Repro for LTE modem routing bug on MT300A.
Set your IP address manually to 192.168.1.2 and Flash LEDE version 17.01.4
Set username and password for router (do not connect the LTE dongle yet).
Configure with the following commands:
uci set dhcp.@dnsmasq[0].domain='groundhog.org'
uci set system.@system[0].hostname='gopher'
uci set network.lan.ipaddr='172.16.0.1'
uci set network.lan.netmask='255.255.240.0'
uci set wireless.radio0=wifi-device
uci set wireless.radio0.channel='8'
uci set wireless.radio0.disabled='0'
uci set wireless.default_radio0.ssid='gopher'
uci set wireless.default_radio0.encryption='psk2'
uci set wireless.default_radio0.key='iamthegopher'
uci commit
reboot now
Reboot and connect the WAN Ethernet port to an upstream gateway (network configurations should not clash now). Install QMI support packages.
opkg update
opkg install \
usb-modeswitch \
kmod-mii kmod-usb-net kmod-usb-wdm kmod-usb-net-qmi-wwan \
kmod-usb-serial-option kmod-usb-serial kmod-usb-serial-wwan \
uqmi luci-proto-qmi \
libustream-openssl ca-certificates
Stop the modem from attempting to auto-connect, then check that the modem can connect to the target apn (replace with your SIM card's apn setting) and keep that setting between reboots.
uqmi -d /dev/cdc-wdm0 --stop-network 4294967295 --autoconnect
uqmi -d /dev/cdc-wdm0 --start-network simple --autoconnect
Add the wwan interface backed by the wwan0 Linux interface.
uci set network.wwan=interface
uci set network.wwan.ifname='wwan0'
uci set network.wwan.proto='dhcp'
Disable openwrt's firewall
/etc/init.d/firewall stop
/etc/init.d/firewall disable
Install support packages for nftables based routing.
opkg update
opkg install nftables tcpdump
rmmod iptable_nat
Restore nftables to original state
nft flush ruleset
Configure nft to perform nat routing.
# firewall
table ip filter {
# allow all packets sent by the firewall machine itself
chain output {
type filter hook output priority 100; policy accept;
}
# allow LAN to firewall, disallow WAN to firewall
chain input {
type filter hook input priority 0; policy accept;
iifname "br-lan" accept
iifname "wwan0" drop
}
# allow packets from LAN to WAN, and WAN to LAN if LAN initiated the connection
chain forward {
type filter hook forward priority 0; policy accept;
iifname "br-lan" oifname "wwan0" accept
iifname "wwan0" oifname "br-lan" ct state established accept
iifname "wwan0" oifname "br-lan" ct state related accept
iifname "wwan0" oifname "br-lan" drop
}
}
# NAT
table ip nat {
chain prerouting {
type nat hook prerouting priority 0; policy accept;
}
chain input {
type nat hook input priority 0; policy accept;
counter comment "count accepted packets"
}
chain output {
type nat hook output priority 0; policy accept;
counter comment "count accepted packets"
}
# for all packets to WAN, after routing, replace source address with primary IP of WAN interface
chain postrouting {
type nat hook postrouting priority 100; policy accept;
oifname "wwan0" masquerade
}
}
Configure nftables logging.
nft add rule filter output log
nft add rule filter input log
nft add rule filter forward log
nft add rule nat prerouting log
nft add rule nat postrouting log
At this point, the router itself maintains connectivity to the internet via the LTE modem, but any incoming packets from the br-lan interface do not get properly masqueraded, and the lan side of the router cannot access the Internet since all packets from the lan side still hold the lan's source IP address, and are thus not externally routable.
ping www.google.com
PING www.google.com (172.217.9.4): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Syslog output
kern.warn kernel: [ 685.079875] IN= OUT=wwan0 SRC=172.16.0.237 DST=172.217.9.4 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=45659 PROTO=ICMP TYPE=8 CODE=0 ID=24842 SEQ=0