4G LTE bridged modem + R7000 setup. Issues solved (hope so)

Author Message
raulo1985
DD-WRT Novice


Joined: 21 Jun 2019
Posts: 26

PostPosted: Sun Sep 11, 2022 2:29    Post subject: 4G LTE bridged modem + R7000 setup. Issues solved (hope so)
4G LTE modem in bridge mode + R7000 as main router
(The only setup that has worked for me so far)

Hi there! Don’t know if you remember my posts from some months ago, but I wanted to report back, ask some questions that I haven’t been able to answer through my own research, along with sharing a solution that seems to work (in case this info is useful for somebody else).

I created a couple of threads before regarding some aspects of this setup, but here’s a little summary (to make things easier for you guys to correct/help me 😬).

Context:

Parents live in the middle of nowhere (and far away from where I live), only one ISP available there through LTE, but it refuses to give a fixed or dynamic IP (even by paying them), so they are CG-NATed. Fortunately throughput is decent enough for what they need.

My parents have health issues so they stay home most of the time, so I want to make them feel as comfortable and safe as possible. For that purpose, I bought my dad a pretty good smart TV (he loves movies and can’t walk well to go to cinemas or things like that. And he’s old school, he doesn’t like streaming services that much), installed smart light bulbs to mimic human behavior, installed Reolink IP cameras so they can watch them locally (NVR connected to the smart TV through HDMI, and also through the Reolink app on their phones) and remotely when they go out, and I built a Linux Mint server at my place (had to learn Linux from scratch, completely new world to me. And, of course, had to actually build the server) that’s up 24/7 for Syncthing (to back up my mom’s notebook content in real time to my own server. She has many family photos there) and also for a nice Plex media library I made for my dad.

Devices (at my parents’. My router is an AC5300, but I don’t think my own setup is relevant now):

- Their main router: R7000, flashed with DD-WRT r48450, nvram erased, set up from scratch. Local subnet 192.168.2.0/24, Wifi disabled, firewall enabled (at default settings), dhcp disabled, dnsmasq disabled, WAN set to Auto dhcp.
Remote management disabled (since they are CG-NATed, DDNS is of no use, so port forwarding is not possible), scheduled reboot once a week and also watchdog enabled using 8.8.8.8. Other settings at defaults.

- All “fixed” devices (like my dad’s tv and IP cameras) set with static IPs inside the main router’s subnet.

- Three Google Nest Wifi routers, one set as router and two as access points for the mesh system. WAN IP set to static 192.168.2.180 (random address I picked inside the main router’s subnet that doesn’t conflict with other devices), ethernet cable from a LAN port of the R7000 to the WAN of the Google Nest router. Google Nest Wifi subnet 192.168.22.0/24, with auto dhcp. This is the ssid everyone sees and connects to with their smartphones or tablets. Doesn’t matter if it’s double, triple natted or whatever, they only need internet with those devices. No port forwarding needed there.

- Netgear LM1200 4G LTE modem, with a SIM card from the ISP I talked about. I already registered its IMEI (in my country any unregistered IMEI is blocked after three months of use if not registered by an “autonomous” telecommunications cof state cof cof company. And you have to pay to register, just another way of grabbing our money). Sorry, back on topic. Modem configured as bridge, GUI’s IP 192.168.5.1, cable goes from its LAN port to the WAN port of the R7000.

Situation:

Well, I was trying to create a VPN tunnel (WireGuard) to be able to troubleshoot their devices since they don’t have a public IP (in other words, creating a site-to-site setup with my own router as server and theirs as client, since I have a dynamic IP and can use DDNS) and I’m also running into some issues on that front, but I guess that’s something for another topic. Just wanted to mention it so you can have a clear view of the big picture of what I want to achieve.

BTW, I don’t need all the traffic to go through the tunnel, I want their devices to use their router’s WAN for everything, I just want the tunnel so I can troubleshoot as if I were using a device inside their subnet, to be able to access the devices IPs.

Well, while trying to create the tunnel I ran into random WAN disconnections (basically, the R7000 lost the IP randomly) that became very frequent with time, to the point of becoming unusable (the internet). Sometimes they could be fixed by manually renewing the WAN IP, sometimes by rebooting the router, and sometimes I had to reboot the entire thing (modem included). I researched a lot before I came here and then I was given some very helpful tips here, but the issue persisted.

This whole thing is important to me, internet is almost my parents’ link to the world in a way, and sadly I can’t go there as often as I’d like. And because of the tips I was given here, I knew the setup I wanted was possible and that the hardware and firmware supported it, so I’m still not giving up on this one.
I was kind of stuck so I decided to spend some bucks and buy another LM1200 (it’s not that expensive and I may have another use case for it after this) and another SIM card from the same ISP, so I can troubleshoot all I want at my place. Luckily, I have a spare R7000, so I flashed the same DD-WRT version (r48450), nvram erased of course.
So now I have the exact same basic setup they have, including same ISP, only difference being the mesh system and devices (which shouldn’t make a… difference).

My findings (after some kind of stressful days, flight almost missed included):

- The randomness of the WAN disconnections led me to believe it could be related to MTU. So I put the SIM card inside my smartphone, shared internet to my notebook through cable, disabled wifi (so it wouldn’t connect to my own SSID), and did a ping test at DOS with the -l and -f options. I found that packets started to get fragmented at MTU 1422. I did the same test with my own SIM card (other ISP) and the result was the same (1422, idk if that’s kind of a default for LTE or not). So I changed my R7000 WAN MTU to 1420 and after that things improved a lot (I was getting the same type of disconnections as them before that). Not the end of the story, though.

- Internet was a lot more stable, but I kept getting random disconnections (and again, internet didn’t come back until I rebooted something, or renewed the IP), and also after some hours of use the speed was a lot lower. My guess was that the ISP was blocking or throttling hotspots (I refuse to think they block IMEIs btw), so I changed the outgoing WAN ttl of the R7000 to 65:

Rule:

Code:
iptables -t mangle -I POSTROUTING -o $(get_wanface) -j TTL --ttl-set 65


Saved at firewall.

Speed was more consistent and faster. But disconnections, although a lot less, persisted, and I had trouble finding a way for the R7000 to renew the WAN IP when the ISP changed it.

- I set the modem to router mode and things appeared to be solved, but I always try to leave the routing job to DD-WRT flashed devices (or at least not to modems/routers). But letting DD-WRT get the WAN IP every time the ISP changed it wasn’t working: as soon as the WAN IP (reported at DD-WRT status, as it should be if the modem was in bridge mode) changed, the internet connection dropped and sometimes DD-WRT even reported it as 0.0.0.0. When that happened I checked the modem’s GUI with my notebook (GUI access from devices connected to the network was dropped too) and it reported a valid IP (CG-NAT type of address, but valid). And while plugged directly into the modem I indeed got internet.

Thoughts:

So my conclusion on this matter was that my initial connection problems were due to an MTU value set too high for an LTE connection (and apparently my ISP doesn’t allow fragmented packets, so I had to go with a reasonable MTU, which turned out to be 1420), and that the speed issues apparently were because the ISP seems to have something against hotspots, and setting the WAN outgoing TTL to 65 seems to fix that (for now at least).

But the current situation I believe is due to DD-WRT (not saying it’s a bug, probably I’m not setting something up correctly), since the modem is able to get the CG-NAT IP from the ISP when in bridge mode, and when I connect my notebook with the NIC set to auto dhcp I don’t get disconnections (Windows renews the IP almost instantly).

Note: I saw a script to automatically renew the WAN IP by pinging an outside server at a set interval. Seems like a solution, but not ideal in this case when disconnections sometimes become very frequent (and it wouldn’t be nice if a movie buffers at its plot twist for example, tbh).

Solution?

So, before even going into creating a WireGuard tunnel, I first ran into serious WAN connection problems that turned out to be due to MTU, then sorted very low and unstable speeds by setting the R7000’s WAN outgoing TTL to 65 (btw, I still don’t know what counts as a hop here. The modem? Shouldn’t a bridged modem be considered a layer 2 device, which I understand doesn’t count as a hop?), but the WAN disconnections persisted unless I used the modem as a router. In other words, whenever I get a public IP at the R7000 because the modem is bridged, it’s just a matter of time until the ISP changes the IP, and DD-WRT doesn’t seem to be able to renew it by itself.

So I did one thing that, to this day, works, and with rock solid connection. The thing is I don’t even understand why it works 😆 (I’ve done it before, but honestly I’m not sure I get it).

I posted all of this because I’ve seen many posts of people with the same issues that I had (and I’m pretty sure many of them didn’t research as much as I did. I’m no expert, so I did research, a lot), but also to understand a little better why this works, if someone could kindly explain it to me.

Well, what I did was going the static WAN IP route. I set the modem to bridge mode (IP 192.168.5.1 for GUI), cable goes from its LAN port to the WAN port of the R7000, set everything as I mentioned before (IP 192.168.2.1, MTU of 1420, outgoing ttl of 65, local dhcp and dnsmasq disabled, remote management disabled, no ddns, firewall enabled, wifi disabled), but set a WAN static IP inside the modem’s subnet.
In this case, settings were WAN IP 192.168.5.2, subnet mask 255.255.255.0, gateway 192.168.5.1, and DNS 8.8.8.8, 8.8.4.4 and 1.1.1.1. This, alongside lowering the MTU and setting the WAN outgoing TTL to 65, fixed the connection issues, at least so far (three days of uptime). If I log into the modem’s GUI I can see that the ISP changes my “public” IP quite often, but since the R7000 has a static WAN IP already set, I guess the reason that keeps the connection alive is that the R7000 is not losing (and never renewing) its WAN IP, even though it’s not the “public” one.

Questions:

- Honestly, why does this work? I was under the impression that if a modem is set to bridge mode, all routing functions are disabled, so its IP was only there for GUI purposes. But this kinda sounds like another real subnet, so wouldn’t the traffic require some NAT to go through there? But the modem is set to bridge mode… idk, I may be misunderstanding things at a very basic level.

- The public IP (in this case, CG-NAT type of IP) appears in the modem’s GUI, and when set to bridge and R7000 WAN set to auto dhcp, the same IP shows at the DD-WRT status page. That’s what I understand by a typical setup where the modem is bridged. And if I set a static WAN IP, the status page obviously shows that IP (192.168.5.2). But if the modem is bridged I thought that it wouldn’t work (internet), but it does, so which device is the one that’s really getting the IP from the ISP? The static WAN IP setup works, but the modem is bridged, and I have internet… I don’t get it.

- I’ve found some threads about the WAN auto dhcp not renewing the IP, so apparently I’m not the only one. Is this a real issue? Is there a way to fix it besides the ping script? When I connect my notebook directly to the modem it doesn’t matter how many times the IP changes, the NIC renews it at the moment. Idk if I’m doing something wrong, but in the case of DD-WRT, if the ISP changes the IP it doesn’t get renewed by the firmware (at least for like half an hour, which is the time I waited when I was testing).

- Ultimately, with this setup, DD-WRT is the only device doing the NAT, right? From my initial understanding, this could look like a double natted setup (status page of the R7000 shows a WAN IP of 192.168.5.2), but at the same time it shouldn’t be (the modem is explicitly set up as bridged, with dhcp disabled). This whole 192.168.5.0/24 subnet thing gave me some not so nice headaches.

- Is there a way to check the real TTL that’s going out of the entire network? I know the DD-WRT command, but since I’m not sure if the modem is counting as a hop or not, it doesn’t hurt to ask if there’s an effective way of checking outgoing packets (from an LTE modem 🤷🏻‍♂️) and checking their TTL. So far the internet connection is solid, but when I install this setup at my parents’ I don’t think I would be able to return so soon, so if the ISP is in fact not receiving a TTL of 64 they might lower the speed or drop the connection later on. Just asking if there’s a way to make sure (even with packet sniffers, how do I capture outgoing packets from an LTE modem 🤷🏻‍♂️?).

I’ll keep this setup for some weeks without changing the settings and also using it (wifi), to see if everything continues to be stable. At least I can see how the ISP changes the IP many times a day at the modem’s GUI and the internet doesn’t drop for a second, I suppose that’s a good sign that this time things will continue to go well.

To sum up (settings):

So, if using a DD-WRT router alongside an LTE modem, and you are getting random disconnections or are unable to load certain pages, you could try this:

- Lower the WAN MTU to 1420.
- Go to administration, commands, paste:

Code:
iptables -t mangle -I POSTROUTING -o $(get_wanface) -j TTL --ttl-set 65


Press save firewall. Reboot the router.

- Enter to administration, commands again and paste:

Code:
iptables -vnL -t mangle


That’s just to check if the firewall rule was correctly applied. I’ve read some have better results with a TTL of 66, I guess it’s a matter of testing your own connection. But most pages mention 65, so I’ll leave it at that value for now.

- I would try first with auto DHCP at the WAN settings, but if random disconnections come, the only thing that worked for me (at the cost of being double NATed, though I still don’t know if that’s true. No downside here though, since I’ll build a VPN tunnel for remote access, no port forwarding needed) was changing the WAN settings of the main router to:

WAN IP 192.168.5.2 (assuming the subnet of the modem is that one)
Gateway: 192.168.5.1 (the IP of the modem)
Dns: I use 8.8.8.8, 8.8.4.4 and 1.1.1.1.

I don’t think you can port forward this way, but since the “public” IP I get is useless even for ddns, I see no real downside to being double natted (if I am 🤷🏻‍♂️).

Note: I mentioned earlier that setting the modem to router instead of bridged worked. In my case it does, but it behaves kind of weird. And most of the time I have gotten a disconnection after some hours. Not really a fan of routing mode on those types of devices (or firmwares).

Still, I’m not sure why auto DHCP in DD-WRT settings doesn’t work when the ISP changes the IP. I had this kind of setup before many times but with broadband cable modems with dynamic IPs, and DD-WRT never had a problem renewing the IP. Idk if this is something related to LTE mixed up with DD-WRT or if there’s something I don’t get (most likely option), but it was either this solution, or using the automatic renew WAN IP script. And I decided to go this route, and so far all is good.

Conclusion

Now everything works, but in the future I’m planning to build a similar setup, and I believe the ISP there does offer dynamic IP, so a true bridged setup would be nice, for port forwarding through ddns. But perhaps in that case I won’t get random disconnections, so one step at a time.

Anyway, for now I’ll test this setup for a couple of weeks, and if everything stays like now, at last this mission could be considered accomplished. Hope it will be, journey wasn’t easy, and most importantly, I will be able to give my parents a decent internet connection, a working wifi and access to their IP cameras and smart light bulbs. Things are not that safe there (what’s wrong with the world now?), they’ll (and I’ll) feel safer with those cameras/NVR working and smart bulbs mimicking human behavior. And since the Plex server is at my server (and I have a good cpu and good upload speeds), I can easily add media to the library if my dad asks me to. And my mom likes to read and browses a lot, so bottom line, that working internet and wifi are a priority.

Things will get a lot easier and pleasant for them if this works. I’m not going to say everything is solved until some time has passed, but it looks good so far (although I don’t even know if I’m double natted or not 🤷🏻‍♂️). Fingers crossed.

So thanks to all the members that helped me on my previous threads, at one point I was really stuck and pointing me in the right direction was the key. Special thanks to egc for his excellent VPN guides (I’ll now start troubleshooting the WireGuard tunnel), to all the community, and obviously to BS and devs, for creating this fine piece of firmware. Been using it for more than 15 years, and will continue to, to infinity and beyond.

👍
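The two checks described in the post (the "ping with don't-fragment and shrink the size" MTU test, and the `iptables -vnL -t mangle` check that the TTL rule is really in place) scripted for a Linux/BusyBox shell, as an added example that is not part of the original post and not DD-WRT project code. It assumes Linux `ping` options (`-M do` for don't-fragment and `-s` for payload size, the equivalents of the Windows `-f`/`-l` the post used), and the `vlan2` interface name, packet counters and host 203.0.113.1 in it are constructed sample values. The MTU search is done as a binary search over the payload size, so it generalizes the hand-stepped test in the post to any link, and the probe is passed in as a function name so the search logic can be exercised without a live connection.

```shell
#!/bin/sh
# Added helper script (not from the forum post or the DD-WRT project).
#  1) find_path_mtu: the DF-flagged ping test, done as a binary search so it
#     takes about ten probes instead of stepping the size by hand.
#  2) ttl_rule_present: confirm from `iptables -vnL -t mangle` output that the
#     TTL-rewrite rule is installed on the WAN interface with the wanted value.

# One don't-fragment probe of the given ICMP payload size; succeeds if a reply
# came back. Linux ping flags are assumed (-M do = don't fragment, -s = size).
probe_payload() {   # probe_payload SIZE HOST
    ping -c 1 -W 2 -M do -s "$1" "$2" >/dev/null 2>&1
}

# Largest payload that passes unfragmented, searched between MTU bounds
# LOW..HIGH (defaults 576..1500), printed as an IPv4 MTU (payload + 8 bytes of
# ICMP header + 20 bytes of IPv4 header). PROBE_FN is the probe to call:
# probe_payload on a real link, or a stub for testing the search itself.
find_path_mtu() {   # find_path_mtu HOST PROBE_FN [LOW] [HIGH]
    host=$1; probe=$2
    lo=$(( ${3:-576} - 28 )); hi=$(( ${4:-1500} - 28 ))
    "$probe" "$lo" "$host" || { echo "no reply even at payload $lo" >&2; return 1; }
    while [ "$lo" -lt "$hi" ]; do          # invariant: payload lo passes
        mid=$(( (lo + hi + 1) / 2 ))
        if "$probe" "$mid" "$host"; then lo=$mid; else hi=$(( mid - 1 )); fi
    done
    echo $(( lo + 28 ))
}

# Constructed sample of `iptables -vnL -t mangle` on a router where the rule
# from the post was saved to the firewall; vlan2 stands in for the WAN interface.
SAMPLE_MANGLE='Chain PREROUTING (policy ACCEPT 1234 packets, 567K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1200 packets, 500K bytes)
 pkts bytes target     prot opt in     out     source               destination
  987 88000 TTL        all  --  *      vlan2   0.0.0.0/0            0.0.0.0/0            TTL set to 65'

# Read the listing on stdin; succeed only if chain POSTROUTING holds a TTL
# target on the given outgoing interface that sets the given value.
ttl_rule_present() {   # iptables -vnL -t mangle | ttl_rule_present IFACE TTL
    awk -v iface="$1" -v ttl="$2" '
        /^Chain / { chain = $2; next }
        chain == "POSTROUTING" && $3 == "TTL" && $7 == iface &&
            $(NF-2) == "set" && $NF == ttl { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Usage on the router (WAN interface from get_wanface, as in the post's rule):
#   find_path_mtu 8.8.8.8 probe_payload
#   iptables -vnL -t mangle | ttl_rule_present "$(get_wanface)" 65 && echo "TTL rule active"
```

On a link like the one in the post, `find_path_mtu` prints 1422, and the post's choice of 1420 for the WAN MTU is simply a couple of bytes under that. The rule check only confirms that the netfilter rule exists on the router; whether a bridged modem decrements the TTL again on the way out is a separate question that only a capture on the far side of the modem could answer.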