using T-Mobile 5G as a WAN source
-
My Comcast internet is going up in price after my contract expires in March so I decided to try out T-Mobile Home Internet beforehand. A contract renewal will probably cost more than now.
Initially I plan to give it a light test. If it works OK I will replace the WAN source with T-Mobile. After a respectable trial, if it still holds up I will wait until I see my Comcast renewal rate. Then decide to switch over or not after that.
My Questions:
Sometime in that period I will run dual WAN, mostly just for fun. Will it run smoothly and transparently or will there be connection losses on some sites for some types of traffic? Is the configuration worth the effort for only a trial?
Will there be any other problems or considerations I should know about beforehand concerning T-Mobile Internet as a primary source? I am assuming it will work nicely and transparently as a primary WAN just like with Comcast. pfSense shouldn't care?
Background:
My new T-Mobile Internet costs $35 / month and 5G speeds on my phone are consistently over 1gb at home. I must live near a tower because they are much slower even a couple of miles away from home. I just ordered T-Mobile and will see next week if the speeds remain that high. The offer includes a gift card that should ultimately cover the cost of the trial for several months.
T-Mobile has been my backup home internet as I used my phone as a hot point during outages. I will lose that if I change, along with Free Peacock Premium. I will change my ISP if there is a large difference between prices.
-
@coffeecup25 If you have the ports for it, it will work just fine having two connections and set it up as "failover". It's a good learning experience and you will not notice any connection issues because of it. As you say, pfsense doesn't care what type of connection you have, fiber, 5G, cable etc.
Simply follow the instructions in the docs and set your TMO connection to the lower tier. https://docs.netgate.com/pfsense/en/latest/multiwan/load-balance-and-failover.html
The one consideration I would make is if you work from home you probably want to set it up so that pfsense doesn't kill states when the primary connection comes back online. If you do you will experience drops both when there is a failure and when it returns back to normal. Keeping the states means that you stay on the failover connection until the meeting is over and any new connections are set up on the primary again.
-
Should work fine. Just need to make sure the modem side subnet doesn't conflict with anything.
Not hard to set up. I would say definitely worth it as a test.
-
Thanks to you both for your replies.
The T-Mobile router will probably be delivered tomorrow. I have read your replies and added some research. I will probably try the Dual WAN setup just for fun and thank you for the warning about dropping a connection.
I am amazed how technology has changed since I set up my original Comcast network. I still have to learn a few things. All while saving a lot of money on internet.
I think T-Mobile overbuilt my locality, which explains the high speeds. It should stay this way for a long time. The T-Mobile router will not provide a bridge mode so I will double NAT. Tailscale free for home use level should give me the VPN I will otherwise lose.
The best place in the house for T-Mobile uses MOCA 2.5 to get a signal from the basement to some devices there. I will use it in reverse instead to tap into the pfSense WAN. An access point now covers the house. I will replace it with a mesh - 1 in access point mode and 1 or 2 as a bridge, or whatever they call it with mesh. The 2nd mesh will replace a powerline device. Done right I should retain wake-on-lan capability.
I'll end up with a better network and bragging rights for the modern upgrade.
I retain pfSense and all it provides. That CGNAT looks secure, too. The Peacock Premium I will have to pay if I switch over will be offset by a T-Mobile offer for a Netflix credit. If it all works out and I change over, I will end up with faster and cheaper home internet and a modern home network.
-
@coffeecup25 Sometimes mesh can be the only solution, but it's never really the optimal way of getting good wifi coverage. If possible, I'd look for a way to run multiple AP's instead, each on their own channel to minimize interference. Any chance you can place your pfsense appliance at the TMO modem, and use the MOCA for LAN?
Alternatively, use managed switches to put the WAN connection on a VLAN so that the MOCA can be used for both WAN and LAN...
TMO modem > Untagged VLAN 10 on Switch port - TRUNK port (Tagged ID 10) > MOCA > TRUNK port (Tagged ID 10) - Untagged VLAN 10 connected to pfsense WAN.
pfsense LAN connected to other port at switch set to default (no change).
This way you "tunnel" the WAN connection to pfsense and then use the rest of the ports on the switches for your LAN connections and other VLAN's if required. No need to set anything special in pfsense, as the VLAN is internal to the switches in this case and only a way to "segment the traffic".
[EDIT] And of course that gives you the possibility to have more than one AP in your home. At least one at each end of the MOCA.
-
Mmm, yes I would avoid mesh WiFi if at all possible. But you do then need some other way to backhaul the connection to the APs.
-
Thanks again both of you. I will save the money that would be for mesh and go another route. UPS says the T-Mobile router is coming today. Let's see what it can really do, first.
What's nice is not having to worry about my pfSense router through all of this. Almost plug and play. I only have to think about all of the things hanging off of it.
I will leave the Powerline connected PC alone as it gets good enough throughput - about 125 mbps. The replacement for the MOCA 2.5 will be a new router with a bridge mode. My wireless signal through the house is adequate. I wanted something that looked slick and I could show off, but performance and reliability are more important.
I used bridge mode many years ago when the network was smaller and it worked very well. It would almost be nostalgic to bring it back. Back then I thought I was being clever.
Asus, Netgear and GL.iNet immediately come to mind as routers with bridge mode. My current AP gives over 500mbps with WiFi-6 and it's only a little TP-Link AX-21. I don't know what it can max out at. It does not have a bridge mode so I can't get a 2nd one for this purpose.
-
@coffeecup25 said in using T-Mobile 5G as a WAN source:
The replacement for the MOCA 2.5 will be a new router with a bridge mode
What do you need another router for? Wasn't the idea to use T-Mobile 5G and then have pfsense as the router/firewall??
If you already have the equipment to run Ethernet over your coax in the house, all you need are some switches to connect things at each end.
Like I mentioned, you can have the 5G Router on the top floor, connected to a managed switch. AND you can have the AX-21 connected to that same switch as per below. At the other end of the coax you have another managed switch to which both the WAN and the LAN of pfsense are connected. The only thing is that WAN is on a separate VLAN, communicating only with the port on the T-Mobile router. Basically you split the switches into two sides. One for LAN, and one for the WAN connection.
@coffeecup25 said in using T-Mobile 5G as a WAN source:
it's only a little TP-Link AX-21.
It does not have a bridge mode so I can't get a 2nd one for this purpose.
Why are you concerned with bridge mode? Any consumer router can be converted into an AP simply by connecting it to the LAN port only, and turning off DHCP. That way you are only using the built in switch functionality (which connects only the LAN ports and WIFI). The firewall in that device sits between WAN and that switch, but you just don't use it in this case. And you can have as many such AP's as you want...
Although if you are thinking of having multiple "AP's" it may be better to go for something like Unifi or TPLink Omada AP's that you can manage centrally.
Anyway, assuming your pfsense has 192.168.1.1 you can set the AX-21 to static IP 192.168.1.2 and if you add another AP, just make that 192.168.1.3 and so on. But the AX-21 will not do anything other than switch your internal traffic... pfsense takes care of the important stuff. And you can still access the AX-21 via its gui on the LAN if you need to change channel or wifi password etc.
Just make sure to set the channels so that they don't overlap. Remember channel 1 overlaps 2 and 3. Channel 6 overlaps 4, 5, 7 and 8. So you only have 1, 6 and 11 that are truly not interfering with each other on 2.4. On 5Ghz you have more spectrum to play with and less interference from neighbours as well.
-
@Gblenn You misunderstand quite a bit.
T-Mobile 5G Internet is being tested out to replace Comcast WAN. If it works acceptably it will be plugged into pfSense WAN, replacing Comcast. I will save a lot a month and possibly get much better speeds. T-Mobile internet will bring a few problems, but there are acceptable solutions to all of them.
I might try a failover or dual WAN config just for fun before dumping Comcast in March when my contract expires.
pfSense makes this an intellectual problem because I can trust it to only need to sit there and do what it does. No concerns there at all.
If Comcast is replaced, the T-Mobile router will need to be positioned in a place where it gets a good signal and can get to a wall port that can reach the basement where pfSense is. As I said, T-Mobile will replace Comcast in the pfSense WAN port.
Currently I use MOCA 2.5 to go from pfSense to some upstairs network equipment. The MOCA 2.5 will be repurposed to get T-Mobile downstairs to pfSense WAN. A router configured as a wireless bridge will replace the MOCA 2.5 device upstairs.
The new router will be configured into a wireless bridge to get WiFi 6 from my more than adequate existing AX-21 access point to the upstairs equipment. Routers can do more than routing. This bridge is to avoid mesh routing, which you said was less than optimal sometimes. Not all routers have a wireless bridge mode.
An access point is a different thing from a wireless bridge. The wireless bridge is more of a switch only.
Network equipment in another distant place uses Powerline to connect to pfSense. I was going to use another mesh device to connect there, replacing the Powerline.
Mesh as access point and 'bridges' was expensive overkill but looked slick. And it didn't cost really that much. I chose against it based on your comments.
Everything I wrote above also says this. Thank you for your mesh cautions. It would cost about 3x over one new wireless bridge. OK for modernization and bragging but not good enough for a maybe.
-
@coffeecup25 said in using T-Mobile 5G as a WAN source:
If Comcast is replaced, the T-Mobile router will need to be positioned in a place where it gets a good signal and can get to a wall port that can reach the basement where pfSense is. As I said, T-Mobile will replace Comcast in the pfSense WAN port.
Currently I use MOCA 2.5 to go from pfSense to some upstairs network equipment. The MOCA 2.5 will be repurposed to get T-Mobile downstairs to pfSense WAN. A router configured as a wireless bridge will replace the MOCA 2.5 device upstairs.
This is the part I don't understand. Are you keeping the MOCA 2.5 or will that go if you drop Comcast?
If you keep it, why use anything else to connect between the upstairs and downstairs positions?
Yes it is one physical connection, but using VLAN's you can use it for multiple purposes. 1. to get WAN to pfsense, and 2. to get LAN from downstairs back upstairs again. No need to use wifi as backhaul, which is never a good idea. Mesh is pretty much just that, although "automagic"...
-
@Gblenn Think of MOCA 2.5 as one very elaborate Cat6 wire. MOCA turns RG6 cable into CAT6 internet wires. Like Powerline turns electric wiring into Cat6 wires.
MOCA can't be WAN and LAN at the same time in this instance. The MOCA will carry the T-Mobile WAN to pfSense. This creates a need to get a signal back to what MOCA was previously servicing. A wireless bridge will replace the old MOCA 'Cat6 LAN' wire. Existing Powerline gets left alone.
I can't even imagine how a VLAN would figure into this. If mesh was used, wired backhaul would only exist for the actual access point. 2 mesh devices would be 100% wireless.
-
@coffeecup25 That's the thing, it CAN be both WAN and LAN at the same time. That's what VLAN's can do for you.
Here's how...
If you get two managed switches that can do VLAN, which can be quite cheap. You will need two small (5Port) switches, one at each end of the MOCA.
Let's say we configure port 5 on both switches to be VLAN 10 Untagged (meaning only traffic belonging to VLAN 10 will go in or out this port).
We configure Port 4 to have VLAN 10 added as Tagged, meaning any traffic belonging to VLAN 10 will ALSO be going in/out this port.
Connect the upstairs switch port 5 to the LAN on T-Mobile device, which now belongs to VLAN 10. And then you connect switch port 4 to the MOCA 2.5 which will now carry BOTH VLAN 10 and all the default LAN traffic.
Connect the downstairs switch port 4 to MOCA and port 5 to pfsense WAN.
pfsense will now receive only the traffic from the T-Mobile device on its WAN, since the switches will only forward VLAN 10 traffic on port 5.
Connect pfsense LAN to port 1 on downstairs switch which means that LAN traffic will go into the switch, and up the MOCA to the upstairs switch and be available on ports 1, 2, 3 and 4 (but not port 5).
If you have already ordered a new router, you can use that as an AP downstairs for example, but connecting its LAN (turn off DHCP) to e.g. port 2 on that same switch.
Upstairs you can connect the AX-21 in a similar way to port 1, 2 or 3 on that switch. Now you have a LAN network covering downstairs and upstairs (ports 2 and 3 available on both switches for e.g. PC's or a TV, Printer etc).
Assuming the Comcast box is downstairs, all you need to do for failover testing is to connect that to WAN2 on pfsense and set it up as per the documentations.
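The port layout from the post above, modelled as an added example (not part of the original post and not any switch vendor's configuration): a small Python simulation of 802.1Q forwarding across the two 5-port switches, showing which devices share a broadcast domain. The device names and the misconfigured variant are assumptions made for illustration.

```python
from dataclasses import dataclass

DEFAULT_VLAN, WAN_VLAN = 1, 10

@dataclass
class Port:
    pvid: int = DEFAULT_VLAN         # VLAN assigned to untagged frames
    tagged: frozenset = frozenset()  # VLANs carried with an 802.1Q tag

    def carries(self, vlan):
        return vlan == self.pvid or vlan in self.tagged

def five_port_switch(port5_pvid=WAN_VLAN):
    """Ports 1-3: default LAN. Port 4: trunk to MoCA. Port 5: WAN VLAN only."""
    ports = {n: Port() for n in (1, 2, 3)}
    ports[4] = Port(tagged=frozenset({WAN_VLAN}))
    ports[5] = Port(pvid=port5_pvid)
    return ports

# Hypothetical device names; the port numbers follow the post.
ATTACHED = {
    ("up", 5): "tmobile-gateway", ("up", 1): "ax21-ap",
    ("down", 5): "pfsense-wan", ("down", 1): "pfsense-lan",
    ("down", 2): "second-ap",
}
MOCA = {("up", 4): ("down", 4), ("down", 4): ("up", 4)}

def flood(src, switches):
    """Return the devices that receive a broadcast sent by `src`."""
    sw, num = next(k for k, v in ATTACHED.items() if v == src)
    todo, visited, reached = [(sw, num, switches[sw][num].pvid)], set(), set()
    while todo:
        sw, ingress, vlan = todo.pop()
        if (sw, vlan) in visited:
            continue
        visited.add((sw, vlan))
        for num, port in switches[sw].items():
            if num == ingress or not port.carries(vlan):
                continue
            if (sw, num) in ATTACHED:
                if vlan == port.pvid:      # end devices only see untagged frames
                    reached.add(ATTACHED[(sw, num)])
            elif (sw, num) in MOCA:
                peer_sw, peer_num = MOCA[(sw, num)]
                peer = switches[peer_sw][peer_num]
                if vlan == port.pvid:      # leaves untagged, peer applies its PVID
                    todo.append((peer_sw, peer_num, peer.pvid))
                elif vlan in peer.tagged:  # leaves tagged, peer must accept the tag
                    todo.append((peer_sw, peer_num, vlan))
    return reached

GOOD = {"up": five_port_switch(), "down": five_port_switch()}
# Constructed mistake: upstairs port 5 left in the default VLAN.
BAD = {"up": five_port_switch(port5_pvid=DEFAULT_VLAN), "down": five_port_switch()}

def audit(switches):
    """True when the gateway's only layer-2 neighbour is the pfSense WAN port."""
    return flood("tmobile-gateway", switches) == {"pfsense-wan"}

if __name__ == "__main__":
    for name, sw in (("as described", GOOD), ("port 5 misconfigured", BAD)):
        print(name, sorted(flood("tmobile-gateway", sw)), "isolated:", audit(sw))
    print("LAN side:", sorted(flood("pfsense-lan", GOOD)))
```

In the misconfigured case the gateway lands in the same broadcast domain as the LAN devices, so the upstream side is bridged onto the LAN without passing through pfSense; that is the condition `audit` flags.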
-
@coffeecup25 Think about VLAN's as multiple separated networks on the same physical interface. The cable, Cat6 or MOCA or fiber doesn't care what's going on inside... But switches do, and will make sure traffic belonging to the different VLAN's never gets mixed up.
You can use VLAN on pfsense as well, to create isolated networks for different purposes. Perhaps one for guest and one for your IoT devices, besides your default network.
You might want to keep wifi separate from the LAN for example. Even with dumb routers (that don't understand VLAN) you can do that in this scenario I described.
Then you define another VLAN, 20 for example and you assign that Untagged to the switch ports that you have the two wifi routers connected. You also assign VLAN 20 TAGGED to the port that connects to LAN pfsense. And then you create a VLAN in pfsense with its own subnet and DHCP etc.
Then you can define rules that may allow or block wifi from accessing anything or everything within your LAN.
-
@Gblenn I know what a VLAN is. The comment was rhetorical.
A VLAN is a ridiculous idea here. It's over-complicating a very simple problem. There's the easy way and the WTF way.
I am only replacing an ISP. Added is an ancillary problem of where to position the T-Mobile router where it gets the best reception. Comcast has no such problem.
Actually, in one spot in my home that might offer good reception, I can work a wall Cat6 outlet backward and leave the MOCA alone as is. I was considering repurposing MOCA because then I don't have to trace wires from place to place. Or put a T-Mobile router in a room where it doesn't belong if alternatives are available.
-
@coffeecup25 said in using T-Mobile 5G as a WAN source:
I know what a VLAN is. The comment was rhetorical.
Ok, great, but that's not what it looks like?
MOCA can't be WAN and LAN at the same time in this instance. The MOCA will carry the T-Mobile WAN to pfSense.
This creates a need to get a signal back to what MOCA was previously servicing.
Which is exactly what VLAN can do for you!
A VLAN is a ridiculous idea here.
I'm trying to help out here... but it's of course up to you to judge.
VLAN however, is a cheaper and much more stable way to accomplish what you write. Mesh is typically the last resort when there is no, and can not be any wiring.
Using basic routers in wireless bridge mode will be like the earliest poorly designed mesh systems. At least some of the newer and more expensive solutions have a 3rd radio they use for "backhaul". And perhaps they even let you select what channels you use on the different AP's...
Using VLAN is simple enough and lets you use the best solutions available, i.e. your existing MOCA run. Which was what you initially mentioned for the location of the TMO device, and some other stuff. And your router's wifi will be used in the way it works best, as an AP.
But if you now say you have Cat6 that is not needed for anything else, then by all means use that if it gets you ok performance on 5G. Then there is no need for anything else, be it VLAN or mesh/wifi-bridging.
-
@Gblenn Thank you for your hard work.
As you get older you will realize that just because something can be done, that does not mean it should be done. Good use of tech requires the entire problem be defined and thought through for the best solution. The 'entire problem' is generally bigger than the single task on the table in front of you. Just because the computer guy has a good idea doesn't make it a great idea that everyone should jump on. Heroic solutions are rarely the best ones. In another instance, your idea might be fun to play with. Look up the term KISS as a problem solving concept for more information.
Just off the top of my head, I see a couple of problems with a VLAN. Complexity, reliability, ability for someone else to understand and work with, and redundancy. I don't think my wife wants to learn VLANs just to fix a critical network issue. On the other hand, a VLAN to set up a guest Wi-Fi is a good idea.
You don't seem to know what a wireless bridge is. I'll repeat some of what I wrote then bring the analogy to a wireless bridge.
MOCA turns RG6 cable into a Cat6 wire equivalent
Powerline turns electric wiring into a Cat6 wire equivalent
A Wireless Bridge, sometimes called a media bridge, turns a Wi-Fi signal into a Cat6 wire between devices. It does not broadcast a wireless signal. It is not a repeater. It turns a distant router into a switch after that. Identical in concept to MOCA and Powerline. I used bridges many years ago in simpler times and they worked very well.
Amazon has a nice looking Wi-Fi 6 Asus model for about $75. Used for less, but that's risky. Or I might get ambitious and trace Cat6 wiring back to the right outlet in the basement and save the $75. Or I might buy a pair of those $75 Asus convertible routers and make 1 a replacement AP and 1 a mesh thing. If it doesn't work well I'll convert it back into a bridge. Really good network hardware costs a lot less today than a few years ago for equivalent or better capabilities. Used equipment is more trustworthy than Amazon returns so that's a consideration.
-
@coffeecup25 It seemed pretty clear that besides testing T-Mobile 5G, you were also looking for better wifi coverage, since you were considering mesh. And you also mention you are looking for performance and reliability.
So that's what I was considering when suggesting VLAN. And that's also what I was thinking of when you mention wifi bridges. Sure, a wifi bridge CAN be what you say, if you turn off the normal wifi on the router. But why select such a setup all of a sudden? It is definitely not obvious to me based on what you actually ask for.
And wrt VLAN I definitely disagree with you on your thoughts about reliability vs wifi. Wired will give you lower latency, no interference issues, it's more secure and it doesn't degrade due to distance or environment (in this context). And as far as redundancy goes, I don't see any differences whatsoever. And you will get at least two VLAN capable switches for the price of your Asus or other wifi 6 router.
But I do agree it can be a bit more challenging for someone else in the household to wrap their head around, but is that even needed? And if that is a problem, perhaps a Guest VLAN isn't such a good idea either?
-
@Gblenn Thanks. No, I meant what I wrote and was not hinting at anything or issuing a cry for help regarding elementary home networking. I was hoping to save a lot of money per month over Comcast while retaining a reliable home network that provided comparable or better internet speeds. But change in one place requires more changes elsewhere sometimes.
I'm not going to repeat all the other details.
The Dual WAN setups were my only real question and I'm not sure I care about one anymore. Although I would have appreciated reading about any gotchas associated with using T-Mobile as a WAN source.
But, I now have access to a network wire tester. That will make testing the cat6 wire into a 5 minute job if that. I can hide the device in that particular spot so it passes the wife test. No expense or changes needed if the T-Mobile router is a keeper.
-
The T-Mobile device was delivered late Monday and initially configured as standalone yesterday morning. I live about 1/2 mile line of sight from the cell tower. My 5G phone normally gets 1.2gb to sometimes 1.4gb.
The T-Mobile internet standalone ran at the mid to high 800s without testing too hard. All sites in the house that would be good as a location for the device tracked about the same. My Comcast internet now is 500mb. So, not too bad so far. T-Mobile is said to put home internet on the 2nd lowest priority. After you hit the data cap you go down to the bottom until the next month.
Thanks to the wire tester, finding the cat6 wire took more time to set up than to select the proper wire. T-Mobile as a pfSense WAN source fired up by the time I cleaned up after myself.
Wired internet speeds dropped to the mid 400s. Pretty big but I was considering downgrading to 300 mb on Comcast if I stay with them. 2025 prices go up a lot. Still pretty good.
Now it's a reliability test. I left the old wire from the cable modem just dangling there so it should take a few seconds to switch back.
OK, as I write this, my T-Mobile wired internet just dropped. It was up for maybe 5 minutes. I wrote the above immediately after hooking it up. I finished using T-Mobile wireless - this pc is normally wired in the area serviced by the controversial MOCA. Far away from the device. T-Mobile delivered a very weak signal. Entirely unacceptable for any form of home network. The AX-21 Access Point always delivers a very strong wireless signal to this room.
Correction - the wireless just dropped too. Back to the basement. Comcast fired back up almost immediately as WAN.
Guess what's going back to T-Mobile later this week. OK Comcast, you win this time. The free 15 day trial came in handy. Back to negotiating a new contract later.
Edit a few hours later: The T-Mobile device has been returned.
I remembered fiber was installed in my neighborhood last year. The company confirmed by chat it is available at my house. One week lead time should work. Symmetrical gigabit for $50 a month for first year and $65 a month thereafter. No data caps. Lower price than Comcast for similar download speed. Free ONT. No install charge. No bad reviews anywhere.