Using mobile hotspot for WAN
-
@gblenn said in Using mobile hotspot for WAN:
perhaps you should look for a more advanced device. Those targeting SMEs, like Cradlepoint or Mikrotik will be more expensive but likely also the best performing. Especially if you can use an outdoor unit since you can get away from cable loss (antenna to unit).
Care to recommend one. I’ve been looking but honestly I don't know what I’m looking at so it’s hard to know which to get.
@gblenn said in Using mobile hotspot for WAN:
Optimally you would have Public IP and a router that supports bridging, which means pfSense will get that IP directly on WAN. The next best option is NAT with DMZ which will still allow Plex and any other services to work. If the router allows using an IP that is not from the private IP range, UPnP will work as well should you need it...
I’m going to try for a public IP. What is NAT with DMZ? I understand what the DMZ is but not sure what you’re referring to.
-
@wgstarks said in Using mobile hotspot for WAN:
Care to recommend one. I’ve been looking but honestly I don't know what I’m looking at so it’s hard to know which to get.
To be honest I have not looked too much beyond the consumer model (TP-Link archer600) I happen to have for my failover. I just know these guys have the equipment for the SME segment. But I guess the Chateau 6-US from Mikrotik looks like a really good fit. For any alternatives, compare the LTE bands it supports as they may be US specific.
It will likely require some work on your part if you are to really get the most out of it. It depends so much on the location of your house vs the cell tower, and any obstacles in between. A more distant cell from a different carrier may provide better performance if it's line of sight for example.
A high gain antenna (perhaps directional) and high up is usually the best but with an indoor unit you need to pull the antenna cable through the wall. And the longer the cables the more attenuation you get. With an indoor unit, try finding a spot high up on the wall facing the tower and shortest possible cable (pair) through to the router (wall mounted on the inside).
@wgstarks said in Using mobile hotspot for WAN:
I’m going to try for a public IP. What is NAT with DMZ? I understand what the DMZ is but not sure what you’re referring to.
What I meant was that if the router doesn't support bridging, you are stuck with NAT, even though DMZ basically opens up all ports towards pfSense.
-
@gblenn said in Using mobile hotspot for WAN:
But I guess the Chateau 6-US from Mikrotik looks like a really good fit.
~~It does look good. Of course I can’t find it for sale anywhere.~~
Emailed Mikrotik. Maybe I’ll get lucky. Found the last one on Amazon.
@gblenn said in Using mobile hotspot for WAN:
To be honest I have not looked too much beyond the consumer model (TP-Link archer600)
Thought I would take a look at this one too but can't find a US version. All the sellers seem to be in the EU so the power adapters are probably wrong.
-
@nollipfsense said in Using mobile hotspot for WAN:
@wgstarks I had planned on trying this with the iPhone but the seller didn't have possession on eBay so I didn't bother...Ethernet to pfSense.
I have one of those, and an iphone, and pfsense! Want me to give it a try?
I had never considered using it that way, as a wired WAN into pfsense. It does work the other way I intended, getting an iphone onto a wired ethernet network. That works just fine.
-
@akuma1x said in Using mobile hotspot for WAN:
@nollipfsense said in Using mobile hotspot for WAN:
@wgstarks I had planned on trying this with the iPhone but the seller didn't have possession on eBay so I didn't bother...Ethernet to pfSense.
I have one of those, and an iphone, and pfsense! Want me to give it a try?
I had never considered using it that way, as a wired WAN into pfsense. It does work the other way I intended, getting an iphone onto a wired ethernet network. That works just fine.
No. I only have one iPhone and not gonna tie it to my pfsense 24/7. Cheaper to buy an lte router. Just need to find one. Thanks though
-
@wgstarks said in Using mobile hotspot for WAN:
Thought I would take a look at this one too but can't find a US version. All the sellers seem to be in the EU so the power adapters are probably wrong.
I know, it seems they don't sell them in the US. I suppose besides the power adapter, it may not have the right frequency bands. The Mikrotik Chateau-6 has 'US' added to the name for a reason.
Not sure why but we seem to have more consumer variants to choose from here in the EU.
Do some testing in your house to find the ideal location, unless you know where the cell tower is. A simple way is to run speedtest in different locations. Otherwise there are apps (perhaps not on iPhone?) which will tell you the signal strength. Some may even provide the direction to or location of the tower, like Network Cell Info on Android (not sure how precise it is though).
After that you set it up and use it for a while and depending on performance you may want to look into external antennas. Cross polarized antennas are suggested... I'm using a Poynting XPOL which you can find on Amazon. They ship with cables but unless you set it up on a long pole, I suggest to change them out for the shortest cables possible.
-
@gblenn said in Using mobile hotspot for WAN:
@wgstarks said in Using mobile hotspot for WAN:
Thought I would take a look at this one too but can't find a US version. All the sellers seem to be in the EU so the power adapters are probably wrong.
I know, it seems they don't sell them in the US. I suppose besides the power adapter, it may not have the right frequency bands. The Mikrotik Chateau-6 has 'US' added to the name for a reason.
Not sure why but we seem to have more consumer variants to choose from here in the EU.
Do some testing in your house to find the ideal location, unless you know where the cell tower is. A simple way is to run speedtest in different locations. Otherwise there are apps (perhaps not on iPhone?) which will tell you the signal strength. Some may even provide the direction to or location of the tower, like Network Cell Info on Android (not sure how precise it is though).
After that you set it up and use it for a while and depending on performance you may want to look into external antennas. Cross polarized antennas are suggested... I'm using a Poynting XPOL which you can find on Amazon. They ship with cables but unless you set it up on a long pole, I suggest to change them out for the shortest cables possible.
Thanks. I managed to find the last one on Amazon.
There were also a couple on eBay for about 10 times their normal price. As soon as I get the new router I’ll hook it to an extension cord and try it in different spots. I have a good idea where the closest towers are in my area so that won’t be too complicated. A timber company has purchased all the local timber and should begin harvesting soon so I expect that will improve line of sight reception. Once again, thanks for all your help.
-
@gblenn said in Using mobile hotspot for WAN:
Chateau 6-US from Mikrotik looks like a really good fit
I agree and just waiting for the price to fall...makes a great fail over for fiber.
-
@wgstarks
Most of the Cellular accounts I have been on have used carrier grade NAT, they basically give you a NATed IP address. I briefly had an encounter with Frontier and then went to Hughesnet which was even worse surprisingly. All the time running my home built PFSense box as much as I could. I was actually able to sustain VOIP over Hughes net GEN2 with Vonage. The nice thing about routing through PFSense is it would hold the state longer than most of the devices upstream which really helped with connection drop outs.
I started off with AT&T cellular hotspots then went to Sprint then went to T-Mobile. I also have a Verizon MVNO SIM with Visible now. Most of what I've seen online encourages the use of a USB modem and supposedly you can connect these hotspots over USB. They usually present some sort of ethernet connection over USB although I'm trying mine and they're not working with PFSense yet.
The most reliable way I have found is to pick up a TP Link travel router, they're like 25 bucks at the most, you plug that into one of your WAN connections and configure it with a static IP address in the same range as the hotspot and then tell it to act as a client, basically a Wi-Fi ethernet bridge. Then you can position your hotspot at a reasonable distance in a good signal location somewhere where you can preferably get an external antenna (make sure your device supports external antennas, some do and are hidden some don't and some are hidden but don't). This is sort of the best of both worlds, PFSense handles all the routing the hotspot handles the Cellular and the travel router links the two in between. The only downside is you're double NAT but you're probably actually gonna be triple NAT unless you work out some sort of deal with a corporate account to get a public IP address and APN.
This also has the benefit of working with any! wireless hotspot. I do find the Netgear ones to be the nicest as they have an app that lets you monitor them on your phone and that can easily be forwarded through PFSense.
They also make a wireless cellular modem, stick a Sim card in and get ethernet out works really nice if it's compatible with your carrier, although they have a new model now with tri-carrier support. One thing to be aware of is battery bloat, not all of these devices properly handle the charging so it might be worth sticking them on a timer that goes off for a few hours during the night to kind of cycle the battery a little bit, since I've been doing that I haven't had too much of an issue.
But a few years ago I also got Comcast Business which came with its own cradlepoint back up connection.
You're definitely going to be looking at some sort of NAT penetration remote access. The pricing for public IP address space is ridiculous assuming they have it listed on their website and most of what I saw it seems to indicate you would need a business account.
I've also heard that some android devices will let you tether over a USB ethernet adapter, although well they might have better modem support you are now running a full-fledged phone.
There's also a lot of corporate grade stuff out there but prices go up quick.
Sounds like you might've worked out something already, hope it's working well.
Thought I would add my two cents in here for anybody else who might run across this post.
-
@imark77 said in Using mobile hotspot for WAN:
Most of the Cellular accounts I have been on have used carrier grade NAT they basically give you a NATed IP address.
Yesterday, I watched a video about how bad CGNAT is.
As they point out, the only solution to this nonsense is to move to IPv6.
-
@JKnott said in Using mobile hotspot for WAN:
the only solution to this nonsense is to move to IPv6.
I know T-Mobile home Internet box doesn't pass-through IPv6 router advertising...
-
They should still know how to reach your prefix. Are you saying the prefix changes? I haven't checked on my cell phone, but I've had the same prefix on my home network for 5 years.
-
@JKnott said in Using mobile hotspot for WAN:
They should still know how to reach your prefix
T-Mobile treats it as a single IP; so, anything behind pfSense won't get an IP...that was my disappointment and reason to return the box.
-
I'm interested in this as well. My Comcast cable goes down fairly frequently late at night for "scheduled maintenance" that they never notify about, despite my requests over many years. I'm tired of calling them to request bill credits each time. And that doesn't solve the problem of interrupted streaming. I need a cheap backup ISP for about 4-10 hours a month worth of Comcast downtime.
I have been testing Verizon 5G Home Internet since Saturday, because they upgraded their towers in my area, and offer the service at my address. The other carriers (AT&T, T-Mobile) will not sell it to me, for good reason - weak signal. I setup the Verizon ARC-XCI55AX gateway in IP passthrough mode. It is a perfectly adequate backup. The basic service, which I'm testing, costs $50/month, however. $600/year is a bit much to pay to cover the 4-10 hours worth of Comcast downtime that they shouldn't have in the first place.
It just so happens that my cellular provider, US Mobile, is an MVNO for both T-Mobile or Verizon. They offer a shared data plan, which would be perfect for our 2 smartphones, and a 3rd line for the home ISP backup. However, I need an unlocked 5G modem that will accept either an eSIM or a physical SIM. And it needs to preferably connect to pfSense via Ethernet. So far, I have not been able to locate such a device. Is there one? One device was mentioned upthread, but it is only 4G LTE, not 5G, and the manufacturer does not have a 5G version.
The other possibility would be to use a smartphone for the backup WAN. I have not tried to enable USB tethering on my phone and connecting it to pfSense. Right now, the phone is still on the T-Mobile network, which provides speeds of 0.07 Mbps up and 0.04 Mbps down. Definitely not suitable as a backup WAN.
If USB tethering doesn't work, the other option would be to use the phone as Wifi hotspot, and add a Wifi NIC to pfSense for the WAN connection. It seems that this should work per https://docs.netgate.com/pfsense/en/latest/wireless/configuration-wan.html, although it does not mention how to input the Wifi password. Presumably this is part of the encryption settings. I would much prefer to use a 5G modem with an Ethernet connection if one exists, than use a smartphone, though. Phones are subject to getting updates and rebooting themselves at the most inopportune times, possibly requiring user interaction to restart, which is not always possible if I'm traveling and need to access the home VPN. Phones also depend on a battery with limited lifespan.
-
@NollipfSense FYI, Verizon 5G Home Internet is providing me with a public, routable IPv4 address over DHCP.
DHCP6 also works, but I haven't messed with it. AT&T and T-Mobile don't have a usable data signal in my area.
-
@madbrain said in Using mobile hotspot for WAN:
DHCP6 also works, but I haven't messed with it.
I think you'll find most, if not all, cell networks have moved entirely to IPv6. However, I haven't heard of any of them providing DHCPv6-PD to the clients. You can get IPv6 addresses to devices connected to the phone or router, but not beyond that.
Take a look at your phone's IPv4 address. If it's something like 192.0.0.2, your phone is using 464XLAT to provide access to IPv4 only sites over an IPv6 only network.
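
The address checks discussed in this thread (CGNAT, the 192.0.0.2 sign of 464XLAT, double NAT behind a hotspot) can be written as a small classifier for whatever address pfSense receives on WAN. This is an added example, not part of any poster's message; the function names and sample addresses are constructed for illustration, and 100.64.0.0/10 is the RFC 6598 shared range carriers commonly use for CGNAT.

```python
import ipaddress

PRIVATE_NOTE = "behind the hotspot/router's own NAT; inbound needs DMZ or bridge mode upstream"

# (network, label, what it means for inbound services such as Plex or a VPN)
WAN_RANGES = [
    ("100.64.0.0/10", "cgnat", "carrier-grade NAT (RFC 6598); no inbound port forwards"),
    ("192.0.0.0/29", "464xlat", "IPv4 translated over an IPv6-only network (RFC 7335); no inbound IPv4"),
    ("10.0.0.0/8", "private", PRIVATE_NOTE),
    ("172.16.0.0/12", "private", PRIVATE_NOTE),
    ("192.168.0.0/16", "private", PRIVATE_NOTE),
    ("169.254.0.0/16", "link-local", "no DHCP lease from the upstream device"),
    ("fe80::/10", "link-local", "IPv6 link-local only; no global address assigned"),
    ("fc00::/7", "private", "IPv6 unique local address; not routed on the Internet"),
]


def classify_wan(addr):
    """Return (label, note) for an IPv4 or IPv6 address seen on the WAN interface."""
    ip = ipaddress.ip_address(addr)
    for net, label, note in WAN_RANGES:
        # Mixed IPv4/IPv6 membership tests simply evaluate to False.
        if ip in ipaddress.ip_network(net):
            return label, note
    if ip.is_global:
        return "public", "globally routable; the carrier may still filter inbound traffic"
    return "reserved", "special-purpose address; not usable for inbound services"


def directly_reachable(addrs):
    """True if at least one WAN address is globally routable."""
    return any(classify_wan(a)[0] == "public" for a in addrs)


if __name__ == "__main__":
    # Constructed sample addresses, one per case mentioned in the thread.
    samples = ["192.0.0.2", "100.72.13.5", "192.168.111.2", "8.8.8.8", "fe80::1"]
    for a in samples:
        label, note = classify_wan(a)
        print(f"{a:<16} {label:<11} {note}")
```

A "private" result only describes the hop next to pfSense: the hotspot in front of it may itself sit behind CGNAT, which is the double or triple NAT case mentioned earlier in the thread.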
-
@JKnott I would take a look, but my phone, currently on a T-Mobile MVNO, isn't getting any data signal over cellular at the moment. Just 2 bars worth of signal. That's not usually the case. I have waited several minutes and don't see a change. Maybe the T-mobile cell towers lost power. From what I have read, T-mobile uses CG-NAT for their home internet service. Signal just came back, and the phone has a 192.x.y.z local IPv4 address.
The Verizon Home Internet 5G service, on the other hand, works fine even with IPv6 completely turned off on the router for the corresponding WAN interface. I have 3 ISPs connected to my pfSense box right now, and all of them are getting public IPv4 routable addresses. One of them doesn't support IPv6 at all.
Everything behaves even if IPv6 is disabled on all WAN and LAN links. I have tested VPN from the outside with all 3 WANs using dynamic DNS, but not at the same time, as I would need 3 separate VPN configurations and 3 dynamic DNS names.
-
@JKnott I can confirm on my T-Mobile I am getting 192.0.0.2
Interesting thread. I know somebody with T-Mobile home Internet, I wish I checked their IP now. With my T-Mobile hotspot I've had occasions where it will connect up and have signal but no data will pass from my travel router and I have suspected that this is due to the hotspot only getting an IPv6 address (can't remember if I've confirmed this, I vaguely remember not seeing an IPv4 address listed in its status) and not having translation or the translation not working. Usually a reboot or 2 solves that although the hotspot doesn't give me high confidence either since it'll be 95°F out and it tells me it's shutting down due to "low temperature"?
From what I understand most networks have switched to IPv6 internally which is what they should've done instead of carrier grade NAT in the first place. There's an entire address block for IPv4 within IPv6, it makes no sense to me why they're not just using that on the backend to route IPv4 into IPv6 and then back to IPv4.
-
@wgstarks
I am using one right now and everything (except IPv6, but this is due to my carrier) is working excellently. I recommend buying an unlocked hotspot, so you can be more flexible with swapping SIMs/carriers. This is what I use:
https://www.netgear.com/home/mobile-wifi/hotspots/mr6550/
This one is cheaper and you only lose 5G mmWave and potentially Wi-Fi 6E if you use the hotspot as a Wi-Fi router (I don't and you can't, if you want to incorporate pfSense in the setup):
https://www.netgear.com/home/mobile-wifi/hotspots/mr6150/
Where I live I get up to 450 Mbps, usually around 200.
Both devices can connect to your pfSense box either through Ethernet or USB and offer passthrough mode.
I can also point you towards an unlimited (with some caveats) BYOD plan, if you are interested.
Hope that helps.
-
@madbrain "speeds of 0.07 Mbps up and 0.04 Mbps down"
That's either some really bad signal or maybe you're roaming? Was just up in upstate New York and whenever we hit an area outside of T-Mobile we roamed onto AT&T and they throttle the connection. My research sent me down to the info on AT&T emergency coverage just enough for calls and texts but it looks like they just agreed to leave it on all the time. Which is really annoying when you're trying to live stream something and the location you end up in is roaming but half a mile away isn't.
During this adventure I discovered that the data on the phone and the data to the hotspot with my Visible plan was different, I was using an iPhone. I was also reminded that the iPhone if it can connect to Wi-Fi like say a travel router won't forward data even though it's connected over USB tethering.... to the same travel router.
Ouch $600 a month for 4 to 10 hours. Might be worth looking into Comcast Business (which guarantees me speed +10% or something like that) but part of the package was an AT&T+Verizon cradle point back up gateway (that's unfortunately completely locked down), instructions say to loop through it but then you have no control so I have it hanging off one of my extra WANs. Approximately $250/m for 300mb and they text me when there's an outage. As much as I don't like normal Comcast.
If you do go to the Wi-Fi off the phone route. I have found rather than adding the complexity of Wi-Fi into PFsense (although supposedly it works just not with the cards I have). TP Link has a 20 something dollar travel router 2x2 cube that has a client mode and then just spits that out as ethernet fairly transparently. I set it to a static IP 192.168.111.2 within the same NET IP of my hotspot 192.168.111.1 but this also works for cell phone hotspots. PFsense can be either dynamic or static, doesn't matter, I've done it both ways.
That's how I did it for years before getting Comcast, only issue was AT&T policies, routing and billing and then we switched to Sprint>T-Mobile.