A hotspot behind NAT, on Wi-Fi and on the road: do you need port forwarding and LTE

Category: HotspotsDifficulty: ★★☆~8 minutes

"I set up a hotspot — do I need to forward something on the router? My ISP gives me a private IP after all…" — this is probably the single most common beginner's question. The good news: in the vast majority of cases you don't need to forward anything. An MMDVM hotspot calls the master server itself — it opens an outbound connection rather than waiting for an inbound one. That's why it happily works behind home NAT, on mobile internet, on hotel Wi-Fi and from a car over an LTE modem. In this article we'll cover why it works this way, when problems do crop up after all (CGNAT, blocking, firewalls), how to power a hotspot on the road, and what to do if it "won't connect".

In shortA hotspot is a client, not a server. It is the one that reaches out to the master over UDP first, and the router's NAT automatically lets the replies back in via its connection table. Inbound port forwarding is needed only in rare, exotic scenarios — not for normal operation.

Why port forwarding is usually unnecessary

To grasp the logic, you need to know who calls whom. A hotspot running Pi-Star/MMDVMHost firmware connects to the network (BrandMeister, our DMRhub master, an XLX reflector) using the Homebrew/MMDVM protocol over UDP. The hotspot is always the initiator: it sends a login packet (RPTL) out to the master's address and port, authenticates, and from then on the "channel" is kept alive by periodic keep-alives — a ping/pong exchange in both directions.

When your hotspot sends a UDP packet out to the internet, the router records this in its address translation table (NAT/conntrack) and automatically returns the replies that come back from the same address. This is the same mechanism that opens websites in your browser without any forwarding. Therefore:

A private/"home" IP behind NAT — that's fine. An outbound connection doesn't need a public address.
Guest Wi-Fi at a friend's place, at work, in a hotel — usually works, as long as UDP is allowed outbound.
Mobile internet (LTE/4G/5G) — works, even though cellular carriers almost always use CGNAT (more on that below).

Which ports are involved

These are outbound ports on the hotspot's side — that is, the "from home to the internet" direction. You don't need to open them manually; NAT passes them through anyway. It's useful to know them for diagnostics and in case of a strict corporate firewall:

Purpose	Port	Where
Homebrew/MMDVM (DMR) to the BrandMeister master	UDP 62031	outbound, to the server
Connecting to an XLX/reflector	UDP 62030	outbound, to the server
Time synchronization (NTP)	UDP 123	outbound
Names/DNS (resolving the master's address)	UDP/TCP 53	outbound
Pi-Star updates, HTTPS	TCP 443/80	outbound

Where to get the exact portThe master's address and port are set in the hotspot's settings when you choose the network. For DMRhub the right server and port are filled in automatically in our ready-made image — you won't have to dig into the config by hand.

CGNAT and "symmetric" NAT: when theory meets your carrier

The most common scare story is CGNAT (Carrier-Grade NAT). That's when the carrier hides thousands of subscribers behind a single public IP — typical of mobile internet and some home ISPs. CGNAT adds yet another layer of translation between you and the network and breaks inbound port forwarding (you physically can't open a port "to yourself").

But our hotspot doesn't need inbound forwarding at all! For outbound UDP, CGNAT is almost never an obstacle: the packet leaves, the carrier holds the translation, the replies come back. So a hotspot behind CGNAT usually connects to the master just fine. There are still a few subtle spots:

Short translation time-outs. Some carriers quickly "forget" a UDP session with no traffic. Because of this the link may occasionally drop and reconnect. It's cured by the fact that Pi-Star sends keep-alives anyway — the session usually survives.
Symmetric NAT. For a simple "client → server" it's no obstacle: the master replies from the same address and port the login arrived at. Symmetric NAT problems concern P2P/STUN scenarios, not our client-server scheme.
Double NAT at home. If a router sits behind a router (for example, your Wi-Fi router behind the ISP's router) — for outbound UDP that's no problem either. But if you did need inbound forwarding, double NAT would kill it.

What can actually get in the wayNot NAT, but filtering: a corporate/guest firewall that only lets out TCP 80/443 and blocks everything else (including UDP and non-standard ports), or an ISP/country that blocks ports or hosts. On such networks the hotspot can't reach the master precisely because of blocking, not because of NAT. It's easy to check: connect the hotspot to a different network (for example, to a phone in tethering mode) — if it works, the problem is filtering on the original network.

A hotspot on mobile internet: LTE modem and smartphone

Since inbound forwarding isn't needed, a hotspot easily gets on the air wherever there's only cellular coverage — at the cottage, on a trip, in the car. There are two working options.

A smartphone as an access point (the simplest)

Turn on "Wi-Fi hotspot" (tethering mode) on your phone.
Enter the network name (SSID) and password of that hotspot in the hotspot's Wi-Fi settings.
Boot the hotspot — it connects to the phone and reaches the master through it.

Gotcha with the network nameIn Pi-Star the Wi-Fi name and password must not contain spaces or special characters, and the WPA network must be on 2.4 GHz (the Wi-Fi chip in the Pi Zero W/2W can't see the 5 GHz band). If the hotspot "won't latch onto" the phone's hotspot — first rename the access point without emoji and spaces, and switch it to 2.4 GHz.

A USB LTE modem or 4G HAT (more permanent)

For a permanent "mobile" node it's more convenient to plug a USB dongle or a 4G expansion board straight into the single-board computer. The downside is that setting up the modem interface under Linux is a bit harder than just entering a Wi-Fi password. The upside is that your phone stays free and the node is self-contained.

