11-04-2010 7:38 AM
I've had this challenge for a while and am just getting around to the post that I have wanted to write for months.
I have two homes and two microcells. At residence A, the microcell sits behind a PFsense BSD router (open source, powerfully configurable router) and connects to the internet and ATT just fine.
At residence B, my 2nd microcell sits behind another PFsense router which is itself behind a Cisco router before a private tunnel to an edge router. It's a complex setup and I've included an image to try and help illustrate the setup. The reason for the complex setup is a long one. At that residence there is no single option for a traditional ISP. Not wi-max, no cable, no DSL... I guess satellite was an option, but it's marginally preferable to dialup. The solution was offered through an employer who was willing to extend their private T1 infrastructure all the way out to our rural location. The T1 is a direct connection to the edge router on the other end with a public IP. There is NAT, but it is set to an any/any interface - meaning no blocked ports. At the house, there is a Cisco router with 6 internal 126.96.36.199/29 addresses (each one gets a public IP, again no port blocking). Behind the Cisco router at the house, there is the aforementioned PFsense router. Again, long reason - basically the Cisco gear is out of our control, and is essentially no different than any normal ISP - unfettered internet access. The PFsense box acts as the main firewall controlling what goes in and out. The only difference is that on the WAN side of that PFsense box, it gets a 172. address rather than a public IP (which happens further upstream).
Confused yet? I am!
So the microcell at residence B is sitting behind this PFsense box which is behind another router and then goes out to the web.
As I understand it, the microcell is essentially an IPsec VPN device. It makes a secure tunnel back to ATT.
If that is the case, being behind a series of routers with bogon addresses should not cause a problem. As a test, we have no challenges using IPsec clients on laptops on that same network. In fact, there is an OpenVPN tunnel between the two residences (not IPsec per se, but a tunnel nonetheless).
Now, the last bit of complication is that Residence B is on the outside of a 3g area. I understand you do not need to be in a 3g service area to use a microcell. That said, I'm not convinced, despite what ATT says, that location isn't a factor. The house sits back about 1/4 mile from the road - I would not be surprised if it's reporting a different location. That said, the device is showing the blinking network light, not the GPS lock light.
Anyone have any ideas?
11-04-2010 8:53 AM - edited 11-04-2010 8:53 AM
Do you have a DHCP server on the 188.8.131.52 network? If so, can you try putting the Microcell upstream of the PFSense firewall? You don't really need to have the Microcell behind a firewall. Ours is directly connected to the Internet and has a public address and no firewall.
If that helps, then the problem is the PFSense firewall/NAT layer.
I do get that at residence A the same router is not giving you any trouble. Still, this test has some validity.
11-04-2010 2:06 PM
Great question nsayer - I did try putting the microcell upstream of the PFsense box, on the 172 network. Honestly, I'm not sure if there is a DHCP server on that network or not - that may be why that setup did not work for me. I'll check that option again.
To your point, considering the mcells are the same and the routers are the same, I'd think it would work behind one PFsense box if it works behind the other.
11-04-2010 3:00 PM
I rather suspect that if the Microcell can't get a DHCP lease that it will make the network light (the Saturn looking one) blink as you described.
11-07-2010 6:55 AM
Well... I had high hopes that it was as simple as a DHCP issue.
It turns out that 172 network has a DHCP server and clients are passing traffic successfully.
Still have solid GPS and network - blinking 3g.
Would a GPS lock issue prevent a solid 3G light? The house sits back in the woods about 1/4 mile from the street and as the crow flies, we're closer to another (albeit rural) street behind us. I find it entirely likely that the device is reporting a location that is different from our actual street address.
The ATT support tech says there is no way to issue an offset or override for the GPS coordinates... that the FCC would fine them heavily. I'm skeptical of that answer - can anyone confirm its validity?
11-07-2010 7:49 AM
You might check out this thread and the solution here:
What happens if you put your mailing address in Google maps?
It also might be worth experimenting. Try putting an address on that closer rural street and see if that gets you a GPS lock (assuming, btw, that the MicroCell in question is located where it gets a good enough view of the sky).
11-15-2010 8:23 AM
Just a quick update...
I've had a moment of unexplainable success. After putting the MC upstream of my PFsense router, it sprang to life about 4 hours after acquiring GPS lock. Then lost 3g again about 2 hours later.
I power cycled everything, it came back up shortly and is again blinking on the 3g.
It's down in the basement in a house that is in a hole - although it's sitting next to a walk-out door... GPS light has stayed steady - could it still be a GPS issue?
I can (and will) move it to the 3rd floor if I can get issues sorted out, however that's not particularly easy with the current cat5 cable configuration - I'd like to ensure that I can get it to work consistently before I run new cables.
11-15-2010 8:51 AM
06-17-2011 5:11 AM
I know this is a dead post but I just finished beating my head against the wall trying to get a MicroCell to work with pFsense as well.
From what I can see in your diagram I suspect you are being double NAT'ed. In other words, one or both of the upstream routers are likely running NAT, in addition to your pfsense box. If that is the case, even though the Microcell does NAT-T it most likely will not be able to reliably figure out how to set up the IPsec tunnel.
I presume based on your earlier posts that these routers are customer premise equipment and you have no access to the configuration interfaces, even read-only?
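An added example, not part of the original thread: a quick way to check the double-NAT suspicion raised in the last post from the firewall's own addresses, without access to the upstream routers. The sample addresses are constructed, and the count assumes the firewall translates its LAN (pfSense's default automatic outbound NAT). Note that only 172.16.0.0/12 is private, so a "172." WAN address has to be checked against the actual range.

```python
import ipaddress

# Address ranges that cannot be routed on the public internet and therefore
# must be translated by some NAT device before traffic leaves the site.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space


def classify(addr):
    """Return 'rfc1918', 'cgnat' or 'other' for an IPv4 address string."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip in CGNAT:
        return "cgnat"
    return "other"


def assess(lan_client, firewall_wan, firewall_nats=True):
    """Infer the minimum number of NAT layers between a LAN device and the
    internet from the LAN address and the firewall's WAN address.

    firewall_nats is an assumption: True means the firewall itself
    translates LAN addresses to its WAN address.
    """
    lan, wan = classify(lan_client), classify(firewall_wan)
    layers = 0
    if lan != "other" and firewall_nats:
        layers += 1            # firewall rewrites LAN -> WAN address
    if wan != "other":
        layers += 1            # WAN address is not routable: upstream NAT
    elif lan != "other" and not firewall_nats:
        layers += 1            # someone upstream still has to translate LAN
    return {"lan": lan, "wan": wan,
            "min_nat_layers": layers, "double_nat": layers >= 2}


if __name__ == "__main__":
    # Constructed sample addresses for illustration only.
    for lan_ip, wan_ip in [("192.168.1.50", "172.20.0.2"),
                           ("192.168.1.50", "172.32.0.2"),
                           ("192.168.1.50", "100.64.3.9")]:
        print(lan_ip, wan_ip, assess(lan_ip, wan_ip))
```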