Configuring OpenWrt + 3G modem for IP camera RTSP internet access

Hello OpenWRT forums!
I installed OpenWRT on TL-WR902AC and I'm attempting to configure this setup so that my IP camera connects to Router LAN port -> USB 3G modem connects camera to internet for RTSP stream.

I have set up 3G router as eth1, and lan port as eth0.

I used following configuration:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd9d:b168:fb26::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.9.1'
        option gateway '192.168.9.22'

config device 'lan_eth0_1_dev'
        option name 'eth0.1'
        option macaddr '3c:84:6a:29:68:50'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '4 6t'

config interface 'lte'
        option ifname 'eth1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.9.11'
        option gateway '192.168.9.22'

Firewall is set to allow all, and all ports from all interfaces are opened.

LAN port has IP ~9.1 and GW ~9.11
ETH1 port has IP ~9.11 and GW ~9.22
3G modem has IP ~9.22 and GW ~9.11

I'm having problems trying to access network with this configuration. Maybe my IP understanding is incorrect.

  1. I cannot connect to network using Windows Laptop connected to LAN port (Windows static IP set to ~9.5, GW: ~9.1)
  2. I cannot reach the 3G USB modem interface from its IP address (~9.22)

That is all wrong. The lan and wan need to have separate IP ranges that don't overlap. Generally make the wan a DHCP client and check that its IP is not inside your lan's netmask. When the modem or phone company issues your DHCP address it will also set up the router default gateway and DNS properly.

Naming the wan side network exactly 'wan' is recommended since the default firewall already defines a zone for that with proper forwarding for Internet access.

The entire plan is unlikely to work though since 3g modems almost never get a unique public IP from the phone company. Phone companies tend to have many more customers than they have IPV4 addresses, so they engage in carrier-grade NAT. This means that a customer is routed through a network that is based on outgoing connections only, and they can't run a conventional server that accepts incoming connections.

1 Like

Thanks Mike for quick reply and advice!

I set it up as all static IP in order to know which IP addresses will be used when the system is deployed. I want to set it all now and avoid any manual setup in the future. What is the problem with internal static IP addresses, if I fix it to use different IP ranges for WAN and LAN?

> check that its IP is not inside your lan's netmask

How is this achieved?

> Naming the wan side network exactly 'wan' is recommended since the default firewall already defines a zone for that with proper forwarding for Internet access.

I have assigned firewall setting wan to eth1 interface.

> 3g modems almost never get a unique public IP from the phone company. Phone companies tend to have many more customers than they have IPV4 addresses, so they engage in carrier-grade NAT

That is not a problem, I have a dedicated SIM card with a public IP address (dynamic IP). It is designed for these types of M2M communications.

I will try your DHCP setup now.

I now used following configuration and still have the same problem.

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd6e:e967:bb24::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device 'lan_eth0_1_dev'
        option name 'eth0.1'
        option macaddr '3c:84:6a:29:68:50'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '4 6t'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'

I attempt to "ping 8.8.8.8" from windows laptop that is attached to LAN port of the Router, but there is no reply. Windows laptop is configured to use static IP 192.168.1.5 and Gateway 192.168.1.1 (the Router)

I would assume that the router would give internet access via LAN -> WAN -> 3G modem.

ping 8.8.8.8 does work in SSH in the Router OpenWRT linux terminal, so the router is indeed connected to the internet via the 3G modem.

Running ifconfig or ip addr show should show the eth1 interface has your public IP. Running route should show the default route is via the modem.

Since you can ping from the router but not forward from the lan, double check your firewall. With the wan named wan the default option network 'wan' in the wan zone definition should work.

1 Like

I have been trying to get this to work 4 hours every day, and cannot get LAN communication to WAN unless they have the same IP ranges. How can I achieve this? Why is using the same IP ranges bad, if it is the only way it works? I have tried to disable the firewall, but there is never a connection from LAN to WAN unless they are assigned to the same IP ranges.

Also it does not seem to make sense to use DHCP address for the dongle, because the dongle must be configured to 1 DMZ address. Static IP seems to be the only way to make it work? Why is static IP bad for the dongle?

The firewall must be enabled for NAT and routing between two IP ranges to work.

In general this should start as a default configuration and modify little by little. First substitute the dongle USB interface for the usual wired Internet connection. This should allow regular outward going Internet access from the LAN. For incoming connections you would next open or forward ports to your cameras.

Mentioning there is a DMZ set up in the dongle means it is running its own router not merely being a bridge direct to the Internet. Your OpenWrt router would be the target of the DMZ. From there you can forward individual ports to cameras or other machines on the LAN.

Internet --> Dongle WAN ~~> (Dongle LAN --> OpenWrt WAN) ~~> (OpenWrt LAN --> LAN device)

Here the dongle LAN and the OpenWrt WAN are in one private IP range-- controlled by the dongle, and the OpenWrt LAN and your LAN devices are in a different private IP range-- controlled by OpenWrt.

The dongle should have a DHCP server integrated thus OpenWrt WAN interface can take a DHCP IP, or it can be statically set once you know what range the dongle LAN uses. The OpenWrt router will be the only thing in the dongle's LAN besides the dongle itself, so it does make sense to set it as .2 for example with the dongle being .1. This would be the easiest way to make sure it is the target of the DMZ. Again though the DMZ isn't needed for basic outgoing Internet access, so have that working first.


If the dongle does allow more sophisticated forwarding of incoming packets you could make it the main router of the LAN and forward directly through. In this case OpenWrt would just be a bridge from the dongle USB to Ethernet or wifi. Basically everything about the LAN would originate from the dongle and need to be configured there. Also you would have to trust the dongle's firewall ability.

> The firewall must be enabled for NAT and routing between two IP ranges to work.

Thank you for the info. I did try this with the firewall enabled as well, and this helps to narrow down my guessing options.

> In general this should start as a default configuration and modify little by little. First substitute the dongle USB interface for the usual wired Internet connection. This should allow regular outward going Internet access from the LAN. For incoming connections you would next open or forward ports to your cameras.

Dongle connects to internet fine, but the problem is in connecting LAN -> WAN. (I try to open the dongle Web interface UI from LAN to test this).
Bridging is the only way I can manage to get it working (due to my limited skills and knowledge), otherwise I get no answer from the dongle if I try to use separate IP ranges and link them.

> Mentioning there is a DMZ set up in the dongle means it is running its own router not merely being a bridge direct to the Internet. Your OpenWrt router would be the target of the DMZ. From there you can forward individual ports to cameras or other machines on the LAN.

Seems to be the case. It is Huawei E3372, using usb-modeswitch & kmod-usb-net-cdc-ether, sorry I forgot to mention that.

> If the dongle does allow more sophisticated forwarding of incoming packets you could make it the main router of the LAN and forward directly through. In this case OpenWrt would just be a bridge from the dongle USB to Ethernet or wifi. Basically everything about the LAN would originate from the dongle and need to be configured there. Also you would have to trust the dongle's firewall ability.

The dongle seems to have very limited settings, no port forwarding or firewall settings available. It has the DHCP server, with assignable range and IP address.

Huge thank you for explaining this! I still have 2 questions as I want to understand why:

  1. Why separate IP ranges between LAN and WAN are better, than bridging them under same IP range?
  2. Why is DHCP server better in the dongle, over static IP (which would have 100% predictable address for the DMZ setting, unlike DHCP). Static address seems simpler configuration, no?

I will continue to attempt connecting these in proper manner and hopefully get outgoing connection without bridging LAN-WAN.

  1. Separate IP ranges are necessary for your router to do actual routing, such as directing different incoming ports to different cameras. If you put your LAN in the same IP range as the dongle's LAN, the dongle will be doing all the routing and it is limited in what it can do.

  2. I like it because it's more automatic and there is a single point of control (the DHCP server) to configure all the network addresses. But you can of course set a static IP as long as it is in the proper range which you need to know beforehand.

1 Like

Thanks for the explanation.

  1. I will have only one camera per gateway (connected to LAN), and with the only purpose of connecting that single camera's RTSP stream to the internet. Would a bridge be suitable for this use case? The camera has some firewall options as well. I cannot seem to get those separate IP ranges to work.

  2. DHCP seems more risky to me, because of the static DMZ IP address, so I probably use static IP due to that reason.

I don't see why this is causing so much trouble.

Make your wan network named 'wan' (not 'lte', since the name 'wan' is already defined in the firewall), at least temporarily set it as a DHCP client, to see what IP address and gateway the dongle issues.

If that IP address is outside the LAN IP range you should immediately have Internet access from the LAN and can proceed from there to set up incoming connections. If the dongle is running in 192.168.1.0 then you need to change the LAN to something else.


Making the router a bridge means that the camera needs to be the target of the DMZ, and you really have to trust the software in the camera since all of its ports will be open to the Internet. It's a bad idea to do that.

1 Like
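
The single-port alternative to making the camera the DMZ target, as an added /etc/config/firewall fragment that is not part of any post in the thread. It assumes the dongle's DMZ points at the OpenWrt WAN address and that the OpenWrt LAN is 192.168.4.0/24; the camera address 192.168.4.10 and the viewer address 203.0.113.7 are assumptions.

```uci
# /etc/config/firewall (added fragment; addresses are assumptions)
config redirect
        option name 'rtsp-to-camera'
        option target 'DNAT'
        option src 'wan'
        option proto 'tcp'
        option src_dport '554'
        # Assumed viewer address (documentation range); omit this line to accept any source.
        option src_ip '203.0.113.7'
        option dest 'lan'
        # Assumed camera address on the OpenWrt LAN.
        option dest_ip '192.168.4.10'
        option dest_port '554'
```

The wan zone keeps input and forward at REJECT, so the camera's other ports stay unreachable from the Internet. The viewer has to use RTSP over TCP (interleaved), because no UDP media ports are forwarded.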

Me neither. I just reset the system, configurations are as follows:

Does not open the router web-ui from the dhcp client IP address.

Interfaces:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fda0:10ee:4eeb::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device 'lan_eth0_1_dev'
        option name 'eth0.1'
        option macaddr '3c:84:6a:29:68:50'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '4 6t'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'

Firewall:

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

By default the firewall blocks http and ssh from the wan side.

If connecting the WAN breaks your LAN, that is probably an IP conflict so change the LAN IP to 192.168.X.1 where X is not 1 and try again.

1 Like

I changed LAN IP from 192.168.1.1 to 192.168.4.1, no luck.
WAN IP is 192.168.6.100, from DHCP client.

I'm trying to connect from PC to internet via LAN or to dongle web-ui (192.168.6.100), still does not work... I'm out of ideas.

I just want to raise something that was mentioned earlier...

@thomas2 - this is super critical. You're not going to be able to access your camera via standard methods if your connection doesn't have a public IP address on your WAN. You need to know what the actual IP address that is on the WAN of the LTE modem and then you need to compare it against the IP that appears when you google "what's my IP". If they are not the same, it will not work. If the WAN is anything in the RFC1918 (10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16) networks, or in the CG-NAT range (100.64.0.0/10), there will be no easy way to achieve your goals.
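
Both address checks discussed in the thread, the "IP is not inside your lan's netmask" test asked about earlier and the RFC1918/CG-NAT comparison in the post above, as an added example that is not part of any post. The function names are made up for this sketch, and it is written in plain POSIX sh.

```shell
#!/bin/sh
# Added example, not from the thread. Addresses marked "constructed" are sample values.

# Dotted quad -> 32-bit integer (subshell body keeps the IFS change local).
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# True when ADDR ($1) lies inside the subnet of NET ($2) with dotted MASK ($3).
in_net() {
    m=$(ip2int "$3")
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$2") & m )) ]
}

# True when two interfaces (ip_a mask_a ip_b mask_b) share address space.
overlaps() {
    in_net "$3" "$1" "$2" || in_net "$1" "$3" "$4"
}

# Classify the address the modem holds on its cellular side.
wan_class() {
    if in_net "$1" 10.0.0.0 255.0.0.0 ||
       in_net "$1" 172.16.0.0 255.240.0.0 ||
       in_net "$1" 192.168.0.0 255.255.0.0; then
        echo rfc1918
    elif in_net "$1" 100.64.0.0 255.192.0.0; then
        echo cgnat
    else
        echo public
    fi
}

# First config in the thread: lan 192.168.9.1 and lte 192.168.9.11, both /24.
if overlaps 192.168.9.1 255.255.255.0 192.168.9.11 255.255.255.0; then
    echo "192.168.9.1 / 192.168.9.11: same subnet, nothing to route between"
fi
# Last config in the thread: lan 192.168.4.1, wan 192.168.6.100 from DHCP.
if ! overlaps 192.168.4.1 255.255.255.0 192.168.6.100 255.255.255.0; then
    echo "192.168.4.1 / 192.168.6.100: separate subnets"
fi
# 192.168.6.100 is only OpenWrt's address on the dongle's LAN; the check that
# matters for inbound RTSP is the address shown in the dongle's own status page.
for addr in 192.168.6.100 100.72.13.5 198.51.100.23; do   # last two constructed
    echo "$addr -> $(wan_class "$addr")"
done
```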

192.168.6.100 is the IP of the OpenWrt router WAN interface. The dongle itself is likely 192.168.6.1. You can check that by examining the routing table that DHCP installed. Run the route command and look for the default line which would look like this:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.6.1    0.0.0.0         UG    0      0        0 wan

If it is something other than 6.1 use that IP instead. You should be able to ping it from OpenWrt and from a LAN computer.

1 Like

Thanks for the concern, but as previously mentioned, I am using a dedicated mobile network operator plan with a public IP address (no NAT). It is a specialized IoT plan, these cost 5-9€/month in Finland, the public IP is activated by setting the APN.

Ok cool. Sorry, I must have skimmed over that. Glad you have a public ip option to work with.

Darn, you are right!

Nevertheless, ping 192.168.6.1, or web-ui still does not respond... Hmm.
(I tested that ping works when dongle is plugged into PC USB, so it has the ping server).

Route displays following:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.6.1     0.0.0.0         UG    0      0        0 eth1
192.168.4.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.6.0     *               255.255.255.0   U     0      0        0 eth1

My PC Ethernet port is configured to Obtain IP address automatically (DHCP client)

Your PC should have a 192.168.4.X IP, being part of OpenWrt's LAN. The PC's default gateway and DNS server should both be 192.168.4.1.

Logged in to the router so you are running commands on the OpenWrt CLI, can you ping the dongle at 192.168.6.1?

1 Like