Sorry - Feel like this should be simple, but don’t know if it’s possible. Problem arises because I can’t install OpenVPN license on B30 WAN (detected as RMA device - bought used). The OpenVPN is required to bypass T-Mobile video throttling.
Home network situation.
Two Peplink routers: Max BR1 ENT LTEA (no WiFi) and Balance 30 Pro.
There is a single Internet connection, provided by an LTE hotspot (Inseego MiFi X Pro). It can connect to either the BR1 or Balance via USB or Gig WAN (or to the B30 via WiFi WAN), preferably using IP passthrough on USB or Ethernet.
BR1 can have the OpenVPN client license.
Would like to support 4 wireless vlans for home, work, IOT/TV and guests.
Is there a way to use the OpenVPN client license on the BR1 (so OpenVPN wan), connect it to the B30, and use the B30 Wireless VLANs for wireless client distribution?
So you have an Inseego device connected to a BR1 Mini (without wifi, but can support OVPN) which you want to then connect to a Balance 30 to enable the wifi component? That seems like quite a lot for trying to get around streaming restrictions on T-Mobile. If you were my client and asked me this, my recommendation would be to buy a B One 5G.
However, if you wish to continue on this multi-vendor, partially EOL hardware path, you could put the SIM card in the Balance 30 Pro and just do it all there (limited to LTE of course). I don’t recommend doing that. From there you can trunk VLANs between the BR1 and the Balance 30 (not terribly familiar with the B30 but you should be able to) and route traffic accordingly via the BR1 Mini if that’s your desire.
Lastly, what streaming restrictions do you have on T-Mobile? The only restrictions I’m aware of (and we sell/manage tens of thousands of TMO lines) is business plans block it by default, but you can add a feature SOC to remove the blocks quite easily.
Thanks for the response. I’m a Calyx user, so currently it’s against ToS to move the SIM to another device (although they may be starting a BYOD program soon). Even if I could move the SIM, a) the older devices are 4G and don’t support B71, so I’m not sure how the service would be, and b) I’m pretty sure the Peplink doesn’t have any ready way to change the IMEI on the SIM to emulate the hotspot.
In short - just a home user trying to jerry-rig my way around the issue who unfortunately purchased the RMA’d B30 pro without knowing. I also have a Surf Soho that does have an OVPN license - and it works with the B30 - but it involves BGP and supports wireless… Was hoping the BR1 LTEA would have a bit more horsepower and offer better throughput on OVPN.
Ah, Calyx. OK, makes sense. I’ll start off by saying Calyx is a GPO and in order to keep the program effective for groups like Calyx, T-Mobile needs to impose certain limitations. You circumventing this contributes to TMO seeing Calyx, PC4P, and others as not beneficial to them and contributory to ending those programs altogether.
Now, I’ll take off the “do the right thing” hat.
You’re not going to have “more horsepower” with really any of those devices and your configuration is extremely complicated. While I’m a homelabber that runs BGP in the house, it’s quite a workaround for day to day use of your network. The BR1 Mini using encrypted SpeedFusion sees 60Mbps of throughput according to the spec sheet (https://download.peplink.com/resources/peplink_max_br1_mini_hw3_datasheet.pdf). Assuming that OVPN is just as efficient from a VPN standpoint and you’re using a modern-ish cipher, you’ll see roughly the same on OVPN. The B One 5G supports up to 200Mbps.
While I know that N71 generally isn’t going to deliver 200Mbps of throughput, your hardware will limit you with the BR1 Mini even with N71. My recommendation stands: get a B One 5G (we’re happy to see if we can get you one at a good price, just DM me), and if you are on Calyx you can do passthrough to get the WAN IP on your B One 5G and initiate the OVPN tunnel from there to your endpoint.
Well - I will say that when Calyx was on Sprint, the service was unthrottled and no VPN was required, so T-Mobile moved the goal posts on Calyx users. Also - unlike many Calyx users, I haven’t broken ToS by performing “magic” with another router yet - so I don’t feel too badly about using a VPN. If the BYOD service does come to fruition, I might see how the service is with the SIM in 4G LTE (till recently, 4G was better than 5G where I am anyway).
