Difference between revisions of "Use Cell Phone As LAN Gateway"

From Nearline Storage
Jump to navigation Jump to search
Line 31: Line 31:
 
Putting this interface into firewalld's "trusted" zone allows all traffic to flow on all ports.
 
Putting this interface into firewalld's "trusted" zone allows all traffic to flow on all ports.
  
Delete any other connections that may have been defined by the installation process, only this one is needed.
+
If the interface is not brought up and configured during the boot process, put the following lines into <code>/etc/NetworkManager/conf.d/99-ignore-carrier.conf</code>:
 +
<pre>
 +
[device]
 +
match-device=interface-name:enp0s25
 +
ignore-carrier=1
 +
</pre>
  
 
== Configure and start the dhcp-server ==
 
== Configure and start the dhcp-server ==

Revision as of 15:26, 11 March 2021

I'd like to use my cell phone's 5G data connection as a backup for my cable modem. In other words, when the cable goes out, I want to be able to switch my main house router over to using my cell phone as its WAN network provider.

Like most, my cell phone has both wifi hotspot and USB tethering capabilities. My house router cannot make use of either of these. My solution, then, is to use an old laptop I had sitting on the shelf as an intermediate, "stacked" router in between my cell phone and my house router. The router's WAN port is connected to the laptop's ethernet port and the cell phone is tethered to one of the laptop's USB ports.

No changes are required on the cell phone, other than turning off its wifi connection and turning on the USB tethering feature. No changes are required on my router. It will pick up its connection details from a DHCP server running on the laptop. All that's required is to properly configure the laptop. I'm a long-time Fedora Linux user so ...

Install Fedora

I used the network install ISO image on a USB key to install a "minimal" Fedora server. Be sure to create a general userid during the installation process. Check the "Make this user administrator" box to give this user sudoer access.

Set up sshd for remote access

Connect to the existing LAN and install your public key in ~/.ssh/authorized keys of the general userid you created during install.

After confirming that access using your public key works, modify /etc/ssh/sshd_config to prohibit remote logins using passwords by uncommenting PasswordAuthentication no

Install additional packages

sudo dnf -y install net-tools dhcp-server dnsmasq

Configure the ethernet port with a static address

nmcli con mod enp0s25 ipv4.method manual
nmcli con mod enp0s25 ipv4.addresses 10.254.239.1
nmcli con mod enp0s25 ipv4.routes 10.254.239.0/24 0.0.0.0
nmcli con mod enp0s25 connection.zone trusted

Putting this interface into firewalld's "trusted" zone allows all traffic to flow on all ports.

If the interface is not brought up and configured during the boot process, put the following lines into /etc/NetworkManager/conf.d/99-ignore-carrier.conf:

[device]
match-device=interface-name:enp0s25
ignore-carrier=1

Configure and start the dhcp-server

/etc/dhcp/dhcpd.conf

default-lease-time 600;
max-lease-time 7200;
ddns-update-style none;
authoritative;
subnet 10.254.239.0 netmask 255.255.255.0 {
  range 10.254.239.20 10.254.239.254;
  option broadcast-address 10.254.239.255;
  option routers 10.254.239.1;
}

Enable and start the dhcpd systemd service.

Prevent ssh access to the laptop from the internet

Modify /etc/ssh/sshd_config and set ListenAddress 10.254.239.1

Start the dnsmasq service

In the /etc/dnsmasq.conf file, change:

interface=lo

to be

interface=enp0s25

Enable and start the dnsmasq systemd service.

