Exactly. Internal allocate IP's are normally Natt'd and not actuall the IP you show up on the Internet as.
When you connect to your provider for Network (not using WiFi), the provider (most likely T-Mobile) will allocate an IP to you via DHCP. That IP is what your phone uses to talk to the provider. It most likely is NOT what you look like when you hit the Internet though, that will most likely be a different IP because TMobile is most likely not providing you with an Internet routable IP.
So, right now, I turned off WiFi and I got the IP 18.104.22.168. When my phone touches the Internet though, it shows up as 22.214.171.124.
So at that point in time, my phone is using 126.96.36.199 to get to T-Mobile's network and the Internet sees my phone as 188.8.131.52. the outside IP is in TMobiles published block. And why the internal IP is also, it really doesn't matter what it is because that is not what your phone looks like when it gets to the Internet.
It is possible in your area there are different networks available internally that are given to you when you connect depending on where you physically are and what towers you are closest to. At some times you get the 100.x network and you might even get the same IP as before because of a lease of that IP to your device, but then you move to a slightly different area which is handing out 30.x addresses. All perfectly normal. and the internal IP's really don't matter much.
You can use a search of Whats My IP to see what the Internet thinks your IP is when you get there.
With some providers (Verizon for example) if you are using ipv6, you will always get a non-routable IP, meaning that if you figure out your Internet IP, an outside connection may not get back to you unless your device initiated the connection, but if you use ipv4, they gave you a temp IP that would end up with a routable IP back. You could then use that to connect to your phone using something like VNC or other service. Now days, that is much more likely not the case unless you are paying for that special IP service. I don't know if Tmobile offers that type of service, but Verizon did at least a year or two ago.
In anycase, you firewall shouldn't matter unless you don't want to access your providers network.