Re: LM1200 repeatedly dropping link

@JohnPeng Can the LM1200 firmware be revised to permit bridged connection when the WAN port is connected, but switch to router mode when the WAN fails? That will allow use as a failover device where the WAN source allows bridging but the LTE source (Verizon) does not. I'd rather be bridged but, barring other options, router mode is acceptable.

Hi everyone,

I've had quite the adventure today getting my gear up and running. I'd like to give some insight on how I've come to the same conclusion that the Netgear expert members like @JohnPeng have that there is something going on with the Verizon network specifically. If you are looking for a straight answer I can't really give you one as to why, but I'd like to share my troubleshooting and coming to the conclusion I needed to move to a different 4G provider entirely. With that in mind, there is a lot to go over here so if you skip this post I understand. EDIT: I'm also going to throw in here, I know the difference in router vs bridge mode. I'd need bridge mode to work to have some ports working. But apparently even in bridge mode ports won't forward.

For an idea of my network and situation, I have recently transitioned to working hybrid, but I'll mostly be working from home. I have a fiber line built in directly to my home and I typically don't have any problems with it - however my work is critical in that I'd need a constant connection and no time to fumble through my phone and get a hotspot running. Even if my ISP is running at a 90% connectivity rate through the year if something happens in that 10% it can be very bad. I currently utilize a lot of Tp-link devices and the Omada controller software hosted on a Ubuntu VM - the ER605 is my gateway and supports load balancing and failover. I also have a dedicated Debian VM running various services. For this post it will just be called Services.

I received my LM1200 and plugged in my currently active PagePlus 4G SIM card for testing. PagePlus is a pre-pay MVNO dedicated to Verizon towers. SIM in the LM1200, put in the correct APN, plugged in my laptop directly and away it went. Cool, this connection is working. I then connected it to the ER605. At first some packets went through, then the entire network stopped and Omada complained about the LM1200 port being down completely. Sure enough I looked at the LM1200 and the LAN light isn't even on. Figured it was a bad Ethernet cable so I replaced with a known working one. Same issue.

I figured I was trying my luck with a pre-pay plan (this was before I started diving in to Google and finding this thread). I took my postpaid Verizon SIM from my iPhone and put it in to the LM1200. Same behavior as before - great with a single device, dead on the load balancer. Two for two so far. Checking online, people are talking about this and that, needing an actual data SIM vs a phone SIM or something to that effect, so I decided to add a plan to my Verizon account and add the actual IMEI of the LM1200 to it and Verizon recognized it being a Netgear device by name, fancy that. So surely, after driving to the Verizon store and getting this SIM card with a dedicated data plan, this would be the ticket right?

Nope. Same as before. Three for three here. Also to note, the LM1200 is in bridge mode and the ER605 catches an IP address through DHCP... Then the port goes down. Then it stays offline, refusing to obtain another IP address. Clearly something is wrong. Is it my network? Is it the LM1200 or the ER605? Time to narrow this down.

My first call to Verizon was as you'd expect - someone got on, heard my issue, transferred me to the help desk based in another country, I tried to explain what I was doing, they didn't understand, they actually called Netgear and dumped the call to them unbeknownst to either of us, so I spoke to the Netgear technician for a minute. Very much a help desk call, wouldn't listen when I said I was logged in to the LM1200 already, had me walk through the steps to open the browser, go to H T T P, etc.. After they gathered enough information from me, they determined the LM1200 is working as expected and terminated the call. OK then. Guess I'll take their word for now.