I appreciate the offer to connect on the B1 5G (and who knows, may take you up on it in a year or two), but in the immediate future I’ll stick with the cheap route. Even EoL older Peplink hardware is better than most mass-market routers out there (at least from a security perspective).
Yeah, the Sprint / TMO merger wasn’t good for everyone, but TMO will never admit that.
Understood you’re not using the magic, and that’s cool. I didn’t mean to imply you were not a good person, so please don’t take it that way.
You want this to work, you can do what you’re already doing, but I don’t think you’ll get much out of it on a BR1 Mini. If you want to, use BGP or OSPF to route up to the OVPN endpoint (BR1) and then use the Inseego as the uplink in passthrough mode. You pretty much have it already set up (per your comments), but I would put some of those older devices on their latest capable firmwares to make sure everything lines up perfectly.
" A USB to Ethernet adapter is a device that allows a USB port to be connected to an Ethernet wire if your laptop lacks an Ethernet port . USB to Ethernet adapters enable users to connect many devices using an Ethernet cable "
Hi - I have the Balance 30 Pro (LTEA) and it is set as the first device for IP passthrough - so all VLANs and Firewall rules are set up on it. The MAX BR1 should be arriving today (unconfigured).
Currently I connect a USB directly between my Inseego hotspot and the B30 Pro to act as the WAN port. The Inseego also has an Ethernet port (which seems a bit less reliable) that can be used as the WAN connection for the B30 - so no need to go USB to Ethernet that I can determine.
Right now, I have some BGP routing set-up between the B30 Pro and a Surf Soho to let the OpenVPN client (active on the Surf Soho) work. The Surf Soho will be removed from the picture in favor of the BR1.
From what I read above, it seems like I need to:
Connect Inseego hotspot to Max BR1 ENT LTEA (Cat6 - MAX-BR1-ENT-LTEA-W-T)
Purchase/activate OpenVPN Client on Max BR1
Configure all desired firewall access rules on Max BR1 (copied from existing B30 configuration)
Configure VLANs on Max BR1 and set up DHCP for each (copied from existing B30 configuration).
Assign the VLANs to a LAN port and set it as Trunk.
Go LAN-to-LAN between Max BR1 and B30 Pro.
Have identical VLANs on B30 Pro (except with DHCP server disabled/no DHCP).
Assign VLANs to Wireless SSIDs for 4 networks (home use, work use, guest use, IOT).
A more affordable and easier solution would be instead of the Max BR1, I would’ve put in a Raspberry Pi (much cheaper), and installed Docker with an OVPN container to use as a proxy for my clients. Then all traffic would be routed through the RPI, and then tunneled through the OVPN, which would then go through the Balance. The RPI would just be another client on your network, that would basically. When I had my media setup at the house that’s how I routed all media traffic. Bonus, I also ran Pi-Hole which became an internal DNS server, so it blocked ads network wide.
Well - the BR1 was a $60 eBay purchase, plus the $20 for the OVPN license - so didn’t break the bank. I mostly have it set up, but am banging my head because the streaming VLAN seems to be set up correctly, and there are no issues connecting to the network on the Roku TV, but the services themselves seem to barf when the TV is connected to the network. Probably a Roku thing … because connecting to the same network on my laptop and accessing the streaming services works fine (and yes, I’ve uninstalled and reinstalled the services, flushed the Roku “cache”, signed out and in of various accounts, etc).
On the Peplink, I just have it set so that anything connected to the IOT VLAN is funneled out the OpenVPN network (and no other firewall rules). Not sure that I’m missing anything, because as I said - seems to work fine on my laptop.
I do have the IOT set with inter-VLAN routing disabled. Not sure if that makes a difference, but I thought the whole point was to isolate that network.
That’s pretty awesome… I used an OpenVPN container. Highly recommend looking at using Docker. Makes management a little easier. Plus you can back up the container, in case something screws up, or if you need to rebuild, it’s a bit quicker. Good luck!