EC25 in ECM mode: DMZ or NAT port forwarding, resetting configuration of QCMAP web auth

I am using Quectel EC25-E miniPCIe module in the data-only mode, inside third-party router based on OpenWRT firmware (Turris Omnia).

So far everything works fine in PPP mode, but I like to upgrade to ECM mode for better network throughput.

As a part of this PPP to ECM migration effort, I would like to configure DMZ or NAT port forwarding in ECM mode (which was enabled via AT+QCFG="usbnet",1 command).

Quectel EC25-E in ECM mode seems to support web-based configuration for NAT, firewall, UPnP and DMZ.

My problem is that after changing default password from “admin” my unit to longer allows me to log in.

Resetting unit to factory default settings via AT+QPRTPARA=3 doesn’t seem to affect configuration of QCMAP web auth.

So, my questions are:

  1. Regarding implementation of DMZ or NAT port forwarding in ECM mode: is it functional as of now?
  2. Is there any way to reset QCMAP web auth settings to factory defaults? Maybe some AT command?
  3. Alternatively, is it possible to configure DMZ or NAT port forwarding in ECM mode via AT commands?

The ECM mode obtains the LAN IIP and cannot perform NAT.


Obviously it performs NAT in ECM mode and has two distinct IP addresses on both sides (LAN and WAN). This can be confirmed via traceroute command, for example.

Did you resolved this?

I have EG25-G in ECM mode (it works on latest firmware) and there is NAT.

If I check IP from operator it’s

+CGCONTRDP: 1,5,,,,

Interface has IP

enxe6abfdb8afda: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet netmask broadcast
inet6 fe80::b126:3d92:f948:81a8 prefixlen 64 scopeid 0x20
ether e6:ab:fd:b8:af:da txqueuelen 1000 (Ethernet)
RX packets 647 bytes 77933 (77.9 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1081 bytes 132264 (132.2 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

If i traceroute to google’s, firsts hops shows that there is NAT

traceroute to (, 30 hops max, 60 byte packets
1 _gateway ( 3.199 ms 3.250 ms 3.290 ms
2 ( 72.020 ms 90.933 ms 90.899 ms
3 ( 90.863 ms 90.943 ms 94.981 ms

Is there way to define DMZ IP or port forward to LAN IP (all ports)?

There are related settings in the configuration file mentioned here.
Personally I would avoid ECM and use MBIM or QMI.

Thanks. ECM works nicely if you only need internet connection, but if you need access from internet or m2m network to device then it’s more complicated and may not work.

I think I stay in QMI :slight_smile:

No, I couldn’t resolve this issue and so, I ultimately settled on the PPP mode of EC25 module.

QMI mode didn’t work for me because EC25 and host router (Turris Omnia) start to disagree about external IP address on the LTE interface after each reconnection to the carrier (i.e. on session expiry). EC25 reconnects successfully, gets a different IP address, and then host router doesn’t have a way to get notified about that and continues to send packets in the vain, to an old IP address. Probably I could hack up a script which polls uqmi -d /dev/cdc-wdm0 --get-current-settings in a loop (and updates host-side settings accordingly) or whatever, but I decided that setting up PPP is just easier.

In ECM mode, I couldn’t enable port forwarding through EC25’s builtin NAT. It looks like implementation of this feature in EC25 firmware is incomplete, or at least not properly documented. No way to reset unit to the factory settings etc. I hope to see this feature implemented some time later in the future.

MBIM mode didn’t work under TurrisOS/OpenWRT at all (lack of drivers or whatever).

Same issue with EM12-G in QMI, after session expire need to reset modem for obtain new configuration. In ECM mode did not need to do this.

Regarding original question about port passthrough via NAT on EC25 in ECM mode, CVE-2021-31698 vulnerability (shell injection in AT command handler) may be of help.

On older firmware revisions (before April 2021) AT+QFUMOCFG command argument was passed to the system() call without prior sanitization/cleaning. Quick check looks like this:


If your unit is vulnerable, then it may be possible to invoke iptables command on EC25 this way, and so rewrite firewall rules to enable port forwarding via NAT in ECM mode.

iptables -t nat -A PREROUTING -i <wan_interface_on_ec25> -p tcp --dport <tcp_port_number> -j DNAT --to-destination <ip_address_in_lan>

I haven’t done it myself, but I’d love to know if anyone else could.