Using wireless mobile hotspot device as WAN?



  • I have a "normal" residential pfSense setup, with a DOCSIS modem providing my WAN connection and the pfSense box acting as the gateway for LAN clients (192.168.1.0/24).  Typically the modem provides a public IP address from my ISP on that interface.

    Currently my DOCSIS internet is down, but I have a 4G connection+mobile hotspot on my phone.  I've installed a RUN-type USB adapter on the pfSense box, configured it in infrastructure mode, and it has associated to the hotspot and pulled a DHCP address from the hotspot (192.168.45.85).  I can ping the mobile hotspot IP address (192.168.43.1) from inside the LAN.  This proves that the wireless link is up and data can move across it.  It shows up as a gateway.

    However, I can't access the internet from the LAN or the console of the pfSense box.  I've configured a gateway group with both interfaces (wan ethernet and hotspot wireless) and the gateway group status, and the status page shows that the WAN gateway is down:

    (The DOCSIS modem assumes an IP of 192.168.100.1 when it can't get an IP from the ISP.)

    I've tried tweaking tiers and forcing one gateway or the other to be the default, but I can never get an internet ping back from the mobile hotspot.  I have the automatic NAT rules turned on, and the LAN rules specify to use the gateway group:

    I do see some states from inside my LAN, but if it's working, it's not evident to my browser!

    Could it be a NAT issue?  The hotspot, assigning 1918 addresses, will obviously NAT stuff which might be NATted again by the firewall.  This goes above my head.  I tried turning on NAT reflection and webpages tried to load, but were giving weird DNS errors ("DNS_PROBE_FINISHED_BAD_CONFIG" and "Fastly error: unknown domain: 151.101.xx.xx. Please check that this domain has been added to a service.")



  • The NAT at both pfSense and your mobile device should be fine. On LAN you will need a rule that matches destination "the internet" and feeds into the gateway group (it sounds like you already have that). You will need at least 1 DNS server specified in System->General that has the mobile gateway selected.

    Then try traceroute (tracert) to see where packets are getting to.



  • Thanks for the reply!  After letting it sit for about an hour, I got about 50 emails from the firewall, stating that the DOCSIS connection was going up and down:

    "MONITOR: WAN_DHCP is available now, adding to routing group DOCSIS_and_WIFI
    8.8.8.8|192.168.100.10|WAN_DHCP|0ms|0ms|0.0%|none"

    and

    "MONITOR: WAN_DHCP is down, omitting from routing group DOCSIS_and_WIFI
    8.8.8.8|192.168.100.10|WAN_DHCP|0ms|0ms|100%|down"

    over and over again.  So, I think the failover is flapping so fast that it's basically unusable.  Is there a tweak I can make to either better determine that the DOCSIS WAN is down, or cause the failover to "stick" for a duration?  I have been poking through documentation but haven't found much.  I am "monitoring" 8.8.8.8 as the test for determining if the DOCSIS is up or not.



  • On the gateway advanced settings you could try making the Probe Interval and Alert Interval longer. That should make it take more time to get a few responses and decide that the gateway is up.

    If it is flapping like that so often, then you really need to get it fixed (I'm sure you know that!). And while waiting for some repair action, you can just take the WAN gateway out of the gateway group. You should still be able to look at gateway status for it, and when you think it seems happier, try putting it back in the gateway group.
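
To put a number on the flapping described in this thread, the sketch below parses the two notification bodies quoted above and counts up/down transitions per gateway inside a sliding window. It is an added example, not code from the thread or from pfSense. The order of the pipe-separated fields, the timestamps (taken here as the arrival time of each notification), and the `window_s` and `max_transitions` thresholds are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

HEAD = re.compile(r"MONITOR: (\S+) is (down|available now), "
                  r"(?:omitting from|adding to) routing group (\S+)")

def parse_alert(body):
    """Parse one notification body; return None if it is not a gateway alert."""
    lines = [ln.strip().strip('"') for ln in body.strip().splitlines()]
    m = HEAD.match(lines[0]) if lines else None
    fields = lines[1].split("|") if m and len(lines) > 1 else []
    if len(fields) != 7:
        return None
    # Assumed field order: monitor IP, source IP, gateway, delay, stddev, loss, status
    monitor, source, _name, _delay, _stddev, loss, status = fields
    return {"gateway": m.group(1), "group": m.group(3),
            "up": m.group(2) != "down", "monitor": monitor,
            "loss_pct": float(loss.rstrip("%")), "status": status,
            # A private source address means the WAN lease is not a public one.
            "private_source": ipaddress.ip_address(source).is_private}

def flap_report(alerts, window_s=3600, max_transitions=4):
    """alerts: (epoch_seconds, body) pairs. Returns {gateway: peak state
    changes inside any window_s span} for gateways above max_transitions."""
    changes, last = defaultdict(list), {}
    for ts, body in sorted(alerts):
        alert = parse_alert(body)
        if alert is None:
            continue
        gw = alert["gateway"]
        if gw in last and last[gw] != alert["up"]:
            changes[gw].append(ts)  # record only real up<->down changes
        last[gw] = alert["up"]
    report = {}
    for gw, times in changes.items():
        peak = start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_transitions:
            report[gw] = peak
    return report

# Constructed sample: the two quoted bodies, alternating every 70 seconds.
DOWN = ("MONITOR: WAN_DHCP is down, omitting from routing group DOCSIS_and_WIFI\n"
        "8.8.8.8|192.168.100.10|WAN_DHCP|0ms|0ms|100%|down")
UP = ("MONITOR: WAN_DHCP is available now, adding to routing group DOCSIS_and_WIFI\n"
      "8.8.8.8|192.168.100.10|WAN_DHCP|0ms|0ms|0.0%|none")
SAMPLE = [(i * 70, DOWN if i % 2 == 0 else UP) for i in range(10)]
```

The `private_source` flag is worth checking on a WAN gateway: in the quoted alerts the source address is 192.168.100.10, in the same range as the 192.168.100.1 address the modem is said to assume when it has no ISP lease.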