NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
M6 and IP-passthrough with routable static IP
I have an M6 Pro (MR6550) and a T-Mobile business internet account, and I'm unable to use the M6 in passthrough mode.
The M6 (the hotspot) does some pretty inexplicable things. Like ARP my firewall from 192.168.3.1.
As I said, my firewall has a public routable (non RFC-1918) address, so 192.168.3.1 is not going to be adjacent on the subnet, and therefore my firewall will drop the ARP request at a minimum, and potentially trigger the IDS as there being misconfiguration of a peer on the network or even someone doing malicious probes.
It also sends SSDP packets to my network segment as multicasts. Why? Only hackers use SSDP on a WAN interface: to figure out (1) if you're misconfigured and (2) to know what sort of machines are on your network so they can tailor attacks after fingerprinting the hosts and looking up their attack surfaces and vulnerabilities.
But more to the point, it's a modem/bridge. It should be operating at layer 2 on the Ethernet side, and layer 3 on the 4G/5G side.
The correct behavior is trivial:
(1) When the APN provisioning is received from the 5G carrier, PROXY ARP the default gateway's IP address with your own (M6's) MAC address (or GARP it, that works too if the firewall has been sysctl'd to accept GARP's on a public interface... which is sometimes used for man-in-the-middle attacks on public networks).
(2) Then ARP REQUEST the firewall's IP address so you know where to forward the packets.
That 2nd step is likely unnecessary, since most IP neighbor implementations cache the address of an ARP requestor in anticipation of their being return traffic (i.e. some sort of answer).
You don't need SSDP. Or mDNS. Or to be trying to figure out anything about what's attached to the firewall. That's just suspicious behavior.
Also, don't IPv6 SSDP me if I'm not provisioned for IPv6! That just fills my logs with noise.
If I do a ping -c 1000 8.8.8.8 then I see spans of 8 or 9 packets being passed, then 20 or so dropped, then 8 or 9 passed, then 20 or so dropped... until the test completes.
How did this not turn up during homologation testing? I'm getting 62-70% packet loss!!!
22 Replies
So I have an adjacent issue regarding ip passthru. I just purchased the new Nighthawk 5g M7 - MH7150. My main objective is to use it as a backup WAN connection to my UI UDM-SE when my primary connection is not available. I'll also use it on trips when I'm away from home I had to purchase the docking cradle to get it to work as WAN backup. MY UI Ethernet POE to USB-C adapter did not work. I am only using the cradle to connect to my wan2 port. I have it working with the cradle but the M7 is providing a private 192.168.10.x address to the UDM-SE which I'm assuming is a double-NAT situation and not preferred. I cannot find any setting on the M7 for ip-passthru or bridge mode. I've looked using the mobile app and direct web interface to no avail. I know it is a fairly new device but wondering if anyone has any insight. I opened a ticket with NetGear as well. BTW, I'm using an eSIM from a 3rd-party provider and it is working very nicely as a standard mobile router. I didn't use the NetGear eSIM marketplace. I don't love the mobile app but it is usable.
Called yesterday because no one has answered my repeated requests for an update.
I was asked, "what sort of adapter is on my PC".
I said 8 weeks ago I was using a Mac Mini.
I was asked, "can you reproduce this on another machine?"
I said 8 weeks ago I reproduced it on a Mac Book Air with an USB-Ethernet dongle as well as using WiFi... and I reproduced it without any computer by generating traffic directly on the routers command line.
I was ask what tests I ran.
I attached output 8 weeks ago of a 1000 packet ping series, as well as running "iperf3".
No wonder they've not made any progress. No one has bothered to read the case notes.
I feel for you ... Ive been successfully using my M6 Pro as a backup router on a Unifi UDM Pro for two years with no issues. Unfortunately the M6 decided to update its firmware tonight (with no notification or input on my part) and I can attest that IP Passthrough does NOT work with firmware versionNTGX65_12.01.74.00.
I now have a $600 brick and as its out of warranty thus would require me to purchase a support contract to get any help ... Not really interested in paying them to fix a problem they created.
I think its time to unload it and move on to another solution ....
if you have IPV6 enabled in your router, disable it. I updated last night (to x.74) and it took me a minute to figure out that when IPv6 is enabled in the router, the M6 fails to give an passthrough IPv4 to it. I don't think this was how the older firmware behaved. I will have to do further testing and compare. I have no pressing need for IPv6 for now, so I might let it be for now.
And now 6 weeks have passed, and absolutely no progress.
No confirmation that this has been reproduced in the lab, or that a fix is undergoing testing.... or that a drop-dead date has been assigned to getting a fix published...
Shockingly bad technical support.
Not even a pretense of an SLA in time-to-resolution.
But the clincher is that this was a known issue with the M5, so they had foreknowledge of it supposedly before the M6 was even released.
5 weeks since I provided both all of the debugging information requested, and an engineering solution to the problem (basically just do Proxy ARP like every other modem on the market does) and I still don't have working firmware.
Or even confirmation that they understand the problem or have been able to reproduce it in the lab.
My concern is that the ISP may believe that the device their network is connecting to has a public IP address that they have assigned to that connection and the Firewall believes that it has a different public IP address. If packets keep arriving through the M6 that are addressed to the ISP public IP, the Firewall will ignore them. The goal is to confirm what IP the ISP is sending packets to, and the only way to do that appears to temporarily put the M6 into the default router mode.
If someone misconfigures their firewall with the wrong IP address, prefix, and default gateway then this is going to fail no matter what... Doesn't matter if they're on Ethernet, cellular, DOCSIS, or whatever.
Suppose that the Firewall public IP address is 111.222.333.a and the public IP address assigned to the M6 is 333.222.111.b.
If the M6 is put into passthrough mode, then it will send packets to the Firewall addressed to 333.222.111.b and the Firewall will ignore them because it is expecting packets addressed to 111.222.333.a
Put another way, if the M6 is in the default (router) mode, what public IP address does it display?
Um... first, they'd need to be on the same subnet.
So do you mean the M6 is on 111.222.333.b?
Again, in passthrough mode the M6 won't have an address. But it will know the address that the firewall behind it has. It will also know the address of the (provider-side) default gateway.
Or are we not talking about IP-passthrough mode any more?
Because:
if the M6 is in the default (router) mode
then that sounds like we're talking about routing mode and not IP passthrough mode.
I don't understand where CrimpOn​ is going here, but it still might be useful to see if the M6 is better behaved in router mode. Particularly the 60-70% packet loss.
Thanks for explaining where the IP Passthrough option is found.
my firewall has a public routable (non RFC-1918) address
Is this firewall public IP address the same as the public IP address that the M6 receives from the ISP?
Not sure I understand the question: if the hotspot is in IP passthrough mode, then it doesn't have an IP address because it's supposedly operating at layer 2.
I cannot seem to find where to set the M6 to bridge mode in the user manual.
https://www.downloads.netgear.com/files/GDC/MR6500/MR6500_MR6110_UM_EN.pdf
Is this an "Advanced" feature that is not in the user manual?
On the screen, it's "Settings", "More", "IP Passthrough".
It should be operating at layer 2 on the Ethernet side, and layer 3 on the 4G/5G side.
And when I say "operating at [...] layer 3 on the 4G/5G side", I mean stripping the Ethernet encapsulation of 0x800 packets and forwarding them over the radio. Easy peasy.
I opened a case 7 weeks ago. No progress. Not even a confirmation that they understand the problem or were able to reproduce it on the test bench.
