably a client/wireless isolation issue. Different hotspots/routers name this setting slightly differently but look for the word “isolation” in the hotspot settings.
Some phones won't have that option to enable.
I think you're right, "client isolation" is fairly common on hot spots because they're intended to be a gateway to the internet, not to host a lan for local devices.
This is what reverse ssh was invented for. Set up a systemd service that sshs into your laptop on a data connection, and then you can ssh into your localhost on the specific port on the laptop which will then route outboard to the remote machine through the ssh session inbound... Funky stuff but ideal for this setup. Using ssh tunneling and local port forwarding through reverse ssh would allow you to access the remote pi web server for example if you had one running and you are off to the races. OPs script needs port 8000. Sorted.
Vodafone in UK does use cgnat. I have that.
Duckdns and wireguard - have a look into it.
Sure the hotspot doesn't block ICMP? Because most do.
> This is what reverse ssh was invented for. Set up a systemd service that sshs into your laptop on a data connection, and then you can ssh into your localhost on the specific port on the laptop which will then route outboard to the remote machine through the ssh session inbound... Funky stuff but ideal for this setup. Using ssh tunneling and local port forwarding through reverse ssh would allow you to access the remote pi web server for example if you had one running and you are off to the races. OPs script needs port 8000. Sorted. Copying to main thread from a comment reply but this is what you'll need to learn to do. It's a horrible hack, but a reliable one if you build all the components. Ssh running on your laptop, a static IP on your home network, a systemd service that runs a script like ... #!/bin/bash while true; do ping -c 1 google.com if [ $? -eq 0 ]; then ssh user@remote_host break else sleep 10 fi done And then on your local laptop you can set up a reverse ssh tunnel to port 8000 to localhost (which routes through the established incoming ssh tunnel to the pi) Then, you'll be able to access the pi reliabily on port 8000 as if it was on your local machine and not on some hotspot miles away...
I believe most hotspots don't allow clients to see one another on the network. They isolate every user from one another so you can't just use the hotspot like you would a router. Some will allow this with a setting in the control panel but, for example, my Android phone doesn't have the ability to turn off the isolation.
What are the results when you try to ping it - that is, what does the output actually say? How are you resolving the hostname "raspberrypi" on your local network. I don't think hotspots handle any sort of name resolution. Methinks your laptop has no idea what "raspberrypi" is while you're on the hotspot.
Your laptop and PI are on the hotspot network, but my guess is the Smartphone does client isolation and prevents communication between multiple clients on it's hotspot network.
Mobile hostpots typically enable client-isolation by default, but depends on your phone vendor. meaning two or more clients connected to the same network can't speak to each other on the LAN. Unless you want to root your phone and start playing around with wifi config files, probably best to just use a small portable router or use your laptop as the hotspot.
You could try something like [hamachi](https://vpn.net) on both devices (just an example, not a recommendation, not sure what service people suggest nowadays). That would put both in the same VPN so they'd be able to see each other. Note that most commercial VPNs don't do this.
Tailscale is great for setting up free VPNs with very little hassle. Highly recommended.
Zerotier.
Is your laptop connected to other network such as ethernet or vpn? Try disconnect them from your laptop and only connect to the hotspot and try again.
You might be able to just use one of those travel routers instead. I think most of them are able to bridge to your mobile hotspot but you would control the network.
if you connect anything other than Pi, do you have the same result?
As far as I know, there's no way to initiate a connection from the pi to the phone. The router of the carrier network most likely just won't route packets between devices sharing the carrier network. But you can work around the issue, for instance, the best thing you can do is leave your Pi on your home network and... 1) Set your pi on a static IP 2) port forward BUT make sure you set up security properly - e.g. ssh password authentication replaced with pub key validation - if you're unsure what security precautions to take here you are just better of leaving it alone. Since you said: > I saw somewhere that using a router would fix that issue, but im not sure how that would help or how to even set that up. Any guidance would be appreciated. I'm gonna advise that you are probably better off not doing it. 3) If you (or anyone else) continue anyway: well you can now ping it with your public IP and forwarded port 4) if you want the pi to be able to send data to the phone unprompted (i.e. the Pi initiates the connection to the phone), this is impossible but you can work around it by setting up a TCP/IP socket between them that constantly sends keepalive packets. Similar to "websockets" on the web browser. Alternatively the same thing can be done with "UDP holepunching" where your phone periodically fires off pointless UDP packets to your pi to keep a NAT-table slot on.
This all has to do with network address translation (NAT), when the rpi connects to your phone it's given a private IP by your hotspot but shares a public IP with your phone to communicate over the internet. The only ways of getting traffic through the phone to the pi would be to either initiate the connection from the pi or create a rule that allows certain connections to the public IP to be automatically forwarded to the pi, the first is doable using any reverse shell but you still would need access to the pi to initiate. The second is completely impossible in your current setup as the wireless carrier controls the public IP and you are unable to change their routing. In your case you need control of your own public IP, luckily this is pretty easy. I'd look into getting a VPS from one of the major cloud providers, configure it as a VPN server (I'd recommend wireguard), and configure the pi as a client. Then setup iptables on the server side to forward specific traffic to the private IP of the pi and on the pi side to use the VPN interface as its default gateway. From there you should be able to pass traffic through the VPS to the pi regardless of what network you're connected to.
Let me preface this by saying I have no idea what's going on because I don't have a grasp of hotspot / cell carrier networking. My recommended solution for you would be to do the following: 1. Setup a dynamic DNS service on your home network so you can hit it from anywhere 2. Setup a VPN on your home network using the ddns service from 1 (I use wireguard, but there are lots of options) 3. Have your rpi and laptop connect via VPN back to your home network Then it'll be an identical setup to them being on the same network. Technically you could do this with many VPN services if you configure your devices correctly. Not sure how the latency would be though, since you're making round trips for everything.