GL-X3000 T-Mobile 5G SA Setup Issues - WireGuard Custom Rules

I’ve been working on setting up my GL-X3000 to run on T-Mobile 5G SA only, and I’ve encountered some challenges. Here’s the situation:

  • I’m getting a valid IPv6 address without any issues.
  • However, on the IPv4 side, I’m assigned the address 192.0.0.2, with a gateway of 192.0.0.1. This differs from my experience with 5G NSA (I get a valid IPv4 on the CGNAT, but I’d prefer to use SA).
  • Some functionalities on the IPv4 stack are not working as expected, such as GlobalProtect, Wi-Fi calling, and pinging certain IPv4 addresses.

To address this, I’ve come up with a workaround using a WireGuard Profile with split access for IPv4. Here’s how I’ve configured it:

  • I’ve utilized the “Customize Routing Rules” setting, as other settings seem to negatively impact my IPv6 connectivity.
  • Initially, I tried a single rule of 0.0.0.0/0 through the WireGuard gateway. Strangely, I kept getting a T-Mobile IPv4 public address, which was unexpected.
  • Currently, I have 3 custom rules enabled: 0.0.0.0/1, 128.0.0.0/2, 192.0.0.0/3. These rules cover all public IPv4 addresses on the internet.
  • When I tested on ipleak.net, I saw my IPv4 ISP as Cloudflare and my IPv6 ISP as T-Mobile, using Cloudflare WARP. This setup has resolved most of my IPv4-related issues; in addition, WireGuard with WARP handles network routing more efficiently.

However, I’m facing a challenge with Hulu. Despite the success of WireGuard and WARP for most sites, Hulu doesn’t seem to cooperate. Here’s what I’ve tried:

  • I created an additional custom rule for Hulu’s IPv4 address blocks to the main gateway, but that didn’t work.
  • I raised the metrics of the other target IPv4s and entered a lower metric for the Hulu IPv4 with the main gateway; that didn’t work.
  • I also attempted custom Luci firewall rules without success.

I’m reaching out to the for assistance. Has anyone encountered a similar situation or found a solution to this problem?

2 Likes

Oh, it’s a bit complicated. Many aspects get involved.
How do you configure rules for Hulu? Does Hulu use IPv4 or IPv6?
What is the WireGuard service provider?

Great idea to make these functionalities work by using WireGuard.

The WireGuard service provider is CloudFlare WARP. https://cloudflarewarp.com.

  • The advantage is that although it is a VPN, the idea is not to mask your location, and it allows for hopefully more efficient routing through their network. It has also allowed me to bypass the CGNAT issues by using the IPv4 stack only.
  • I have tried two different ways:

    1. I have created an executable script that I can configure with either hostnames or CIDR blocks, and when “wgclient” is up it can add the routes by resolving the IPv4 using ‘dig’, and it loops in case a hostname has multiple IPv4s. I have done the same if a user wants to configure with CIDR blocks. I am still working on optimizing the script and automating it. But this seems to be the way to go since it just forces the hostnames to resolve, adds them to the route, and does not get overwritten by any other automated scripts.

    2. I have also tried to configure ‘DNSMASQ’ to utilize the default DNS resolution server for the hostnames. In doing so, while connected to the VPN, when the hostnames are requested, they are not resolved by the VPN. However, due to the other configurations and scripts that are run, I think dnsmasq.conf is being overwritten and restarted each time wgclient is up/down, and is not utilizing the changes I’ve made in /etc/dnsmasq.conf.

The Hulu issue arises when I am only trying to watch with my RokuTV which does not use IPv6. I do not have these issues with any other device that utilizes IPv6 as most devices favor that with the fallback being IPv4.

Here is the script I have written to add custom hostnames and IPs or CIDR blocks:

#!/bin/sh

# Host names to add to the routing table, one per line.
# Put only host names between the quotes: a '#' inside a quoted string
# is not a comment and would be passed to dig as a name.
HOSTS="
"

# Custom CIDR blocks to add to the routing table, one per line
# (same rule as above: only CIDR blocks between the quotes).
CUSTOM_CIDR_BLOCKS="
"

# Network interface name (change to your actual interface name)
BRIDGE_INTERFACE="rmnet_mhi0"

# ACTION and INTERFACE are read from the environment
# (OpenWrt sets them for scripts in /etc/hotplug.d/iface/).
case "$ACTION" in
        ifup)
                if [ "$INTERFACE" = "wgclient" ]; then
                    # Add routes for specified host names
                    if [ -n "$HOSTS" ]; then
                            for host in $HOSTS; do
                                    # dig may return several addresses (and CNAME names) per host
                                    for ip in $(dig +short "$host"); do
                                            # Check if the IP address is IPv4
                                            if echo "$ip" | grep -E -q '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'; then
                                                    ip route add "$ip" dev "$BRIDGE_INTERFACE"
                                            fi
                                    done
                            done
                    else
                            echo "No hosts specified. Skipping."
                    fi

                    # Add routes for custom CIDR blocks
                    if [ -n "$CUSTOM_CIDR_BLOCKS" ]; then
                            for cidr_block in $CUSTOM_CIDR_BLOCKS; do
                                    ip route add "$cidr_block" dev "$BRIDGE_INTERFACE"
                            done
                    else
                            echo "No custom CIDR blocks specified. Skipping."
                    fi
                fi
                ;;
        ifdown)
                # Delete routes for specified host names
                if [ "$INTERFACE" = "wgclient" ]; then
                        if [ -n "$HOSTS" ]; then
                                for host in $HOSTS; do
                                        # Names are resolved again here, so only currently returned addresses are deleted
                                        for ip in $(dig +short "$host"); do
                                                # Check if the IP address is IPv4
                                                if echo "$ip" | grep -E -q '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'; then
                                                        ip route del "$ip" dev "$BRIDGE_INTERFACE"
                                                fi
                                        done
                                done
                        else
                                echo "No hosts specified. Skipping."
                        fi

                        # Delete routes for custom CIDR blocks
                        if [ -n "$CUSTOM_CIDR_BLOCKS" ]; then
                                for cidr_block in $CUSTOM_CIDR_BLOCKS; do
                                        ip route del "$cidr_block" dev "$BRIDGE_INTERFACE"
                                done
                        else
                                echo "No custom CIDR blocks specified. Skipping."
                        fi
                fi
                ;;
esac

In the process, I was able to figure out all the host names to get Hulu to work properly while connected to the VPN:

ads-a-darwin.hulustream.com
ariel.hulu.com
assets.huluim.com
assetshuluimcom-a.akamaihd.net
auth.hulu.com
cdn-media.brightline.tv
cws.conviva.com
discover.hulu.com
doppler.hulu.com
emu.hulu.com
guide.hulu.com
home.hulu.com
http-a-darwin.hulustream.com
http-fa-darwin.hulustream.com
hulu.com
hulu.hb-api.omtrdc.net
hulu.playback.edge.bamgrid.com
ib.hulu.com
img.hulu.com
img1.hulu.com
img2.hulu.com
img3.hulu.com
img4.hulu.com
live-mediashield-ava-hulustream-com.akamaized.net
livem-ftc-na.media.hulustream.com
play.hulu.com
t2.hulu.com
vodmanifest.hulustream.com

So this is where I’m at right now: I am running on T-Mobile 5G SA with Cloudflare WARP, all IPv4 traffic is being routed through Cloudflare, and all IPv6 traffic is being routed through T-Mobile. All devices that are restricted to IPv4 are working flawlessly, as are the devices that have access to IPv6. I am no longer being impacted by the CGNAT issues from the IPv4 address of 192.0.0.2.

1 Like
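
How per-host routes like the ones the script installs sit next to the three custom rules, as an added example that is not part of the original thread: a longest-prefix-match lookup over a constructed route table, which is a useful check for which destinations leave through the tunnel and which bypass it. The table is an assumption (203.0.113.10 is a documentation address standing in for one resolved host), and the model covers prefix length only, not metrics or policy-routing tables.

```shell
#!/bin/sh
# Added example: longest-prefix match over a constructed route table.
# The three wgclient prefixes are the custom rules quoted in the thread;
# 203.0.113.10 is a documentation address standing in for one resolved host.
ROUTES="
0.0.0.0/1 wgclient
128.0.0.0/2 wgclient
192.0.0.0/3 wgclient
203.0.113.10/32 rmnet_mhi0
"

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Print the device of the most specific route containing $1, or "none".
egress_dev() {
    dst=$(ip_to_int "$1")
    best_len=-1
    best_dev=none
    while read -r prefix dev; do
        [ -n "$prefix" ] || continue
        len=${prefix#*/}
        net=$(ip_to_int "${prefix%/*}")
        # Netmask for this prefix length (a /0 would have mask 0)
        mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
        if [ $(( dst & mask )) -eq $(( net & mask )) ] && [ "$len" -gt "$best_len" ]; then
            best_len=$len
            best_dev=$dev
        fi
    done <<EOF
$ROUTES
EOF
    echo "$best_dev"
}

# Show the egress device for a few constructed destinations.
for d in 8.8.8.8 172.16.0.1 203.0.113.10 203.0.113.11 224.0.0.1; do
    echo "$d -> $(egress_dev "$d")"
done
```

On a live router, `ip route get <address>` reports the kernel's actual choice for a destination, including any policy rules this model leaves out.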