Wireless Joint

The below is the solution to this issue with dd-wrt and wireguard.

New Update + Final Solution: So with KeepSolid, it's $99 for a lifetime, then I spend $12.50 a month for a private IP, everything works now, gaming/P2P/VOIP/etc. This is the recommended route I suggest you go with for any VPN provider you land upon, as having your own IP will allow you to access everything without sites blocking you if they know it's a known IP.

OpenVPN will kill your connection speed, this is not a solution. Installing VPN Apps on everything is also not a solution. The below is a decent solution between the two.

To solve this issue, I turned my Archer C7 (TP-Link) v2 into my main router. I purchased a VPN from KeepSolid and used this guide to run everything through Wireguard now. Speed is about 75% of my main speed (which is fine). This could be improved with a stronger hardware router. So pretty impressed with Wireguard.

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324624

My config now goes like this:

WG-3526 + MC7455 (XXX.XXX.1.1) = Internet -> Line into DDWRT router(XXX.XXX.0.1(Archer C7) Wan Port (internet port). Rest of my lan now runs through it.

This works for now, since I've had connection drops continually for the past 3+ weeks. Since I use this for my job, I cannot have these drops. Yes my speed is slower I'm fine with it. If it's stable and doesn't die every 1-4 hours.

This setup didn't take much to do. I'll continue to monitor the wan connection to see if it drops, maybe in a few months I'll get lucky and not have to go through wireguard, but at this point, I'm not worried about it.

------------------------------------
Hello all.

As a lot of you know, or having issues and don't know, AT&T has started putting Transparent proxies in front of our connections. In turn this is causing modems to stay connected but lose DNS. (You can Ping googles servers via IP 8.8.8.8, or anything else IP wise, but you cannot hit websites via DNS). So I wanted to start a thread and compile all the info/work arounds that have been presented(tested or not tested), and trying and just have a single thread for helping everyone. (This is mostly for my sanity to keep everything together). This is mainly for ROOTer firmware, but the solutions (if they work) should be able to be used on other software/hardware combos.

https://forums.att.com/conversations/ot ... 341?page=6

Solutions so far:

If you're on a MOFI firmware - update it and set your connection monitor to ping something like google.com or another website. The MOFI software will reboot the modem. You're issue should be resolved. (https://wirelessjoint.com/viewtopic.php?p=13321#p13321)

GoldenOrb/ROOTer:

[*]IPV6 only - I have not been able to get this to work at this time. A lot of info I have found is for sprint and not AT&T. (It's suggested that IPV6 isn't forced to go through AT&Ts transparent proxy, which resolves this issue). (https://wirelessjoint.com/viewtopic.php?f=15 ... pv6#p13577)(thread has no current resolution)(https://wirelessjoint.com/viewtopic.php?f=21&t=6) This thread is for T-Mobile :/

Found This for IPV6, haven't tested it yet though, removed the MBIM activation since Golden Orb Now works with IPV6 and QMI mode.
----------------------------------

[*]VPN Service - This I've tried, and it does work, but using OPENVPN inside of the ROOTer software kills bandwidth, using the application of your vendor seems to have better results, but it's going to be needed per device, and is not what I would consider a fix. Figuring out why openvpn causes a massive loss in speed is something to be looked at. I'm currently working with PIA, but since I have updated to the latest golden orb I can no longer get the OPENvpn settings working, no matter what I do.

----------------------------------

[*]L2TP - (https://wirelessjoint.com/viewtopic.php?p=10964#p10964) - Still trying to figure out how to do a L2TP on the ROOTer Firmware.

----------------------------------

[*]MTU Settings - (https://wirelessjoint.com/viewtopic.php?f=8& ... 110#p13311) Testing this, this morning.
(Network -> Interfaces -> WWAN0(WAN1) -> Edit -> Advanced -> Override MTU)

Edit: This did not resolve the issue. Today having multiple disconnects already in a 5 hour working time.