Back on the phone with Verizon. Figured maybe it was my internal DNS running on the Services server. While waiting for a rep I SSH'd in to the Services server and ran a packet trace pointed at UDP 53 for DNS. If anyone wants that command by the way:

tcpdump -ni (your_network_interface) udp port 53

(To find your network interface, this is typically found in /etc/network/interfaces on Debian or Ubuntu or by running "ip addr")

Testing again with one device, DNS fetching would work just fine. Suddenly when another device would get on the network, the packet dump turned in to multiple "ServFail 0/0/0 (55)" messages, even if the LM1200 managed to come back online. Unbound is a very simple DNS implementation and I use Cloudflare DNS for the forwards, so it was pretty unlikely that was down. On the other testing VM (Windows 10), I switched DNS away from my Services server and straight to Google's 8.8.8.8 - this worked for a brief moment, and then right back to the old behavior of no traffic passing at all. To me this was telling that something was actively killing the connection.

Finally getting through to another Verizon rep, I asked if they could hear me out before throwing me to help desk hell again. I had to explain the concept of failover as best as possible and what I was trying to achieve and they were super cool about it. After a minute for them to wrap their head around it, they told me the only solutions they'd really have for this is that they'd get Tier 2 on the phone and they would recommend a repeater/amplifier which is not what we'd want, or that Verizon specifically sells a mobile hotspot that will allow multiple devices. That was another tell for me that there is likely something in the terms of service saying they'd only allow one device for tunneling like this and to get around it I'd need to refund the LM1200 and add on yet another unwanted device to my Verizon plan. Told them I greatly appreciated their time and disconnected the call.

Googling deeper I found this thread, and people talking about the LM1200 and using it with T-Mobile through Google Fi, through AT&T with a data pre-pay plan - not so many hits with Verizon post-pay and pre-pay solutions. Neither of those carriers are great in my area, but I still need that backup and I had some cash to blow. Went to Best Buy, said goodbye to $70 for the Google Fi Unlimited Plus SIM card, activated, put in to the LM1200. Adjusted the APN and tadaa, working Internet to my test laptop. Threw the LM1200 back on the ER605, got an IP address just fine, killed the fiber line, tested with multiple devices, internal DNS working as expected, no problems at all. Pretty quick failover too, might I add. Other than time being wasted, I am now happy with the LM1200 and yes that plan is a bit pricey for pre-pay but I'd rather have peace of mind if something were to go down.

So here's a summary of testing:

- Tried a pre-pay Verizon SIM via PagePlus. Didn't work. Worth a shot.

- Used my current Verizon post-pay SIM from my iPhone to test. Nope, not working.

- Added a line on Verizon post-pay specific to a data plan with the LM1200's IMEI and gave that a try. No dice.

- The first time I'd seen the network port go down, I thought it could be a bad Ethernet cable. Switched to a known working cable, same result.

- Switching from internal DNS to external DNS specifically did not resolve the issue. Noted from internal DNS packet capture network would die specifically as more devices got online.

- Speaking with a good Verizon rep the idea on their end is that you get frustrated with this and just buy a mobile hotspot from them (not their words but my takeaway).

- Switching to a completely different carrier, no problems.

I'd say it is pretty conclusive at this point that Verizon does not work with the LM1200, or at least in a extremely limited capacity in that you can only have one device connected and failing over to a typical home LAN will not work. And yes, that is on Verizon and how they handle their network - however, I'd hope that Netgear recognizes this and puts a big fat asterisk on their product page noting the limitation of failover with the Verizon network. I hope someone from Netgear sees this and can update documentation, or something to that degree? I happen to live in a city with multiple phone towers, I'd still would have liked to use Verizon since they are very good here, but I can live with T-Mobile in this emergency use-case. I'd just feel bad for people with only Verizon nearby to get this and waste their time.

Also, one little side complaint - I host a VPN from home and implement Dynamic DNS to push a new WAN IP address if failover occurs to a domain name I bought. My VPN works as expected from my fiber line. However when connected to the LM1200 even in bridge mode it cannot see the required port open. I noted the IP address from the actual LM1200 and it differs from doing a Google search for my own public IP address. So I take it this isn't really a "bridge mode" then if ports cannot be opened? Any way to accomplish this? Would I have to, God forbid, turn on UPnP?

Thanks for coming to my TED talk everyone.

