Using a router as "dumb" LTE gateway?

When looking at devices, make sure they support the bands you need from the carrier you intend to use. This can cause disappointments especially with older, inexpensive, or carrier-branded devices.

As a specific example, Band 12 where I am is the only one that is supported by T-Mobile (US) that has the reach I need. It isn't supported by iPhone 5s or many of the less-expensive LTE modems that I found.

Did you miss the part where I said it can be bought for cheap on ebay?

Because it can be found for less than 50 euros and it is a fully independent device with an ethernet port, so you don't need to crossflash the modem dongle to "dumb USB modem mode" and/or buy an additional OpenWrt-supported device and set up LTE with it (and deal with any bs and quirks the modem dongle of choice has).

Is there a reason you are using OPNsense on your router/firewall?
OpenWrt has x86 builds too so you can run it on the same hardware you installed OPNsense.

It might be a better idea to see if you can replicate those features in OpenWrt, so you can just install OpenWrt in that system and then you can connect all LTE USB dongles you want and it will work fine.

Ahah good question! I set up opnsense because I was looking for a good firewall.
At that time, it appeared to be a good choice.
I am also enthusiastic about learning more about this well-known tool.

I do have several tunings now (vpn server, rules for kids, guests...)
Opnsense offers a lot of flexibility... Openwrt can probably do the same (for my use), but it would cost me a lot of time to check, try, reconfigure etc... With family behind wondering why I broke something working :grin: (maybe you heard about those people called teenagers yelling if the wifi is turned off for 5 minutes...).

Well, you said your experience with opnsense is limited so I thought you were still experimenting with it.

As for family, I usually keep them on a fully separate network infrastructure anyway (the classic ISP router with wifi), as they don't need more than that.

OpenWrt and *sense distros are miles apart in terms of functionality and user friendliness so I don't really get why you'd even suggest that with mentioning the details.

Switching from your current setup to OpenWrt would be, in the majority of people's opinion, a downgrade and I doubt you want to do that. It utilizes x86 hardware much better and has a much more featured WebUI etc. However, while both distros target the same goal, OpenWrt is more aimed at devices with limited processing power and storage.
Anyhow, it seems to support USB modems ootb looking at and so you can either go that route or get a standalone LTE gateway (which will in ~95% of all cases enforce NAT irregardless of provider).

Regarding opnsense experience, I mean I'm not ready to dive into the command line and play around to make the USB modem work.
But the web gui is pretty well done and managing the firewall is ok.
Unfortunately, I cannot manage the family network like you did. So far, I have only one connection (DSL) and my ISP router has to be turned in bridge mode and shared. Also some devices are shared for the whole family (NAS, printer...)

@diizzy "gruser01" is a mistyping or some reference I don't know? :sweat_smile:
Regarding LTE support on opnsense... well, I know the page you shared (2nd link). But see, the chapter "supported hardware" is a bit short in my opinion :slight_smile:

Ok, as a summary, I can choose either:

  • find a suitable e3372 (for example) plugged in my opnsense device and deal with it.
  • find a suitable B310 (for example) and use the DMZ trick connected to my opnsense by ethernet.

FreeBSD arguably provides a very secure and sophisticated platform on which to build enterprise-quality firewalls and security appliances. Its drawback is that it doesn't support the plethora of consumer-grade devices that Linux-based OSes often do.


Because I disagree with that? Imho they are on par at best. You can do most common things with both, with web interface.

EDIT: I should mention I'm using monthly snapshots from master branch, and the user experience with those is different.
Things changed in the last years, VPN got a working web interface on OpenWrt and so on.
Too bad none will see that for another 4-5 months while they keep bikeshedding stuff instead of pushing a release.

FreeBSD isn't inherently better than Linux for firewall and security appliances, btw. Most of the value-added of Pfsense and OPNSense are its web interface and plugin ecosystem, not the underlying OS.

