Simplified Remote Access: Implementing NAT-less Bidirectional Communication with SIM-Based Routing
Historically, accessing an IoT device on a subnet behind a cellular router required significant manual effort. Engineers had to configure complex port forwarding, maintain specialized tunnels, or manage intricate router settings.
With the introduction of Soracom’s SIM-based routing, you can now link a specific SIM card to its router’s Local Area Network (LAN) IP range, allowing the SIM itself to serve as the routing destination. When combined with Soracom Gate, this feature enables a seamless L2/L3 environment across your cellular fleet – drastically reducing the time and cost associated with maintaining inter-site connections and IoT gateways.
The Network Configuration
In this guide, we will walk through a robust network architecture that leverages the Soracom suite to achieve direct, NAT-less communication.
Technical Stack
| Component | Specification |
| --- | --- |
| IoT SIM | Soracom Air for Cellular (plan01s) |
| IoT Device | Raspberry Pi |
| Cellular Router | Teltonika RUT240 |
| Cloud Environment | Amazon VPC |
| Gate Peer / Server | Amazon EC2 (Ubuntu or Amazon Linux 2) |
Key Benefits
- True Bidirectional Communication: Seamless access between IoT devices behind the router and cloud-based servers.
- Scalability: Supports many-to-many communication that grows effortlessly with your device fleet.
- Source IP Preservation: By eliminating NAT, the server sees the actual LAN IP of the IoT device, simplifying logging and security filtering.
While this guide utilizes AWS, the same architecture can be implemented on Azure using Soracom Door to connect to an Azure VPN Gateway.

Configuration Procedure
Step 1. Configure the Router and IoT Device
Goal: Establish basic connectivity between the IoT device and the Virtual Private Gateway (VPG).
- Create a VPG Type-F: (Reference: VPG Type-F Configuration)
  - Ensure the VPG device subnet (default 10.128.0.0/9) does not overlap with your existing cloud or LAN networks.
- Add the Router’s SIM to the VPG:
  - Add the SIM to a group (Reference: Groups)
  - Associate the group with the VPG (Reference: VPG Basic Settings)
- Configure the Router APN: Set up your RUT240 to connect to Soracom. (Reference: RUT240 Setup Guide)
- Connect the Raspberry Pi: Connect the Pi to the router’s LAN.
Verification: Confirm the SIM is active in the Soracom User Console and that the Pi can successfully ping pong.soracom.io.
Step 2. Configure Soracom Canal
Goal: Bridge your AWS VPC with the Soracom VPG.
- Deploy Cloud Resources: Create your VPC and EC2 Gate Peer.
  - Ensure your AWS Routing Tables and Security Groups allow ICMP traffic for testing.
- Establish Peering: Link the VPG and VPC using Soracom Canal. (Reference: VPC Peering with Soracom Canal)
Step 3. Configure Soracom Gate C2D
Goal: Create a virtual L2 bridge between the Cloud and the Router.
- Configure a Gate Peer: (Reference: Gate Peer Configuration)
  - Ensure UDP Port 4789 (VXLAN) is open in your AWS Security Group to allow Soracom traffic.
- Confirm Remote Device Access: Confirm that you are able to remotely access the RUT240 attached to your VPG. (Reference: Confirm Remote Device Access)

Step 4. Configure SIM-Based Routing
Goal: Enable the VPG to recognize the LAN subnet behind your cellular router.
- Enable IP Forwarding: Configure the cellular router to forward packets between its WAN and LAN.
- Enable SIM-Based Routing: Configure the VPG to route traffic destined for the LAN (e.g., 192.168.1.0/24) through the specific SIM. (Reference: SIM-Based Routing)
Step 5. Configure Soracom Junction Redirection
Goal: Direct outbound device traffic through the Gate Peer for consistent routing.
- Set Up Redirection: (Reference: Configure Junction Redirection)
  - Ensure your server’s Security Group allows incoming traffic from the IoT device’s LAN range.
Step 6. Disable NAT on the Router
Goal: Achieve a “transparent” network where source IPs are preserved.
- Disable Masquerading: On the RUT240, navigate to Network > Firewall > Zones and turn Masquerading OFF for all zones.
Final Verification:
- Packet Capture: Run sudo tcpdump -i enX0 -n icmp on your server.
- The Result: When you ping the server from the Raspberry Pi, the server will now see the source address as 192.168.1.10 (the actual device IP) instead of the router’s cellular IP.
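The final verification can also be scripted. The following is an added example, not part of the original guide or Soracom's tooling: it reads `tcpdump -n icmp` output lines and reports whether echo requests arrive from the device LAN or are still masqueraded behind an address in the VPG device subnet. The two ranges are the guide's example values; the function names and sample capture lines are constructed for illustration.

```python
import ipaddress
import re

# Ranges taken from the guide's examples; change them to match your deployment.
LAN_SUBNET = ipaddress.ip_network("192.168.1.0/24")  # LAN behind the router
VPG_SUBNET = ipaddress.ip_network("10.128.0.0/9")    # default VPG device subnet

# Matches the echo-request lines printed by `tcpdump -n icmp`.
ECHO_RE = re.compile(r"\bIP (\d+\.\d+\.\d+\.\d+) > \d+\.\d+\.\d+\.\d+: ICMP echo request")

def classify_source(src):
    """'lan' = device address preserved, 'vpg' = still masqueraded behind the
    router's cellular address, 'unexpected' = neither range."""
    addr = ipaddress.ip_address(src)
    if addr in LAN_SUBNET:
        return "lan"
    if addr in VPG_SUBNET:
        return "vpg"
    return "unexpected"

def audit_capture(lines):
    """Count echo-request sources per class; replies and other lines are ignored."""
    counts = {"lan": 0, "vpg": 0, "unexpected": 0}
    for line in lines:
        match = ECHO_RE.search(line)
        if match:
            counts[classify_source(match.group(1))] += 1
    return counts

def nat_disabled(counts):
    """Pass only if LAN sources were seen and none came from the cellular range."""
    return counts["lan"] > 0 and counts["vpg"] == 0

# Constructed sample lines, not a real capture; 10.0.1.25 is a made-up server address.
SAMPLE_MASQUERADED = [
    "12:00:01.000001 IP 10.200.3.4 > 10.0.1.25: ICMP echo request, id 7, seq 1, length 64",
    "12:00:01.000090 IP 10.0.1.25 > 10.200.3.4: ICMP echo reply, id 7, seq 1, length 64",
]
SAMPLE_TRANSPARENT = [
    "12:05:01.000001 IP 192.168.1.10 > 10.0.1.25: ICMP echo request, id 9, seq 1, length 64",
    "12:05:01.000085 IP 10.0.1.25 > 192.168.1.10: ICMP echo reply, id 9, seq 1, length 64",
    "12:05:02.000003 IP 192.168.1.10 > 10.0.1.25: ICMP echo request, id 9, seq 2, length 64",
]

if __name__ == "__main__":
    for name, sample in (("masquerading on", SAMPLE_MASQUERADED), ("masquerading off", SAMPLE_TRANSPARENT)):
        print(name, audit_capture(sample), "NAT disabled:", nat_disabled(audit_capture(sample)))
```

A non-zero `unexpected` count means echo requests arrived from outside both ranges, which is worth checking against the Security Group rules from Step 5.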
Summary
While NAT has long been a staple of networking, it often introduces unnecessary complexity in IoT architectures. By integrating Soracom Gate, Junction, and SIM-based Routing, organizations can build a transparent, secure, and bidirectional network that functions like a local office LAN, regardless of where the devices are deployed globally.