Use Cell Phone As LAN Gateway

From Nearline Storage

I'd like to use my cell phone's data connection to backup my cable modem. In other words, when the cable goes out, I want to be able to switch my main house router over to using my cell phone as its WAN network provider.

Like most, my cell phone has both wifi hotspot and USB tethering capabilities. My house router cannot make use of either of these. My solution, then, is to use a Raspberry Pi computer as an intermediate, "stacked" router in between my cell phone and my house router. The router's WAN port is connected to the Pi's ethernet port and the cell phone is tethered to one of the Pi's USB ports.

No changes are required on the cell phone, other than turning off its wifi connection and turning on the USB tethering feature. No changes are required on my router. It will pick up its connection details from a DHCP server running on the Pi. All that's required is to properly configure the Pi.

Install Raspbian

I installed the "Lite" version of the Raspbian distribution.

Set up sshd for remote access

Connect the Pi to the existing LAN and access it via ssh.

Install your public key in /home/pi/.ssh/authorized_keys

After confirming that access using your public key works, modify /etc/ssh/sshd_config to prohibit logins using passwords by uncommenting PasswordAuthentication no

Upgrade and install additional packages

sudo apt update
sudo apt upgrade
sudo apt install isc-dhcp-server dnsmasq vim dnsutils

Disable unnecessary network ports opened by avahi-daemon

sudo systemctl stop avahi-daemon
sudo systemctl disable avahi-daemon.socket
sudo systemctl disable avahi-daemon

Configure the ethernet port with a static address

/etc/dhcpcd.conf

Leave the defaults in this file as is. Add a static address definition for the eth0 port:

interface eth0
static ip_address=10.254.239.1/24

There's no need to configure broadcast address, routers, or nameservers. All of those things will be taken care of in other parts of the system configuration.

Configure and start the isc-dhcp-server

/etc/default/isc-dhcp-server

Set INTERFACESv4="eth0"

/etc/dhcp/dhcpd.conf

default-lease-time 600;
max-lease-time 7200;
ddns-update-style none;
authoritative;
subnet 10.254.239.0 netmask 255.255.255.0 {
  range 10.254.239.20 10.254.239.254;
  option broadcast-address 10.254.239.255;
  option routers 10.254.239.1;
}

Enable and start the isc-dhcp-server systemd service.

Prevent ssh access to the Pi from the internet

Modify /etc/ssh/sshd_config and set ListenAddress 10.254.239.1

Start the dnsmasq service

No configuration changes are required. Enable and start the dnsmasq systemd service.

Enable forwarding in the kernel

/etc/sysctl.d/97-dlk-router.conf

net.ipv4.ip_forward=1

Then do sudo sysctl --system (sysctl -p with no file argument reads only /etc/sysctl.conf, so it would not pick up the file in /etc/sysctl.d/).

Create firewall script

/etc/network/if-pre-up.d/iptables

#!/bin/sh

#  Set up rules for a router that tethers my cell phone
#  and acts as a replacement for the cable modem in my
#  network when the cable goes out.
#
#  There's wide open flow between the cell phone interface
#  and the ethernet interface.  We're only concerned about
#  blocking external access to services on the router itself.

#  usb0: the tethered cell phone
IF=usb0

#  Set up masquerading in the nat table
/usr/sbin/iptables -t nat -F
/usr/sbin/iptables -t nat -P PREROUTING ACCEPT
/usr/sbin/iptables -t nat -P INPUT ACCEPT
/usr/sbin/iptables -t nat -P OUTPUT ACCEPT
/usr/sbin/iptables -t nat -P POSTROUTING ACCEPT
/usr/sbin/iptables -t nat -A POSTROUTING -o $IF -j MASQUERADE

#  Completely open access on all interfaces
/usr/sbin/iptables -F
/usr/sbin/iptables -P INPUT ACCEPT
/usr/sbin/iptables -P FORWARD ACCEPT
/usr/sbin/iptables -P OUTPUT ACCEPT

#  Block inbound ssh, dns, and dhcp traffic from the internet just
#  to be safe (the daemons should already be ignoring these ports)
/usr/sbin/iptables -A INPUT -i $IF -p tcp --dport 22 -j DROP
/usr/sbin/iptables -A INPUT -i $IF -p tcp --dport 53 -j DROP
/usr/sbin/iptables -A INPUT -i $IF -p udp --dport 53 -j DROP
/usr/sbin/iptables -A INPUT -i $IF -p udp --dport 67 -j DROP
/usr/sbin/iptables -A INPUT -i $IF -p udp --dport 68 -j DROP

Then do sudo chown 0:0 /etc/network/if-pre-up.d/iptables and sudo chmod a+x /etc/network/if-pre-up.d/iptables. Run the script once as root to load the rules.
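A variant of the script above with a default-deny stance on the tethered interface, added here as an example and not the page's own script: instead of dropping a list of ports on usb0, it drops everything arriving on usb0 for the router itself except replies to connections the router started, so a service added later (or dnsmasq's IPv6 sockets, which the original rules do not reach) is not exposed by default, and it applies the same stance with ip6tables. The IF, IPT and IP6T variables, the function names and the dry-run mode are this example's own assumptions.

```shell
#!/bin/sh
#  Added example, not the page's own script: the router firewall rebuilt
#  with a default-deny stance on the tethered interface.  Anything arriving
#  on $IF for the router itself is dropped unless it is part of a connection
#  the router started; forwarding and masquerading stay wide open as before.
#  Run with no arguments to print the rules, with "apply" to load them.
IF=${IF:-usb0}                        # usb0: the tethered cell phone
IPT=${IPT:-/usr/sbin/iptables}
IP6T=${IP6T:-/usr/sbin/ip6tables}     # the original configures no IPv6 rules

#  rules_v4 TOOL: emit the IPv4 rule set through TOOL (iptables or echo).
rules_v4() {
  t=$1
  $t -t nat -F
  $t -t nat -A POSTROUTING -o "$IF" -j MASQUERADE
  $t -F
  $t -P INPUT ACCEPT
  $t -P FORWARD ACCEPT
  $t -P OUTPUT ACCEPT
  #  Router-local services (ssh, dns, dhcp, anything added later) are
  #  unreachable from $IF; only reply traffic is let in.
  $t -A INPUT -i "$IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $t -A INPUT -i "$IF" -j DROP
}

#  rules_v6 TOOL: same stance for IPv6.  ICMPv6 must stay open on the
#  link or neighbour discovery and router advertisements stop working.
rules_v6() {
  t=$1
  $t -F
  $t -P INPUT ACCEPT
  $t -P FORWARD ACCEPT
  $t -P OUTPUT ACCEPT
  $t -A INPUT -i "$IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $t -A INPUT -i "$IF" -p ipv6-icmp -j ACCEPT
  $t -A INPUT -i "$IF" -j DROP
}

case "${1:-}" in
  apply) rules_v4 "$IPT" && rules_v6 "$IP6T" ;;
  *)     rules_v4 echo;   rules_v6 echo ;;    # dry run: review before applying
esac
```

Because the rules are emitted through a tool argument, the same list can be reviewed with `echo` before it is loaded with the real binaries.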

Testing the router

Power on the Pi.

  • The Pi can be run headless but a monitor and keyboard make it easier to monitor the Pi and fix any problems that occur.

Connect a PC to the Pi's ethernet port. The PC should obtain an address in the 10.254.239.0/24 subnet from DHCP on the Pi. Make sure that this is the only active connection on the PC, i.e., turn off any wireless connections the PC may have, etc.

Connect the cell phone to a USB port on the Pi and turn off its wifi connection and turn on its tethering function. You should be able to watch the Pi's log using journalctl -f and see the usb0 connection come up on the Pi.

The PC should now be able to use the internet as normal.

Log in to the Pi and check the ports it is exposing. Disable services or adjust the firewall rules script as necessary.

pi@raspberrypi:~ $ sudo netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      478/dnsmasq         
tcp        0      0 10.254.239.1:22         0.0.0.0:*               LISTEN      482/sshd            
tcp6       0      0 :::53                   :::*                    LISTEN      478/dnsmasq         
udp        0      0 0.0.0.0:53              0.0.0.0:*                           478/dnsmasq         
udp        0      0 0.0.0.0:67              0.0.0.0:*                           542/dhcpd           
udp        0      0 0.0.0.0:68              0.0.0.0:*                           463/dhcpcd          
udp6       0      0 :::53                   :::*                                478/dnsmasq
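The port check above can be automated. As an added example, not part of the original page, the following script compares the wildcard-bound listeners reported by netstat -tulpn with the DROP rules that iptables -L INPUT -v -n shows for usb0; the embedded samples are copied from the output on this page, and on that input it reports dnsmasq's IPv6 sockets on port 53, which the IPv4-only rules cannot cover. The function names are this example's own.

```shell
#!/bin/sh
#  Added example, not from the original page: cross-check the listeners that
#  "netstat -tulpn" reports against the DROP rules on the tethered interface
#  and print every wildcard-bound listener that those rules do not cover.
WAN_IF=usb0   # the tethered cell phone
#  Constructed samples, copied from the netstat and iptables output on this page.
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      478/dnsmasq
tcp        0      0 10.254.239.1:22         0.0.0.0:*               LISTEN      482/sshd
tcp6       0      0 :::53                   :::*                    LISTEN      478/dnsmasq
udp        0      0 0.0.0.0:53              0.0.0.0:*                           478/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           542/dhcpd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           463/dhcpcd
udp6       0      0 :::53                   :::*                                478/dnsmasq'
IPTABLES_SAMPLE='    0     0 DROP       tcp  --  usb0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 DROP       tcp  --  usb0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 DROP       udp  --  usb0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 DROP       udp  --  usb0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
  145 50750 DROP       udp  --  usb0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:68'

#  stdin: netstat -tulpn.  Prints "proto port program" for every socket bound
#  to 0.0.0.0 or :: (reachable on every interface, $WAN_IF included).
wildcard_listeners() {
  awk '$1 ~ /^(tcp|udp)6?$/ {
    n = split($4, a, ":"); port = a[n]
    addr = substr($4, 1, length($4) - length(port) - 1)
    if (addr == "0.0.0.0" || addr == "::") print $1, port, $NF
  }'
}
#  stdin: iptables -L INPUT -v -n.  Prints "proto port" for each DROP rule
#  on $WAN_IF that matches a destination port.
blocked_ports() {
  awk -v ifc="$WAN_IF" '$3 == "DROP" && $6 == ifc && $NF ~ /^dpt:/ {
    sub(/^dpt:/, "", $NF); print $4, $NF
  }'
}
#  unblocked_listeners NETSTAT_TEXT IPTABLES_TEXT: iptables filters IPv4 only,
#  so every IPv6 wildcard listener is reported (ip6tables would have to cover it).
unblocked_listeners() {
  blocked=$(printf '%s\n' "$2" | blocked_ports)
  printf '%s\n' "$1" | wildcard_listeners | while read -r proto port prog; do
    case "$proto" in
      *6) echo "$proto $port $prog: no ip6tables rule on $WAN_IF" ;;
      *)  printf '%s\n' "$blocked" | grep -qxF "$proto $port" ||
            echo "$proto $port $prog: no DROP rule on $WAN_IF" ;;
    esac
  done
}
unblocked_listeners "$NETSTAT_SAMPLE" "$IPTABLES_SAMPLE"
```

On the Pi itself, feed the two functions live output instead of the samples, for example `unblocked_listeners "$(sudo netstat -tulpn)" "$(sudo iptables -L INPUT -v -n)"`.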

Check the iptables configuration:

pi@raspberrypi:~ $ sudo iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 41552 packets, 3577K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 5945 packets, 482K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
23677 2174K MASQUERADE  all  --  *      usb0    0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 597 packets, 42913 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTINGING (0 references)
 pkts bytes target     prot opt in     out     source               destination 

pi@raspberrypi:~ $ sudo iptables -L -v -n
Chain INPUT (policy ACCEPT 19754 packets, 1515K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       tcp  --  usb0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 DROP       tcp  --  usb0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 DROP       udp  --  usb0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 DROP       udp  --  usb0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
  145 50750 DROP       udp  --  usb0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:68

Chain FORWARD (policy ACCEPT 298K packets, 172M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 20143 packets, 2172K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Using the router

When the cable modem dies, unplug it from the home router.

Connect the home router to the Pi's ethernet port and power up the Pi.

  • The Pi can be run headless but a monitor and keyboard make it easier to monitor the Pi and fix any problems that occur.

Connect the phone to the Pi's USB port and turn off its wifi connection and turn on its tethering feature.

The devices on your LAN should now have network access as usual.

Be aware that the longer you run this way, the more astronomical the data charges on your cell phone bill will be.