eNB/Basestation LGW Router mode configuration example

This has come up a few times in the Facebook group. This is an overview of my router mode configuration with Mikrotik.

As a disclaimer there may be problems with my specific configuration but I hope it gives you an idea on how to use router mode so you can do 1:1 NAT for traffic shaping and accounting, or even just to give customers public addresses. If anyone believes I may be doing something wrong please help me out and correct me!

The eNB has to have internet access to connect to the cloud services - via NAT or public addressing.

At this point it is recommended to firewall the eNB or keep it on private address space. I am running in Router mode with a public address on the eNB. I allow all outbound established/related and block everything inbound to the eNB. Make sure your eNB is firewalled if you put it on public space! I believe @jesse may know better what to block, but it's advised to at least block SNMP, SSH, and HTTP/HTTPS to the eNB. I took a nuclear approach and blocked everything not in my management address space.

The settings we will be changing are under the LTE Settings > LGW settings.

Router mode

My example uses 10.1.50.1/24 as the pool. You can use whatever address space fits your network as the pool.

On the 'LGW Settings' page we want to look at 'LGW Mode'. We want to set it to router (by default I believe it's set to NAT). Under 'LGW IP Pool' we set 10.1.50.1. Currently you have no choice but to dedicate a /24 to the pool, so we decided to do private addressing.

In order to access this address space you will need a static route to the public or private address you assigned to the WAN interface of the eNB.

Example: /ip route add distance=1 dst-address=10.1.50.0/24 gateway=address-of-eNB-here

We run OSPF in our network and in order to get to this address space from the rest of the network I had to enable ā€˜Redistribute Static Routeā€™ in the OSPF instance. There may be a better way to do this without doing so, but I am not sure.

'IMSI IP Binding'

This is where you tell the eNB what static IP to bind to what IMSI. The IMSI is SIM card specific so you will have to know what sim card is in use at every customer.

Before we deploy a customer we assign the IMSI a static address (example - 10.1.50.21). If you have "Remote HTTPs access" enabled in the UE you will be able to remotely manage the UE with this address if you have the static route in place.

Now that the CPE is assigned a static address we can take and do a 1:1 NAT or 1 to MANY if you need to.

In our example we have a small subnet set aside and we assign a /32 to the bridge interface per customer, and then NETMAP from the private IP to the public IP. There are multiple ways to do this - pick what fits best for you. I am tight on address space at the moment and /32s are the best way for us to conserve at a slowly growing site.

Example: /ip firewall nat add action=netmap chain=srcnat comment="Customer Name" src-address=10.1.50.21 to-addresses=public-address-here

Another note... When I originally set this up I was having issues with the eNB and this was the configuration I found to work. I don't see why it would not work with a simple SRCNAT rule instead of the NETMAP action. I just have not had time to revisit it and I don't want to break customers.

Now the UE is able to establish connections outbound to the world via its own or shared address. If it has its own you can apply traffic shaping policy via the local router or a more centralized shaping solution.

I am not currently allowing inbound access to our LTE customers by design, and this is a shortcoming. You can easily add a DSTNAT rule to overcome this. We have not had to yet, but we are only servicing residential customers at this point. If it comes to this I would prefer to dedicate a router for it instead of having it set up on our site router. You may also want to firewall ports to the UE, like SNMP. Currently there is no way to restrict SNMP; it answers by default with the community of 'public'.

Please also see the LGW guide:

Joe

3 Likes
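The post above walks through the router-mode pieces one at a time (static route to the pool, a /32 per customer on the bridge, a NETMAP rule per IMSI-bound address, and a firewall that blocks unsolicited traffic to the eNB and the UEs). The following script is an added example, not Joe's configuration or anything shipped by Baicells or MikroTik: it takes a list of IMSI bindings, checks each one for the mistakes that are easy to make by hand (address outside the pool, reserved pool address, duplicate IMSI or IP, RFC 1918 "public" address), and emits the corresponding RouterOS commands for the site router. The IMSIs, addresses, management subnet and bridge interface name are constructed placeholders; the filter rules assume the eNB WAN address sits behind the site router so the forward chain sees traffic to it.

```python
"""Generate site-router RouterOS commands for eNB LGW router mode.

Added example, not code from the original post or from Baicells/MikroTik.
Sample IMSIs, addresses and names are constructed placeholders.
"""
import ipaddress
import re

# IMSI is 15 decimal digits (MCC + MNC + MSIN); the eNB binds one pool address to each one.
IMSI_RE = re.compile(r"^[0-9]{15}$")

# Addresses in these ranges are never valid as a customer's "public" NETMAP target.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_customer(pool_cidr, customer):
    """Return a list of problems with one IMSI binding (empty list means OK).

    pool_cidr is the LGW IP pool, written as in the LGW settings (e.g. "10.1.50.1/24").
    Assumption: the first host address of the pool is the gateway the eNB uses itself.
    """
    pool = ipaddress.ip_network(pool_cidr, strict=False)
    gateway = pool.network_address + 1
    problems = []
    if not IMSI_RE.match(customer["imsi"]):
        problems.append(f"imsi {customer['imsi']!r} is not 15 digits")
    try:
        priv = ipaddress.ip_address(customer["private_ip"])
        pub = ipaddress.ip_address(customer["public_ip"])
    except ValueError as exc:
        return problems + [f"bad address: {exc}"]
    if priv not in pool:
        problems.append(f"private_ip {priv} is outside pool {pool}")
    elif priv in (pool.network_address, pool.broadcast_address, gateway):
        problems.append(f"private_ip {priv} is reserved in pool {pool}")
    if pub in pool or any(pub in net for net in RFC1918):
        problems.append(f"public_ip {pub} is inside the pool or RFC1918 space")
    if '"' in customer["name"]:
        problems.append("name must not contain double quotes (it becomes a RouterOS comment)")
    return problems


def plan_router_config(pool_cidr, enb_wan_ip, mgmt_cidr, customers, bridge="bridge"):
    """Build the RouterOS commands for the site router.

    Emits: the static route toward the eNB for the pool, one /32 per customer on
    the bridge, one srcnat NETMAP rule per customer, and forward-chain filter
    rules that allow only the management subnet to reach the eNB and drop
    unsolicited inbound traffic to the UE pool. Raises ValueError if any
    binding is invalid or duplicated, so a bad list never becomes a config.
    """
    pool = ipaddress.ip_network(pool_cidr, strict=False)
    enb = ipaddress.ip_address(enb_wan_ip)
    mgmt = ipaddress.ip_network(mgmt_cidr, strict=False)
    seen = {"imsi": set(), "private_ip": set(), "public_ip": set()}
    for c in customers:
        problems = check_customer(pool_cidr, c)
        for key, used in seen.items():
            if c[key] in used:
                problems.append(f"duplicate {key} {c[key]}")
            used.add(c[key])
        if problems:
            raise ValueError(f"{c['name']}: " + "; ".join(problems))

    cmds = [f"/ip route add distance=1 dst-address={pool} gateway={enb}"]
    for c in customers:
        cmds.append(f'/ip address add address={c["public_ip"]}/32 interface={bridge} comment="{c["name"]}"')
        cmds.append(
            f'/ip firewall nat add action=netmap chain=srcnat comment="{c["name"]}" '
            f'src-address={c["private_ip"]} to-addresses={c["public_ip"]}'
        )
    # Filter rules are evaluated top to bottom: replies first, then management
    # access to the eNB, then the two drops (everything else to eNB, anything
    # unsolicited toward the UE pool, which also covers SNMP on the UE).
    cmds += [
        "/ip firewall filter add chain=forward connection-state=established,related action=accept",
        f'/ip firewall filter add chain=forward src-address={mgmt} dst-address={enb} action=accept '
        'comment="management to eNB"',
        f'/ip firewall filter add chain=forward dst-address={enb} action=drop comment="block inbound to eNB"',
        f'/ip firewall filter add chain=forward dst-address={pool} action=drop comment="no unsolicited inbound to UEs"',
    ]
    return cmds


# Constructed sample: test PLMN 001/01 IMSIs, TEST-NET public addresses.
SAMPLE_CUSTOMERS = [
    {"name": "Customer A", "imsi": "001010000000001", "private_ip": "10.1.50.21", "public_ip": "203.0.113.21"},
    {"name": "Customer B", "imsi": "001010000000002", "private_ip": "10.1.50.22", "public_ip": "203.0.113.22"},
]

if __name__ == "__main__":
    for line in plan_router_config("10.1.50.1/24", "198.51.100.10", "192.0.2.0/24", SAMPLE_CUSTOMERS):
        print(line)
```

Paste the printed lines into a RouterOS terminal on the site router (or review them first). The NETMAP rule is the one from the post; the checks in check_customer are where the value is, since a private address outside the pool or a duplicate public /32 silently breaks one customer rather than failing loudly.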

Thanks for taking the time to write this out Joe!

1 Like

I hope others find it helpful!

Great job on this very detailed article Joe!

As you mentioned, if you were to add any DSTNAT rules, you would want to firewall management ports. The only management port for the UE would be HTTPS (443), and this port is not open by default. To enable this port, you would need to enable the "Allow HTTPs Login from WAN" setting under System->Web Setting.

1 Like

Thanks a bunch, that worked perfectly. Now I can run public IPs for my clients which was a potential hold-back on mass deployment

2 Likes

Good info, thanks for sharing.

1 Like

Hi,

Under LTE Settings, I don't have anything that says "LGW Settings"
I have many other items though starting with "X2 Handover"

What am I missing?

Thanks

Your eNB has an old firmware. Could you please upgrade the firmware? After upgrading, the eNB will have the LGW settings tab.

http://na.baicells.com/download/BaiStation_V100R001C00B060SPC012.IMG

To upgrade the firmware, please follow the following steps:

  1. Log into the eNB's web gui 192.168.150.1
  2. Go to "System Settings"
  3. Go to "Firmware Upgrade"
  4. Click "Choose file" and choose the firmware file.
  5. Click "FLASH IMAGE".

Thank you,
Sonny

1 Like

So we went through this process and have managed to route in our bench test. We also use Mikrotik.

What I don't understand, is where the static 10.x.x.x address appears. We don't see it on the eNB or the UE interfaces. We see 192.168.251.1 reporting from the CloudCore CPE monitor list.

Are we just flying blind and hoping we have it right until we test or am I missing something?

Also traceroutes from the UE side are odd. The PC reported the UE, then timeout for the eNB, timeout for the next router and then a reply from the destination.

Would love to bend ear on this topic and would reimburse you for time. We have a new design finished and the last part is to determine how to handle public IP assignments to clients to track down copyright infringement requests.