Using LTE Modem with VyOS double-nat

Hello, I recently bought a Huawei E3372 Hi-Link LTE dongle and got a data SIM card from work to provide 4G failover at home.

So far I am able to get an Ethernet interface out of the dongle (plug and play, no magic). My VyOS router has 192.168.8.2/24 as its IP and the dongle has 192.168.8.1/24, and when I ping the dongle IP the response times vary a lot (as if I were pinging the 4G cell tower), so that is a good start. I have also tested the modem on my laptop without configuring it beforehand and it auto-connects to the Internet, so it is auto-configured.

My one minor problem is that, since the modem is a router in itself, this is a double-NAT configuration, which I can't seem to find a reliable source for. This prevents me from pinging 1.1.1.1 and reaching the outside Internet via the 4G connection.

Config used:
set protocols static route 0.0.0.0/0 next-hop XXXX (Fiber line static route)
set protocols static interface-route 0.0.0.0/0 next-hop-interface eth5 distance '255'
set interfaces ethernet eth5 address '192.168.8.2/24'
set interfaces ethernet eth5 description '4G Failover'
set interfaces ethernet eth5 duplex 'auto'
set interfaces ethernet eth5 hw-id '0c:5b:8f:27:XX:XX'
set interfaces ethernet eth5 smp-affinity 'auto'
set interfaces ethernet eth5 speed 'auto'

Commands used:
fma@glos1ce1dk:~$ ping 1.1.1.1 interface eth5
PING 1.1.1.1 (1.1.1.1) from 192.168.8.2 eth5: 56(84) bytes of data.
From 192.168.8.2 icmp_seq=1 Destination Host Unreachable
From 192.168.8.2 icmp_seq=2 Destination Host Unreachable
From 192.168.8.2 icmp_seq=3 Destination Host Unreachable

fma@glos1ce1dk:~$ ping 192.168.8.1 interface eth5
PING 192.168.8.1 (192.168.8.1) from 192.168.8.2 eth5: 56(84) bytes of data.
64 bytes from 192.168.8.1: icmp_seq=1 ttl=64 time=58.1 ms
64 bytes from 192.168.8.1: icmp_seq=2 ttl=64 time=16.7 ms
64 bytes from 192.168.8.1: icmp_seq=3 ttl=64 time=14.7 ms

fma@glos1ce1dk:~$ show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
F - PBR, f - OpenFabric,
> - selected route, * - FIB route, q - queued route, r - rejected route

S>* 0.0.0.0/0 [1/0] via XXX.XXX.XXX.XXX, bond0.200, 00:12:54
S 0.0.0.0/0 [255/0] is directly connected, eth5, 00:17:27
S 10.0.0.0/8 [254/0] unreachable (blackhole), 00:22:55
S>* 10.0.0.0/8 [1/0] is directly connected, wg3, 00:22:56
C>* 10.0.1.0/24 is directly connected, bond0.101, 00:23:02
S>* 10.0.90.0/24 [1/0] is directly connected, wg3, 00:22:56
C>* 10.0.100.0/24 is directly connected, wg3, 00:22:57
C>* XXX.XXX.XXX.XXX/XX is directly connected, bond0.200, 00:15:35
S>* 172.16.0.0/12 [254/0] unreachable (blackhole), 00:22:56
S>* 192.168.0.0/16 [254/0] unreachable (blackhole), 00:22:56
C>* 192.168.8.0/24 is directly connected, eth5, 00:23:14
C>* 198.18.0.1/32 is directly connected, dum0, 00:23:17

Can anyone help?
So far I have looked at forum posts here and on OpenWrt to get a general idea.

Just out of interest, have you got a source NAT rule that will masquerade outbound on eth5?

I think that might be the issue here.

As long as you have a proper NAT source rule you should be good. Also, you mentioned that this particular modem is also a router? This reminds me of CradlePoints, which can route using static or dynamic routes as well. Make sure that your wireless modem knows how to get to the subnets behind it (the subnets on the other side of your VyOS router).

To simplify, you could try putting the wireless modem into bridge mode and passing the outside publicly routable address directly to your interface in VyOS.

Yeah, sorry, I forgot to add that NAT rule in the first post. Yes, just a regular masquerade NAT rule with eth5 as outbound.


Yeah, this Huawei modem acts as a router on a stick. It assigns 192.168.8.1 as the gateway for the LTE network, so if VyOS pings that it is already NATed. But I can access a website on 192.168.8.1, which is the modem's web interface, so I must assume there is a return route for traffic, as otherwise I would not have been able to access the web interface.

Sadly the modem web interface does not appear to have a bridge mode setting, else I would have done that instead, as you also mention, due to KISS (keep it simple, stupid).

I had to change to DHCP on the modem and do the following:

set protocols static route 0.0.0.0/0 dhcp-interface eth5

That fixed my problem. The only issue now is that I cannot add a distance to the static route, so both my WAN and the failover have a distance of 1.
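For anyone landing on this thread later, here is the working double-NAT failover config pieced together from the posts above, as an added example rather than config copied from any poster. It assumes the dongle still hands out 192.168.8.0/24 via DHCP, that the LAN behind VyOS is the 10.0.1.0/24 seen in the route table, and that your build accepts the `dhcp-options default-route-distance` option (an assumption; it is what lets the DHCP-learned default route sit behind the fiber one).

```vyos
# Failover interface: let the dongle's built-in DHCP server assign the
# 192.168.8.x address. The static 192.168.8.2/24 plus an interface-route
# gave "Destination Host Unreachable" for anything beyond the dongle.
set interfaces ethernet eth5 description '4G Failover'
set interfaces ethernet eth5 address 'dhcp'
# Assumption: build supports this option. Pushes the default route learned
# from the dongle to distance 210, so the fiber default (distance 1) wins
# while the fiber line is up and the LTE route only takes over if it drops.
set interfaces ethernet eth5 dhcp-options default-route-distance '210'

# Default route taken from the DHCP lease on eth5 (the fix from the final post).
set protocols static route 0.0.0.0/0 dhcp-interface eth5

# Primary default route via the fiber line (next-hop is a placeholder).
set protocols static route 0.0.0.0/0 next-hop XXXX

# Source NAT: hide the LAN behind eth5's 192.168.8.x address. The dongle
# NATs a second time towards the carrier, and only knows a return route to
# 192.168.8.0/24, so masquerading here avoids adding static routes on the
# dongle for the subnets behind VyOS.
set nat source rule 200 description 'Masquerade LAN out 4G failover'
set nat source rule 200 outbound-interface 'eth5'
set nat source rule 200 source address '10.0.1.0/24'
set nat source rule 200 translation address 'masquerade'

# Checks after commit: the fiber default should be the selected (>*) route
# and the eth5 one listed with the higher distance; the ping should answer.
#   show ip route 0.0.0.0/0
#   ping 1.1.1.1 interface eth5
```

If the distance option is not accepted on your build, both default routes land at distance 1 as in the final post, and the check above is how you will see which one is actually selected.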