Spark Smart Modem 2 4G LTE

Forums › Spark New Zealand (including Skinny and BigPipe) › Spark Smart Modem 2 4G LTE - Bridge Mode

AndyT

163 posts

Master Geek

#315287 30-Jun-2024 13:13

Continuing the saga, I've had time over this long weekend to dig into this a bit further...

To recap, my systems is:

Spark 4G LTE rural broadband + SSM2 + additionally paid for static public WAN IP
EdgeRouter 4 as the main routing workhorse
Unifi switches and access points + general ethernet reticulation + some wireless

From my earlier GZ posts you'll seen I'm keen to configure bridge mode on the SMM2 if possible but the Spark SMM2 User Guide is virtually silent on the issue and I'm afraid Spark support on 123 passed me from person non-person and generally didn't know what I was enquiring about. So I've had to do it by trial and error whilst minimising network breakage and downtime from the domestic perspective!

I've reverted to 4G LTE for the time being, but think I was successful yesterday in setting the SMM2 into bridge mode via the SMM2 GUI, Network / WAN page / Ethernet WAN (although not on fibre with ethernet feed from an ONT). The GUI reported a successful config, the SMM2 status LED shows light blue and I lost connectivity to the SMM2 on 192.168.1.254. All indicative of bridge mode.

However the SMM2 LEDs for 4G LTE and Internet did not light, and I can't recall if the SMM2 LAN port 1 feeding the ER4 was solid or blinking green.

So, the questions are:

I'm not sure whether bridge mode was successful on the SMM2 and that no 4G LTE and Internet LEDs is normal when in bridge mode?
Or, placing the SMM2 in bridge mode may have been successful, but Spark don't support 4g LTE in bridge mode and the static public WAN IP isn't getting passed to the ER4 - seems odd for the SMM2 modem / router which Spark sell principally for 4G LTE not fibre, and has the functionality to be put into bridge mode notwithstanding the misleading "Ethernet WAN" option in the WAN config menu, together with the suggestion to use Ethernet WAN not Auto WAN if a static IP or bridged connection is required
If the SMM2 is successfully in bridge mode and the static public WAN IP is being passed to the ER4, am I misconfiguring the ER4 eth0 WAN interface and what should it be? Yesterday I had it set to DHCP rather than a manually assigned IP but perhaps that is incorrect? And perhaps it has something to do with the WAN protocol and VLAN 10?

I really hope someone on GZ can give some solid guidance from experience on this as the lack of Spark "support" and consequent repetitive and speculative trial and error all takes time and so far hasn't achieved "closure". Quite happy to accept I'm at the end of the road if bridged 4G LTE is definitely a no-no for Spark technical / policy reasons, but want to get to a definitive position before closing the book on it!

Thanks,

AndyT

163 posts

Master Geek

#3243915 3-Jun-2024 00:20

Further thought ... would switching LAN DHCP on in the Smart Modem config perhaps resolve this?

Seems a bit strange as it's a LAN DHCP switch whereas I'm trying to configure the WAN interface, but a YouTube video on a ProtectLi 4GLTE modem indicates that doing this was necessary when switching to bridge mode to get things working.

Jonwatso

6 posts

Wannabe Geek

#3244244 4-Jun-2024 09:24

would love to know the answer to this. I can see that the router can do bridge-mode but no idea how to enable it.

AndyT

163 posts

Master Geek

#3244970 5-Jun-2024 21:27

Hi Jonwatso....

As soon as I crack it, I'll post something.

In the meanwhile I have another separate but related problem which I'll post separately.

AndyT

163 posts

Master Geek

#3254655 30-Jun-2024 11:57

Hi Jonwatso, apologies for the delay in getting back to you but had time over the long weekend to dig into this one.

I ran into issues (subject of a future separate post) but managed enable bridge mode on the SSM2 by:

going into Network / WAN settings
selecting Ethernet WAN (although I'm not on fibre / ethernet from an ONT)
selecting bridge mode from option menu
rebooting SMM2
status LED on SMM2 should show light blue
you'll lose connectivity to SMM2 GUI on 192.168.1.254 unless you configure a routing workaround
if it all turns to custard you'll need to carry out a factory reset and reconfigure the SMM2 from scratch

The problem I ran into is whether Spark actually pass the WAN IP for 4G LTE when in bridge mode. I'm on (paid for) static public WAN IP, but couldn't make connection on my main EdgeRouter 4 which may be because Spark don't do it or perhaps my ER4 eth0 WAN interface config is incorrect .... hence the separate post.

If you're on fibre it might be more straightforward for you.

AndyT

Jiriteach

1119 posts

Uber Geek

ID Verified

Lifetime subscriber

#3254680 30-Jun-2024 13:27

Are you wanting to use your ER4 for everything with your SSM2 as just the termination point for the connection?