----------------------------------

[*]Modem Reboot Script - This hasn't been updated in a while (https://wirelessjoint.com/viewtopic.php?f=21&t=121) Seems to only be avaialbe for WiFix. WiFix works for the WG3526 and others, places The Wireless Haven Ping Test as enabled, but 10mins per ping to check is WAY to long. This needs to be done every 5-10 seconds, not 10mins. As once the ports 80/443 are closed, no one wants to wait up to 10mins for this to figure out it's down.

Updated: Wifix The Wireless Haven Ping Test, while I'm sure it works, isn't a solution, waiting 10mins before it checks ping is way to long. A version in which this is shortened to like 5-10 seconds could help, but the 10min mark, you're already going into the router page and rebooting it yourself.

I am on ATT, will try the IPV6 fix.

Would a VPN fix this?

I'm just tethering to a phone via Wireguard and EasyTether to Windscribe VPN. All I ever pass over cellular are UDP packets.

Edit: I see that someone already mentioned VPN. FWIW, Wireguard is working well for me. I probably get about 75% or more of full speed.

cstring wrote: ↑Mon Oct 26, 2020 4:44 pm I am on ATT, will try the IPV6 fix.

Let me know how it goes.

tetranz wrote: ↑Mon Oct 26, 2020 5:17 pm Would a VPN fix this?

I'm just tethering to a phone via Wireguard and EasyTether to Windscribe VPN. All I ever pass over cellular are UDP packets.

Edit: I see that someone already mentioned VPN. FWIW, Wireguard is working well for me. I probably get about 75% or more of full speed.

Your edit does answer the question, but to clarify are you using the openvpn settings in the rooter software or are you using the application on your phone/pc from wireguard?

serverside wrote: ↑Mon Oct 26, 2020 4:06 pm Updated: Wifix The Wireless Haven Ping Test, while I'm sure it works, isn't a solution, waiting 10mins before it checks ping is way to long. A version in which this is shortened to like 5-10 seconds could help, but the 10min mark, you're already going into the router page and rebooting it yourself.

A ping test won't work because pings are successful even when you can't get http or https to load. I can ping any domain when I lose connectivity but can't get to any websites (other than Google). Already opened sessions (eg zoom calls) continue to work as well. ATT is black-holing web (80/443) traffic, not icmp (ping) traffic.

serverside wrote: ↑Mon Oct 26, 2020 9:17 pm Your edit does answer the question, but to clarify are you using the openvpn settings in the rooter software or are you using the application on your phone/pc from wireguard?

I'm not running OpenVPN. I have a Raspberry Pi that has an Ethernet cable from the WAN port of my router and USB to the phone.

The Pi runs Wireguard and EasyTether so it's all transparent to devices on the LAN side of the router.

It can also tether to an iPhone with USB using usbmuxd. Thinking about that got my attention when I read of the ATT problems here. I haven't quite got the iPhone tether (using Visible) working properly. It only seems to pass TCP intermittently. I had an idea to put it through Wireguard and to my surprise, it works perfectly. I guess that means it's passing UDP no problem but not TCP for some reason.

The phone is a cheap dual SIM Samsung Galaxy. Until a few days ago I had both T-Mobile and ATT but I've drop the ATT plan for now. I know it's kind of a toy setup compared to a separate modem and external antenna but I'm quite pleased with my little project. It's kind of nice to have low cost plug and play "unlimited" data with the Android because of EasyTether and "unlimited" on Verizon with Visible and nothing for the carriers to detect or object to provided I don't go crazy with the amount of traffic.

corywf wrote: ↑Mon Oct 26, 2020 10:17 pm A ping test won't work because pings are successful even when you can't get http or https to load. I can ping any domain when I lose connectivity but can't get to any websites (other than Google). Already opened sessions (eg zoom calls) continue to work as well. ATT is black-holing web (80/443) traffic, not icmp (ping) traffic.

So I was hoping this ping test was more pinging an https site vs IP. If it's IP, what's the point of it when the connection manager does it better with more options? This seems like a silly feature to have if it does what the orginal LEDE did better already.

tetranz wrote: ↑Mon Oct 26, 2020 10:32 pm I'm not running OpenVPN. I have a Raspberry Pi that has an Ethernet cable from the WAN port of my router and USB to the phone.

The Pi runs Wireguard and EasyTether so it's all transparent to devices on the LAN side of the router.

