I live far from fiber and other high-speed connectivity, so I definitively switched my home data connection from ADSL to a mobile 4G one.
What I needed was a way to use the "mobile quota" of the main home connection rather than going through the various cellular/mobile plans of the family.
I built my home network with two SOHO devices: an ASUS router and a MikroTik router.
The MikroTik SXT LTE kit (https://mikrotik.com/product/sxt_lte_kit) is a PoE-powered (via a power injector) 4G router; it should be mounted on a roof pole (but for the moment I'm able to use it indoors with a sufficient signal-to-noise level).
The LTE kit does not do FDD band aggregation, so you're limited to a 150/50 Mbit up/down link (actually there should be an FDD variant); my 4G provider further limits me to a symmetrical 30/30 line, so it is definitively correctly sized. To overcome the limitation, change MikroTik model or switch to Huawei (B525S-23A if you prefer an indoor model with SMA antennas, and drill a wall for a maximum displaceable distance of 5 m/15 ft).
The 30/30 nominal bandwidth is sufficient for web surfing and video streaming.
The ASUS RT-N66U router (https://www.asus.com/Networking/RTN66U/) mainly acts as a Wi-Fi access point; it's a forwarding-only machine (no source dynamic NAT, a.k.a. masquerading).
The internal network is a single subnet formed by both wired and wireless clients; the external network sits between the two routers (it's like a backbone, but no client is present on it at all).
My architectural design is based on these requirements:
- [mandatory] dual WAN: the secondary WAN via Ethernet cable (back to back) to the MikroTik router, and the primary one via a USB-connected modem (tethering Android phone)
- [mandatory] web filtering to disallow bad traffic (malware, adult, gambling, advertisements, etc.)
- [optional] some specific source NAT rules to allow "free and unfiltered" web traffic for master admins (i.e. parents)
- [optional] Quality of Service (i.e. shaping) to limit TV streaming transfers (I would reduce excessive video resolution)
The fundamental points are:
1) each Wi-Fi DHCP client is served by the ASUS router and receives an OpenDNS server (a.k.a. Cisco Umbrella) to filter web traffic
2) normally the ASUS router uses the secondary WAN and forwards traffic to the MikroTik 4G router
[Figure: ASUS dual WAN config]
4) install the OpenDNS updater client on each phone, both to update the currently assigned dynamic IP and to protect (URL filter) the mobile phone when outside home
5) to guarantee master admins (parents) unfiltered traffic, you must allow queries to a non-OpenDNS server; this ASUS script NATs the DNS queries:
#! /bin/sh
# Redirect the parent's DNS queries, sent to the ASUS LAN address, to Google DNS instead of the OpenDNS forwarder
iptables -t nat -I PREROUTING 1 -p udp --dport 53 -s x.x.x.x -d y.y.y.y -j DNAT --to 8.8.8.8
iptables -t nat -I PREROUTING 1 -p tcp --dport 53 -s x.x.x.x -d y.y.y.y -j DNAT --to 8.8.8.8
exit 0
where x.x.x.x is the source IP address of the parent's terminal (phone, PC, etc.) and y.y.y.y is the ASUS LAN address; the ASUS acts as a forwarding DNS server toward OpenDNS. Actually I'm unable to schedule the script automatically (I run it manually from time to time, mainly once after a router reboot).
Then you need to allow all DNS traffic with MikroTik firewall rules; this traffic is present when the "secondary WAN" is active:
these rules allow my phone to reach 8.8.8.8 and the others to reach OpenDNS, and deny any other DNS query.
The ASUS detects the active line by the configured probe method: use only ping (as in the figure), but allow both DNS UDP queries and ping to the specific host 8.8.4.4 from the ASUS WAN address.
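The same DNS policy (parent to 8.8.8.8, everyone else to OpenDNS, every other resolver denied) expressed as iptables on the ASUS, as an added example that is not the post's own script; the post enforces the deny part on the MikroTik instead. The placeholder addresses are constructed, the OpenDNS resolver addresses are assumed to be its public ones, and DRY_RUN=1 prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example: DNS pinning as iptables on the ASUS (forwarding-only router, no masquerade,
# so forwarded packets still carry the real client source address).
# Constructed placeholders: x.x.x.x / y.y.y.y from the post become PARENT_IP / ASUS_LAN_IP.
PARENT_IP="${PARENT_IP:-192.168.1.10}"        # parent's terminal, gets unfiltered DNS
ASUS_LAN_IP="${ASUS_LAN_IP:-192.168.1.1}"     # ASUS LAN address (the forwarder clients query)
UNFILTERED_DNS="8.8.8.8"
FILTERED_DNS="208.67.222.222 208.67.220.220"  # assumption: OpenDNS public resolvers
DRY_RUN="${DRY_RUN:-}"                        # set DRY_RUN=1 to print instead of apply

# Run iptables, or print the command line in dry-run mode.
run() {
    if [ -n "$DRY_RUN" ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Insert a rule at the top of a chain only if it is not already present, so the
# script can be re-run after every reboot without duplicating rules.
add_rule() {
    table="$1"; chain="$2"; shift 2
    [ -z "$DRY_RUN" ] && iptables -t "$table" -C "$chain" "$@" 2>/dev/null && return 0
    run -t "$table" -I "$chain" 1 "$@"
}

apply_dns_policy() {
    # Dedicated chain for every port-53 flow crossing the router; rebuilt on each run.
    run -t filter -N DNS_EGRESS 2>/dev/null || true
    run -t filter -F DNS_EGRESS
    # Order matters: accepts first, catch-all drop last, so a client with a hard-coded
    # third-party resolver cannot bypass the OpenDNS filter.
    run -t filter -A DNS_EGRESS -s "$PARENT_IP" -d "$UNFILTERED_DNS" -j ACCEPT
    for dns in $FILTERED_DNS; do
        run -t filter -A DNS_EGRESS -d "$dns" -j ACCEPT
    done
    run -t filter -A DNS_EGRESS -j DROP
    for proto in udp tcp; do
        # Parent's queries aimed at the ASUS forwarder go to the unfiltered resolver
        # (the same DNAT rule as the post's script).
        add_rule nat PREROUTING -p "$proto" --dport 53 -s "$PARENT_IP" -d "$ASUS_LAN_IP" \
            -j DNAT --to-destination "$UNFILTERED_DNS"
        # Every forwarded DNS packet is decided by the allow/deny chain above.
        add_rule filter FORWARD -p "$proto" --dport 53 -j DNS_EGRESS
    done
}

# Applies only when saved and executed as dns_policy.sh (assumed file name);
# when sourced, only the functions are defined.
case "$0" in *dns_policy.sh) apply_dns_policy ;; esac
```

Queries that clients send to the ASUS forwarder itself traverse INPUT/OUTPUT, not FORWARD, so they are unaffected by the DNS_EGRESS chain; only clients trying to reach some other resolver directly are dropped.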
regards,
gino

