Difference between revisions of "Use Cell Phone As LAN Gateway"

From Nearline Storage
(Created page with "== Use Android Phone As LAN Gateway == I'd like to use my cell phone's data connection to backup my cable modem. In other words, when the cable goes out, I want to be able t...")
 
Line 1: Line 1:
== Use Android Phone As LAN Gateway ==
 
 
 
I'd like to use my cell phone's data connection to backup my cable modem.  In other words, when the cable goes out, I want to be able to switch my main house router over to using my cell phone as its WAN network provider.
 
I'd like to use my cell phone's data connection to backup my cable modem.  In other words, when the cable goes out, I want to be able to switch my main house router over to using my cell phone as its WAN network provider.
  
Line 7: Line 5:
 
No changes are required on the cell phone, other than turning on the USB tethering feature.  No changes are required on my router.  It will pick up its connection details from a DHCP server running on the Pi.  All that's required is to properly configure the Pi.
 
No changes are required on the cell phone, other than turning on the USB tethering feature.  No changes are required on my router.  It will pick up its connection details from a DHCP server running on the Pi.  All that's required is to properly configure the Pi.
  
## Install Raspian
+
== Install Raspian ==
I installed the ["lite"](https://www.raspberrypi.org/software/operating-systems/) version of the Raspian distribution.
+
I installed the [https://www.raspberrypi.org/software/operating-systems/ "Lite"] version of the Raspian distribution.
  
## Set up sshd for remote access
+
== Set up sshd for remote access ==
  
 
Connect the Pi to the existing LAN and access it via ssh.
 
Connect the Pi to the existing LAN and access it via ssh.
Line 18: Line 16:
 
After confirming that access using your public key works, modify <code>/etc/ssh/sshd_config</code> to prohibit logins using passwords by uncommenting <code>PasswordAuthentication no</code>
 
After confirming that access using your public key works, modify <code>/etc/ssh/sshd_config</code> to prohibit logins using passwords by uncommenting <code>PasswordAuthentication no</code>
  
## Upgrade and install additional packages
+
== Upgrade and install additional packages ==
```
+
<pre>
 
sudo apt update
 
sudo apt update
 
sudo apt update
 
sudo apt update
 
sudo apt install isc-dhcp-server dnsmasq vim dnsutils
 
sudo apt install isc-dhcp-server dnsmasq vim dnsutils
```
+
</pre>
  
## Disable unnecessary network ports opened by avahi-daemon
+
== Disable unnecessary network ports opened by avahi-daemon ==
```
+
<pre>
 
sudo systemctl stop avahi-daemon
 
sudo systemctl stop avahi-daemon
 
sudo systemctl disable avahi-daemon.socket
 
sudo systemctl disable avahi-daemon.socket
 
sudo systemctl disable avahi-daemon
 
sudo systemctl disable avahi-daemon
```
+
</pre>
## Configure the ethernet port with a static address
 
  
#### /etc/dhcpcd.conf
+
== Configure the ethernet port with a static address ==
 +
 
 +
'''/etc/dhcpcd.conf'''
  
 
Leave the defaults in this file as is.  Add a static address definition for the eth0 port:
 
Leave the defaults in this file as is.  Add a static address definition for the eth0 port:
```
+
<pre>
 
interface eth0
 
interface eth0
 
static ip_address=10.254.239.1/24
 
static ip_address=10.254.239.1/24
```
+
</pre>
  
## Configure and start the isc-dhcp-server
+
== Configure and start the isc-dhcp-server ==
  
#### /etc/default/isc-dhcp-server
+
'''/etc/default/isc-dhcp-server'''
  
 
Set <code>INTERFACESv4="eth0"</code>
 
Set <code>INTERFACESv4="eth0"</code>
  
#### /etc/dhcp/dhcpd.conf
+
'''/etc/dhcp/dhcpd.conf'''
```
+
<pre>
 
default-lease-time 600;
 
default-lease-time 600;
 
max-lease-time 7200;
 
max-lease-time 7200;
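Review bot: the package block in this hunk still runs "sudo apt update" twice under the heading "Upgrade and install additional packages", so nothing is ever upgraded; the second line was presumably meant to be "sudo apt upgrade" and is worth fixing while the markup is being converted. In the avahi block, avahi-daemon.socket is disabled but never stopped, so until the next reboot the socket unit stays active and can start the daemon again; "sudo systemctl disable --now avahi-daemon.socket avahi-daemon" would cover both.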
Line 58: Line 57:
 
   option routers 10.254.239.1;
 
   option routers 10.254.239.1;
 
}
 
}
```
+
</pre>
 +
 
 
Enable and start the isc-dhcp-server systemd service.
 
Enable and start the isc-dhcp-server systemd service.
  
## Prevent ssh access to the Pi from the internet
+
== Prevent ssh access to the Pi from the internet ==
  
Modify <code>/etc/ssh/sshd_config<.code> and set <code>ListenAddress 10.254.239.1</code>
+
Modify <code>/etc/ssh/sshd_config</code> and set <code>ListenAddress 10.254.239.1</code>
 +
 
 +
== Start the dnsmasq service ==
  
## Start the dnsmasq service
 
 
No configuration changes are required.  Enable and start the dnsmasq systemd service.
 
No configuration changes are required.  Enable and start the dnsmasq systemd service.
  
## Set up forwarding in the kernel
+
== Set up forwarding in the kernel ==
  
#### /etc/sysctl.d/97-dlk-router.conf
+
'''/etc/sysctl.d/97-dlk-router.conf'''
```
+
<pre>
 
net.ipv4.ip_forward=1
 
net.ipv4.ip_forward=1
```
+
</pre>
 
Then do <code>sudo sysctl -p</code>
 
Then do <code>sudo sysctl -p</code>
  
## Create firewall script
+
== Create firewall script ==
  
#### /etc/network/if-pre-up.d/iptables
+
'''/etc/network/if-pre-up.d/iptables'''
```
+
<pre>
 
#!/bin/sh
 
#!/bin/sh
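Review bot: the unchanged step "Then do sudo sysctl -p" in this hunk does not apply the new /etc/sysctl.d/97-dlk-router.conf, because sysctl -p without a file argument reads only /etc/sysctl.conf, so forwarding stays off until the next reboot. Suggest "sudo sysctl -p /etc/sysctl.d/97-dlk-router.conf" or "sudo sysctl --system".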
  
Line 114: Line 115:
 
/usr/sbin/iptables -A INPUT -i $IF -p udp --dport 67 -j DROP
 
/usr/sbin/iptables -A INPUT -i $IF -p udp --dport 67 -j DROP
 
/usr/sbin/iptables -A INPUT -i $IF -p udp --dport 68 -j DROP
 
/usr/sbin/iptables -A INPUT -i $IF -p udp --dport 68 -j DROP
```
+
</pre>
 +
 
 
Then do <code>chown 0:0 /etc/network/if-pre-up.d/iptables</code> and <code>chmod a+x /etc/network/if-pre-up.d/iptables</code>.  Run the script.  
 
Then do <code>chown 0:0 /etc/network/if-pre-up.d/iptables</code> and <code>chmod a+x /etc/network/if-pre-up.d/iptables</code>.  Run the script.  
  
## Testing the router
+
== Testing the router ==
  
 
Power on the Pi.
 
Power on the Pi.
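Review bot: in the "Then do chown 0:0 ... and chmod a+x ..." line, chmod a+x only adds execute bits and leaves whatever write bits the file was created with, and this script is run as root when the interface comes up. Suggest setting the mode explicitly, for example "chmod 0755 /etc/network/if-pre-up.d/iptables", so the file cannot end up group- or world-writable.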
Line 129: Line 131:
 
The PC should now be able to use the internet as normal.
 
The PC should now be able to use the internet as normal.
  
## Using the router
+
== Using the router ==
  
 
When the cable modem dies, unplug it from the home router.
 
When the cable modem dies, unplug it from the home router.

Revision as of 16:30, 24 February 2021

I'd like to use my cell phone's data connection to back up my cable modem. In other words, when the cable goes out, I want to be able to switch my main house router over to using my cell phone as its WAN network provider.

Like most, my cell phone has both wifi hotspot and USB tethering capabilities. My house router cannot make use of either of these. My solution, then, is to use a Raspberry Pi computer as an intermediate, "stacked" router in between my cell phone and my house router. The router's WAN port is connected to the Pi's ethernet port and the cell phone is tethered to one of the Pi's USB ports.

No changes are required on the cell phone, other than turning on the USB tethering feature. No changes are required on my router. It will pick up its connection details from a DHCP server running on the Pi. All that's required is to properly configure the Pi.

Install Raspbian

I installed the "Lite" version of the Raspbian distribution.

Set up sshd for remote access

Connect the Pi to the existing LAN and access it via ssh.

Install your public key in /home/pi/.ssh/authorized_keys

After confirming that access using your public key works, modify /etc/ssh/sshd_config to prohibit logins using passwords by uncommenting PasswordAuthentication no

Upgrade and install additional packages

sudo apt update
sudo apt upgrade
sudo apt install isc-dhcp-server dnsmasq vim dnsutils

Disable unnecessary network ports opened by avahi-daemon

sudo systemctl stop avahi-daemon
sudo systemctl disable avahi-daemon.socket
sudo systemctl disable avahi-daemon

Configure the ethernet port with a static address

/etc/dhcpcd.conf

Leave the defaults in this file as is. Add a static address definition for the eth0 port:

interface eth0
static ip_address=10.254.239.1/24

Configure and start the isc-dhcp-server

/etc/default/isc-dhcp-server

Set INTERFACESv4="eth0"

/etc/dhcp/dhcpd.conf

default-lease-time 600;
max-lease-time 7200;
ddns-update-style none;
authoritative;
subnet 10.254.239.0 netmask 255.255.255.0 {
  range 10.254.239.20 10.254.239.254;
  option broadcast-address 10.254.239.255;
  option routers 10.254.239.1;
}

Enable and start the isc-dhcp-server systemd service.

Prevent ssh access to the Pi from the internet

Modify /etc/ssh/sshd_config and set ListenAddress 10.254.239.1

Start the dnsmasq service

No configuration changes are required. Enable and start the dnsmasq systemd service.

Set up forwarding in the kernel

/etc/sysctl.d/97-dlk-router.conf

net.ipv4.ip_forward=1

Then do sudo sysctl -p /etc/sysctl.d/97-dlk-router.conf (with no file argument, sysctl -p reads only /etc/sysctl.conf).

Create firewall script

/etc/network/if-pre-up.d/iptables

#!/bin/sh

#  Set up rules for a router that tethers my cell phone
#  and acts as a replacement for the cable modem in my
#  network when the cable goes out.
#
#  There's wide open flow between the cell phone interface
#  and the ethernet interface.  We're only concerned about
#  blocking external access to services on the router itself.

#  usb0: the tethered cell phone
IF=usb0

#  Set up masquerading in the nat table
/usr/sbin/iptables -t nat -F
/usr/sbin/iptables -t nat -P PREROUTING ACCEPT
/usr/sbin/iptables -t nat -P INPUT ACCEPT
/usr/sbin/iptables -t nat -P OUTPUT ACCEPT
/usr/sbin/iptables -t nat -P POSTROUTING ACCEPT
/usr/sbin/iptables -t nat -A POSTROUTING -o $IF -j MASQUERADE

#  Completely open access on all interfaces
/usr/sbin/iptables -F
/usr/sbin/iptables -P INPUT ACCEPT
/usr/sbin/iptables -P FORWARD ACCEPT
/usr/sbin/iptables -P OUTPUT ACCEPT

#  Block inbound ssh, dns, and dhcp traffic from the internet just
#  to be safe (the daemons should already be ignoring these ports)
/usr/sbin/iptables -A INPUT -i $IF -p tcp --dport 22 -j DROP 
/usr/sbin/iptables -A INPUT -i $IF -p tcp --dport 53 -j DROP 
/usr/sbin/iptables -A INPUT -i $IF -p udp --dport 53 -j DROP 
/usr/sbin/iptables -A INPUT -i $IF -p udp --dport 67 -j DROP
/usr/sbin/iptables -A INPUT -i $IF -p udp --dport 68 -j DROP

Then do chown 0:0 /etc/network/if-pre-up.d/iptables and chmod a+x /etc/network/if-pre-up.d/iptables. Run the script.
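
The firewall script's comment says the daemons "should already be ignoring these ports". The following added example (not part of the original page) checks that claim by comparing `ss -H -tuln` output against `iptables -S INPUT` output and listing every listener reachable through usb0 that no DROP rule covers. The function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Cross-checks listening sockets
# against the DROP rules the page's firewall script installs on usb0.
WAN_IF=usb0          # tethered phone (from the page)
LAN_IP=10.254.239.1  # eth0 address (from the page)

# stdin: `ss -H -tuln` output. Prints proto/port for each listener that is
# not confined to the LAN address, loopback, or another interface.
wan_reachable() {
    awk -v lan="$LAN_IP" -v wan="$WAN_IF" '{
        addr = $5; port = $5
        sub(/:[^:]*$/, "", addr)          # strip ":port"
        sub(/.*:/, "", port)              # keep only the port
        if (split(addr, p, "%") == 2) {   # socket bound to one interface
            if (p[2] != wan) next
            addr = p[1]
        }
        if (addr == lan || addr ~ /^127\./ || addr == "[::1]") next
        print $1 (addr ~ /^\[/ ? "6" : "") "/" port   # tcp6/udp6 = IPv6
    }' | LC_ALL=C sort -u
}

# $1: `ss -H -tuln` text, $2: `iptables -S INPUT` text. Prints listeners
# reachable via $WAN_IF that no DROP rule covers. iptables filters IPv4
# only, so IPv6 listeners are always reported.
uncovered() {
    printf '%s\n' "$1" | wan_reachable | while IFS=/ read -r proto port; do
        printf '%s\n' "$2" | grep -Eq -- \
            "^-A INPUT -i $WAN_IF -p $proto( -m $proto)? --dport $port -j DROP\$" \
            || echo "$proto/$port"
    done
}

# Constructed sample data (not captured from a real system).
SAMPLE_SS='udp UNCONN 0 0 0.0.0.0:53 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0%eth0:67 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
tcp LISTEN 0 32 0.0.0.0:53 0.0.0.0:*
tcp LISTEN 0 128 10.254.239.1:22 0.0.0.0:*
tcp LISTEN 0 32 [::]:53 [::]:*'
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -i usb0 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -i usb0 -p tcp -m tcp --dport 53 -j DROP
-A INPUT -i usb0 -p udp -m udp --dport 53 -j DROP
-A INPUT -i usb0 -p udp -m udp --dport 67 -j DROP
-A INPUT -i usb0 -p udp -m udp --dport 68 -j DROP'

uncovered "$SAMPLE_SS" "$SAMPLE_RULES"
```

On the Pi itself, run it against live data with `uncovered "$(ss -H -tuln)" "$(sudo iptables -S INPUT)"`; any IPv6 line in the output needs an equivalent ip6tables rule or a daemon bound to the LAN address only.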

Testing the router

Power on the Pi.

  • The Pi can be run headless but a monitor and keyboard make it easier to monitor the Pi and fix any problems that occur.

Connect a PC to the Pi's ethernet port. The PC should obtain an address in the 10.254.239.0/24 subnet from DHCP on the Pi. Make sure that this is the only active connection on the PC, i.e., turn off any wireless connections the PC may have, etc.

Connect the cell phone to a USB port on the Pi and turn on its tethering function. You should be able to watch the Pi's log using journalctl -f and see the usb0 connection come up on the Pi.

The PC should now be able to use the internet as normal.

Using the router

When the cable modem dies, unplug it from the home router.

Connect the home router to the Pi's ethernet port and power up the Pi.

  • The Pi can be run headless but a monitor and keyboard make it easier to monitor the Pi and fix any problems that occur.

Connect the phone to the Pi's USB port and turn on its tethering feature.

The devices on your LAN should now have network access as usual.

Know that the longer you run this way, the more astronomical will be your data charges on your cell phone bill.