IPhone Tethering to pfSense

YeahBaby

Hello all. I am an extreme newbie here. Yes this question has been asked before, seems like once a year USB tethering of phones into pfSense comes up. Here is some new details I have not seen vetted on this forum regarding iPhones. If they have, please share the link.

One question that comes up is, what does an iPhone show itself as? That answer appears to to be [pseudo] Ethernet with the IP address of 172.20.10.2. See Attached screenshot from a Mac.

Another question that comes up (on various forums) is how it is routed in the iPhone. Whether actually relevant is another issues. However, the iPhone USB tether channel is its own route. A quick test to show this is, run a VPN on the iPhone, then do a USB tether to a computer (which I am doing as I put this post together). Then open your favorite browser on the iPhone and go to your favorite IP address finder site. Note your phone based browser will present the VPN assigned IP Address. Then do the same on the computer. You will find that the computer is not being routed through the iPhone's VPN. But rather presents the IP Address your iPhone's LTE/4/3/2 G that is assigned by your Carrier.

So if you want a tether to a computer AND a VPN serving that computer, both the iPhone and the computer need to run their own copies of the VPN client and connect independently.

All that said, this Ethernet-ish connection is Ethernet route-able as is proven by doing an "Internet Share" of it, from almost any computer's USB to the computer's Ethernet jack. This works on almost every platform in service today, at least Mac, Linux and Windows for sure.

When I plug my iPhone into my pfSense box (old Dell Inspiron 530S) the console sees it and confirms "ugen7.2: <apple inc.="">at usbus7"

Given the above I believe there must be a very straight forward answer to using a USB port with a tethered iPhone as a WAN connection. Does anyone have that answer?

Thanks in advance.

[edit: typo]

thethered-to-Mac.jpg_thumb </apple>

AndrewZ

Please read https://forum.pfsense.org/index.php?topic=106477.msg594536#msg594536
Note the warning at the beginning, skip 1-4 and start from 5.

YeahBaby

Perfect! Thanks.

YeahBaby

So where i hit a "brick wall" is that in (I'm guessing) my installed version there is no "Interfaces - (assign) - add new" option. Nor is there a "System - Gateways" menu option. So are these options in older versions?

AndrewZ

In the current version it looks slightly different:
Interfaces - (assign) - Available network ports: - select ue0 - Add

BTW, do you see ue0 in ifconfig output?

YeahBaby

Okay Gateway is under System - Routing - Gateway

Interface - (assign) - Interface Assignments - Interface/Network port does not show ue0 and I do not see it in the ipconfig output.

AndrewZ

@Yeah:

I do not see it in the ipconfig output.

It should be ifconfig, not ipconfig.
Then we're coming back to my tutorial, step 5.
It seems pfsense was not able to recognize the PID/VID of your USB device and create an interface for it.

YeahBaby

correct "ip" was a typo. It is not in ifconfig.

YeahBaby

So in order for FreeBSD/i386 (and subsequently pfSense) to recognize an iPhone the Ethernet driver for Apple devices has to be installed and loaded. The standard FreeBSD build shipped with pfSense has the default Ethernet driver, cdce for most older USB devices. The RNDIS driver (urndis) is normally used by Android devices. But Apple has it's own "special" driver, ipheth (as in iPhone Ethernet). All three of these drivers has shipped with FreeBSD since 8.2. But is neither not shipped with pfSense or is in other than usual location in their FreeBSD build.

If anyone knows if ipheth is already in pfSense's FreeBSD build, please post the path to it.

For ipheth to work the following work needs to be done.

First either compile the driver into the kernel by adding these lines in your kernel configuration file:

device uhci
device ohci
device usb
device miibus
device uether
device ipheth

Or load a compiled copy of ipheth onto your box and add the line: if_ipheth_load="YES" to /boot/loader.conf

/boot/loader.rc needs to have the following two lines lines in it.

include /boot/loader.4th
start

Conflicting reports say the iPhone has to be plugged in and Personal hotspot on before the machine boots, while other say it doesn't matter. However, once this is all done you can pick up at step 5 in AndrewZ's tutorial and all should be fine. Substitute "urndis" for "ipheth" in the prior for Android phone tethering.

See FreeBSD.org's doc on Advanced networking at: http://www.freebsd.org/doc/handbook/advanced-networking.html for your BSD networking needs.

Can I suggest adding these drivers to pfSense's future builds (or is that out-of-line for the forum's protocol) ?

[edit: typos]

eiger3970

So, pfSense moderators, does pfSense Version 2.4.4-RELEASE-p2 (amd64) built on Wed Dec 12 07:40:18 EST 2018 FreeBSD 11.2-RELEASE-p6 have software installed for iPhone tethering?

stephenw10

No. Neither does 2.4.4p3 which is the current version.

