Firewall rules cannot modify TTL: Raspberry Pi + 5G router, cheapest T-Mobile Home Internet

The ultimate goal is to set up the cheapest home Internet with a T-Mobile tablet plan. One side of a non-OpenWrt router is connected to a T-Mobile 5G gateway and the other side is connected to a Raspberry Pi for bypassing T-Mobile's data throttling. The non-OpenWrt router is for better wifi broadcasting.

Tested firmware version: Raspberry Pi 4B 64bit Version 21.02.3. Firewall rules not working. When I ping 8.8.8.8 in the terminal, it should have TTL=68, but instead I get a random number. I tried other versions of the OpenWrt official firmware but none worked. I guess it's a network parameter setting issue or something missing from the official firmware. At the same time, I tested the customized firmware provided by others and found that I could ping with TTL=68. However, that firmware contained a large number of software packages, such as ad blocking, VPN, NAS, etc., which I did not need. My only purpose is to get the firewall rules running and successfully modify the TTL. I would really appreciate it if you could provide a less bloated firmware or solutions for the original firmware.

Correct reply after ping 8.8.8.8 in the terminal:

Firewall rules mentioned above:

# iptables rules for mangling ipv4 and ipv6 traffic
# prerouting rules appear to prevent leaks to the ISP
iptables -t mangle -I PREROUTING 1 -j TTL --ttl-set 68
ip6tables -t mangle -I PREROUTING 1 -j HL --hl-set 68
# postrouting rules do the heavy lifting
iptables -t mangle -I POSTROUTING 1 -j TTL --ttl-set 68
ip6tables -t mangle -I POSTROUTING 1 -j HL --hl-set 68
# modem decrements TTL from 65 to 64, which is what the ISP sees :)

Workable Firmware:

  1. Glinet MT3000: OpenWrt 21.02-SNAPSHOT r15812+879-46b6ee7ffc / LuCI openwrt-21.02 branch git-22.245.77575-63bfee6
  2. OpenWrt R24.01.18 by Haiibo / LuCI Master (git-24.014.66729-f45ed56)

Unworkable Firmware Version: (downloaded at https://firmware-selector.openwrt.org)

  1. Raspberry Pi 4B 64bit Version 21.02.3. (r16554-1d4dea6d4f) FACTORY (EXT4).

OpenWrt 21.02.3 firmware Network Settings:
vi /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.12.2'
        option gateway '192.168.12.1'
        list dns '192.168.12.1'

vi /etc/config/firewall

config defaults
        option syn_flood        1
        option input            ACCEPT
        option output           ACCEPT
        option forward          REJECT
# Uncomment this line to disable ipv6 rules
#       option disable_ipv6     1

config zone
        option name             lan
        list   network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

config zone
        option name             wan
        list   network          'wan'
        list   network          'wan6'
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option masq             1

vi /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/fe300000.mmcnr/mmc_host/mmc1/mmc1:0001/mmc1:00
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option disabled '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

vi /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'

Not the same, exact, situation but I do know T-Mobile totally messed up my Pi travel-router when I used my phone as a hotspot. And throttling was a HUGE issue.
They will send you to a (one they pass through) speedtest site and say "look, no throttling. Must be you".

The only fix I found (and I tried using my pi-hole to force DNS where I wanted it to go) was VPN.

Did you use the Pi travel router to change the TTL and connect it to your phone set up as a hotspot? Or how can you do that? T-Mobile only offers 10GB of hotspot data.

OpenWrt now uses nftables instead of iptables. So you need to write nftables rules, which was solved in this thread:

The TTL in ping replies has nothing to do with the ttl of outgoing packets. When Google etc answers your ping they choose a new TTL and it gets decremented once for every router it goes through on the way back to you.

Use tcpdump to observe outgoing packets.

02:00:28.663318 IP (tos 0x0, ttl 64, id 37848, offset 0, flags [DF], proto ICMP (1), length 84)
    192.0.0.1 > dns.google: ICMP echo request, id 15171, seq 3, length 64
02:00:28.751198 IP (tos 0x0, ttl 113, id 23704, offset 0, flags [DF], proto ICMP (1), length 84)
    dns.google > 192.0.0.1: ICMP echo reply, id 15171, seq 3, length 64
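To make the point above checkable rather than eyeballed, here is an added Python script (not from the thread) that parses `tcpdump -v` output in the form shown and reports the TTL of outgoing packets separately from incoming replies. The two sample lines are the ones quoted above; the local address 192.0.0.1 and the expected TTL of 68 are taken from the thread, and the capture command in the usage note is an assumption about where you would run it.

```python
import re

# Constructed sample input: the two packets quoted earlier in this thread
# (one echo request leaving the box, one echo reply coming back).
SAMPLE = """\
02:00:28.663318 IP (tos 0x0, ttl 64, id 37848, offset 0, flags [DF], proto ICMP (1), length 84)
    192.0.0.1 > dns.google: ICMP echo request, id 15171, seq 3, length 64
02:00:28.751198 IP (tos 0x0, ttl 113, id 23704, offset 0, flags [DF], proto ICMP (1), length 84)
    dns.google > 192.0.0.1: ICMP echo reply, id 15171, seq 3, length 64
"""

# First line of each packet as printed by `tcpdump -v`: timestamp, then the IP header fields.
HEADER = re.compile(r'^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \(.*?\bttl (?P<ttl>\d+),')
# Second (indented) line: "src > dst: summary".
FLOW = re.compile(r'^\s+(?P<src>\S+) > (?P<dst>[^:]+): (?P<summary>.*)$')


def parse_tcpdump(text):
    """Pair each 'IP (...)' header line with the indented flow line that follows it."""
    packets = []
    header = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            header = m.groupdict()
            continue
        m = FLOW.match(line)
        if m and header:
            packets.append({'ts': header['ts'], 'ttl': int(header['ttl']), **m.groupdict()})
            header = None
    return packets


def ttl_by_direction(packets, local_addr):
    """Split observed TTLs into packets we sent and packets sent to us."""
    out = {'outgoing': [], 'incoming': []}
    for p in packets:
        direction = 'outgoing' if p['src'] == local_addr else 'incoming'
        out[direction].append(p['ttl'])
    return out


def check_outgoing_ttl(packets, local_addr, expected):
    """Return the outgoing packets whose TTL is not `expected`.

    An empty list means every packet we sent carried the TTL the mangle
    rule is supposed to set; reply TTLs are deliberately ignored because
    the remote host chooses those itself.
    """
    return [p for p in packets if p['src'] == local_addr and p['ttl'] != expected]


if __name__ == '__main__':
    pkts = parse_tcpdump(SAMPLE)
    print(ttl_by_direction(pkts, '192.0.0.1'))
    for p in check_outgoing_ttl(pkts, '192.0.0.1', 68):
        print(f"{p['ts']} outgoing to {p['dst']} has ttl {p['ttl']}, not 68")
```

On the Pi you would feed it a capture taken on the upstream interface, for example `tcpdump -v -i <upstream interface> icmp` (interface name assumed), and look only at the `outgoing` list: on the sample above the request leaves with TTL 64, so the rule had not taken effect, while the reply's 113 says nothing about it either way.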

That is a perfect reason to make a pi-hole, reduces traffic from ads. I do not know how AdBlock works, it might drop, it might hide.

No, when you make an OpenWrt travel router you install Travelmate and it just lets you scan for a hotspot, join and remember it without having to save a bunch in the wireless config.

I noticed OpenWrt removed firewall custom rules since 22.03; however, I used the earlier version 21.02.3 to run iptables, so it should work.

Read the other thread. Firewall custom rules still exist, but they have to be nftables now.

There is a way to also load iptables into the kernel of a new version but that is not recommended for performance or forward compatibility.

If you do it this way, I believe T-Mobile will count all data received by the Pi router as hotspot data, which is capped at 10GB.

Pi-hole drops the dns request. So it cannot send data it does not know where to fetch it from.


I would like to have a try at converting to nftables. But why does iptables work successfully on the other two firmwares? Please refer to the above.

I believe the main reason is what packages do I need for the pi if I use it as a main router?
I guess I need to change the LAN port to WAN to be able to do so.

If you are not using IPv6 ( and I do not see you are) please do as the config file suggests.
I.E. remove the hash.

Will it fix everything? I dunno but at least it conforms to the rules.

As I said, I don't think it should be a lack of packages, because the original firmware doesn't have lots of packages either, not even iptables. I don't know what else it could be?

Do not do that. The disable_ipv6 option is dangerous since it removes the normal "block incoming" on wan for IPv6 and lets the kernel run bare with no firewall for v6. If your ISP supports IPv6 (and T-Mobile certainly does, they prefer it) this will expose LuCI, ssh, DNS, etc. to the Internet. Also I think it allows IPv6 forwarding wan->lan to your endpoints (which is denied with the default rules) so they are all exposed to the Internet as well.
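As an added check (not from the thread), here is a short Python script that parses an OpenWrt UCI firewall file and flags exactly the configuration the reply above warns about: `disable_ipv6 1` in the `defaults` section, plus a `wan` zone whose input or forward policy is not REJECT or DROP. The constructed sample is the thread's own /etc/config/firewall with the hash removed from the disable_ipv6 line, i.e. the change that was suggested and then warned against; the finding text is this script's wording, not OpenWrt's.

```python
import shlex

# Constructed sample: the thread's /etc/config/firewall defaults and wan zone,
# with the disable_ipv6 option uncommented as suggested earlier in the thread.
SAMPLE_FIREWALL = """\
config defaults
        option syn_flood        1
        option input            ACCEPT
        option output           ACCEPT
        option forward          REJECT
# Uncomment this line to disable ipv6 rules
        option disable_ipv6     1

config zone
        option name             wan
        list   network          'wan'
        list   network          'wan6'
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option masq             1
"""


def parse_uci(text):
    """Minimal UCI reader: returns a list of sections, each with type, name and options.

    'option' values are stored as strings, 'list' values as Python lists.
    Comment lines (leading '#') and blank lines are ignored, as UCI does.
    """
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = shlex.split(line)
        if parts[0] == 'config':
            sections.append({'type': parts[1],
                             'name': parts[2] if len(parts) > 2 else None,
                             'options': {}})
        elif parts[0] == 'option' and sections:
            sections[-1]['options'][parts[1]] = parts[2] if len(parts) > 2 else ''
        elif parts[0] == 'list' and sections:
            sections[-1]['options'].setdefault(parts[1], []).append(parts[2])
    return sections


def audit_firewall(text):
    """Return a list of findings about settings that expose the router on the wan side."""
    findings = []
    for section in parse_uci(text):
        opts = section['options']
        if section['type'] == 'defaults' and opts.get('disable_ipv6') == '1':
            findings.append("defaults: disable_ipv6=1 removes the IPv6 firewall "
                            "rules; delete (or re-comment) this option")
        if section['type'] == 'zone' and opts.get('name') == 'wan':
            for policy in ('input', 'forward'):
                if opts.get(policy) not in ('REJECT', 'DROP'):
                    findings.append(f"zone wan: {policy} policy should be REJECT or DROP, "
                                    f"found {opts.get(policy)!r}")
    return findings


if __name__ == '__main__':
    for finding in audit_firewall(SAMPLE_FIREWALL):
        print(finding)
```

Run it against the real file with `audit_firewall(open('/etc/config/firewall').read())`; an empty list is the expected result for the stock config, and the only finding on the sample above is the uncommented disable_ipv6 line.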

I did not catch it was in the firewall config; my bad.

I'll pay closer attention.