
Official Airave 4 LTE / Casa Pebble / Airave 3 LTE / S1000 Thread


SeanK_


Just now, jt25741 said:

Thank you!

Was just about to edit my post. Turns out they're not hardcoded. I just found out that 71.252.0.14 is a Verizon FiOS DNS server. I forgot that I set my Airave VLAN to not use my local DNS server, but rather just pass along whatever my ISP assigned. So in that case I guess it does just use the DNS server assigned via DHCP. I have no explanation for the other 2 though.


1 minute ago, ingenium said:

Was just about to edit my post. Turns out they're not hardcoded. I just found out that 71.252.0.14 is a Verizon FiOS DNS server. I forgot that I set my Airave VLAN to not use my local DNS server, but rather just pass along whatever my ISP assigned. So in that case I guess it does just use the DNS server assigned via DHCP. I have no explanation for the other 2 though.

Actually now I am confused... As I block all DNS traffic except to OpenDNS, the Airave 4 doesn't come up. So it is trying to reach a DNS server that is not DHCP-served, it seems; I just don't know which one. It comes up fine when I drop my DNS restrictions. I can try some ACL logging and see if I can find out, but it isn't easy in my setup.


7 minutes ago, jt25741 said:

Actually now I am confused... As I block all DNS traffic except to OpenDNS, the Airave 4 doesn't come up. So it is trying to reach a DNS server that is not DHCP-served, it seems; I just don't know which one. It comes up fine when I drop my DNS restrictions. I can try some ACL logging and see if I can find out, but it isn't easy in my setup.

Since you mention ACL logging, I'm guessing you might have a more advanced switch? If so, you could do port mirroring on the switch and then run Wireshark (in promiscuous mode) on a computer connected to the mirror port. In my case I just ran Wireshark on my router on the VLAN that only contains the Airave.

That being said, you can try whitelisting those IPs. Or another option is to set a NAT rule to force all traffic to go through OpenDNS, while letting clients think they're using their hardcoded servers. I do this on a couple of my VLANs. It's a preferable option to just blocking non-OpenDNS traffic.


1 minute ago, ingenium said:

Since you mention ACL logging, I'm guessing you might have a more advanced switch? If so, you could do port mirroring on the switch and then run Wireshark (in promiscuous mode) on a computer connected to the mirror port. In my case I just ran Wireshark on my router on the VLAN that only contains the Airave.

That being said, you can try whitelisting those IPs. Or another option is to set a NAT rule to force all traffic to go through OpenDNS, while letting clients think they're using their hardcoded servers. I do this on a couple of my VLANs.

All great ideas... thank you. I'll report back what I get to work.


 

41 minutes ago, ingenium said:

Since you mention ACL logging, I'm guessing you might have a more advanced switch? If so, you could do port mirroring on the switch and then run Wireshark (in promiscuous mode) on a computer connected to the mirror port. In my case I just ran Wireshark on my router on the VLAN that only contains the Airave.

That being said, you can try whitelisting those IPs. Or another option is to set a NAT rule to force all traffic to go through OpenDNS, while letting clients think they're using their hardcoded servers. I do this on a couple of my VLANs. It's a preferable option to just blocking non-OpenDNS traffic.

 

39 minutes ago, jt25741 said:

All great ideas... thank you. I'll report back what I get to work.

Hey ingenium... just wanted to say, I put those two other DNS server entries in the ACL whitelist and it works like a charm. I got all green lights. Thank you for your help.


I added a family member to my Sprint account a couple of months ago, and unfortunately she's in a cell dead zone, so Sprint sent an Airave 4 to take care of that. I set up the Airave 4 and threw it into a DMZ within her router config so that everything is wide open for it and there won't be any problems with firewall interference.

She's been driving me nuts lately because the GPS light goes red at random, taking CDMA/voice out with it. LTE stays solid green, no problems there. I've checked the GPS antenna over and over again; it runs out to a window. When the Airave 4 first powers on, after a few minutes all LEDs go green, and the network lights remain green 24x7. Just the GPS... it might go red after a few hours, or a few days, in some cases a week or longer (it's remained green with no problems for 7 days). I've suggested she relocate the entire Airave to a different part of her house, because something is obviously interfering with the GPS signal. I have also factory reset the device (twice). It works great when all the LEDs are green, but once that GPS light goes red, it might as well be a paperweight (because she relies on it for voice). I have suggested wifi calling, but tbh the Airave should be doing the job and it just isn't.

What else could I try to solve the GPS-gone-red issue? Thanks.

Edited by ChrisWNY

The only light that DOES NOT turn green is the connection to Sprint Core Network. All else are green, with the exception of the CDMA, which doesn't light at all. Just got this new Airave 4 LTE and will be sending my old Airave 2.5+ back because it was just old and starting to have issues. Seems like with everything green, the C-NET LED should connect.

Any thoughts? Thanks in advance.

Miles
 


The only light that DOES NOT turn green is the connection to Sprint Core Network. All else are green, with the exception of the CDMA, which doesn't light at all. Just got this new Airave 4 LTE and will be sending my old Airave 2.5+ back because it was just old and starting to have issues. Seems like with everything green, the C-NET LED should connect.

Any thoughts? Thanks in advance.
Miles
 
It's possible that your router is blocking it for some reason. Are there any restrictions on your internet? Any filtering? Forced DNS? Network wide VPN? Network wide Tor? Anything out of the ordinary?

Sent from my Pixel 3 XL using Tapatalk


6 hours ago, Bob Newhart said:

No DMZ is needed for any Airave device.
Mine works great mostly, sometimes need to reboot, which is something I should never have to do.

Depends on the router. If it has DMZ then that is often the easiest method.


19 hours ago, dkyeager said:

Depends on the router. If it has DMZ then that is often the easiest method.

The Airave4 creates connections FROM the Airave TO Sprint's servers, no incoming connections need to go directly to the device via DMZ.


5 hours ago, Bob Newhart said:

The Airave4 creates connections FROM the Airave TO Sprint's servers, no incoming connections need to go directly to the device via DMZ.

Looks like the same usual port requirements to me, which have required adjustments for some routers. https://www.sprint.com/content/dam/sprint/us/en/support/airave/Airave4UserGuide.pdf page 9:

4. Connect one end of the Ethernet cable to an available LAN port on your broadband connection modem, or to a LAN port on your network. If on network: Open UDP ports 53, 67, 500 and 4500 bi-directionally. Contact your IT administrator for assistance.

Great that it works for you without adjustments, which likely applies for many others, but if it does not work, putting it on the DMZ may be the easiest way for others to fix it. 

Besides, IoT devices are often untrustworthy, as they are typically spying on other parts of the network or opening unknown holes and other security risks, thus using a DMZ for such devices is a best practice.


6 hours ago, Bob Newhart said:

The Airave4 creates connections FROM the Airave TO Sprint's servers, no incoming connections need to go directly to the device via DMZ.

 

38 minutes ago, dkyeager said:

Looks like the same usual port requirements to me, which have required adjustments for some routers. https://www.sprint.com/content/dam/sprint/us/en/support/airave/Airave4UserGuide.pdf page 9:

4. Connect one end of the Ethernet cable to an available LAN port on your broadband connection modem, or to a LAN port on your network. If on network: Open UDP ports 53, 67, 500 and 4500 bi-directionally. Contact your IT administrator for assistance.

Great that it works for you without adjustments, which likely applies for many others, but if it does not work, putting it on the DMZ may be the easiest way for others to fix it. 

Besides, IoT devices are often untrustworthy, as they are typically spying on other parts of the network or opening unknown holes and other security risks, thus using a DMZ for such devices is a best practice.

I did a packet capture on the Airave 4 (and 3). There are no inbound connections, period; only outbound, which will work fine with NAT. I can post a copy if anyone is actually interested and wants to dig through it in Wireshark.

For the typical home user, there is no reason that it needs to be in a DMZ. The ports listed are just the ports that it uses (outbound), and outbound traffic must be allowed on them. Interestingly they leave off UDP port 123 (NTP), so it's possible that it's not actually required and it will just synchronize time over the IPsec tunnel once it's established. NTP is one of the first things it does though.

I'm guessing the DMZ suggestion may be for corporate networks or other networks that may block outbound IPsec or are overly aggressive or restrictive. It's a catch-all, basically a way to guarantee that it will work. Port 53 is DNS (incoming not required, it just needs to be able to look up hostnames and get responses), 67 is DHCP, and 500/4500 is UDP-encapsulated IPsec IKEv2. An IPsec helper on the firewall isn't needed, since I don't think it even attempts to use ESP and just goes straight to UDP.

I see no reason why it wouldn't work even with double NAT. The only potential issue would be if the UDP NAT timeout is set too low and the NAT entries are removed before a keepalive packet is sent, but it would have to be a pretty low timeout (less than 30 seconds probably). So it will be fine just sticking it behind the router for almost any home user, and if not, then whoever set up the network will be competent enough to be able to fix it and relax the firewall rules.


As ingenium says, the Airave 4 makes two VPN tunnels to the Sprint servers; all traffic goes via these two tunnels. One tunnel for CDMA 1x voice/data and one for LTE data.

No ports need to be opened or forwarded, and no DMZ is required.

Do NOT use DMZ, unless you really enjoy opening up your network to attacks.


22 hours ago, ingenium said:

 

I did a packet capture on the Airave 4 (and 3). There are no inbound connections, period; only outbound, which will work fine with NAT. I can post a copy if anyone is actually interested and wants to dig through it in Wireshark.

For the typical home user, there is no reason that it needs to be in a DMZ. The ports listed are just the ports that it uses (outbound), and outbound traffic must be allowed on them. Interestingly they leave off UDP port 123 (NTP), so it's possible that it's not actually required and it will just synchronize time over the IPsec tunnel once it's established. NTP is one of the first things it does though.

I'm guessing the DMZ suggestion may be for corporate networks or other networks that may block outbound IPsec or are overly aggressive or restrictive. It's a catch-all, basically a way to guarantee that it will work. Port 53 is DNS (incoming not required, it just needs to be able to look up hostnames and get responses), 67 is DHCP, and 500/4500 is UDP-encapsulated IPsec IKEv2. An IPsec helper on the firewall isn't needed, since I don't think it even attempts to use ESP and just goes straight to UDP.

I see no reason why it wouldn't work even with double NAT. The only potential issue would be if the UDP NAT timeout is set too low and the NAT entries are removed before a keepalive packet is sent, but it would have to be a pretty low timeout (less than 30 seconds probably). So it will be fine just sticking it behind the router for almost any home user, and if not, then whoever set up the network will be competent enough to be able to fix it and relax the firewall rules.

I was wondering if you tested scenarios where the communication link was broken. That is where Sprint may attempt to re-establish an IPsec tunnel.


4 hours ago, Bob Newhart said:

Do NOT use DMZ, unless you really enjoy opening up your network to attacks.

In what way does using a DMZ for an Airave threaten the rest of the network?


I was wondering if you tested scenarios where the communication link was broken. That is where Sprint may attempt to re-establish an IPsec tunnel.

Partially. On the 3, because it had broken IMS on LTE after the final software update (broke calls and texts on eCSFB devices), I blocked the LTE IPsec tunnel at the firewall. This resulted in LTE being disabled, and it regularly tried to re-establish the tunnel. If I removed the firewall rule, LTE would come back up in a few minutes.

I tried the same on the 4 (I forget the reason why), which was easier since the CDMA and LTE sides are assigned separate IP addresses. On the 3 I had to block by destination IP address (the LTE tunnel used a hard-coded IP address; this isn't the case on the 4).

If communication is interrupted, the Airave will repeatedly try to re-establish the tunnel. I'm not sure if Sprint's side tries to do anything. I'm sure if the NAT entries are still there, Sprint's side would be able to bring the tunnel back up (or at least trigger the Airave to re-establish it), but since the Airave tries regularly anyway, I'm not sure if this would have much benefit other than making it reconnect a few minutes faster.

Sent from my Pixel 3 XL using Tapatalk


21 hours ago, Bob Newhart said:

The firmware in the Airaves is 'buggy' on its very best day, it opens up a hole where it can access the rest of your network.

One of the main uses of a DMZ is to isolate questionable hardware from all other devices on your network, many of which almost never receive security updates. That way an IoT device can only see itself. Of course restricting a device to only what it needs from where it needs it is even better, but requires more vigilance than most people have. I see this type of DMZ use as a much better alternative to putting the Airave first for cases where the Airave won't function without network adjustments.


One of the main uses of a DMZ is to isolate questionable hardware from all other devices on your network, many of which almost never receive security updates. That way an IoT device can only see itself. Of course restricting a device to only what it needs from where it needs it is even better, but requires more vigilance than most people have. I see this type of DMZ use as a much better alternative to putting the Airave first for cases where the Airave won't function without network adjustments.

I guess it comes down to what the default behavior is on most consumer hardware. I'm not sure if the DMZ there is isolated from the main network? My understanding on consumer hardware is that it's assigned a LAN IP, but all non-forwarded ports on the WAN IP go to the DMZ device. It's a hack to avoid port forwarding or for when you don't know which ports to forward, and is a security issue. Or at least that's the way I've seen it behave on a lot of residential routers.

On more enterprise hardware, I know DMZ behaves as you said, offering an isolated place to put untrusted equipment away from your primary network, basically acting as a separate VLAN. But I'm guessing for the average user, their DMZ won't behave this way, unfortunately.

For anyone with capable hardware, I would recommend putting the Airave on its own VLAN, with access to your other VLANs blocked. That's the way I run mine.

Sent from my Pixel 3 XL using Tapatalk

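As an added example, not code from the thread, Sprint or any poster: a Python model of the policy ingenium describes across the posts above (outbound-only UDP on the user-guide ports plus NTP, DNS forced through OpenDNS by NAT instead of being blocked, and the Airave on its own VLAN with no reach into other VLANs), evaluated against constructed flows. The VLAN prefixes, the 203.0.113.x destinations and the verdict names are assumptions; 71.252.0.14 is the resolver named earlier in the thread.

```python
from __future__ import annotations
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed addressing (assumption, not from the thread): the Airave sits alone
# on its own VLAN; the other two prefixes are the household's trusted LANs.
AIRAVE_VLAN = ip_network("192.168.40.0/24")
TRUSTED_LANS = (ip_network("192.168.1.0/24"), ip_network("192.168.20.0/24"))
RFC1918 = (ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16"))
OPENDNS = ("208.67.222.222", "208.67.220.220")

# Outbound UDP the Airave needs, per the thread: 53 (DNS) and 500/4500 (IKEv2 and
# IPsec over UDP) from the user guide, plus 123 (NTP) seen in the packet capture.
# UDP 67 (DHCP), also in the guide, is a request to the router itself, not
# forwarded traffic, so it has no place in a forward/egress rule.
ALLOWED_UDP_EGRESS = frozenset({53, 123, 500, 4500})


@dataclass(frozen=True)
class Flow:
    """First packet of a new connection, as the router's forward chain sees it."""
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    dport: int


def redirect_dns(flow: Flow) -> Flow:
    """DNAT step: a DNS query leaving the Airave VLAN is rewritten to OpenDNS.
    A device that insists on its own resolver (the thread's 71.252.0.14 case)
    keeps working, while the network only ever talks to the chosen resolver."""
    if (ip_address(flow.src) in AIRAVE_VLAN and flow.proto == "udp"
            and flow.dport == 53 and flow.dst not in OPENDNS):
        return replace(flow, dst=OPENDNS[0])
    return flow


def decide(flow: Flow) -> tuple[str, Flow]:
    """Verdict for a new flow, plus the flow as it leaves the router after NAT.
    NAT runs before filtering, lateral moves into trusted VLANs are refused
    before the egress allow-list is consulted, and the default is deny."""
    if ip_address(flow.src) not in AIRAVE_VLAN:
        return "not-airave", flow
    flow = redirect_dns(flow)
    dst = ip_address(flow.dst)
    if any(dst in lan for lan in TRUSTED_LANS):
        return "drop-lateral", flow   # isolation from the rest of the network
    if any(dst in net for net in RFC1918):
        return "drop-private", flow   # any other internal destination
    if flow.proto == "udp" and flow.dport in ALLOWED_UDP_EGRESS:
        return "accept", flow
    return "drop-egress", flow        # the kind of thing ACL logging should show


if __name__ == "__main__":
    # Constructed sample flows; 203.0.113.0/24 is documentation address space.
    sample = [Flow("192.168.40.10", "71.252.0.14", "udp", 53),    # hard-wired resolver
              Flow("192.168.40.10", "203.0.113.10", "udp", 123),  # NTP before the tunnel
              Flow("192.168.40.10", "203.0.113.20", "udp", 4500), # IPsec over UDP
              Flow("192.168.40.10", "192.168.1.20", "tcp", 445)]  # poking at a file share
    for f in sample:
        print(decide(f))
```

The first sample flow shows the difference between the two approaches in the thread: under a plain block it would be the silent failure jt25741 saw, under the NAT rule it is accepted with its destination rewritten.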

@SeanK_, @ingenium or anyone else that can help a basic user. I attached a picture of my setup (can't see the TiVo), I have RCN internet. The only time the Airave seems to almost work, is when the wifi is down, the eero and airave are not working together. What can I do to get this to work? About ready to give up. Thank you all.





@SeanK_, @ingenium or anyone else that can help a basic user. I attached a picture of my setup (can't see the TiVo), I have RCN internet. The only time the Airave seems to almost work, is when the wifi is down, the eero and airave are not working together. What can I do to get this to work? About ready to give up. Thank you all.


Plug the Airave 4 into the switch behind the Eero, i.e. the one that is connected to the Eero.

It's very likely your RCN cable modem router is in bridge mode and passing the single public IP address to the Eero, which is doing NAT + DHCP + routing.

What's likely happening is there is an IP conflict, as you likely only have one IP address given to you as part of your residential account, hence why when the Eero is off the A4 works.

TLDR: connect the A4 behind the Eero so it gets a private IP assignment and doesn't fight over the single public IP.

Sent from my Pixel 3 using Tapatalk



23 minutes ago, SeanK_ said:

Could you take a picture of the back of the modem?

What is the modem model again?

I've attached a picture.

23 minutes ago, lilotimz said:

Plug the Airave 4 into the switch behind the Eero, i.e. the one that is connected to the Eero.

It's very likely your RCN cable modem router is in bridge mode and passing the single public IP address to the Eero, which is doing NAT + DHCP + routing.

What's likely happening is there is an IP conflict, as you likely only have one IP address given to you as part of your residential account, hence why when the Eero is off the A4 works.

TLDR: connect the A4 behind the Eero so it gets a private IP assignment and doesn't fight over the single public IP.

Sent from my Pixel 3 using Tapatalk

The modem does not have wireless routing capabilities. I rearranged the switch. Now the order goes Airave, Eero, TV and TiVo. It looks like a promising setup as both Eero and TiVo are working along with the MoCA connection for the TiVo Mini. However, while most lights on the Airave are solid green, L-Net and LTE are blinking red. Thank you!

Edited by jtrotter54
spelling error, added attachment

49 minutes ago, jtrotter54 said:

I've attached a picture.

The modem does not have wireless routing capabilities. I rearranged the switch. Now the order goes Airave, Eero, TV and TiVo. It looks like a promising setup as both Eero and TiVo are working along with the MoCA connection for the TiVo Mini. However, while most lights on the Airave are solid green, L-Net and LTE are blinking red. Thank you!

 

A cable modem, such as the CM1200, passes a single public IP address to the device connected behind it. It is not a router. It does not do routing or if so it's very limited. 

The proper setup is Modem --> Router --> Switch --> hardwire connected devices. 

So make sure the white ethernet cable goes into the Eero's WAN port. Then you want to connect an ethernet cable from the LAN port of the Eero into one of the ethernet ports on the switch. Then you want to connect other hardwired devices, like the Airave 4, to the ethernet switch.

Also give the Airave 4 a good hard reset when you do this so it erases whatever previous IP assignment it had on file. 