Enable routing in the kernel

/etc/sysctl.d/97-dlk-router.conf

net.ipv4.ip_forward=1

Then do sudo sysctl -p

Configure firewalld

I created a "router" zone in firewalld which will allow all traffic to flow like the "trusted" zone does and will do masquerading like the "external" zone does. This will be set to be the default zone so that any adapters added to the laptop, like our cell phone's tether, will be put into this zone by NetworkManager.

firewall-cmd --new-zone=router --permanent
firewall-cmd --zone=router --set-description="Wide open zone with masquerading.  Used for externally facing router interfaces." --permanent
firewall-cmd --zone=router --set-target=ACCEPT --permanent
firewall-cmd --zone=router --add-masquerade --permanent
firewall-cmd --zone=router --add-rich-rule="rule port port=22 protocol=tcp drop" --permanent
firewall-cmd --zone=router --add-rich-rule="rule port port=53 protocol=tcp drop" --permanent
firewall-cmd --zone=router --add-rich-rule="rule port port=53 protocol=udp drop" --permanent
firewall-cmd --zone=router --add-rich-rule="rule port port=67 protocol=tcp drop" --permanent
firewall-cmd --zone=router --add-rich-rule="rule port port=67 protocol=udp drop" --permanent
firewall-cmd --zone=router --add-rich-rule="rule port port=323 protocol=udp drop" --permanent
firewall-cmd --zone=router --add-rich-rule="rule port port=5353 protocol=udp drop" --permanent
firewall-cmd --reload
firewall-cmd --set-default-zone=router

Testing the router

Power on the laptop and connect a PC to the laptop's ethernet port. The PC should obtain an address in the 10.254.239.0/24 subnet from DHCP on the laptop. If the PC doesn't immediately get an address, it may be necessary to restart the dhcpd service on the laptop. NetworkManager does not bring up the ethernet port until it is physically connected to the PC.

Turn off any other network connections the PC may have.

Connect the cell phone to a USB port on the laptop and turn off its wifi connection and turn on its tethering function. You should be able to watch the laptop's log using journalctl -f and see the new connection come up on the laptop.

The PC should now be able to use the internet as normal.

Login to the laptop and check the ports it is exposing. Disable services or adjust firewalld's rich rules as necessary.

[root@router ~]# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:5355            0.0.0.0:*               LISTEN      542/systemd-resolve 
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      574/dnsmasq         
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      542/systemd-resolve 
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      575/sshd: /usr/sbin 
tcp6       0      0 :::5355                 :::*                    LISTEN      542/systemd-resolve 
tcp6       0      0 ::1:53                  :::*                    LISTEN      574/dnsmasq         
tcp6       0      0 :::22                   :::*                    LISTEN      575/sshd: /usr/sbin 
udp        0      0 0.0.0.0:5355            0.0.0.0:*                           542/systemd-resolve 
udp        0      0 127.0.0.1:53            0.0.0.0:*                           574/dnsmasq         
udp        0      0 127.0.0.53:53           0.0.0.0:*                           542/systemd-resolve 
udp        0      0 0.0.0.0:67              0.0.0.0:*                           612/dhcpd           
udp        0      0 127.0.0.1:323           0.0.0.0:*                           566/chronyd         
udp6       0      0 :::5355                 :::*                                542/systemd-resolve 
udp6       0      0 ::1:53                  :::*                                574/dnsmasq         
udp6       0      0 ::1:323                 :::*                                566/chronyd

Check the firewalld configuration:

[root@router ~]# firewall-cmd --list-all-zones
FedoraServer
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

FedoraWorkstation
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client samba-client ssh
  ports: 1025-65535/udp 1025-65535/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

dmz
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

drop
  target: DROP
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

external
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

home
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

internal
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

nm-shared
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcp dns ssh
  ports: 
  protocols: icmp ipv6-icmp
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule priority="32767" reject

public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client mdns ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

router (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: enp14s0u2
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule port port="22" protocol="tcp" drop
	rule port port="53" protocol="tcp" drop
	rule port port="53" protocol="udp" drop
	rule port port="67" protocol="udp" drop
	rule port port="67" protocol="tcp" drop
	rule port port="323" protocol="udp" drop
	rule port port="5353" protocol="udp" drop

trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: enp0s25
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

work
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client mdns ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

Using the router

When the cable modem dies, unplug it from the home router.

Connect the home router to the laptop's ethernet port and power up the laptop.

Connect the phone to the laptop's USB port and turn off its wifi connection and turn on its tethering feature.

The devices on your LAN should now have network access as usual.

Know that the longer you run this way, the more astronomical will be the data charges on your cell phone bill.