It's not hard to get working though. Copy the kernel module if_ipheth.ko from a FreeBSD ISO, 11.2 to match pfSense 2.4.4, put it in /boot/modules
Now add the line if_ipheth_load="YES" to the file /boot/loader.conf.local (create that file if necessary).
That will load the driver at boot, alternatively you can load it immediately to test at the command line with kldload if_ipheth.
According to this post you may need to chose a different usb config index for some models.

I don't have a current iphone to test that with. Let us know how you get on.

Steve

stephenw10

For reference this issue is covered by this: https://redmine.pfsense.org/issues/7467

Rico

Here you go: if_ipheth.zip

-Rico

eiger3970

Great Thanks stephenw10 and Rico.
That zip file really saved me headaches downloading some iso file.

Had some trouble copying the if_ipheth.ko file from local computer to pfSense...I had to use root rather than admin.
Will test physical connection tomorrow, now that the software should be ready.

stephenw10

Just be aware that when pfSense 2.4.5 is released that kernel module will probably fail and require a module from 11-stable instead.
If we can get those drivers included as modules that would not happen. I'm not entirely sure what the reasoning was for not including them, I do know it's been discussed before though. I have pinged our devs to see if we can do anything.

Steve

eiger3970

Thanks for the heads up.
Should be where the future is moving, so would be avante garde to include now.
Unless there's a conflict of interest with a networking business in control of the open source pfSense OS?

eiger3970

Not sure if a Proxmox or pfSense issue.
I allocated Proxmox's USB port to the pfSense VM ID.

pfSense dmesg and usbconfig don't show ue0?

stephenw10

Do you see a new device detected at all when it's connected?

I would probably try to get this working on real hardware first but I guess you could tackle it either way.

Steve

eiger3970

I have the USB connected to my local Linux Mint computer.
Moving hardware to the hypervisor is where the issue arises.
Hypervisor shell > $ lsusb > Enter > outputs the USB device.

root@proxmox:~# lsusb
Bus 002 Device 002: ID 8087:8000 Intel Corp. 
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 8087:8008 Intel Corp. 
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 003 Device 002: ID 05ac:12a8 Apple, Inc. 
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

I allocated the USB ID 05ac:12a8 to the pfSense VM ID 145.
From there, I don't see much confirmation of pfSense connected to the USB?

[2.4.4-RELEASE][admin@pfSense.localdomain]/root: ifconfig
vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=c00b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,LINKSTATE>
	ether 42:63:7c:e4:6c:e3
	hwaddr 42:63:7c:e4:6c:e3
	inet6 fe80::4063:7cff:fee4:6ce3%vtnet0 prefixlen 64 scopeid 0x1 
	inet 0.0.0.0 netmask 0xff000000 broadcast 255.255.255.255 
	nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
	media: Ethernet 10Gbase-T <full-duplex>
	status: active
vtnet1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=c00b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,LINKSTATE>
	ether a6:2d:d5:4f:6c:f3
	hwaddr a6:2d:d5:4f:6c:f3
	inet6 fe80::a42d:d5ff:fe4f:6cf3%vtnet1 prefixlen 64 scopeid 0x2 
	inet 192.168.1.170 netmask 0xffffff00 broadcast 192.168.1.255 
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	media: Ethernet 10Gbase-T <full-duplex>
	status: active
enc0: flags=0<> metric 0 mtu 1536
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	groups: enc 
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128 
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4 
	inet 127.0.0.1 netmask 0xff000000 
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	groups: lo 
pflog0: flags=100<PROMISC> metric 0 mtu 33160
	groups: pflog 
pfsync0: flags=0<> metric 0 mtu 1500
	groups: pfsync 
	syncpeer: 224.0.0.240 maxupd: 128 defer: on
	syncok: 1

[2.4.4-RELEASE][admin@pfSense.localdomain]/root: usbconfig
ugen0.1: <Intel UHCI root HUB> at usbus0, cfg=0 md=HOST spd=FULL (12Mbps) pwr=SAVE (0mA)
ugen0.2: <QEMU QEMU USB Tablet> at usbus0, cfg=0 md=HOST spd=FULL (12Mbps) pwr=ON (100mA)

According to https://forum.netgate.com/topic/95174/huawei-k5160-4g-usb-mobile-broadband/6 > post 6 > point 5 > I should see ue0, however I don't see this yet?

eiger3970

I believe this is not a pfSense issue.
I'm working on the hypervisor to pass the USB through.