I have this setup as this as a backup link except using a UDM-Pro with no problems.

SSM2
-- base configuration
-- setup a static IP on the SSM2 for the ER4
-- turn off the firewall
-- set the DMZ to the static IP for the ER4

ER4
-- setup a WAN connection with a static IP and specific the IP, DNS and gw settings for the SSM2
-- add an additional IP which would be your external static IP from Spark

Route everything throught the ER4 which also does DHCP for your network.

-- opinions expressed by me are solely my own. ie - personal

Jonwatso

6 posts

Wannabe Geek

#3254694 30-Jun-2024 13:58

Love your work! Will give this a try

Thanks for doing all the hard work haha

AndyT

163 posts

Master Geek

#3254778 30-Jun-2024 16:00

Thank you Jiritech.

Yep, I'm aiming for the ER4 to do everything and the SSM2 to be a modem only.

I currently run essentially the config you have, utilising the DMZ zone with a static IP on the SSM2 and pointing the ER4 WAN eth0 to that same static IP. And all is fine.

But it's not true bridge mode and still double NATs (SSM2 + ER4 ... but not now triple NAT with CGNAT as I have the additionally paid for static public WAN IP). I could (I think?) disable NAT on the ER4 and let the SSM2 NAT (as it does by default in DMZ mode anyway) although I'd rather it was the other way around with the ER4 doing it all.

Let's see what anyone else's experience has been.

Thanks,

AndyT

Equinox IT

Cloud spending continues to surge globally, but most organisations haven’t made the changes necessary to maximise the value and cost-efficiency benefits of their cloud investments. Download the whitepaper From Overspend to Advantage now.

BarTender

3606 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#3254814 30-Jun-2024 17:20

It can't be done. The two options you have are:

DMZ mode where all external traffic is routed to a particular internal IP on the LAN subnet of the router.
Find a 4G device that allows for the IMEI to be changed and clone the IMEI from your current 4G router use that as your edge device.

Be aware that with a Static IP, that is in Spark retail broadbands Static IP address range. I know this as I was instrumental in Spark delivering Static IPs on Wireless Broadband as I hassled the product owner and mobile architects when I was working in the broadband design space it was a vital offering. Since it's a public IP you can get DDoSed so it's quite important to keep an eye on the inbound data consumption.

freitasm

BDFL - Memuneh
79270 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#3254862 30-Jun-2024 17:21

I've merged two discussions. @AndyT please do not create multiple threads for the same thing.

AndyT

163 posts

Master Geek

#3254888 30-Jun-2024 18:02

Apologies & noted.

AndyT

163 posts

Master Geek

#3254939 30-Jun-2024 23:11

Thanks BarTender, and an interesting point about the risk of DDoS attacks. Two points:

I think I have a static WAN IP on the Spark fibre connection at another property, so is it any different and more risky here with a static WAN IP on the Spark 4G LTE connection in terms of getting DDoS'd?
Should the firewall be switched "on" on the SSM2 as well as the standard IPV4 WAN firewall provisions on the ER-4 to mitigate the DDoS risk, or could / would that potentially create conflicts?

Thanks,

AndyT

BarTender

3606 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#3255338 1-Jul-2024 20:50

AndyT: Thanks BarTender, and an interesting point about the risk of DDoS attacks. Two points:

I think I have a static WAN IP on the Spark fibre connection at another property, so is it any different and more risky here with a static WAN IP on the Spark 4G LTE connection in terms of getting DDoS'd?
Should the firewall be switched "on" on the SSM2 as well as the standard IPV4 WAN firewall provisions on the ER-4 to mitigate the DDoS risk, or could / would that potentially create conflicts?

Fibre connections don't have a data cap on them these days and typically rate limit or slow down the connection. WBB connections either you get rate limited down to a far slower speed or get charged for over-usage, both situations can be problematic and one can end up with a nasty bill. So while there is no technical difference in the IP addresses being used for WBB/Fibre standard broadband the background noise / possibility of getting DDoSed doesn't have the possibility of resulting in a nasty bill at the end of the month.

The firewall will do nothing to stop a DDoS these days as it's mostly UDP and you are billed for the traffic once it "goes over the air" so all you are doing is dropping that packet on the floor after you have been billed for it. Hence why I just say "it's worth keeping an eye on the packet byte count on the WAN interface and perhaps have alerting if you can configure that"

It is exactly the same issue I tell folks who want to run the "direct" APN on mobile. Just like having a Static IP you are on the direct un-filtered internet with all the background noise rather than being behind the (CG) NAT which filters out the noise.

WBB might have changed as I know when I was chatting with one of the mobile architects about 6 months ago and I have been out of Spark for over 6 years now there were plans to re-architect where the session was terminated but end customers would notice no difference. But I doubt much of it functionally would have changed in the 8 years it has been in place.