Using a router as "dumb" LTE gateway?

Hi There !

Currently I use opnsense as main firewall/router for my xDSL connexion (not very fast).
I would like to add an LTE modem as second gateway on my opnsense router ( backup, load balancing etc...).
In order to avoid running in HW compatibility consideration, I was thinking I could simply use an openwrt device with LTE support
For example, the D-Link DWR-921 seems a pretty simple and quite affordable (on ebay) solution.

But adding a router on a router is not what I want....

Do you think I could just bridge the "wwan" (LTE) interface to an RJ45 (wan or lan port), disable DHCP etc... and just use the openwrt device as an "ethernet LTE modem" ?

I am almost sure you cannot bridge interfaces with different protocols.
Since I haven't tried it myself, get a second opinion.

1 Like

US$75-150 doesn't seem like it's "affordable" to me. Especially seeing that they appear to have been carrier-locked in some markets.

For that much, you can buy a Sierra Wireless card, an external, USB enclosure, two quality pigtails, and two decent antennas. Less if you go with Quectel or a used Sierra Wireless card.

Another option would be to wait for something like the forthcoming GL.iNet E750, which looks like it will have NAND flash. It is replacing an older model that sells at $109/129, depending on EC-25/EP-06 modem in it.

I found some DWR-921 (used) starting around 40€, but this is just an example.
I will check your suggestions.

My main concern is not the hardware... I wonder if I can "bridge" (or whatever solution) to somewhat get the LTE internet ip available on the RJ45 side (like a dsl to ethernet modem).

Route, probably.

Incoming connections, exceptionally unlikely for IPv4 on any cellular connection, potential for IPv6 (depends on carrier).

The "poor man's bridge mode" configuration (aka use DMZ and not care about the routing) would theoretically do the job.

Afaik the main issue is that many LTE providers are firewalling and natting your connection upstream anyway, so even if you open ports on your WAN interface you will still not get any inbound connection and your IP will be shared with hundreds of other users.
So all your effort will be for nothing. Please check this before sinking money in the project.

What I had to do in my home setup where I can only use LTE to have decent internet speed is to pay for a VPN service that allows port forwarding.

1 Like

Just a get a cheap compatible Allwinner based board (H3 or H5 preferably) and a USB modem such as E3372(h) and run your OS of choice, even FreeBSD works (which is what OPNsense runs) at least using NCM. That said, I haven't tried to bridge the modem interface with the ethernet one.

1 Like

@bobafetthotmail, but this IP sharing and port issue... It's a problem only if I want to enter home from LTE? Is this correct?
My main interest in this construction is to increase average speed from home and also have connexion backup if DSL is dead from some reason.

@diizzy Yes, I had also some ideas like this in mind, like using an orange pi with debian or Ubuntu server.
I asked this question here because if it works I would be happy to experiment with openwrt and learn more on this OS.

If you don't care about entering home network from LTE side there is no real reason to get a NAT-less "dumb" LTE gateway, or an OpenWrt device.

If OPNSense had decent support for the "smart" LTE dongles that show up as USB ethernet dongles like Huawei ones with "hilink" in the name, I would recommend that, as you could skip having an additional device doing nothing more than physical interface bridge.
See this thread on how someone tried to deal with that

I'm personally using and recommending a bare-bones LTE "router" with a single ethernet port, the Huawei B310 (I'm linking this site only to show full info about the device and its variants for different locations in the world, which is very important as LTE frequencies that are OK for USA are NOT OK for EU or Asia)
Its web interface allows you to choose about NAT type (cone vs symmetric) and has port forwarding and DMZ settings, so you can do the "poor man bridge mode" if you want to.
It also has external antenna connectors but its internal antennas are good enough for me.

You can get used (branded) ones cheap on ebay for example, just make sure they are the right variant for your location, were unlocked and can be used with any LTE carrier.

That's quite a substantial difference in price compared to a E3372h stick which are available on eBay at around 35 EUR (you need to flash if you want "stick" aka NCM mode however) including sellers within EU. Pretty sure it'll also work fine on 11.2 but I haven't tested it as all my machines are running 12.1 or -CURRENT by now.

