Hi,

I've just now replaced some generic Huawei LTE router with the Chateau LTE12 and configured it for passthrough mode.
For management, I have removed ether5 from the bridge and assigned an IP address to it. ether5 is connected to my hardware firewall to a DMZ interface so that there is no way for an intruder to enter my LAN through that management port.
ether1 obviously is connected to the WAN port of my hardware firewall, which makes use of the passthrough'd public IP.

So far so good, but how is the Chateau supposed to reach the internet for NTP, DNS and Firmware Upgrades?

I see multiple approaches:
- set time manually, do firmware upgrades manually by downloading the files from mikrotik website and uploading it to the router manually, dns therefore not needed -> boom, done
- default route to my hardware firewall through the management interface and allow traffic on that firewall to the internet

wouldn't the second approach with its default route interfere with the purpose of the modem (sending all traffic back to the firewall, effectively creating a layer 3 loop)?
or is that of no concern because of passthrough mode and the internal bridge (which is the passthrough target) does nothing but plain passthrough?

would it be advisable to create a separated VRF? if so, i was thinking about creating the VRF for internet access and leaving all the management stuff in the main VRF, as there are some services (like FTP, iirc), which you can't bind to a different VRF than "main".

Please share your thoughts and best practices, if there are any.
Thanks!

Through your default gateway... Meaning it needs a route to your default gateway, whatever that is ( i guess the router connected to the LTE device )... and ofcorse it must be reachable...

I' ve not used Chateau, but i' ve used LTE and LTE6 devices with passthrough mode configured... So i guess same principles apply.
When you set your modem to passthrough mode, then it is only responsible for IP configuration and modem settings... So it actually does not have access to the internet itself anymore... Unless you make the appropriate configuration...
What i would do is, configure VLANs on the interfaces connecting the Router and the LTE device... Those VLAN interfaces would be used for management purposes of the LTE and for communication with the Router. Then i would use the interface ( not the VLAN one ) for the passthrough.
You will also need a route on the LTE device so that you can reach it from the LAN side of the other Router.

What i would do is, configure VLANs on the interfaces connecting the Router and the LTE device... Those VLAN interfaces would be used for management purposes of the LTE and for communication with the Router. Then i would use the interface ( not the VLAN one ) for the passthrough.
You will also need a route on the LTE device so that you can reach it from the LAN side of the other Router.

This is how I currently have configured it, the only thing different in my config is, that I don't use a VLAN on the interface from the Chateau to my router. Instead, I used the pyhsical interface ether5 for that, so that I can access the Chateau with untagged traffic, in case of emergency. ether5 is not member of the bridge.
I as well have a route to my LAN network on the Chateau, that is all working fine.

But how will I get internet access on the Chateau? Just change the route to my LAN on the Chateau from destination 192.168.0.0/24 to 0.0.0.0/0 and make it the default route? On my router I can allow traffic for that, that's no problem. But my concern was that a default route like this would interfere with internet access in general, that's why I was thinking about a separate VRF...

If there's currently no default route and internet works for the router behind it, adding default route won't change anything for the other router.

But how will I get internet access on the Chateau?

By sending the traffic to your other Router. Just add a default Route on Chateau with dst-address the Router that has Internet Access... Also specify DNS to your LTE device...
If it still won't work, there is some mistake in your configuration.

If you show a Network topology with addresses etc. we can be more precise...

i use a simply way with vlan :
on modem :
on ether 1 => 2 vlan
vlan 2 = internet
vlan 3 = management
dhcp client = vlan 3 management
lte passtrough on vlan 2 internet
(nothing else here)

on router :
on ether 1 => 2 vlan
vlan 2 = internet
vlan 3 = management
dhcp client = vlan 2 internet
interface list : wan = vlan2 (and srcnat the wan)
add port bridge : vlan 3 management (then modem receive ip from router)

add roMon just in case

i use a simply way with vlan :
on modem :
on ether 1 => 2 vlan
vlan 2 = internet
vlan 3 = management
dhcp client = vlan 3 management
lte passtrough on vlan 2 internet
(nothing else here)

on router :
on ether 1 => 2 vlan
vlan 2 = internet
vlan 3 = management
dhcp client = vlan 2 internet
interface list : wan = vlan2 (and srcnat the wan)
add port bridge : vlan 3 management (then modem receive ip from router)

add roMon just in case

Very interesting.
Is it possible to have your config here from modem and your router?
Thanks

@azzurro @jimint I was wondering if you got this working OK as I'm about to attempt a similar config?

Thanks,
Steve