The law comes before convenienceA hotspot's mobility doesn't override the rules of the air. You may transmit (TX) only on the bands and at the power you are authorized for, according to your license class/permit. "I'm on the road" is no excuse for operating outside your allotted frequencies. The hotspot itself is low-power, but the antenna and frequency must be legal. Details — in the article on frequencies and the law.

Power on the road: how much a hotspot draws

The main travel advantage of a hotspot is its tiny power draw. A Raspberry Pi Zero (W/2 W) single-board computer with an MMDVM board draws roughly ~100–250 mA at 5 V in operation (on the order of 0.5–1 W on average; peaks during transmit and startup are higher). This means an ordinary power bank keeps the node running for a very long time.

Power bank capacity	Average ~150 mA draw	With margin (~250 mA, peaks)
5000 mAh	about a day+	around 12–16 h
10000 mAh	two days and more	around a day+
20000 mAh	several days	a couple of days

The figures are approximate: a power bank's real output is below its rated capacity (conversion efficiency, self-discharge, voltage sag toward the end), plus Wi-Fi and an LTE modem add to the consumption. But the order of magnitude is clear — this is not a power-hungry device at all.

Power and Li-ion: no tricksFeed the single-board computer a stable 5 V from a quality source. A bad cable and voltage sag are a frequent cause of "glitches" (the lightning-bolt icon on the Pi = insufficient power, hence freezes and dropped network). In the car, take power from a proper automotive USB adapter, not from a "sock" charger. Don't let a Li-ion power bank bake in the sun under the windshield, and don't use a swollen/overheated one — lithium leaks and burns, and you can't put it out with water. More in the articles on powering a hotspot and batteries.

"The hotspot won't connect": step-by-step diagnostics

If on the Pi-Star dashboard the master is "red" / Disconnected, work through it in order — from simple to complex. In 90% of cases one of four causes is to blame: internet, time/DNS, the master address, power.

Is there any internet at all. Open the hotspot's dashboard and check whether it sees the network. The quickest test is to connect the hotspot to a phone in tethering mode: if it works → the problem is in the original network (filtering/blocking), not in the hotspot.
Time and DNS. This is a classic trap. A Raspberry Pi has no built-in battery-backed clock (RTC), so after a long stretch offline its time "drifts". And with the wrong time DNSSEC signature validation breaks — the resolver starts treating DNS answers as "stale" and won't hand out an IP. You get a vicious circle: "no time because no DNS, and no DNS because the time is wrong". It's broken by a reboot with internet, a manual NTP sync, or a one-off manual date set.
The master's address and code. Check the settings: is the right server (Master) selected, is the correct password/security code entered, along with your callsign and DMR ID. A typo in the code or an old master address = "login rejected".
Power. The lightning-bolt icon, spontaneous reboots, loss of Wi-Fi — almost always under-powering (see the block above). Swap the cable and the source for ones you know are good.

# Manually sync the time on Pi-Star (over SSH)
sudo systemctl stop ntp.service
sudo ntpdate pool.ntp.org      # pull in the exact time
sudo systemctl start ntp.service

# If ntpdate isn't in the system (it's been removed on newer builds) —
# set the date manually, then ntp will pull in the exact time itself:
sudo date -s "10 JUN 2026 12:00:00"

# Check connectivity and DNS
ping -c3 dmrhub.ru             # does the master resolve and ping
date                          # is the time correct

Pin the IP if it "wanders"Sometimes drops are cured by assigning the hotspot a fixed local IP on the router (DHCP reservation by MAC). For a number of users, changing the hotspot's address on the LAN unexpectedly "fixed" both the time sync and the connection — a side effect of address conflicts on the network.

When port forwarding is needed after all

To close the topic honestly: inbound forwarding may be needed in rare cases, and they don't concern a hotspot's normal operation:

Access to the Pi-Star dashboard from outside. If you want to open the hotspot's web UI from the internet (not from the home network) — then you need forwarding/a tunnel. But exposing the admin panel to the outside is insecure; a VPN is better.
Your own master server. If you're running the network server itself (not a client hotspot) — that one does need a public IP and an open inbound port, because hotspots reach out to it. That's a different role.

Don't open more than you needDon't forward ports "just in case". Every open inbound port is an attack surface. For remote access to your own hotspot use a VPN, not a bare admin panel exposed to the internet.

Get a hotspot up in 15 minutes — and on the air

Our single-board-computer image already knows the address and port of the DMRhub master: insert the card, enter your Wi-Fi (or your phone's tethering) — and the hotspot reaches out on its own, no forwarding required. It works at home, at the cottage and on the road. Sign up — and enjoy private calls by DMR ID, SMS and talkgroups.

📦 Build a hotspot image About our image → Powering the node

Hotspot imageReady-made DMRhub firmware MMDVM hotspotWhat it is and how to build it Powering a hotspot5 V, power bank, car

Sources

Network Ports — the Homebrew/MMDVM (UDP 62031) and XLX (62030) ports for connecting a hotspot — wiki.brandmeister.network
Ports for DSTAR and DMR — discussion: outbound ports, no forwarding required — forum.pistar.uk
Incorrect time and date — the "no time → no DNS" trap, NTP synchronization — forum.pistar.uk
Review: Pi-Zero MMDVM Hotspot — power draw of a Pi Zero with an MMDVM board — n5txl.com