Using a router as a "dumb" LTE gateway?

If all you want is an internet connection, then DMZ and "poor man bridge mode" are not required. I mentioned it because others might care about that.

You don't need bridging on a normal DSL modem/router either. If all you want is Internet, you don't care about daisy-chaining routers.

I still want to keep VPN access to my house (sometimes I want to connect to my home network from my phone). Maybe it's possible, but more complex with a daisy chain... but probably worse: I have a PlayStation :sweat: (PS & NAT is a long, long story...).
I can try stuff for the LTE 'addon', but the DSL should be 1 NAT only.

Doing IDS/IPS on OpenWrt is quite a different experience, and that also includes a caching proxy and similar things on your OpenWrt install. Pretty much anything that requires somewhat reasonably sized storage or processing power isn't available on OpenWrt at all, or is very crude at best, and that includes logging. They're in general trying to cater to different target devices. That said, you might as well look at a Linux-based distro in that regard.

@bobafetthotmail
Whether it's a good or bad measurement is up to you to decide, but looking at CVEs...
https://www.cvedetails.com/product/47/Linux-Linux-Kernel.html
https://www.cvedetails.com/vendor/6/Freebsd.html
https://www.youtube.com/watch?v=AvSPqo3_3vM might be of interest in general

I still disagree on the general idea. It was true 3 years ago, but nowadays much less.
I'm not super into IDS/IPS but I've used Squid caching proxy and it has an interface.
In master/Snapshot there is also a working Docker package.

There are still some killer features on one side or the other but it's not as black and white.

Yeah, the same old argument; here's the canned answer.
The CVE number is just a factor of how much someone is actually pentesting the platform.

Bridging should work. I tried this setup about a year ago: the modem interface was bridged to a VLAN on the LAN port, then this VLAN was switched through the network to another router. I don't recall which modem I tested with, but most likely it was a Huawei or Sierra.

Neither qmi_wwan nor cdc_mbim supports bridging due to the way they (don't) use MAC addresses/L2 headers. You're much better off creating a half-bridge. There is no way around that anyway, given that the mobile connection is an IP-only point-to-point tunnel. Hiding this fact in modem firmware or drivers does not make it go away.

As for the completely off-topic FreeBSD discussion: I don't think FreeBSD has MBIM or QMI support. There is a CDC ECM/NCM driver which might be usable with some modems. But FreeBSD doesn't look like a good choice for any modern LTE modem, IMHO.

OpenBSD has an MBIM driver: https://man.openbsd.org/umb.4 So that's probably a good alternative if one wants to avoid Linux for some reason. But then this is the wrong place to ask: OpenWrt is a Linux distro.

Why wouldn't it be? The CDC ECM/NCM driver works just as well as the one on Linux, at least on my Allwinner H5 board (Orange Pi PC).
Load the u3g and cdce drivers, or compile them into the kernel, and run
echo 'AT^NDISDUP= 1,1,"<APN>"' > /dev/cuaU0 + dhclient ue0.
This can of course be automated.
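
The automation mentioned in the post above, sketched as an added example (not the poster's own script). It assumes FreeBSD, the AT port `/dev/cuaU0` and interface `ue0` from the post, `if_cdce` as the module name of the cdce driver, and a hypothetical `APN` environment variable; the APN is validated before it is written to the modem's control port so that quotes or control characters in it cannot change the AT command.

```shell
#!/bin/sh
# Added example: automate the NDISDUP + dhclient steps from the post above.
# Assumptions: FreeBSD; AT port /dev/cuaU0 and interface ue0 as in the post;
# the APN is supplied in the (hypothetical) APN environment variable.
MODEM_TTY="${MODEM_TTY:-/dev/cuaU0}"
WWAN_IF="${WWAN_IF:-ue0}"

# Accept only letters, digits, dots and hyphens, so the APN can never carry
# quotes, CR/LF or a second AT command into the modem's control port.
valid_apn() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the AT command for a validated APN; fail with no output otherwise.
ndisdup_cmd() {
    valid_apn "$1" || return 1
    printf 'AT^NDISDUP=1,1,"%s"' "$1"
}

# Load the drivers, send the dial-up command, then request a DHCP lease.
bring_up() {
    cmd=$(ndisdup_cmd "$1") || { echo "rejecting APN: $1" >&2; return 1; }
    # -n: do nothing if the module is already loaded or built in
    # (if_cdce as the cdce module name is an assumption of this example).
    kldload -n u3g if_cdce || return 1
    # AT commands are terminated with a carriage return.
    printf '%s\r' "$cmd" > "$MODEM_TTY" || return 1
    dhclient "$WWAN_IF"
}

# Only touch the hardware when an APN was given and the AT port exists.
if [ -n "${APN:-}" ] && [ -c "$MODEM_TTY" ]; then
    bring_up "$APN"
fi
```

Run it as root, for example from a devd rule or an rc script, with `APN` set to the provider's access point name.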

You're right as usual, so that probably was Huawei E3372 (NCM). My target router was pfSense and I share your observations regarding FreeBSD and modems.

I'm sure it does, but most modems don't support any of these protocols. And even for those that do, you may end up with a routing modem firmware.

Well, for one thing, I know pfSense will sit at the console asking for user input, blocking boot, if a network device has gone missing. OpenWrt, on the other hand, as it's aimed primarily at residential users and ease of use, gracefully ignores any missing devices.

It's why, when I was testing LTE myself (with a mobile router), I had the device bridged and plugged into an OpenWrt device (used as a WiFi AP), so the physical NIC could not disappear during a reboot. Although that problem may not be an issue if it's a device without a built-in battery, so it would always boot once power is applied.

I ditched the idea completely in the end as I found my cell tower just couldn't work reliably with pfSense. On a bad day if I used the connection the latency would spike to 2000ms, pfSense would reload the firewall marking the connection as down, the latency would then drop, so it would reload the firewall marking it up, and this would just happen constantly blocking ALL traffic. If I raised the latency where pfSense would treat a connection as down, it would use the LTE connection when it was overloaded and cause issues.

So it "might" be okay if you only use it as a backup, not load-balanced, but I'm not convinced. I figured in the end it was more reliable to just tether to my phone if my connection goes down.