Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Resolved: T-Mobile CellSpot connectivity issues

    Scheduled Pinned Locked Moved Firewalling
    54 Posts 5 Posters 22.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • DerelictD
      Derelict LAYER 8 Netgate
      last edited by

      Looks like good two-way traffic to me.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      1 Reply Last reply Reply Quote 0
      • A
        asterix
        last edited by

        Orange Internet light means it does not have an internet connection or unable to talk to the internet.

        1 Reply Last reply Reply Quote 0
        • chpalmerC
          chpalmer
          last edited by

          @Asterix:

          Orange Internet light means it does not have an internet connection or unable to talk to the internet.

          They really need to re-write their guide.

          Is the light flashing or solid?

          Triggering snowflakes one by one..
          Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

          1 Reply Last reply Reply Quote 0
          • chpalmerC
            chpalmer
            last edited by

            Have you tried a different Ethernet cable?  Solid light would seem to indicate no connection to your switch..

            Triggering snowflakes one by one..
            Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

            1 Reply Last reply Reply Quote 0
            • A
              asterix
              last edited by

              @chpalmer:

              @Asterix:

              Orange Internet light means it does not have an internet connection or unable to talk to the internet.

              They really need to re-write their guide.

              Is the light flashing or solid?

              Internet light is Flashing orange. When it has good internet connection its solid green.

              If I turn off the cellspot for some time and then turn it back on the GPS light turns steady green as it was previously configured and acquires a signal. So it's blinking green power light and orange Internet light and steady green GPS light.

              If I do a hard reset to factory defaults, just the green power light blinks as its trying to communicate to T-Mobile for a software download.

              1 Reply Last reply Reply Quote 0
              • A
                asterix
                last edited by

                @chpalmer:

                Have you tried a different Ethernet cable?  Solid light would seem to indicate no connection to your switch..

                Yeah ..lol. I can see it acquires an IP address in the DHCP leases table. I can ping it. Moved to LAN subnet and it works the same way. Same cable used to connect directly to the modem and it works.

                1 Reply Last reply Reply Quote 0
                • chpalmerC
                  chpalmer
                  last edited by

                  https://support.t-mobile.com/docs/DOC-24271    I was just reading this doc..

                  Your cellspot is making a VPN connection to the Tmobile servers as proven by your state table.

                  Your cellspot is not making an connection inside the VPN as shown by your blinking orange light.

                  Something is messing up the VPN packets.  Can you try connecting the cellspot direct to your pfsense box without the switch?  Have an extra interface?

                  Just trying to rule things out.

                  Triggering snowflakes one by one..
                  Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                  1 Reply Last reply Reply Quote 0
                  • A
                    asterix
                    last edited by

                    Yep, just tried it. Plugged in the VoIP interface straight… no go :(

                    1 Reply Last reply Reply Quote 0
                    • chpalmerC
                      chpalmer
                      last edited by

                      And to verify-  No static DHCP setting for it is there?

                      Your not blocking DNS in any way?  These devices unless you see different as it starts, tend to use their own DNS so your DNS should not matter

                      Triggering snowflakes one by one..
                      Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                      1 Reply Last reply Reply Quote 0
                      • DerelictD
                        Derelict LAYER 8 Netgate
                        last edited by

                        This seems like a 100% problem for t-mobile to solve. Too bad their support is so unhelpful and ignorant.

                        Chattanooga, Tennessee, USA
                        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                        Do Not Chat For Help! NO_WAN_EGRESS(TM)

                        1 Reply Last reply Reply Quote 0
                        • A
                          asterix
                          last edited by

                          @chpalmer:

                          And to verify-  No static DHCP setting for it is there?

                          Your not blocking DNS in any way?  These devices unless you see different as it starts, tend to use their own DNS so your DNS should not matter

                          Wide open same as default LAN.

                          IPv4 * VOIP net * * * * none Default allow VoIP to any rule

                          1 Reply Last reply Reply Quote 0
                          • chpalmerC
                            chpalmer
                            last edited by

                            @Derelict:

                            This seems like a 100% problem for t-mobile to solve. Too bad their support is so unhelpful and ignorant.

                            Sounds like the device is not set for NAT operation.

                            Many people here including myself (for my office and two other customers) have these femtocell devices up and running behind our pfsense boxes with no issue. If this was an issue with pfSense there would be tons of posts with complaints of the same. But it just works for me and seemingly everyone else.

                            To test my NAT therory.. do you have a SOHO router hanging around?  Your not double NATted are you?