@greenpuddin Solute to you, Sir. You summarized all the issues we are facing with Verizon network now on LM1200.

1. LM1200 can only support one ethernet client on Verizon network. The data connection is teared down by the network if more than one clients connect through the ethernet port. We contacted Verizon to help finding the root cause, but so far, not results. This may be just how Verizon network setup. As customers reported, the issue also happens on the devices from other vendors. Another 2 Netgear branded devices also have the same issue.

Thanks for your suggestion to post a KB article to remind the customers on the Verizon network limitation when using LM1200. I will work with the internal team on it.

2. VPN connection from cellular network usually is limited by the carriers due to security reasons. Some carriers can provided the special APN for VPN connection with extra costs. This is not an issue on the device side.

Please let me know if you have any questions or suggestions.

Regards

John

Thanks for getting back to me @JohnPeng that was quick! Reading what others have said, maybe documentation should note in this situation for multiple devices Verizon SIMs should be set to router exclusively? Or maybe something in general if other providers start doing this, to test toggling between bridge and router mode?

Also, are you guys hiring by chance? I've always wanted to be a technical writer and I'm wrapping up my bachelors 🤣

@greenpuddinabout IP address being different than reported.

When I spoke with Verizon about getting a public IP address, they told me that their none of their consumer plans provide a public IP address.  The address you get will be double-NAT'ed and you will not be able to forward ports from the actual public IP you will be going through.

The only way to get a real outside-accessible public IP from which the LM1200 could forward ports is to get a business account, for which you have to actually have a business tax ID.

I am stuck with Verizon.  They are the one and only carrier that works at my house.  I can't work with satellite delays, and comcast wants $5000 to cross the road (not to mention having to sign a document allowing them to charge me for any additional expenses they see fit to charge 😡).  I get by with my firewall connected to my LM1200 running in router mode, but I have no way to get in from the outside like I need to be able to do.  For accessing the outside from in the house, the LM1200 works great in router mode on my Verizon service - very reliable connection with good performance for a cell service (I got used to having fiber at my previous address 😢 ).

Hello All,

I wanted to share my success with my lm1200 in bridge mode and a verizon sim...

I am currently using a verizon sim out of an old samsung s6 (dont think this matters but mentioning it anyway) and an Vnopn n3700 router running the latest pfSense. the lm1200 is set for bridge mode and the router has been set for IP stealth and changed the default ttl.

Not sure if specifics violate any terms on this site so I am keeping those things general but everyone should be able to figure it out.

After alot of trial and error, I have had success with my current setup. The boot loops are very rare. If they do happen its only a couple of times or I found that booting the lm1200 and letting it settle before boothing the router usually solved it.

The only issue that I am facing now is that the throughput of the lm1200 is not the greatest but it is better then nothing.

yes, you need to packet mangle the ttl. stealth mode allows the traffic to not be decremented through the router thus allowing all devices to act on the newly set ttl.

iptables, i would try to set:

iptables -t mangle -I POSTROUTING -o $(get_wanface) -j TTL --ttl-set 65
iptables -t mangle -I PREROUTING -i $(get_wanface) -j TTL --ttl-set 65

then save to boot config. shut it down. go into lm1200 and set factory defaults. Let it reboot..shut it down. give it a minute. boot it back up and let it settlle. then boot your router and see if that helps.

yes, i believe it does

does that router you are using also enable ipv6?

is so, add:

ip6tables -t mangle -A POSTROUTING -o $(get_wanface) -j HL --hl-set 65
ip6tables -t mangle -I PREROUTING -i $(get_wanface) -j HL --hl-set 65

in my case, I have an ipv4 outside address and dont have ipv6 enabled. as for nat, you dont have a choice unless you plug a specific device into the lm1200. ex. laptop. the verizon cell network using a non-commercial account will not let you nat any ports incomming anyway. they block all of that, so nat is only allowing multiple mac's outbound. this includes any vpn traffic thats needs to establish. only outbound traffic will inititate things like this.