It can also tether to an iPhone with USB using usbmuxd. Thinking about that got my attention when I read of the ATT problems here. I haven't quite got the iPhone tether (using Visible) working properly. It only seems to pass TCP intermittently. I had an idea to put it through Wireguard and to my surprise, it works perfectly. I guess that means it's passing UDP no problem but not TCP for some reason.

The phone is a cheap dual SIM Samsung Galaxy. Until a few days ago I had both T-Mobile and ATT but I've drop the ATT plan for now. I know it's kind of a toy setup compared to a separate modem and external antenna but I'm quite pleased with my little project. It's kind of nice to have low cost plug and play "unlimited" data with the Android because of EasyTether and "unlimited" on Verizon with Visible and nothing for the carriers to detect or object to provided I don't go crazy with the amount of traffic.

Ah, yea so it seems the application is passing bandwidth better as described above. Thanks for the info. the more on this topic the better. What VPN provider are you using?

serverside wrote: ↑Tue Oct 27, 2020 8:54 amAh, yea so it seems the application is passing bandwidth better as described above. Thanks for the info. the more on this topic the better. What VPN provider are you using?

https://windscribe.com

At first I created my own Wireguard server at Digital Ocean but Windscribe works great so there's no point or saving in having my own since I paid for a year at Windscribe for $45. It has a config generator which gives you raw configuration rather than forcing you to use their client.

I might write it all up as a blog post. It was mostly just a fun project with a Raspberry Pi but I'm now using it all the time for work with Zoom and Slack etc. I'm in a good T-Mobile signal area right now but will try it in our RV soon.

tetranz wrote: ↑Tue Oct 27, 2020 9:05 am https://windscribe.com

At first I created my own Wireguard server at Digital Ocean but Windscribe works great so there's no point or saving in having my own since I paid for a year at Windscribe for $45. It has a config generator which gives you raw configuration rather than forcing you to use their client.

I might write it all up as a blog post. It was mostly just a fun project with a Raspberry Pi but I'm now using it all the time for work with Zoom and Slack etc. I'm in a good T-Mobile signal area right now but will try it in our RV soon.

what was your original bandwidth vs with the VPN on?

serverside wrote: ↑Tue Oct 27, 2020 1:27 pm what was your original bandwidth vs with the VPN on?

I just tried speedtest.net several times with and without the VPN and it's hard to notice any difference. I said 75% above but it's better than that. I usually get between 20 and 40 Mbps. I'm in Houston using T-Mobile with a Magenta Unlimited 55 plan (discount for oldies like me). I'm using a Windscribe server in Dallas.

I'm over the 50 GB for the month so I'm into possible de-prioritization but I haven't noticed any slowdown. The "modem" is a cheap phone sitting on a high shelf.

i have been having the disconnects for months, I keep updating the new firmware, mine doesn't require a reboot, i actually lose all connection to the tower. at least that is how the Moxi is reporting it, however within a minute or 2 it reconnects without fail, and everything comes back. I do have a DECO Mesh Network behind the MOXI and MOXI wifi is disabled.

Some of the recommendations I found that i have completed:
-Upgrade Firmware - already did this on 4.3 now
- Set the Provider to AT&T - did this, don't think it helped.
- Turn off the Auto MTU - this broke my connection totally, reverted back to Auto MTU and its fine.
- IPV6 has been disabled for a long time, nothing different.
- Bandlock and Advanced Bandlock set - mine are set on BL = 4 and ABL = 4/12

I haven't tested VPN yet but may try that if it is found as a permanent solution. just came looking for other options to try.

Update - MTU doesn't resolve this. TTL same thing.

TBHockeysl wrote: ↑Tue Oct 27, 2020 3:36 pm i have been having the disconnects for months, I keep updating the new firmware, mine doesn't require a reboot, i actually lose all connection to the tower. at least that is how the Moxi is reporting it, however within a minute or 2 it reconnects without fail, and everything comes back. I do have a DECO Mesh Network behind the MOXI and MOXI wifi is disabled.