If all you want is an internet connection, then DMZ and "poor man bridge mode" are not required. I mentioned it because others might care about that.

You don't need bridging on a normal DSL modem/router either. If all you want is Internet, you don't care about daisy-chaining routers.

I still want to keep VPN access to my house (sometimes I want to connect to my home network from my phone), maybe it's possible, but more complex with daisy chain... but probably worse: I have a playstation :sweat: (PS & NAT is a long long story...).
I can try stuff for the LTE 'addon', but the DSL should be 1 NAT only.

Doing IDS/IPS on OpenWrt is quite a different experience, that also includes caching proxy and stuff on your OpenWrt install. Pretty much anything that requires a somewhat reasonable sized storage or processing power isn't available on OpenWrt at all or very crude at best and that includes logging. They're in general trying to cater to different target devices. That said, you might as well look at a Linux based distro in that regard.

Whether it's a good or bad measurement is up for you to decide but looking at CVEs... might be of interest in general

I still disagree on the general idea. It was true 3 years ago, but nowadays much less.
I'm not super into IDS/IPS but I've used Squid caching proxy and it has an interface.
In master/Snapshot there is also a working Docker package.

There are still some killer features on one side or the other but it's not as black and white.

Yeah the same old argument, here the canned answer.
CVE number is just a factor of how much someone is actually pentesting the platform.

Bridging should work, I've tried this setup like a year ago - modem interface was bridged to a VLAN on the LAN port, then this VLAN was switched through the network to another router. Don't recall which modem I tested with, but most likely that was Huawei or Sierra.


Neither qmi_wwan nor cdc_mbim supports bridging due to the way they (don't) use mac addresses/L2 headers. You're much better off creating a half-bridge. There is no way around that anyway, given that the mobile connection is an IP only point-to-point tunnel. Hiding this fact in modem firmware or drivers does not make it go away.

As for the completely off-topic FreeBSD discussion: I don't think FreeBSD has MBIM or QMI support. There is a CDC ECM/NCM driver which might be usable with some modems. But FreeBSD doesn't look like a good choice for any modern LTE modem, IMHO.

OpenBSD has an MBIM driver: So that's probably a good alternative if one wants to avoid Linux for some reason. But then this is the wrong place to ask. OpenWrt is a Linux distro.


Why wouldn't it be? The CDC ECM/NCM driver works just as good as the one on Linux, at least on my Allwinner H5 board (Orange Pi PC).
Load u3g and cdce driver or compile into the kernel and run
echo 'AT^NDISDUP= 1,1,"<APN>"' > /dev/cuaU0 + dhclient ue0.
This can of course be automated.

You're right as usual, so that probably was Huawei E3372 (NCM). My target router was pfSense and I share your observations regarding FreeBSD and modems.

I'm sure it does, but most modems don't support any of these protocols. And even for those that do, you may end up with a routing modem firmware.

Well for one thing, I know pfSense will sit at the console asking for user input, blocking boot, if a network device has gone missing. OpenWRT on the other hand, as it's aimed primarily at residential users and ease of use, gracefully ignores any missing devices.

It's why when I was testing LTE myself (with a mobile router) I had the device bridged plugged into an OpenWRT device (used as a WiFi AP) so the physical NIC could not disappear during a reboot. Although that problem may not be an issue if it's a device without a built-in battery so would always boot once power is applied.

I ditched the idea completely in the end as I found my cell tower just couldn't work reliably with pfSense. On a bad day if I used the connection the latency would spike to 2000ms, pfSense would reload the firewall marking the connection as down, the latency would then drop, so it would reload the firewall marking it up, and this would just happen constantly blocking ALL traffic. If I raised the latency where pfSense would treat a connection as down, it would use the LTE connection when it was overloaded and cause issues.

So it "might" be okay if you only use it as a backup, not load-balanced, but I'm not convinced. I figured in the end it was more reliable to just tether to my phone if my connection goes down.
