mrash / fwknop

Single Packet Authorization > Port Knocking

Home Page: http://www.cipherdyne.org/fwknop/

different IPs while on 4G network

geo99918 opened this issue · comments

I have the following issue with the fwknop client on Android while on a 4G network (all fine while on WiFi).

The IP addresses used are different and I can't get SSH access:

fwknopd[3183]: (stanza #1) SPA Packet from IP: x.y.145.z received with access source match
fwknopd[3183]: Added FORWARD rule to FWKNOP_FORWARD for x.y.141.z -> 0.0.0.0/0 tcp/22, expires at 1643227905
fwknopd[3183]: Added DNAT rule to FWKNOP_PREROUTING for x.y.141.z -> 0.0.0.0/0 tcp/22, expires at 1643227905

The SPA packet is sent from IP x.y.145.z and the IP in the packet is x.y.141.z, but the SSH connection comes from x.y.145.z and is thus not allowed.

Also, Google reports a third IP in the form of x.y.143.z when asked "what is my ip".
It looks to me like the 4G provider uses proxies and different IPs are reported.

How do I deal with such a situation?

Thanks
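To make the mismatch visible in the log above checkable, here is an added example (not part of this issue or of fwknop itself) that pairs each accepted SPA packet in fwknopd's log with the firewall rules added for it and flags grants whose allowed address differs from the packet's observed source address. The sample log lines are constructed after the ones quoted above, with TEST-NET documentation addresses standing in for the masked x.y.z values.

```python
import re

# Constructed sample modelled on the fwknopd lines in the issue; the addresses
# are documentation ranges (TEST-NET-2/3), not real hosts. The first grant
# reproduces the reported problem, the second is a normal matching grant.
SAMPLE_LOG = """\
fwknopd[3183]: (stanza #1) SPA Packet from IP: 203.0.113.145 received with access source match
fwknopd[3183]: Added FORWARD rule to FWKNOP_FORWARD for 203.0.113.141 -> 0.0.0.0/0 tcp/22, expires at 1643227905
fwknopd[3183]: Added DNAT rule to FWKNOP_PREROUTING for 203.0.113.141 -> 0.0.0.0/0 tcp/22, expires at 1643227905
fwknopd[3183]: (stanza #1) SPA Packet from IP: 198.51.100.7 received with access source match
fwknopd[3183]: Added FORWARD rule to FWKNOP_FORWARD for 198.51.100.7 -> 0.0.0.0/0 tcp/22, expires at 1643227950
"""

# Observed source of the SPA packet as seen by fwknopd on the wire.
SPA_RE = re.compile(r"SPA Packet from IP: (\S+) received with access source match")
# Address fwknopd actually opened the port for (the one carried inside the SPA packet).
RULE_RE = re.compile(r"Added (\w+) rule to \S+ for (\S+) -> ")


def parse_grants(log_text):
    """Group log lines into grants: one accepted SPA packet plus the rules
    fwknopd added for it. Returns [(observed_src, [(rule_type, allowed_ip), ...])]."""
    grants = []
    for line in log_text.splitlines():
        m = SPA_RE.search(line)
        if m:
            grants.append((m.group(1), []))
            continue
        m = RULE_RE.search(line)
        if m and grants:
            grants[-1][1].append((m.group(1), m.group(2)))
    return grants


def find_mismatches(log_text):
    """Return (observed_src, allowed_ip, rule_types) for every grant that opens
    the port for an address other than the SPA packet's observed source. A
    follow-up SSH connection arriving from observed_src will not match such rules,
    which is the symptom of a carrier NAT/proxy handing out differing addresses."""
    out = []
    for src, rules in parse_grants(log_text):
        by_ip = {}
        for rtype, ip in rules:
            by_ip.setdefault(ip, []).append(rtype)
        for ip, types in by_ip.items():
            if ip != src:
                out.append((src, ip, types))
    return out


if __name__ == "__main__":
    for src, allowed, types in find_mismatches(SAMPLE_LOG):
        print(f"SPA from {src} opened {'/'.join(types)} for {allowed}: source mismatch")
```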

If your mobile provider is doing full rewriting of traffic headers using SD-WAN-like techniques, your only choice is using tunneled encryption to bypass them (VPN/SDN etc.; of course, you don't really need port knocking at that point, do you?).

The second Google test you're using... keep in mind that's an HTTP test tool (that is frequently proxied) to diagnose a non-HTTP technology.