TL MR6400 running LEDE: the DMZ from the LTE module won't work properly and incoming connections are never made

Hello,

I have a TL MR6400 running LEDE. The DMZ from the LTE module (inside modem) won't work properly and incoming connections are never made. The idea is that port forwarding won't work, since I want to port forward from my LTE static IP to the internal LAN 192.168.1.0/24.

Internal LAN: 192.168.1.1/24
LTE Modem internal IP: 192.168.0.1/24
Static IP for WAN: 192.168.0.100
Static LTE IP: 10.100.25.140

How can I make it work so that if I type 10.100.25.140:8014 on the Internet, it will forward to 192.168.1.60:8014?

I know how to create port forwarding. Will a bridge between LAN and WAN work?

If you're using your router as a WAN facing router (i.e. Cable/DSL modem connected to WAN [internet] port on the router), then LAN and WAN should never be bridged.

If the only WAN connection you have is the LTE modem, and the router's WAN port is not being utilized, you could bridge the CPU's eth0 & eth1 (if dual interface CPU) and configure the vSwitch to place all vLANs under the LAN interface.

  • I've never used a cellular modem on my routers, but I don't believe you should be running a DMZ for that type of connection
    • I could very well be wrong about the above, however a DMZ removes all control, and protection, from the router's firewall for the DMZ... for all intents and purposes, traffic within the DMZ has unfettered access to anything within the DMZ.
      • Majority of consumers have nothing in their configuration or environment requiring a DMZ

Why does your LTE modem have a second RFC1918 static IP on the router [192.168.0.1/24]?

  • Again, I could very well be wrong because I've never used a cellular modem on my router, but I'd assume the LTE modem should be configured the same way in OpenWrt as a traditional Cable/DSL modem.
    • I.E. it should be configured as a WAN network without the 192.168.0.0/24 subnet.

Either way, please post the following:

  • /etc/config/dhcp
  • /etc/config/firewall
    • Please mask/change all WAN forwarding ports being used for services such as SSH, VPN, etc. when posting
  • /etc/config/network

Thank You for your reply

Check this link: https://wiki.openwrt.org/inbox/tp-link/tp-link_tl-mr6400_v1.0#lan_interface_rndis_interface_network_collision

Here You are:

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

Here you are:

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option forward 'ACCEPT'
	option network 'wan wan6'
	option input 'ACCEPT'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

	option proto 'SNMP SNMPD'

config forwarding
	option dest 'wan'
	option src 'lan'

Here You are:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdbf:2aa8:a685::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1 eth1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option ifname 'usb0'
	option proto 'static'
	option ipaddr '192.168.0.100'
	option netmask '255.255.255.0'
	option gateway '192.168.0.1'
	option dns '192.168.0.1'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 0t'

I attached screenshots of the LTE modem interface:
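Two things a reader can check in a posted /etc/config/firewall like the one above: whether a `config redirect` for the wanted port actually exists (the wan->lan DNAT that a port forward is in OpenWrt), and whether the wan zone's policies are still the stock `REJECT`s (the posted file has `option input 'ACCEPT'` on the wan zone, which exposes the router's own services to the WAN side even before any forward is considered). This is an added example, not code from the thread or from OpenWrt: the UCI parser is a minimal one written here that only understands single-quoted values, and the embedded sample is a constructed, trimmed copy of the poster's file with the wanted redirect section added. The redirect option names (`src`, `src_dport`, `dest`, `dest_ip`, `dest_port`, `proto`, `target`) are real firewall options.

```python
"""Parse an OpenWrt /etc/config/firewall and check two things this thread turns on:
does a wan->lan redirect for the wanted port exist, and are the wan zone's
policies still the stock REJECTs. Added example, not from the thread; the
parser is a minimal one written here (quoted values only), and the sample
config is a constructed, trimmed copy of the poster's file plus the redirect."""
import re

# Constructed sample: the poster's firewall config trimmed to the relevant
# sections, plus the redirect the poster wants (wan:8014 -> 192.168.1.60:8014).
SAMPLE_FIREWALL = """
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option forward 'ACCEPT'
	option network 'wan wan6'
	option input 'ACCEPT'

config forwarding
	option dest 'wan'
	option src 'lan'

config redirect
	option name 'app-8014'
	option src 'wan'
	option src_dport '8014'
	option dest 'lan'
	option dest_ip '192.168.1.60'
	option dest_port '8014'
	option proto 'tcp'
	option target 'DNAT'
"""

# "config <type> ['name']", "option <key> '<value>'", "list <key> '<value>'"
LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?\s*$")

# Policies OpenWrt ships for the wan zone and the defaults section
# (defaults input ACCEPT is stock; defaults forward and wan input/forward are not).
STOCK = {"defaults": {"forward": "REJECT"},
         "wan": {"input": "REJECT", "forward": "REJECT"}}

def parse_uci(text):
    """Return a list of (type, name, options) sections. 'list' keys collect
    into Python lists; 'option' keys are plain strings."""
    sections = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE.match(raw)
        if not m:
            raise ValueError("unparseable line: %r" % raw)
        kind, key, val = m.groups()
        if kind == "config":
            sections.append((key, val, {}))
        elif not sections:
            raise ValueError("option before any config section")
        elif kind == "option":
            sections[-1][2][key] = val
        else:
            sections[-1][2].setdefault(key, []).append(val)
    return sections

def zone(sections, name):
    """Options dict of the zone called `name`, or None."""
    for typ, _, opts in sections:
        if typ == "zone" and opts.get("name") == name:
            return opts
    return None

def audit_policies(sections):
    """Findings for every defaults/wan policy that is looser than stock."""
    findings = []
    for typ, _, opts in sections:
        if typ == "defaults":
            for pol, stock in STOCK["defaults"].items():
                if opts.get(pol, stock).upper() == "ACCEPT":
                    findings.append("defaults %s is ACCEPT (stock: %s)" % (pol, stock))
    wan = zone(sections, "wan") or {}
    for pol, stock in STOCK["wan"].items():
        if wan.get(pol, stock).upper() == "ACCEPT":
            findings.append("zone wan %s is ACCEPT (stock: %s)" % (pol, stock))
    return findings

def find_redirects(sections, dport, dest_ip):
    """Names of redirect sections that DNAT wan:<dport> to dest_ip."""
    hits = []
    for typ, _, opts in sections:
        if typ != "redirect":
            continue
        if (opts.get("src") == "wan" and opts.get("src_dport") == str(dport)
                and opts.get("dest_ip") == dest_ip
                and opts.get("target", "DNAT").upper() == "DNAT"):
            hits.append(opts.get("name") or "<unnamed>")
    return hits
```

Run against the sample, `find_redirects(parse_uci(SAMPLE_FIREWALL), 8014, "192.168.1.60")` returns `['app-8014']` and `audit_policies(...)` lists three policies that are ACCEPT where stock is REJECT; on the poster's real file the first call returns an empty list, since no redirect section is present there.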


Duplicate of: [DUPLICATED] Tl-mr6400 port forwarding

We will use this as the main subject.

You don't have a public IP. A 10.x.x.x address is a private IP from the phone company. Their router is going to block incoming connections. In other words you're already being NATted on the company's side of the LTE link, and other than getting them to reconfigure their network, there is nothing you can do.

So the service type you have will never allow incoming connections from the Internet. This is common on 3G / LTE.

I have a public IP :slight_smile: I have my own private APN, so the IP is static. The normal router worked, with the normal firmware.

This issue has been reported by me here. The MR6400 has an LTE module running Android; when you flash LEDE/OpenWrt, the LTE module still uses its own firmware.
With stock firmware on the router there are no problems with incoming connections, but with LEDE the incoming connections never reach the WAN interface on the router side (probably because the DMZ on the LTE firmware is not set properly).

As I said in that post, I ran tcpdump on the router side and on the LTE module using adb shell (more info). The LTE module always receives the incoming connection requests, but they never reach the WAN interface on the router side. Conclusion: even if you set port forwards properly on the router side, there will be no incoming connections to forward from WAN to LAN.
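The two replies above disagree about the 10.100.25.140 address but agree on the mechanism: an inbound connection has to be passed along by every address-translating hop on the way in (carrier, LTE module, router), and the first hop without a forward or DMZ for that port is where it dies. The following is an added example, not code from the thread: it classifies the WAN address against the RFC 1918 and RFC 6598 (carrier-grade NAT) ranges, then models the poster's topology as a chain of NAT hops and traces port 8014 through it with the module's DMZ present and absent. The hop names and the `Hop` structure are this example's own; the addresses are the ones posted in the thread. Whether a carrier routes inbound traffic to a 10.x address (the poster says a private APN does) is outside what the script can tell, so it is represented only by whether the module hop has a DMZ.

```python
"""Model the inbound path Internet -> LTE module -> router WAN -> LAN host.
Each hop that translates addresses needs its own forward or DMZ entry, or the
connection stops there. Added example; addresses are from the thread, the hop
model is this example's own."""
import ipaddress
from dataclasses import dataclass, field

# RFC 1918 private ranges and RFC 6598 shared address space (carrier-grade NAT).
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")

def classify(addr):
    """'rfc1918', 'cgnat' or 'public' for an IPv4 address string."""
    ip = ipaddress.ip_address(addr)
    if any(ip in n for n in PRIVATE):
        return "rfc1918"
    if ip in CGNAT:
        return "cgnat"
    return "public"

@dataclass
class Hop:
    name: str
    addr: str                                       # address this hop answers on
    forwards: dict = field(default_factory=dict)    # dport -> inside address (a DNAT rule)
    dmz: str = None                                 # catch-all inside address, if a DMZ is set

    def next_for(self, port):
        """Inside address an inbound connection to `port` is handed to, or None."""
        return self.forwards.get(port, self.dmz)

def trace_inbound(hops, port):
    """Walk an inbound connection to `port` through the chain. Returns
    ("delivered", final_addr), ("blocked", hop_name) for the first hop with
    neither a forward nor a DMZ for that port, or ("misrouted", hop_name) when
    a rule points somewhere other than the next hop."""
    for i, hop in enumerate(hops[:-1]):
        nxt = hop.next_for(port)
        if nxt is None:
            return ("blocked", hop.name)
        if nxt != hops[i + 1].addr:
            return ("misrouted", hop.name)
    return ("delivered", hops[-1].addr)

def thread_chain(module_dmz_works):
    """The poster's topology. The LTE module's DMZ to the router's WAN address
    is what the thread finds missing under LEDE; the flag toggles it."""
    return [
        Hop("lte_module", "10.100.25.140", dmz="192.168.0.100" if module_dmz_works else None),
        Hop("router", "192.168.0.100", forwards={8014: "192.168.1.60"}),
        Hop("host", "192.168.1.60"),
    ]

if __name__ == "__main__":
    print("LTE address class:", classify("10.100.25.140"))
    for works in (False, True):
        print("module DMZ set:", works, "->", trace_inbound(thread_chain(works), 8014))
```

With the DMZ absent the trace stops at `lte_module`, which is exactly the tcpdump observation above: the module sees the SYN, the router's WAN interface never does. With the DMZ present the same router redirect delivers to 192.168.1.60, and a port the router has no rule for (say 22) is blocked at `router` instead.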

Did you try to change the LTE module? I.e. installed another one?

What?? You make no sense most of the time! Do you mean update the LTE module firmware?
Yes, I did that.

Change the LTE model. Replace the LTE model device.

Can you log into the module's web page? The stock router firmware may have been doing something to configure the module that would need to be done manually with OpenWrt.

As far as the router is concerned the module is merely a USB device-- even though it is plugged into a PCIe slot, the electrical interface is USB. And the modules always have closed firmware. Sometimes the phone company pushes new firmware.

Yes, I can access the module web interface but there are not many settings to change. It has its own DHCP, 192.168.0.1/24. What if I changed the whole module and plugged another wireless card (another model) into the PCI slot, will it work? If yes, how can I configure the new module? Because I have a Sierra Wireless module I can test it with.

Sorry to bother, but what did you do to reach the LTE modem interface? I can't in any way...

Well, what I did: I removed the wireless module (3G/4G) and replaced it with another one, and OpenWrt worked fine for me. I spent 3 months of testing and trying.

I also could not access the modem interface at first.
I did two things:

  1. Updated the router firmware with the OpenWrt firmware upgrade through the upgrade interface in LuCI.
  2. I went to this exact address: http://192.168.0.1/login.html and it worked, as described here.

Not sure part 1) was necessary.
Let me know if it works for you.