Difference between revisions of "Use Cell Phone As LAN Gateway"
Line 12: | Line 12: | ||
Connect the Pi to the existing LAN and access it via ssh. | Connect the Pi to the existing LAN and access it via ssh. | ||
− | Install your public key in <code>/home/pi/ | + | Install your public key in <code>/home/pi/.ssh/authorized keys</code> |
After confirming that access using your public key works, modify <code>/etc/ssh/sshd_config</code> to prohibit logins using passwords by uncommenting <code>PasswordAuthentication no</code> | After confirming that access using your public key works, modify <code>/etc/ssh/sshd_config</code> to prohibit logins using passwords by uncommenting <code>PasswordAuthentication no</code> |
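Review bot: the added line gives the key file as /home/pi/.ssh/authorized keys, with a space where sshd's default file name has an underscore. A key saved under the name as written will not be read, so the later step that turns off password logins could lock the reader out. Suggest writing the path as /home/pi/.ssh/authorized_keys.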
Revision as of 16:31, 24 February 2021
I'd like to use my cell phone's data connection to back up my cable modem. In other words, when the cable goes out, I want to be able to switch my main house router over to using my cell phone as its WAN network provider.
Like most, my cell phone has both wifi hotspot and USB tethering capabilities. My house router cannot make use of either of these. My solution, then, is to use a Raspberry Pi computer as an intermediate, "stacked" router in between my cell phone and my house router. The router's WAN port is connected to the Pi's ethernet port and the cell phone is tethered to one of the Pi's USB ports.
No changes are required on the cell phone, other than turning on the USB tethering feature. No changes are required on my router. It will pick up its connection details from a DHCP server running on the Pi. All that's required is to properly configure the Pi.
Contents
- 1 Install Raspbian
- 2 Set up sshd for remote access
- 3 Upgrade and install additional packages
- 4 Disable unnecessary network ports opened by avahi-daemon
- 5 Configure the ethernet port with a static address
- 6 Configure and start the isc-dhcp-server
- 7 Prevent ssh access to the Pi from the internet
- 8 Start the dnsmasq service
- 9 Set up forwarding in the kernel
- 10 Create firewall script
- 11 Testing the router
- 12 Using the router
Install Raspbian
I installed the "Lite" version of the Raspbian distribution.
Set up sshd for remote access
Connect the Pi to the existing LAN and access it via ssh.
Install your public key in /home/pi/.ssh/authorized_keys
After confirming that access using your public key works, modify /etc/ssh/sshd_config to prohibit logins using passwords by uncommenting PasswordAuthentication no
Upgrade and install additional packages
sudo apt update
sudo apt upgrade
sudo apt install isc-dhcp-server dnsmasq vim dnsutils
Disable unnecessary network ports opened by avahi-daemon
sudo systemctl stop avahi-daemon
sudo systemctl disable avahi-daemon.socket
sudo systemctl disable avahi-daemon
Configure the ethernet port with a static address
/etc/dhcpcd.conf
Leave the defaults in this file as is. Add a static address definition for the eth0 port:
interface eth0
static ip_address=10.254.239.1/24
Configure and start the isc-dhcp-server
/etc/default/isc-dhcp-server
Set INTERFACESv4="eth0"
/etc/dhcp/dhcpd.conf
default-lease-time 600;
max-lease-time 7200;
ddns-update-style none;
authoritative;

subnet 10.254.239.0 netmask 255.255.255.0 {
  range 10.254.239.20 10.254.239.254;
  option broadcast-address 10.254.239.255;
  option routers 10.254.239.1;
}
Enable and start the isc-dhcp-server systemd service.
Prevent ssh access to the Pi from the internet
Modify /etc/ssh/sshd_config and set ListenAddress 10.254.239.1
Start the dnsmasq service
No configuration changes are required. Enable and start the dnsmasq systemd service.
Set up forwarding in the kernel
/etc/sysctl.d/97-dlk-router.conf
net.ipv4.ip_forward=1
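Then do sudo sysctl -p /etc/sysctl.d/97-dlk-router.conf (run without a file argument, sysctl -p loads only /etc/sysctl.conf).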
Create firewall script
/etc/network/if-pre-up.d/iptables
#!/bin/sh

# Set up rules for a router that tethers my cell phone
# and acts as a replacement for the cable modem in my
# network when the cable goes out.
#
# There's wide open flow between the cell phone interface
# and the ethernet interface. We're only concerned about
# blocking external access to services on the router itself.

# usb0: the tethered cell phone
IF=usb0

# Set up masquerading in the nat table
/usr/sbin/iptables -t nat -F
/usr/sbin/iptables -t nat -P PREROUTING ACCEPT
/usr/sbin/iptables -t nat -P INPUT ACCEPT
/usr/sbin/iptables -t nat -P OUTPUT ACCEPT
/usr/sbin/iptables -t nat -P POSTROUTING ACCEPT
/usr/sbin/iptables -t nat -A POSTROUTING -o $IF -j MASQUERADE

# Completely open access on all interfaces
/usr/sbin/iptables -F
/usr/sbin/iptables -P INPUT ACCEPT
/usr/sbin/iptables -P FORWARD ACCEPT
/usr/sbin/iptables -P OUTPUT ACCEPT

# Block inbound ssh, dns, and dhcp traffic from the internet just
# to be safe (the daemons should already be ignoring these ports)
/usr/sbin/iptables -A INPUT -i $IF -p tcp --dport 22 -j DROP
/usr/sbin/iptables -A INPUT -i $IF -p tcp --dport 53 -j DROP
/usr/sbin/iptables -A INPUT -i $IF -p udp --dport 53 -j DROP
/usr/sbin/iptables -A INPUT -i $IF -p udp --dport 67 -j DROP
/usr/sbin/iptables -A INPUT -i $IF -p udp --dport 68 -j DROP
Then do chown 0:0 /etc/network/if-pre-up.d/iptables and chmod a+x /etc/network/if-pre-up.d/iptables. Run the script.
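Because the script leaves the INPUT policy at ACCEPT and drops only five proto/port pairs on usb0, any other listener on the Pi stays reachable from the phone side. The check below is an added example, not part of the original page: it reads ss -H -tuln output and lists sockets that no DROP rule covers. The function names and the sample lines are constructed for illustration, and IPv6 listeners are always reported because iptables rules apply to IPv4 only.

```shell
#!/bin/sh
# Added example, not part of the original page.
# proto/port pairs the page's firewall script drops on usb0
BLOCKED="tcp/22 tcp/53 udp/53 udp/67 udp/68"
LAN_ADDR="10.254.239.1"   # static eth0 address from the page

# Reads `ss -H -tuln` output on stdin and prints one line per listening
# socket that is reachable through usb0 and not covered by a DROP rule.
exposed_listeners() {
    while read -r proto _state _recvq _sendq local _peer; do
        case "$proto" in tcp|udp) ;; *) continue ;; esac
        port=${local##*:}
        addr=${local%:*}
        case "$addr" in
            # bound to the LAN address, loopback, or a non-usb0 device
            "$LAN_ADDR"|127.*|"[::1]"|*%eth0|*%lo) continue ;;
            # IPv6 (or dual-stack "*") wildcard: iptables rules are IPv4-only
            "["*|"*") echo "$proto/$port $local ipv6-unfiltered"; continue ;;
        esac
        case " $BLOCKED " in
            *" $proto/$port "*) ;;   # dropped on usb0 by the script
            *) echo "$proto/$port $local no-drop-rule" ;;
        esac
    done
}

# Constructed sample of `ss -H -tuln` output (not captured from a real Pi).
sample_ss_output() {
    cat <<'EOF'
udp   UNCONN 0 0        0.0.0.0:5353      0.0.0.0:*
udp   UNCONN 0 0        0.0.0.0:67        0.0.0.0:*
udp   UNCONN 0 0        0.0.0.0:53        0.0.0.0:*
tcp   LISTEN 0 32       0.0.0.0:53        0.0.0.0:*
tcp   LISTEN 0 128 10.254.239.1:22        0.0.0.0:*
tcp   LISTEN 0 32          [::]:53           [::]:*
EOF
}

# On the Pi itself: ss -H -tuln | exposed_listeners
sample_ss_output | exposed_listeners
```

An empty result means every listener is either bound away from usb0 or covered by one of the script's DROP rules.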
Testing the router
Power on the Pi.
- The Pi can be run headless but a monitor and keyboard make it easier to monitor the Pi and fix any problems that occur.
Connect a PC to the Pi's ethernet port. The PC should obtain an address in the 10.254.239.0/24 subnet from DHCP on the Pi. Make sure that this is the only active connection on the PC, i.e., turn off any wireless connections the PC may have, etc.
Connect the cell phone to a USB port on the Pi and turn on its tethering function. You should be able to watch the Pi's log using journalctl -f and see the usb0 connection come up on the Pi.
The PC should now be able to use the internet as normal.
Using the router
When the cable modem dies, unplug it from the home router.
Connect the home router to the Pi's ethernet port and power up the Pi.
- The Pi can be run headless but a monitor and keyboard make it easier to monitor the Pi and fix any problems that occur.
Connect the phone to the Pi's USB port and turn on its tethering feature.
The devices on your LAN should now have network access as usual.
Know that the longer you run this way, the more astronomical will be your data charges on your cell phone bill.