GL-X750 Bridge Mode

I’m considering using a Spritz as a 4G modem connecting to my existing router (replacing a poor FTTC connection). Is the function provided?

Also can I do this with the Spritz acting as an OVPN/WireGuard server at the same time?

Many thanks.

It certainly is something that can be configured, though you should consider a few things in making your decision.

Many LTE providers don’t allow for incoming connections. Just having what looks like a public IP address doesn’t mean that it accepts incoming connections!

If this is the case and you need to, for example, be able to SSH into your router or connect via VPN to your router from the outside, it may not be possible. This is not a hardware limitation, but one of the LTE provider. This can be worked around with a remote/public server “running in the cloud” as a rendezvous point that your router connects out to (with, for example, WireGuard), then you connect to from the outside.

Single-core, MIPS-based routers (the GL-X750 is one) cap out around 50 Mbps for WireGuard without SQM, and around 25 Mbps with SQM, not running anything else. If you’re managing an LTE modem and/or wireless, the limits are probably less. OpenVPN is comparatively “compute heavy”, so the limits are around 10 Mbps or less. This is a hardware class limitation, not something specific to the GL.iNet units.

That said, the GL-X750 is a solid unit with great firmware support and usability.

If you need higher-rate VPN, then you might want to consider a “dedicated” device in addition to the GL-X750. Multi-core, ARM-based devices are capable of around 200-250 Mbps for WireGuard without SQM, around 150 Mbps with SQM. OpenVPN is somewhere around 20 Mbps on this class of device. Getting significantly above that requires x86_64 hardware with AES-NI.

Dear Jeffsf,

I hadn’t realised that - I had assumed that you would just get a dynamic IP address and you could then use a DDNS service to find out the IP to connect to. I’ll do some more research on how the networks in the UK do addressing.

It appears that Vodafone in the UK do what you eloquently explained.

“The router is given a 10.x.x.x IP address which is part of the Vodafone NAT pool behind a 212.x.x.x gateway. You can’t therefore communicate with the router as it is hidden behind the gateway”

If anyone has any more experience of running a VPN with a 4G connection particularly in the UK I would be very interested to learn more.

It looks like I’m going to have to continue complaining to my ISP to get them to fix my upstream on my FTTC install!!

Many thanks,

Pseudonoise
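
A check for the situation described in the posts above (a 10.x.x.x address behind the operator's gateway), as an added example that is not part of the original thread: it classifies the address on the LTE interface and, optionally, compares it with the address a remote host sees. The function name, verdict strings and sample addresses are constructed for illustration.

```python
import ipaddress

# IPv4 ranges that can never receive unsolicited inbound connections
# from the internet (checked in order, first match wins).
NON_ROUTABLE_V4 = [
    ("carrier-grade NAT shared space (RFC 6598)", ipaddress.ip_network("100.64.0.0/10")),
    ("private space (RFC 1918)", ipaddress.ip_network("10.0.0.0/8")),
    ("private space (RFC 1918)", ipaddress.ip_network("172.16.0.0/12")),
    ("private space (RFC 1918)", ipaddress.ip_network("192.168.0.0/16")),
]


def classify_wan(wan_ip, observed_ip=None):
    """Return (verdict, reason) for the address on the LTE interface.

    wan_ip      -- address the operator assigned to the modem interface
    observed_ip -- address a remote host sees your traffic coming from
                   (optional; obtain it from any host you control)
    """
    wan = ipaddress.ip_address(wan_ip)
    if wan.version == 4:
        for label, net in NON_ROUTABLE_V4:
            if wan in net:
                return ("not-reachable", f"{wan} is in {label}")
    elif not wan.is_global:
        return ("not-reachable", f"{wan} is not a global IPv6 address")
    if observed_ip is not None and ipaddress.ip_address(observed_ip) != wan:
        # Public-looking address on the interface, but traffic leaves
        # from a different one: the operator is translating anyway.
        return ("not-reachable", f"traffic leaves as {observed_ip}, not {wan}")
    # Routable does not mean reachable: the operator may still drop
    # inbound connections, so this verdict still needs an inbound test.
    return ("routable-unverified", f"{wan} is routable; inbound may still be filtered")


if __name__ == "__main__":
    # Constructed sample addresses (documentation ranges, not real hosts).
    samples = [
        ("10.45.12.7", "203.0.113.20"),    # the case quoted in the thread
        ("100.72.3.9", None),              # RFC 6598 shared address space
        ("198.51.100.4", "203.0.113.20"),  # looks public, still translated
        ("198.51.100.4", "198.51.100.4"),  # public and untranslated
        ("fd00::1", None),                 # IPv6 unique local address
    ]
    for wan, seen in samples:
        print(wan, seen, classify_wan(wan, seen))
```

A `routable-unverified` verdict only rules out address translation; whether the operator filters inbound connections has to be tested from outside.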

As you’re thinking of using Vodafone UK, I’ll chip in here. I have a couple of X750s I’m very pleased with, which I use in place of wired xDSL connections, one at home and one at another site. (On the basis of this positive experience, I plan to deploy a bunch of the X1200s elsewhere once support is properly upstreamed as it already is for the X750.)

I’m running an image built from a local openwrt tree I use across all my installs — nothing exciting, just master with a handful of bug fix and cleanup patches that I’ve not got round to posting upstream yet. However, you don’t need to do this as the factory openwrt firmware works absolutely fine out of the box with a Vodafone uSIM.

The X750 also has a u-boot web-interface that lets you reflash using a standard openwrt squashfs-sysupgrade.bin file if you’re hacking around and manage to build and install an image that won’t boot. This makes it particularly convenient and forgiving for working on custom images.

Jeff is absolutely right about mobile operators and their fetish for carrier-grade nat; there’s also no IPv6 connectivity at all on Vodafone. More generally, you’ll be disappointed if you expect any technical proficiency from them as ISPs — I’ve had more convincing technical discussions with my cattle than with mobile network staff.

That said, they do provide a surprisingly reliable ‘dumb pipe’ which you can use to connect to greener pastures. For example, at the farm I use a Vodafone ‘unlimited max’ SIM (£27/month) and set up an (unencrypted) L2TP session to Andrews and Arnold (£10/month, highly recommended) who provide proper static IPv4 and IPv6 connectivity.

Even paying extra for the L2TP service, this works out cheaper than the slow 2Mbps ADSL available here. Our 4G/LTE coverage is good enough to give 60/30 Mbps down/up with roughly 35ms latency. (Amusingly, the latency to most sites is lower over the L2TP than without it, presumably because aa.net make the effort to peer properly.)

I don’t do any kind of crypto on the X750 and I completely agree that a 650MHz MIPS would be way underpowered if you tried to use it as an encrypted VPN endpoint. I’ve no performance complaints as a straightforward router though.

Edit: I don’t have any queue management running on those routers either, and SQM would push the cpu a bit harder, albeit nowhere near as much as doing software AES or similar. Queue management might be quite tricky to get right, in any case, as the link bandwidth in both directions can vary by as much as a factor of 1.5 during a typical day.

Thanks Chris that is a really interesting and informative post. Hadn’t realised A&A provided L2TP.

Out of interest do you know if all the UK Mobile operators use carrier-grade NAT?

As far as I know they’re all cgNAT for IPv4 connectivity, except for some small, specialist MVNOs — and those are probably a non-starter for broadband replacement because they have to pass on massive data charges compared to the c. £30/month for unlimited services on Vodafone and EE.

Vodafone has no v6 connectivity at all yet: heads planted firmly in the sand. Three were in the same boat, but apparently there’s some sign of v4+v6 addresses appearing for some customers, so possibly full roll-out is imminent?

I gather on EE you can request v4 and get cgNAT, or v6 and get a globally routable address. Mixed v4+v6 apparently doesn’t work, falling back to pure-v6. v6 users are supposed to use their NAT64 range instead, and they provide DNS64 recursive resolvers to make that reasonably transparent to mobile devices.

I strongly suspect those Three and EE v6 addresses will be firewalled to block inbound connections even though they’re publicly routable, but if anyone has working v6 on Three or EE, I would be interested to know for certain.

Hi Chris,

Just been reading about Nebula

It would “appear” to allow a VPN to be set-up between nodes (one or more) behind CGNAT. It requires a node “lighthouse” with a publicly accessible IP address - but that could just be a cheap VM at a cloud provider.

Might work out a lot cheaper than L2TP.

Perhaps you might like to try it out with your kit and share the results? :wink:

Regards,

Pseudonoise

Hi. I don’t think elaborate mesh VPNs buy you anything interesting here; you’re just adding unused complexity unless you also want the cryptographic encapsulation they provide.

To get public v4 and v6 addresses, you’ll definitely need to route them to an internet-connected host somewhere, which you connect to yourself over the cgNAT link. You’re quite right that this can be address space and a host you manage yourself if you prefer, instead of a paid transit provider like he.net or aa.net.uk.

But once you have that public gateway, I’d suggest using the simplest, lightest encapsulation you can. Unencrypted l2tp isn’t a crazy choice for that.

[I’m using aa.net.uk because they have no connection to any infrastructure or hosts I manage - so they’re less likely to break at the same time as I need to fix an outage elsewhere! I should say that I’m not doing any kind of VPN between networks either, which might change your priorities; I’m only interested in internet-facing connectivity.]

How can it be configured? My provider is giving me a public IP directly and I would like to get it directly.

I’m not seeing the answer here. I have an Orbi mesh router and would like to use the GL-X750 just as the modem. I don’t have the modem yet, it arrives Thursday replacing a Netgear LB1120.