It probably works, I mainly run FreeBSD (-CURRENT) on my Allwinner boards but OpenWrt at least boots and runs ffmpeg4 as far as I know. :slight_smile:

1 Like

Thanks for all informations!

This B310 seems interesting too. A few B310-22 can be found around 40€, It's a bit more than e3372, but not extremely.

I also saw it's possible to connect some e3372 directly to opnsense but it's far less documented than openwrt and my own experience is still pretty limited with opnsense.

When looking at devices, make sure they support the bands you need from the carrier you intend to use. This can cause disappointments especially with older, inexpensive, or carrier-branded devices.

As a specific example, Band 12 where I am is the only one that is supported by T-Mobile (US) that has the reach I need. It isn't supported by by iPhone 5s or many of the less-expensive LTE modems that I found.

Did you miss the part where I said it can be bought for cheap on ebay?

Because it can be found for less than 50 euros and it is is a fully independent device with a ethernet port, so you don't need to crossflash the modem dongle to "dumb USB modem mode" and/or buy an additional OpenWrt-supported device and set up LTE with it (and deal with any bs and quirks the modem dongle of choice has).

Is there a reason you are using OPNsense on your router/firewall?
OpenWrt has x86 builds too so you can run it on the same hardware you installed OPNsense.

It might be a better idea to see if you can replicate those features in OpenWrt, so you can just install OpenWrt in that system and then you can connect all LTE USB dongles you want and it will work fine.

Ahah good question! I setup opnsense because I was looking for a good firewall.
At that time, it appeared to be a good choice.
I am also enthusiat in learning more about this well known tool.

I do have several tuning now (vpn server, rules for kids, guests...)
Opnsense offers a lot a flexibility .. Openwrt can probably do same(for my use), but it would cost me a lot of time to check, try, reconfigure etc... With family behind wondering why I broke something working :grin: (maybe you heard about those people called teenager yelling if the wifi is turned off 5minutes...).

well, you said your experience with opnsense is limited so I thought you were still experimenting with it.

As for family, I usually keep them on a fully separate network infrastructure anyway (the classic ISP router with wifi), as they don't need mre than that.

OpenWrt and *sense distros are miles apart in terms of functionality and user friendliness so I don't really get why you'd even suggest that with mentioning the details.

Switching from your current setup to OpenWrt would be in the majority of peoples opinion a downgrade and I doubt you want to do that. It's utilizes x86 hardware much better and has a much more featured WebUI etc however while both distros targets the same goal OpenWrt is more aimed for devices with limited processing power and storage.
Anyhow, it seems to support USB modems ootb looking at and so you can either go that route or get a standalone LTE gateway (which will in ~95% of all cases enforce NAT irregardless of provider) .

Regarding opnsense experience, I mean I'm not ready to dive in command line and play around to make the USB modem work.
But the web gui is pretty well done and managing firewall is ok.
Unfortunatly, I cannot manage family network like you did. So far, I have only one connexion (DSL) and my ISP router has to be turned in bridge mode and shared. Also some devices are shared for the whole family (NAS, printer...)

@diizzy "gruser01" is a mis-taping or some reference I don't know? :sweat_smile:
regarding LTE support on opnsense...well I know the page you shared (2nd link). But see the chapter "supported hardware" is a bit short in my opinion :slight_smile:

Ok, as a summary, I can choose either:

  • find a suitable e3372 (for example) plugged in my opnsense device and deal with it.
  • find a suitable B310 (for example) and use the DMZ trick connected to my opnsense by ethernet.

FreeBSD arguably provides a very secure and sophisticated platform on which to build enterprise-quality firewalls and security appliances. Its drawback is that it doesn't support the plethora of consumer-grade devices that Linux-based OSes often do.

1 Like

Because I disagree with that? Imho they are on par at best. You can do most common things with both, with web interface.

EDIT: I should mention I'm using monthly snapshots from master branch, and the user experience with those is different.
Things changed in the last years, VPN got a working web interface on OpenWrt and so on.
Too bad none will see that for another 4-5 months while they keep bikeshedding stuff instead of pushing a release.

FreeBSD isn't inherently better than Linux for firewall and security appliances, btw. Most of the value-added of Pfsense and OPNSense are its web interface and plugin ecosystem, not the underlying OS.