Some of the recommendations I found that i have completed:
-Upgrade Firmware - already did this on 4.3 now
- Set the Provider to AT&T - did this, don't think it helped.
- Turn off the Auto MTU - this broke my connection totally, reverted back to Auto MTU and its fine.
- IPV6 has been disabled for a long time, nothing different.
- Bandlock and Advanced Bandlock set - mine are set on BL = 4 and ABL = 4/12

I haven't tested VPN yet but may try that if it is found as a permanent solution. just came looking for other options to try.

Have you tried setting it to IPV6 only? The ATT thread shows they aren't pushing IPV6 connections through the transparent proxy.

serverside wrote: ↑Thu Oct 29, 2020 11:36 am Update - MTU doesn't resolve this. TTL same thing.



Have you tried setting it to IPV6 only? The ATT thread shows they aren't pushing IPV6 connections through the transparent proxy.

Have you had any luck with trying to set it to IPV6? I can't get my modem to stick to that. That being said I haven't had a disconnect since last week (knock on wood and whatever else).

corywf wrote: ↑Thu Oct 29, 2020 12:36 pm Have you had any luck with trying to set it to IPV6? I can't get my modem to stick to that. That being said I haven't had a disconnect since last week (knock on wood and whatever else).

Unfortunately no, mine also wouldn't take at all. It'd just kill the internet and never connect with those commands. I think it's cause ATT doesn't do IPV6 on our modems.

Will update the bigger thread, but:

I currently turned my Archer C7 (TP-Link) v2 into my main router. I purchased a VPN from KeepSolid and used this guide to run everything through Wireguard now. Speed is about 75% of my main speed (which is fine). This could be improved with a stronger hardware router. So pretty impressed with Wireguard.

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324624

My config now goes like this:

WG-3526 + MC7455 (XXX.XXX.1.1) = Internet -> Line into DDWRT router(XXX.XXX.0.1(Archer C7) Wan Port (internet port). Rest of my lan now runs through it.

This works for now, since I've had connection drops continually for the past 3+ weeks. Since I use this for my job, I cannot have these drops. Yes my speed is slower I'm fine with it. If it's stable and doesn't die every 1-4 hours.

This setup didn't take much to do. I'll continue to monitor the wan connection to see if it drops, maybe in a few months I'll get lucky and not have to go through wireguard, but at this point, I'm not worried about it.

I have the same problem here. We need some sort of website checker instead of ping to tell when its down. Instead of pinging google maybe check to see if you can actually get to google.

Not sure if theres a way to setup a raspberry pi to check sites and reboot rooter or not?

Yes, surely one of the wizards we have here can whip up a http/https check and reboot on fail script.

All VPN's degrade the raw data speed to a certain degree due to the encryption/decryption overhead at both the user and server side.
Throughput depends primarily on the hardware (CPU/memory) the the VPN client it's running on. Most consumer grade mobile routers usually run on some "cheesy" MTK CPU's with only 128/256MB memory, which cannot handle real-time encryption/decryption well.
The server side of the VPN provider is usually running on very fast hardware, however the additional hop of your data through their gateway adds additional delay regardless how fast your VPN client is.

WireGuard was designed to be secure yet the least CPU intensive of most VPN's, which runs best on newer dual-core Asus, Linksys, or Netgear routers.

Some interesting info on Transparent Proxies.
Transparent proxies act as intermediaries between a user and a web service/server such as ATT's. When a user connects to a service, the transparent proxy intercepts the request before passing it on to the provider. Transparent proxies are considered transparent because the user isn’t aware of them. On the other hand, the servers hosting the service can recognize a proxied traffic which is coming from the user. They can also be used to cache both data and DNS info, which can could cause random disconnections.

Possible solution include the use of VPN's or just a secure DNS (DNSSec).

