Change outgoing TTL

In firmware 3.212 you can set up TTL.
In firmware 3.215 you can set up MTU.

Here is a screenshot of 3.215.

This only applies to the modem section.

I have a US ISP that charges $20 for an “unlimited” LTE plan (they say they’ll throttle you after ~50GB but I haven’t really seen that) that’s supposed to be for tablets only. If you put that SIM in a hotspot, any devices connected to the HS have a TTL of > 64, so packets are dropped down to 128KBit/sec.

So I have rules in my “Custom Firewall” that increase the TTL (for TCP only, IIRC) to 65 for both IPv4 and IPv6. So far, so good. I spend a lot of time on the road so it’s invaluable to me.

If standard tethering is working for you, then yeah, you won’t need such workarounds.

So I just go to http://192.168.8.1/cgi-bin/luci/admin/network/firewall/custom and then add the rule:

iptables -t mangle -I POSTROUTING 1 -j TTL --ttl-set 65

At the very end of the file? Then I restart the firewall by going to http://192.168.8.1/cgi-bin/luci/admin/status/iptables and clicking “restart”?

How do I know if this works? And is this appropriate for a Wireguard client at the router level?

Is this only useful for tethering the router through a phone or will this help on hotel networks as well?

Well, you don’t need to restart the firewall, once you hit “Save” it adds the rule(s) automatically.

But to your other questions, I’m not sure you understand what this is for: it’s only for one specific case where your LTE ISP uses your TTL to determine if you’re tethering or not. If you don’t have this particular use-case, this won’t help you at all.

Why 65 rather than 64? This is postrouting, so aren’t most carriers expecting 64?

The idea is that the carriers are looking for “TTL of 63 (or less?)” vs. any other TTL value; what they’re trying to do is determine if you’re tethering, and most smartphones and hotspots add a hop so you end up presenting a TTL of 63 to the carrier, which then blocks/downgrades you.

So yes, if you’re using a (USB) dongle, then yeah, there’s not another TCP layer in the way most times and you can set it to 64+, but if you’re using a phone/hotspot/etc. then you need to make it 65. Since the carriers only care if you’re sending them a TTL <= “63”, it just covers all use cases to make it “65”.

Using TCL phone>Shadow Router

If using the code to remove the speed cap, will I still be able to hook up my other hotspot through T-Mobile?

T-Mobile Hotspot>Shadow Router (Still Using the TTL mod)

I don’t want to try this if I can’t switch over to using my Tmobile hotspot & have issues.

Thanks for any info!

EDIT: Tested & this code doesn’t seem to affect my T-Mobile hotspot but more testing needed.

Potential TTL leak?

I had been using GL.iNet Puli with T-Mobile, TTL modded. I also use the Puli device as VPN client to connect to VPN servers hosted at my house.

Lately, when I turn on VPN on Puli, speed reduces to 500 KB/s. Somehow, when using Puli in VPN client mode, it gets throttled by T-mobile. Without VPN, it reports TTL of 65 and works fine. With VPN on, it reports TTL of 58. Is this a recent bug in Puli/Mudi? TTL override doesn’t seem to apply to VPN traffic.

You can fix this in advanced firewall settings. You need to set the TTL for the VPN interface. A shortcut is just to set the TTL for all interfaces. In Firewall/Custom Rules add:

iptables -t mangle -I POSTROUTING -j TTL --ttl-set 65
iptables -t mangle -I PREROUTING -j TTL --ttl-set 65
ip6tables -t mangle -I POSTROUTING -j HL --hl-set 64
ip6tables -t mangle -I PREROUTING -j HL --hl-set 64

(Change values per your carrier’s requirements). This won’t work on the beta firmwares that have switched from iptables to nft’s.

You should see your ping on all interfaces match this value.

T-Mobile (and AT&T) use IPv6, so the hoplimit on those should be “65” as well.

But I have another set of rules, and these don’t break things like “traceroute” (i.e., you only want to mess with TCP and UDP):

iptables -t mangle -D POSTROUTING -j TTL --ttl-set 65 -o eth1 ! -p icmp
ip6tables -t mangle -D POSTROUTING -j HL --hl-set 65 -o eth1 ! -p icmpv6
iptables -t mangle -A POSTROUTING -j TTL --ttl-set 65 -o eth1 ! -p icmp
ip6tables -t mangle -A POSTROUTING -j HL --hl-set 65 -o eth1 ! -p icmpv6

(the “! -p ” leaves ICMP alone, and you can make entries for each outgoing WWAN interface, and the “-D” entries up top are in case the network changes, as it re-evaluates the filter rules so starts them fresh).
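
An added example, not part of the thread: one way to check what a mangle rule is actually doing is to capture on the WAN interface and tally the TTL/hop limit of each packet leaving it, per protocol. The sample lines are constructed, modelled on `tcpdump -v -n -i eth1` output; the function names and the default expected value of 65 are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample modelled on `tcpdump -v -n -i eth1` output (not a real capture).
# IPv4 header fields sit on their own line; IPv6 fields share the line with the addresses.
SAMPLE = """\
12:00:01.000001 IP (tos 0x0, ttl 65, id 4660, offset 0, flags [DF], proto TCP (6), length 60)
    10.64.0.2.51512 > 198.51.100.7.443: Flags [S], seq 1, win 64240, length 0
12:00:01.000200 IP (tos 0x0, ttl 65, id 4661, offset 0, flags [DF], proto UDP (17), length 76)
    10.64.0.2.40000 > 198.51.100.9.53: 1+ A? example.com. (30)
12:00:01.000300 IP (tos 0x0, ttl 63, id 4662, offset 0, flags [DF], proto ICMP (1), length 84)
    10.64.0.2 > 198.51.100.7: ICMP echo request, id 1, seq 1, length 64
12:00:01.000400 IP (tos 0x0, ttl 58, id 4663, offset 0, flags [none], proto UDP (17), length 176)
    10.64.0.2.51820 > 203.0.113.5.51820: UDP, length 148
12:00:01.000500 IP6 (flowlabel 0x1a2b3, hlim 65, next-header TCP (6) payload length: 40) 2001:db8::2.51514 > 2001:db8::7.443: Flags [S], seq 1, win 64800, length 0
"""

# Matches only packet header lines; indented continuation lines do not match.
HEADER = re.compile(
    r"^\S+ (?P<fam>IP6?) \(.*?\b(?:ttl|hlim) (?P<ttl>\d+),"
    r".*?\b(?:proto|next-header) (?P<proto>\w+) \(\d+\)"
)

def egress_ttls(capture):
    """Return {(family, proto): {ttl: packet_count}} for every packet header seen."""
    seen = defaultdict(lambda: defaultdict(int))
    for line in capture.splitlines():
        m = HEADER.match(line)
        if m:
            seen[(m["fam"], m["proto"])][int(m["ttl"])] += 1
    return {k: dict(v) for k, v in seen.items()}

def off_target(capture, expected=65, ignore=("ICMP", "ICMPv6")):
    """List (family, proto, ttl, count) for packets whose TTL differs from `expected`.

    ICMP is ignored by default because the rules above exclude it with `! -p icmp`.
    """
    out = []
    for (fam, proto), ttls in sorted(egress_ttls(capture).items()):
        if proto in ignore:
            continue
        out += [(fam, proto, t, n) for t, n in sorted(ttls.items()) if t != expected]
    return out

if __name__ == "__main__":
    for fam, proto, ttl, n in off_target(SAMPLE):
        print(f"{fam} {proto}: {n} packet(s) left with TTL/hop limit {ttl}")
```

In the constructed sample the one flagged flow is the UDP packet to port 51820 with TTL 58, i.e. traffic that no rewrite rule touched before it left the interface.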

Thanks. Question: Do these settings go under VPN Server (at home) or VPN Client? Or, both?

Can’t wait to try this.

@ericsmith @kennethrc - neither of the 2 suggestions worked on Puli to avoid throttling.

The moment I use Puli’s router with VPN on, it’s throttled down to 200kb/s. To avoid this, I’m using Puli for LTE and velcro it to Beryl Router with VPN and TTL mod and everything works - no throttling.

I just can’t seem to be able to use Puli as intended with LTE + Router/VPN and not get throttled. There’s a TTL leak somewhere or some other setting is needed. Please see some of these links and let me know if you have any ideas:

That’s weird. I use those exact iptables entries on my Spitz when using it with T-Mobile on gl-inet 3.2.16. I haven’t tested the Spitz combining LTE and a VPN connection yet. However, I solely use wireguard for VPN and can say that with other OpenWRT-based routers (I have a number of WG1608’s running Rooter) that I have no issues with throttling when combining LTE and a wireguard connection. The T-Mobile TTL of 65 and HL of 64 I posted above are what I use, YMMV.

There is a caveat that those other routers I’ve had LTE+VPN success on are running a newer OpenWRT 22 or 23-based operating system. Those newer versions use nftables as the primary firewall, and controlling TTL is a little different there. If you’re running one of the gl-inet 4.+ betas on your Puli you’re likely running into that issue as they are also based on new OpenWRT versions that deprecate iptables so those entries won’t do the job.

If you’re running a gl-inet 4.0+ beta on your Puli and can start from scratch on the firewall stuff I can post my nft stuff that I use successfully on OpenWRT 22 or 23-based routers w/ LTE connections and wireguard VPN. I don’t believe that anything is different if you’re using OpenVPN or ipsec or other VPN, but I can’t speak from experience whether it will/does work with any VPN option other than wireguard.

My Puli is on 3.217. I haven’t tried any beta firmwares, but I can experiment. I think when using VPN installed on Puli device, it’s bypassing some Network\Firewall\Custom rules and getting throttled.

When it comes to firewall stuff it’s easier to stick with the 3.2 series, once you move to 4 you need to start working with nftables instead. Can you post the output from
iptables --table nat --list
and
iptables --table mangle --list

Sanitize if you feel that there’s anything that is private. That should help figure out where you’re getting throttled.

Can you append -v to the end of each of those (for verbose)? Thanks!

These are settings I use on the client side (so my router that is logging in to the VPN “server”)

Please find attached. I masked my VPN Server IP. I attached 2 data sets. 1 where Puli is used as modem+VPN tethered to T-mobile device. No throttling in this scenario. 2nd scenario is where Puli is used for LTE+modem+VPN. Heavy throttling in this 2nd scenario that I’m trying to fix.

Thanks for your help.

Puli-datasets.zip (462.5 KB)

When you say Puli is used as modem + VPN tethered which of these are you meaning?

Puli using internal VPN Client ----> Internet or
Puli ------> Separate Device as VPN Client ------>Internet

(Puli using internal VPN client) -------tethered to T-mobile device (phone/hotspot).

That’s the core of my issue. If LTE and VPN are on the same device (such as Puli), I get throttled. If I use LTE on T-Mobile phone and VPN on Puli, I’m fine. I’m also fine if I use LTE on Puli and then VPN on Beryl router.