taylorc
Member Candidate
Topic Author
Posts: 101
Joined: Mon Aug 21, 2006 3:42 am

HOWTO: MC7411 -> Verizon LTE (US)

Wed Aug 09, 2023 7:31 am

After some personal adventures and assistance from Mikrotik Support, I wanted to share my findings here, in case someone else comes along trying to make this work.

My Hardware
RouterBoard: RB953GS-5HnT-RP (Because I need 2 WiFi interfaces AND a slot for the LTE card.)
LTE Card: Sierra Wireless MC7411 (Verizon certified, and activatable with no tricks.)
Auxiliary WiFi Card: Mikrotik R11e-2HPnD

I'm not going to go into all the configuration details of my router, just the important ones for getting the LTE going.

LTE Card Configuration
Before inserting the MC7411, connect it to a PC. (MiniPCIe to USB adapters are readily available on Amazon for under $20.) I used Linux. If you're on Windows, then use whatever terminal client you prefer. Run these commands:
screen /dev/ttyUSB2
AT!ENTERCND="A710"
AT!USBSPEED=0
AT!USBCOMP=1,1,100D
AT!RESET
The commands do the following, respectively:
* Gets a serial prompt to the card's AT command interface.
* Enables privileged commands. The default password is "A710". YMMV.
* Locks the USB interface to USB 2.0 mode.
* Enables MBIM mode, and the diag, nmea, modem, and mbim feature sets.
* IMPORTANT! Tells the card to clear its existing cellular configuration and start from scratch.

Insert the card into your RouterBoard and power it up.

Router Configuration
Set the configuration as follows:
/system/routerboard/usb/set type=mini-PCIe
/interface/lte/set [ find default-name=lte1 ] allow-roaming=yes apn-profiles=verizon
You should be all set! If your SIM is activated, enabling the interface should cause it to connect almost immediately. Don't forget to add appropriate masquerade rules and such, as you would for any other WAN interface.

IMPORTANT: If you find that your LTE modem keeps disconnecting every few seconds, add this firewall rule to the top of your firewall configuration to make the tower happy:
/ip/firewall/filter/add chain=output action=reject reject-with=icmp-port-unreachable connection-state=invalid protocol=tcp out-interface=lte1
Last edited by taylorc on Sun Aug 27, 2023 11:13 am, edited 1 time in total.
 
kiloon
just joined
Posts: 12
Joined: Sat Jul 09, 2022 2:14 pm

Re: HOWTO: MC7411 -> Verizon LTE (US)

Tue Aug 15, 2023 9:20 pm

Dude! You're awesome! This saved my life... I was fighting with this for 3 days... And your solution works as soon as I put this in the firewall filter rules. I am using RBM33G with 2 LTE cards on it. Now it's working perfect!
Thank you for your post! This was super helpful!
 
Amm0
Forum Guru
Posts: 3025
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: HOWTO: MC7411 -> Verizon LTE (US)

Wed Aug 16, 2023 1:17 am

Good write up.

The background on the "Verizon drops" is that if ANY packet goes out the LTE interface with a src-address NOT the same as the one assigned, Verizon drops the LTE connection/context immediately. In theory, this actually shouldn't happen with a NAT rule... But sometimes a router service may not use the LTE interface's IP when sending a packet, e.g. traffic from /ip/neighbor's probe may go to LTE with the wrong address. But there are other cases too.

Few notes here:

- The lte.npk package is NOT needed – that package is ONLY for long discontinued RBSXTLTE3-7. NOTE: All the newer SXT don't need this package. So that's a skippable step here too.

- Just to be clear... Verizon dropping the LTE interface is fixed by the firewall filter rule blocking "invalid"... NOT the AT commands. So if you're already seeing the LTE interface in RouterOS, you may just need the firewall rule at the bottom – in case that part isn't clear ;)

- You might want a chain=output rule for the connection-state=invalid, instead of the forward one in /ip/firewall/filter. This covers bad packets going to Verizon that are generated by the ROUTER itself (e.g. chain=forward ONLY covers the "invalid" ones from LAN clients, but not the router).

- Especially if you're using multiple interfaces, it's likely best to have separate NAT rules for each interface, matching on the out-interface, e.g. NOT an address-list like WAN. Keep any WAN interface list, just put any LTE NAT rules above it.

- If you don't have a miniPCIe-to-USB adapter, you can most of the time send the AT commands with the modem in the Mikrotik using "/system/serial-terminal port=usbX channel=2", and /port/print will show the usbX part to use. From the "serial-terminal", you can enter the AT commands shown above, instead of using "screen" from a separate box. (But this is only needed if LTE isn't showing.)
 
taylorc
Member Candidate
Topic Author
Posts: 101
Joined: Mon Aug 21, 2006 3:42 am

Re: HOWTO: MC7411 -> Verizon LTE (US)

Sun Aug 27, 2023 11:18 am

Thanks Amm0 for all your input! I tweaked the guide with some of your suggestions.

The reason I needed to connect the card to a PC first is because in its factory configuration it will try to go into USB 3.0 mode in the RouterBoard, which is unsupported and will prevent it from being recognized, at least in the RB953GS-5HnT-RP.
 
Amm0
Forum Guru
Posts: 3025
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: HOWTO: MC7411 -> Verizon LTE (US)

Sun Aug 27, 2023 5:48 pm

That's true re needing a PC to switch USB for RB953. Sorry, I didn't pay close enough attention to the model number... The MC73xx are USB 2.0, but you're right, the MC74xx are USB 3.0.
 
kiloon
just joined
Posts: 12
Joined: Sat Jul 09, 2022 2:14 pm

Re: HOWTO: MC7411 -> Verizon LTE (US)

Wed Nov 29, 2023 3:08 am

Oh guys! Help me out please! I now have the network connection with Verizon dropping out every 3-7 seconds =((
 
Amm0
Forum Guru
Posts: 3025
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: HOWTO: MC7411 -> Verizon LTE (US)

Wed Nov 29, 2023 4:08 am

Oh guys! Help me out please! I now have the network connection with Verizon dropping out every 3-7 seconds =((
I'm 99.99% sure that it's some packet escaping RouterOS with the wrong source address. Assuming you have a drop (or reject) for invalid packets — which is in the current default firewall — this should be covered. If even ONE bad packet (with wrong IP as source address)... Verizon drops the connection.

Forward traffic (e.g. from LAN) that is NAT'ed (via an /ip/firewall/nat rule to masquerade WAN) is not normally the cause. Rather, it's internal services running on the router itself, where a wrong src-address (e.g. IP assigned to LTE interface) "escapes". Historically, either of the two:
- DDNS in /ip/cloud
- /ip/neighbor doing discovery on the LTE interface

So assuming you have a drop (/reject) rule for "invalid" connections already, try disabling /ip/neighbors (or limiting to the LAN interface list), which I suspect might be the issue. If not, try disabling DDNS in /ip/cloud.
 
kiloon
just joined
Posts: 12
Joined: Sat Jul 09, 2022 2:14 pm

Re: HOWTO: MC7411 -> Verizon LTE (US)

Thu Nov 30, 2023 4:37 am

Yes, you're absolutely correct. I made a mistake while setting up the firewall rule. I just corrected it (reject>forward>tcp) and now everything is working fine.
I wonder how to trace invalid packets? So I will know what to drop or reject.
 
Amm0
Forum Guru
Posts: 3025
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: HOWTO: MC7411 -> Verizon LTE (US)

Thu Nov 30, 2023 5:12 am

Yes, you're absolutely correct. I made a mistake while setting up the firewall rule. I just corrected it (reject>forward>tcp) and now everything is working fine.
I wonder how to trace invalid packets? So I will know what to drop or reject.
You can check the "log" checkbox on the invalid rule. The log will then show the src/dest etc. when the invalid rule matches, likely enough to know what to block before invalid.

But if you have multiple WANs, there is some small interval where packet(s) might be in flight before an outage of one of the WANs. But just ONE packet is enough to trip Verizon's firewall (much like rp-filter=strict, except the rule is "drop the LTE session").
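
One way to act on the logging tip above, as an added example that is not part of the thread: once "log" is enabled on the invalid rule, this Python helper groups the logged packets that were headed out the LTE interface with a source other than the carrier-assigned address, which is what would have tripped the drop. The log line layout, the `lte-invalid` log prefix and every address below are assumptions or constructed samples; compare the pattern with your own /log output.

```python
import ipaddress
import re
from collections import Counter

# Assumed layout of a RouterOS firewall log entry; adjust if your version differs.
LOG_RE = re.compile(
    r"(?P<chain>input|output|forward): in:(?P<iif>.+?) out:(?P<oif>.+?), "
    r".*?proto (?P<proto>\w+)(?: \([^)]*\))?, "
    r"(?P<src>[\d.]+)(?::\d+)?->(?P<dst>[\d.]+)(?::\d+)?, len \d+"
)

def wrong_source_packets(lines, lte_addr, lte_if="lte1"):
    """Count logged packets bound for lte_if whose source is not lte_addr."""
    assigned = ipaddress.ip_address(lte_addr)
    hits = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["oif"] != lte_if:
            continue  # not a firewall entry, or not headed out the LTE interface
        if ipaddress.ip_address(m["src"]) == assigned:
            continue  # source already matches the assigned address
        # chain tells you where to look: output = router service, forward = LAN client
        hits[(m["chain"], m["src"], m["proto"])] += 1
    return hits

# Constructed sample entries; 100.64.10.20 stands in for the carrier-assigned address.
SAMPLE_LOG = [
    "12:01:07 firewall,info lte-invalid output: in:(unknown 0) out:lte1, connection-state:invalid proto TCP (ACK,FIN), 192.168.88.1:8291->203.0.113.50:51514, len 52",
    "12:01:08 firewall,info lte-invalid output: in:(unknown 0) out:lte1, connection-state:invalid proto TCP (ACK,FIN), 192.168.88.1:8291->203.0.113.50:51520, len 52",
    "12:01:09 firewall,info lte-invalid output: in:(unknown 0) out:lte1, connection-state:invalid proto TCP (RST), 100.64.10.20:443->198.51.100.7:40022, len 40",
    "12:01:12 firewall,info lte-invalid forward: in:bridge out:lte1, connection-state:invalid proto TCP (ACK), 192.168.88.23:50444->198.51.100.7:443, len 40",
    "12:01:15 firewall,info lte-invalid forward: in:bridge out:ether1, connection-state:invalid proto TCP (ACK), 192.168.88.23:50450->198.51.100.7:443, len 40",
    "12:01:20 system,info lte1 link up",
]

if __name__ == "__main__":
    for (chain, src, proto), n in wrong_source_packets(SAMPLE_LOG, "100.64.10.20").most_common():
        print(f"{n:3d}  chain={chain}  src={src}  proto={proto}")
```

Entries from chain=output point at a service on the router itself; entries from chain=forward point at a LAN client whose packet fell outside connection tracking.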
