Subscriber Discussion

4G Connectivity With Static IP - Should We Use This?

Brent J
May 22, 2018
Spyglass Tech

Great post. We're looking into 4G connectivity for customers. However, a static IP address starts with a $500 'new account' fee, for both Verizon and AT&T. When your customer only needs 1 static IP, that can be a little high. We're researching the option of sticking with dynamic IP and using a Dynamic DNS (DDNS) service like NoIP to regain the benefit of a static IP. The second part of the equation would be setting up the VPN with this configuration. There seems to be conspicuously little talk around the interwebs about this setup. Perhaps we're missing something. Is there any experience with this?

NOTICE: This comment was moved from an existing discussion: Cellular (4G / LTE / 5G) For Video Surveillance Guide

richard wright
May 23, 2018

They are going to be paying at least $600 a year (likely more) for the rest of their (4G usage) lives; tell them to eat the $500 (at least it's a one-time cost...)

That's my personal opinion, one less thing to fail.

It IS possible to use VPN with a DDNS service. I've used Cradlepoint 4G stuff and here's the first thing I googled: http://usatcorp.com/faqs/series-3-can-find-vpn-setup-example-dynamic-ip-address-connections/

That's for a site-to-site VPN, but any of the other legit 4G router vendors probably have something out there or are willing to answer your question (Sierra etc.)

(1)
(3)
Brent J
May 23, 2018
Spyglass Tech

Thanks Richard. Agreed that a fixed line connection is preferred. If there is one already available, our problems are usually already solved. 

Some of these systems are in remote areas where a fixed line isn't available or feasible. The ongoing data cost comes in around $10/GB/mo. Depending on setup and settings, it can go a long way.

Frank Farmilette
May 23, 2018
A2 Systems

I have a customer using a ComNet CNFE3TX2CXMS 4G modem to monitor a remote video site.

Depending on your application, you may need ports open. I could not get them open any way that I tried using a DDNS service that would work reliably and consistently.

That being said, after the dance with AT&T getting a business class SIM/UICC card (they do not give out residential static IP assigned cards), the system works great. Yes, the start-up cost with AT&T was $500, but the customer took care of that as well as opened up the business account.

Basically 4G for security should only be used as a last, more expensive alternative if no other options are available but it can be done.

(1)
(2)
Greg Masters
Oct 08, 2018

I agree, a static, public IP is the most straightforward way. There are some vendors who resell Verizon/AT&T and do not charge the static IP fee. We have used one. Although the first "SIM" card we received for our 4G router was not set up with a static IP, we had to get them to reconfigure our service as they agreed.

The problem with most cell service data plans is the IP addresses are all NAT'ed. Same as you do with your home router, if you wanted to access your camera at IP 192.168.0.11 you would need to access your public IP and set a port forward in your router. While dynamic DNS services can take care of your changing IP, the main issue is that cell carriers' IPs are not public; regardless of what they are, they are "private" (NAT) on their network and not publicly routable. And they will not set up forwards for you. A 4G device can only initiate a connection outbound; once established, then data (internet) can be received. No one can ping or access your phone/router etc. from the internet over its private IP.

From a carrier standpoint, it allows them to provide service without using more IPv4 addresses, and there are security benefits. From a customer view, for us, it is a major issue.

There IS a workaround, though; it is a lot of work, but we have played with this. If you have a small PC (Intel NUC, RPi, etc.) on the customer's end, you can set up a reverse SSH tunnel using autossh. Once the tunnel is created (you will also need a relay server which is accessible on the internet), you can create an SSH connection into the relay server from your remote location and port map from your local PC to the camera behind the cell carrier NAT router and access/look at your camera. Autossh will monitor the tunnel and restart it if the connection is dropped, or the carrier changes the IP address. A VPN can work similarly, but the reverse SSH tunnel is, in effect, the same as a VPN without the overhead.

The static, public IP is **much** easier and reliable, if you can get one.

 

(1)
(2)
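The reverse tunnel described in the comment above, as an added example that is not from the thread or any poster. It builds the three pieces (site PC command, relay `authorized_keys` entry, viewer command) with the relay listener pinned to loopback. Assumptions: the relay host `relay.example.net`, the accounts `tunnel` and `admin`, relay port 8554 and the camera's RTSP port 554 are all hypothetical, and `permitlisten` needs OpenSSH 7.8 or later on the relay.

```shell
#!/bin/sh
# Added example, not from the thread. All names below are hypothetical.
RELAY_HOST="relay.example.net"   # constructed relay hostname
RELAY_USER="tunnel"              # unprivileged relay account used only by the site PC
RELAY_PORT=8554                  # loopback port on the relay that maps to the camera
CAMERA="192.168.0.11:554"        # camera IP from the thread; RTSP port is assumed

# Accept only -R specs that name a loopback bind address explicitly, so the
# camera never ends up listening on the relay's public interface.
check_forward() {
    case "$1" in
        127.0.0.1:*:*:*|localhost:*:*:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Site PC (behind the carrier NAT). -M 0 disables autossh's monitor port and
# relies on ssh keepalives; ExitOnForwardFailure makes ssh exit, and autossh
# restart it, if the relay port cannot be bound after a reconnect.
tunnel_cmd() {
    spec="127.0.0.1:${RELAY_PORT}:${CAMERA}"
    check_forward "$spec" || return 1
    printf 'autossh -M 0 -N -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes -R %s %s@%s\n' \
        "$spec" "$RELAY_USER" "$RELAY_HOST"
}

# Relay: authorized_keys entry for the site PC's key. "restrict" removes shell,
# pty, agent and X11; the key may open exactly one loopback listener.
relay_authkey_line() {
    printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%s" %s\n' "$RELAY_PORT" "$1"
}

# Viewing PC: $1 is the viewer's own relay account. Local port 8554 is carried
# to the relay's loopback port and from there through the tunnel to the camera.
viewer_cmd() {
    printf 'ssh -N -L 127.0.0.1:%s:127.0.0.1:%s %s@%s\n' \
        "$RELAY_PORT" "$RELAY_PORT" "$1" "$RELAY_HOST"
}

tunnel_cmd
relay_authkey_line "ssh-ed25519 AAAA...constructed-placeholder-key site-pc"
viewer_cmd admin
```

The script only prints the commands and the key entry; nothing is executed or connected.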
Greg Nuckles
Oct 08, 2018
IPVMU Certified

Greg - excellent and accurate.  We mainly work with Verizon/Static, but have had the unfortunate experience with AT&T and their NAT'ed IP addresses.  We could not DDNS this and had to call AT&T with the customer to help explain why a static IP address is needed.  Sometimes they will waive the $500 depending on the customer (in our experience). 

Michael Miller
Oct 08, 2018

So you're looking at Verizon's M2M setup.  Is your plan to get one account for you to resell to your customers or have all your customers sign up for an M2M account? 

 

We always recommend static IP addresses as that is one less thing to go wrong. 

 

What type of VPN are you looking for? Site to Site or SSL?

Greg Nuckles
Oct 08, 2018
IPVMU Certified

Michael, we use M2M, but only for health monitoring of camera systems because of the incredibly high costs associated with those plans. Do you have a better solution?

Michael Miller
Oct 08, 2018

So you use the LTE just for out of band monitoring/management, not camera streaming? All of our LTE projects are government customers with unlimited data. Our systems go on their accounts so we don't have to worry about the managing of the data plans.

You can get one M2M account and add your customers under your account. Data is pooled between all your accounts but you still have to manage any data overages/billing.

Vladimir Eremeev
Oct 09, 2018

If you need to use 4G for surveillance (streaming and/or health monitoring), VSaaS can be an option (not p2p). With it you don't need static IP, port forwarding, etc...

I'm from Ivideon VSaaS; we have a lot of customers - SOHO, Ent - using the service with a cellular Internet connection. Even for surveillance at transport.

Undisclosed #1
Oct 17, 2019

So you don't have issues with a Verizon double NAT?

(1)
Undisclosed #2
Oct 18, 2019

I use Verizon static IPs with Cradlepoint. Yes, the initial is 500; however, you can segment easily using DYN for client access needs.

I can build accounts on this for customer needed (RMR) access to those accounts for basic administrative operations.

However for the down low maintenance I would suggest using ZEROTIER as a low end admin, remote config tool for integrator administrative/monitoring need to limit valuable truck rolls to the site.

Good Luck!

(2)
(1)