GL sft1200 opal on MSC cruise

SFT1200 in repeater-extender mode. This would not (just never) work on my wifi installations.

There is more than the TTL as a potential blocking factor.
When using repeater mode as extender (not as router) then you have potentially multiple DHCP IP addresses for one MAC address. My DHCP server will never lease more than one IP address on one MAC address. I could even (flag that MAC)/(trigger a script) when a second IP address is requested.

So the SFT1200 takes the first DHCP IP address, and the client device when in extender mode (pseudo bridge mode) will request a second IP address for the same MAC address. This will be refused, dropping the first assigned IP DHCP lease. Trying to connect without a DHCP lease will not work either, as the host router bridge will use "reply-only ARP" mode, not willing to fill the IP-ARP table by ARP requests/responses to/from clients, but only has the ARP table filled by the DHCP server with the "add ARP for Leases" option when a lease is handed out. Without an IP-ARP entry in the table there are no responses to be expected.

The repeater-router mode (aka WISP mode) is the only one that will work, as the host AP only sees one MAC and one DHCP request. Checking the TTL could be a problem, if the TTL check was implemented, like 4G and 5G mobile networks do, to prevent hotspot/tethering with mobile phones. 4G/5G subscriptions are cheaper if their use is limited to the phone only.
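
The host-side behaviour described in the post above, modelled as an added example that is not part of the original thread. The class, the `client_id` field used to tell the two requesters apart, and all addresses are hypothetical and constructed for illustration.

```python
class HostNetwork:
    """Toy model of the host side: one lease per MAC, reply-only ARP."""
    def __init__(self, pool):
        self.pool = list(pool)   # free addresses
        self.leases = {}         # mac -> (ip, client_id)
        self.arp = {}            # ip -> mac, written only when a lease is issued
        self.flagged = set()     # MACs that asked for a second address

    def dhcp_request(self, mac, client_id):
        held = self.leases.get(mac)
        if held and held[1] != client_id:
            # Second address on a MAC that already holds one: refuse,
            # flag the MAC and drop the first lease with its ARP entry.
            self.flagged.add(mac)
            ip, _ = self.leases.pop(mac)
            del self.arp[ip]
            self.pool.insert(0, ip)
            return None
        if held:
            return held[0]       # renewal by the same client
        ip = self.pool.pop(0)
        self.leases[mac] = (ip, client_id)
        self.arp[ip] = mac       # "add ARP for leases"
        return ip

    def answers(self, ip, mac):
        # Reply-only ARP: nothing is learned from client ARP traffic, so
        # only addresses with a lease-created entry get a response.
        return self.arp.get(ip) == mac

ROUTER_MAC = "02:00:00:00:00:01"   # constructed, locally administered
POOL = ["10.0.0.10", "10.0.0.11"]  # constructed

def extender_mode():
    net = HostNetwork(POOL)
    router_ip = net.dhcp_request(ROUTER_MAC, "router")
    laptop_ip = net.dhcp_request(ROUTER_MAC, "laptop")  # same MAC behind the pseudo bridge
    return {"router_ip": router_ip, "laptop_ip": laptop_ip,
            "router_reachable": net.answers(router_ip, ROUTER_MAC),
            "static_reachable": net.answers("10.0.0.11", ROUTER_MAC),
            "flagged": net.flagged}

def wisp_mode():
    net = HostNetwork(POOL)
    router_ip = net.dhcp_request(ROUTER_MAC, "router")  # clients stay behind NAT
    return {"router_ip": router_ip,
            "router_reachable": net.answers(router_ip, ROUTER_MAC),
            "flagged": net.flagged}
```
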

Thank you all for getting this to work! Are there any special options or configurations I need to do in order to connect to the MSC wifi or just connect to it like normal? (e.g.,

  1. Set router DNS to Automatic
  2. Connect router to wifi by repeater (will still have no internet)
  3. Open neverssl.com on a client device connected to the routers wifi
  4. Complete the captive portal page login/steps)?

Just like what you said, according to our debugging experience, there is nothing special; it is similar to a common captive portal.

Great, thank you!

I have the Beryl AX and just updated to the latest firmware.

Another question - if I have the Beryl clone my phone MAC address (after disabling privacy mode on the phone so it uses the true phone MAC), would I be able to use my phone connected directly to the MSC WiFi when I'm not using the Beryl for my other devices?

If the MT3000 has this issue, please upgrade the firmware to 4.7.0-op24 and repeat the 2.4G WiFi (MSC portal).

Please try these commands in the SSH of the router for temporary use:

mkdir -p /usr/share/nftables.d/chain-pre/mangle_prerouting
echo 'iifname sta0 counter ip ttl set 64' > /usr/share/nftables.d/chain-pre/mangle_prerouting/01-set-ttl-portal.nft
/etc/init.d/firewall reload

If the above operation still doesn't work, please execute the following command after the repeater is connected.

iptables -t mangle -A PREROUTING -i sta0 -j TTL --ttl-set 64

I'm sorry guys, but the steps are just for troubleshooting?
It's still not clear what the solution is.
I tried upgrading to 4.7.0-op24 but it doesn't seem to work for GL-SFT1200?
@bruce can you please help to clarify?
Many thanks!

Hi,

Is your GL model SFT1200?

This issue is repaired in the v4.7.2 firmware; it has improved, and there is no need to configure these commands.

Thank you Bruce. Yes, I am using SFT1200.
This is what I understood too; however, when I tried to update the software through the web interface it says I already have the latest version, which is 4.3.x. And I even tried to manually download 4.7.2 and upgrade it, but it just wouldn't let me :frowning:

What is the issue with the router not upgrading?

The beta v4.7.2 firmware has to be manually downloaded and uploaded to the 'local upgrade'.

https://dl.gl-inet.com/router/sft1200/beta

I'm not a GL customer currently, but am going on an MSC cruise in a couple of weeks, and will buy something from GL (to replace my existing travel router) before that specifically because you've worked to get around this issue.

It sounds like the GL-SFT1200 on 4.7.2 is good to go.

Ideally I would like better VPN performance than the Opal. It looks like the GL-A1300 also has 4.7.2 available. Would this work on MSC as well or should I stick with the GL-SFT1200?

Thanks to all who worked on getting around this.

Looking at the type of fix required, this would transfer to any other GL-iNet devices. Looking at the fix, the captive portal was sending its data with a Time-to-live of 1. Therefore the GL-iNet router would receive it, decrease the counter by 1. Then it would have a time-to-live of 0 and be dropped. This is normal behaviour to prevent traffic from infinitely looping around somehow. In this case this was done by MSC to prevent the usage of travel routers. (Rarely done though!)

The fix was simply to set the time-to-live to 64 again on inbound traffic from MSC to the GL-iNet router, so the router would continue to forward it to the connected device.

The data from the device connected to the GL-iNet router was already set up, so the router would be undetectable using the TTL. The connected device would send with a TTL of 64, and the router would decrease it by 1 (so it would be 63). At the last possible moment before the router sends it to MSC, it puts it back to 64 as if the router itself was sending that. Therefore MSC sees a TTL of 64, which it expects. Any lower and it is blocked to prevent travel routers.

These types of things are a bit of a cat and mouse game, but once you know what the systems are doing to prevent it, you can easily work around it.

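
The TTL handling explained in the post above, worked through on a real IPv4 header as an added example that is not part of the original thread. Addresses and function names are constructed, NAT is not modelled, and the example also shows that every TTL rewrite has to recompute the header checksum.

```python
import struct

def checksum(hdr: bytes) -> int:
    """RFC 791 header checksum; yields 0 over a header whose checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def set_ttl(hdr: bytes, ttl: int) -> bytes:
    """Rewrite byte 8 (TTL) and recompute the checksum in bytes 10-11."""
    body = hdr[:8] + bytes([ttl]) + hdr[9:10] + b"\x00\x00" + hdr[12:]
    return body[:10] + struct.pack("!H", checksum(body)) + body[12:]

def ipv4_header(src: bytes, dst: bytes, ttl: int) -> bytes:
    """Constructed 20-byte IPv4 header (no options, protocol 6 = TCP)."""
    raw = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0, src, dst)
    return set_ttl(raw, ttl)

def route(hdr, pre_ttl=None, post_ttl=None):
    """One hop through the router; returns the forwarded header or None if dropped."""
    if checksum(hdr) != 0:
        raise ValueError("bad header checksum")
    if pre_ttl is not None:
        hdr = set_ttl(hdr, pre_ttl)      # mangle prerouting: before the forwarding check
    if hdr[8] <= 1:
        return None                      # decrementing would reach 0: discarded
    hdr = set_ttl(hdr, hdr[8] - 1)       # normal forwarding decrement
    if post_ttl is not None:
        hdr = set_ttl(hdr, post_ttl)     # rewrite just before transmission
    return hdr

PORTAL = bytes([10, 0, 0, 1])            # constructed upstream address
CLIENT = bytes([192, 168, 8, 100])       # constructed LAN client address

def inbound(fixed: bool):
    """Portal -> client, arriving with TTL 1; returns the TTL the client sees."""
    out = route(ipv4_header(PORTAL, CLIENT, 1), pre_ttl=64 if fixed else None)
    return None if out is None else out[8]

def outbound(rewrite: bool):
    """Client -> portal, sent with TTL 64; returns the TTL seen upstream."""
    return route(ipv4_header(CLIENT, PORTAL, 64), post_ttl=64 if rewrite else None)[8]
```
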

This improvement has been synced to the firmware of all GL router models; just choose whichever one you like.

Thanks.


Great, thanks for confirming. I'll report back my results in Feb.

Edit: As long as firmware is greater than 4.7.2? So Beryl AX on 4.7.4 would be ok?

≥ v4.7.1 and all latest firmware.

Yes!