MT3000 - first trip, first impressions

I was hoping this was the one, and it may yet get there but boy howdy was this first trip a wreck.

I travelled to Washington DC (Crystal City) to visit family and stayed at a Marriott hotel in the area. We weren’t in the room a lot, but every morning and evening I fought the MT3000 to try to get it working, and never succeeded. As a bit of background, this is not my first rodeo - I’ve travelled with GL.iNet projects for years, going back to the 6416. I do network-related stuff as part of my job, so I’m not somebody who doesn’t understand how this stuff works or how to get it to work.

I started the trip on 4.1.2 with, as is my practice, both an OpenVPN and WireGuard profile available to 2 servers. I was able to connect to the hotel network and hold a steady ping to an outside server, but as soon as I engaged either VPN from the router, things completely fell apart. 50% lost pings. WireGuard was slightly better than OpenVPN, but neither were usable. Disconnect VPN and everything was fine. Connect VPN from my laptop to the same servers (OpenVPN), no issues. Just the MT3000.

Ok, maybe it’s a stock firmware problem. The MT3000 just got support in gl-infra-builder, let me spin a build there. Doesn’t work. At all. Refuses to connect to the hotel network no matter what I tried.

Back to stock, this time 4.2 beta 2. Perhaps I can use Tailscale, if it’s fixed. At first things look good. I’m able to connect to the hotel network, I’m able to get Tailscale up and running, but exit nodes aren’t working. Ok, whatever. At this point I had to leave for the day. Checked in a couple of hours later and it was still connected. Get back to the hotel that evening and it’s disconnected from the hotel network. Now just like the gl-infra build, I am completely unable to connect to the hotel network. Full reset. No change.

Check the next morning, it looks like GL has pushed an update to the infrabuilder. Maybe that’s the fix for the bug I’m encountering. Spin a new gl-infra build, put it on the router. No dice. No connection. Back to 4.2.

Again able to connect to hotel internet. Import an OpenVPN connection. Unable to connect (again, able to connect no problem on my laptop, whether behind the MT3000 or directly connected to hotel wifi). Try to abort the MT3000 OpenVPN connection. Clients lose all connectivity, though the MT3000 can still see all sites.

At that point it was close to time to pack up to go to the airport and I just gave up.

Not a great beginning.

The good news is that these all seem like software problems. The bad news is that there were so many of them on this run that I have zero confidence in taking the MT3000 on my next trip a week from tomorrow. I’m not entirely sure what I’ll choose, and I’ll probably throw the MT3000 in my suitcase, but I certainly won’t be relying on it.

Hoping for better in the future.

My mt3000 ‘wg client’ works

I have 2 router wg server setup at 2 different places

I tried connecting to them via 2 different Telco cellular data

Telco 1 can let me wg to server location 1 and 2

Telco 2 only lets me wg to location 1

So maybe you can try with more locations or ISPs.

Marriot sound like a big chain that will do anything to block wisp/VPN connections

I spend between 50-75 nights a year on the road, and don’t frequently encounter these issues. Occasionally a specific hotel will block WG but not OVPN, or vice versa. But in this case, as I mentioned, the exact same connections to the exact same servers worked from my laptop but not from the MT3000, so it’s not some sort of throttling or traffic shaping on the hotel side.

I will admit I was surprised at this outcome, because all my tests from my house (including to the servers I tried to access at the hotel) worked pretty well.

And respectfully, major chain hotels are more than happy to pass whatever traffic you want, especially when you’re paying them $16/night for internet.

Can you try using a wifi 6 phone to connect to the hotel and then hotspot it to your mt3000 ? See what happens

The wifi6 Android phones nowadays can enable both wifi and hotspot wifi at the same time

As stated in my post, I’m already back home. If I’d had more time to debug, perhaps I would have tried that. If I get time over the next couple of days I may try to see if I can get it to connect to random networks I set up here, but I’ll probably wait for beta 3 (or gl-infra equivalent) since there are known bugs in beta 2.

What was your ‘custom DNS’ settings? I know some places block you if you insist cloudflare or enabled encrypted dns

Look, I know you’re trying to be helpful here. At the same time, I really do know what I’m doing, and the main of issues I had (i.e. getting connected to the network in the first place) don’t have anything to do with DNS. Moreover, all of the VPN configs are to servers I control, and the IP addresses are hard-coded, which also makes DNS a non-issue.