DNSCrypt
https://opendns.com/about/innovations/dnscrypt/
https://openwrt.org/docs/guide-user/ser ... ypt-proxy/

SmartDNS
https://support.smartdnsproxy.com/artic ... rt-router/

I found this and applied the rules to my WE826 in the firewall settings. Rebooted and I'm not showing behind a proxy on https and my network is functioning correctly. Going to wait and see if it's just a fluke. If it stays up I'm going to install PiHole on my new rPi and enable DNSSEC through it.

https://support.smartdnsproxy.com/artic ... IpCkWQz-7o

corywf wrote: ↑Wed Nov 11, 2020 6:53 am I found this and applied the rules to my WE826 in the firewall settings. Rebooted and I'm not showing behind a proxy on https and my network is functioning correctly. Going to wait and see if it's just a fluke. If it stays up I'm going to install PiHole on my new rPi and enable DNSSEC through it.

https://support.smartdnsproxy.com/artic ... IpCkWQz-7o

Update. The fw rules didn't work. My internet shit the bed about an hour later. Any ideas what else I can try?

corywf wrote: ↑Wed Nov 11, 2020 6:53 am I found this and applied the rules to my WE826 in the firewall settings. Rebooted and I'm not showing behind a proxy on https and my network is functioning correctly. Going to wait and see if it's just a fluke. If it stays up I'm going to install PiHole on my new rPi and enable DNSSEC through it.

https://support.smartdnsproxy.com/artic ... IpCkWQz-7o

Thanks for the info, however the link you posted seems to be broken. Here's the correct link:
https://support.smartdnsproxy.com/artic ... wrt-router

I will play around with it once I borrow an active ATT sim from someone. Technically the commands make sense, however in practice it may fail depending on the carrier's implementation of the transparent proxy.

My bad. That ended up not working. I was able to set up a raspberry pi as a VPN router. I'm using Nord VPN Wireguard on the pi. It took about 3 days to get it working but it's working great. No difference in speed tests. Wireguard is definitely fast. And I'm not losing internet every hour.

According to reports by many users, seems like ATT has finally fixed the transparent proxy issue (no more VPN required), where the router would stay connected but there's no traffic through the main http/https ports 80/443 (aka DNS lookup issue).
https://forums.att.com/conversations/ot ... 41?page=14

On the other hand, if you're getting a hard disconnects from the tower, you could try ECM mode which provides auto-reconnect when the link goes down (in case you lose communication with the modem, you need to reflash it).

Quectel AT-command: Sierra AT-command:
Status Settings Format

BillA wrote: ↑Thu Nov 12, 2020 9:01 pm I'm glad it's working for you, but most people are unable to set up a separate VPN box.
Hopefully in the future, mobile routers will have enough processing power to be able to run a VPN with minimal speed degradation.

Yes, I think with wireguard this will be more feasible to run on a router. The setup wasn't easy on the pi but I feel like most people in this forum have the tinkerer's ability to figure it out. I really can't wait for Starlink though

BillA wrote: ↑Thu Nov 12, 2020 9:01 pm I'm glad it's working for you, but most people are unable to set up a separate VPN box.
Hopefully in the future, mobile routers will have enough processing power to be able to run a VPN with minimal speed degradation.

They need to release wireguard option on the LEDE/ROOTer goldenorb firmware. It'd help a ton of people here.

corywf wrote: ↑Thu Nov 12, 2020 9:05 pm Yes, I think with wireguard this will be more feasible to run on a router. The setup wasn't easy on the pi but I feel like most people in this forum have the tinkerer's ability to figure it out. I really can't wait for Starlink though

Can you post the config you did and how the we826 hooks up to the pi etc? maybe some pics if possible.

BillA wrote: ↑Wed Nov 11, 2020 2:05 am Solution include the use of VPN's or just a secure DNS (DNSSEC) such as DNSCrypt (https://www.opendns.com/about/innovations/dnscrypt/)

Dnscrypt might have solved my problems. Been having to reboot multiple times per day for the last couple of weeks, but after installing this in rooter last night, I've been running without problems for 20hrs so far.

https://openwrt.org/docs/guide-user/ser ... rypt-proxy

serverside wrote: ↑Sat Nov 14, 2020 8:06 am They need to release wireguard option on the LEDE/ROOTer goldenorb firmware. It'd help a ton of people here.

I agree, WireGuard is one of the fastest VPN's out there, and it's able to run on mid-range CPU routers with good throughput. By having it baked into GoldenOrb, it would solve both the carrier bypass issue and browsing privacy.