                            Triggering snowflakes one by one..
                            Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                            1 Reply Last reply Reply Quote 0
                            • DerelictD
                              Derelict LAYER 8 Netgate
                              last edited by

                              There are generally zero configurable options on these things.

                              Chattanooga, Tennessee, USA
                              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                              Do Not Chat For Help! NO_WAN_EGRESS(TM)

                              1 Reply Last reply Reply Quote 0
                              • chpalmerC
                                chpalmer
                                last edited by

                                @Derelict:

                                There are generally zero configurable options on these things.

                                Yea-  has to be done by the carrier.

                                Triggering snowflakes one by one..
                                Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                                1 Reply Last reply Reply Quote 0
                                • A
                                  asterix
                                  last edited by

                                  No double NAT. Just different subnets for LAN, VoIP and Video. I used a simple Asus SOHO router and it connected in matter of mins. Right now I have plugged it in directly behind the modem and that works as well. Just the moment I move it behind pfSense it hits a block. Firewall logs (when logging enabled for VoIP subnet rules) show a green check for the CellSpot IP.. means it passed through.

                                  What I have not tried yet is force opening port 53 for the CellSpot even though the VoIP subnet (like the LAN) is wide open. I have even tried keeping on default LAN on a fresh plain install.. same issue.

                                  What baffles me is that, nothing changed on my network except moving to v2.3.2. I may have to go back to v2.2 if this issue is not resolved.

                                  1 Reply Last reply Reply Quote 0
                                  • chpalmerC
                                    chpalmer
                                    last edited by

                                    @Asterix:

                                    What I have not tried yet is force opening port 53 for the CellSpot even though the VoIP subnet (like the LAN) is wide open. I have even tried keeping on default LAN on a fresh plain install.. same issue.

                                    Your interface the cellspot is on needs full access to the internet.  Basically it needs to be able to surf to anything it wants to. Rule=  Voipnet  any port  any destination any port. Block nothing if you have not already.  You really need nothing on WAN for it at all.

                                    Other thing-  Go to  System/Advanced/Firewall&NAT  TFTP Proxy.  Enable that for your VOIP interface.

                                    Another thing you could try is to make your devices port 4500 static in the outbound NAT page.

                                    Im off to work in the field today so good luck!

                                    Triggering snowflakes one by one..
                                    Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                                    1 Reply Last reply Reply Quote 0
                                    • A
                                      asterix
                                      last edited by

                                      Tried everything except for the TFTP Proxy. Will see if it does anything.

                                      My VoIP Rule is like LAN.. [ IPv4 *  VOIP net  *  *  *  *  none      Default allow VoIP to any rule ]

                                      No change in data counters with port forwards for 4500, 500 and 123 directing to the CellSpot.

                                      1 Reply Last reply Reply Quote 0
                                      • DerelictD
                                        Derelict LAYER 8 Netgate
                                        last edited by

                                        As I said before. Those port forwards might be screwing things up. They are 1000% not required for outbound connections.

                                        I would get rid of all of that, get good two-way traffic on the IPsec session (500 and 4500 - whether it keeps increasing or not - look at all states on all interfaces filtering on whatever public IP you're connecting to) and call T-mobile and see whether they can see your unit connecting.

                                        Chattanooga, Tennessee, USA
                                        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                        Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                        1 Reply Last reply Reply Quote 0
                                        • A
                                          asterix
                                          last edited by

                                          @Derelict:

                                          As I said before. Those port forwards might be screwing things up. They are 1000% not required for outbound connections.

                                          I would get rid of all of that, get good two-way traffic on the IPsec session (500 and 4500 - whether it keeps increasing or not - look at all states on all interfaces filtering on whatever public IP you're connecting to) and call T-mobile and see whether they can see your unit connecting.

                                          What I meant was port forwards didn't help. The system is on the default build state with no user changes.

                                          Had called T-Mobile, but they said the CellSpot is not visible once behind the router and no connection requests are seen. Data counters are not showing any improvements. The CellSpot leaves the old connections and then tries with a new server every few mins.

                                          1 Reply Last reply Reply Quote 0
                                          • DerelictD
                                            Derelict LAYER 8 Netgate
                                            last edited by

                                            If you have states to them and two-way traffic to them and no connection requests are seen by them, not sure what to tell you really.

                                            You could packet capture but all you will be able to see is probably some DNS then the outside of an IKE/IPsec tunnel. You might do it and see if things seem to break down when packet sizes increase past about 1400 or something.

                                            Chattanooga, Tennessee, USA
                                            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                            Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.