Also, please note that as I said in the original post I was working both with a freshly-reset stock build (i.e., no custom DNS), and with a gl-infra-build (which doesn’t have encrypted DNS built in).

My bigger point is that this kind of functionality is kind of table stakes for this product. I may have a Ph.D. in Electrical Engineering, but my father can barely spell Mediatek and certainly isn’t going to spend the time to tether the router to the phone. This is the kind of stuff that just has to work (and generally does on GL.i devices).

So your wireguard (and OpenVPN) is seperately installed and not the one built in the usual gl firmware ?

I don’t know what you mean by that. If you’re referring to configurations, yes - I have my own servers and refer to them by IPs in the configs, both on WireGuard and OpenVPN.

If you’re referring to the actual code, since WireGuard was added to the Linux kernel in 5.6, and given that the infra build is using the same 5.4.211 kernel that the betas are that the WG module is functionally identical between the two - and I’m not really sure how you would change that. I assume they are roughly the same OpenWrt vintage of WireGuard code (GL.iNet hard codes specific commits into gl-infra-builder for packages), but I have no way of knowing how closely that matches with what they build in stock firmware.

Oops you are right they are built in now

And also to be clear - I could get both OpenVPN and WireGuard to connect and pass traffic. It’s just that packet loss went from 0% to ~50% when they were connected. I did not experience similar issues with Tailscale (or with OpenVPN to the same server with the same config from a laptop connected behind the MT3000).

OK thanks for replying, I’ll stop shooting random possible causes😅

In fairness, I think there are some unusual circumstances - this was an area with a huge amount of active hotspots - probably 50 or more. It’s basically Washington DC where a hotel might legitimately be a little more careful about things. I didn’t get a chance to fully run things to ground because I wasn’t there as much as I might usually be, etc.

But again, this was not an experience that left me encouraged. Some of the problems are/were on the firmware side (e.g. known WiFi issues that likely contributed to connection problems / resets / ???). Other problems were related to GL.iNet’s own firmware shortcomings (e.g., exit nodes not working in Tailscale). Others were related to the MT3000 not really being ready for building in the gl-infra-builder due to the custom way the Mediatek wireless drivers (were/are) being used.

I think this is all stuff that will be fixed in the long run, but my point in posting here is that I’m worried that there’s a lot more to fix before this thing hits the general public than I thought on Wednesday when I put the MT3000 in my bag to take on this trip. I expected it to more or less “just work” and boy oh boy did it not.

Can you let me know which Marriott hotel exactly?

I am around and may go there and have a check.

Marriott Crystal Gateway

1. I also think this is the core functionality and needs to be sorted.
2. It would be interesting if you could take a second device and do a side by side compare. I was having very similar problems with my MT1300 on the 4.1 beta (3.215 was fine) but it will take a while to recover it from Luggage Limbo so I can do it. My early tests with MT3000 weren’t showing Openvpn/WG difficulties, but I need to drill down more like you did. I am having some connection difficulties though (which may be AIMesh related and not MT3000).
3. One of the advantages of Merlin on the Asus routers is the ability to do a second openvpn server. I have one set up on TCP/443 to call on when I run into issues with my principal openvpn UDP server on a nonstandard/nondynamic port.

Forgot to mention this - had an MT1300 right next to the MT3000 (on a stock OpenWrt build) that worked perfectly.

Well!! You buried the lede!

By chance was it on the 4.1 beta?

MT1300 was on a custom vanilla OpenWrt builds (but back on the 5.10 kernel)

One year later, finally I come to this hotel - Crystal Gateway Mariott.

They have a open SSID - MarriottBonvoy_Guest. As I stayed in another Mariott hotel and I have this SSID stored in my router. The wifi and portal for different Mariott hotels are a little different though.

I am using AXT1800 and everything go smoothly.
Repeater connects fine.
Wireguard and openvpn connect fine. Have good speeds.

But MT3000 with stock firmware 4.5.16 does not connect to the hotel wifi, for some reason. I cloned a mac address that has already been authenticated and it works OK. But the whole process is not good.

I have a new firmware under testing and it works fine. I have one more day to test and will report later.