FortiGate + T-Mobile for Out of Band Access

I’ve been growing increasingly frustrated with the ongoing move towards mediocrity at Opengear, presumably the result of the Digi acquisition, similar to what happened to Nimble after HPE bought them. The last few hardware releases are average at best. For example, here we are in 2024 and they don’t even have a 5G-capable cellular modem in any device. So, I decided I’m done with the combo device options and will separate out-of-band access from the management / serial layer; it seems there are also far nicer console servers out there these days to fill just the serial need.

Here’s where I ended up, and I’m very happy with it: a Fortinet FortiGate firewall plus a third-party T-Mobile cell modem. It works awesome. Instead of the horrible 4G Opengear performance, which only gained you serial access, I’ve now got a full firewall and 60+ Mbit/sec of out-of-band access for network emergencies or maintenance. There is a caveat. If you want this solution to operate completely standalone, without a call-home VPN server, you’re going to need to use IPv6, since T-Mobile does not sell static IPv4, nor are you able to connect inbound to an IPv4 endpoint because their entire network is CG-NAT on the v4 side. However, you could also have the firewall, or a device behind it, tunnel out to an access point that is independent from your production networks.

So, the hardware inventory is the combo of a POE-enabled FortiGate firewall device (you can find a 60E-POE on eBay for under $100 for example, even the current 60F-POE for a few hundred) and an outdoor POE-powered cellular modem compatible with T-Mobile for $122 (link). You could of course use any FortiGate or firewall, and an injector, this just made for a cleaner solution.

First step is the modem: the one in the link above is a ZTE MC7010. On the T-Mobile side, order a SIM and a plan for either a tablet or a hotspot; tablet plans seem to work fine and sometimes give you more monthly traffic for the dollar. SIM arrives, modem arrives, throw the nano SIM in the modem and plug it in.

Ethernet connect your laptop into the PoE injector and within a minute or so you should have 5G internet. You can also use a ZTE app on your phone to bluetooth into the modem and get a signal level, which you can monitor in real time to aim the device towards the strongest tower.

My modem came by default in bridge mode, which is the non-NAT mode you want, so that was great, and the modem is accessible at https://192.168.254.1. If you get a private IP assigned to your computer in that 192.168.254.0/24 range, you’re probably in access mode and you’ll want to change that so you get assigned a routed IP. The password is on a sticker in the box, so be mindful not to discard it before you’ve changed the password. The IMEI is on the sticker too.

Here’s the first issue. The modem comes with an APN that does not request or obtain an IPv6 address assignment, so you’ll just get a v4 assignment on your computer, which is unusable as a server. I also don’t know if the default APN allows for the fastest service, as it’s set to epc.tmobile.com which is described as what “older” devices should use, so I’d still complete this next step even if you were planning to do a call-home scenario and don’t care about IPv6. The proper APN to change to is fast.tmobile.com. You do this in the modem settings, but you have to check the switch to turn off the internet services first before it will let you change it.

So, first, turn off internet; it will take 30-60 sec for whatever reason, and may require you to log in again:

Next, in the Set Internet area, go to APN Settings and flip it to manual, add a new profile, make sure to select IPv4v6 as the PDP type, give the profile a name, set the APN to fast.tmobile.com, and save it. I named mine TMOv6:

That’s pretty much it. You can do a speed test if you like, to see how much faster this modem is than old 4g crap. Hell, this little modem talking to T-Mobile gives me four times the upload speed of the complete shit 350/10 Spectrum cable service I have at one of my offices. Here’s the modem, not aimed properly, inside on my kitchen counter sideways, nowhere near a tower:

and here’s my super fast Spectrum bullshit…:

Really impressive for $160/mo Spectrum; a $35/mo cell plan is 4x faster on the upload.

Unplug and we’ll move on to the FortiGate side.

Unfortunately the FortiGate POE devices do not have POE on the WAN ports, just on the ‘internal’ ports. So the first step was to unbind the ‘internal1’ through ‘internal8’ ports from the default switch fabric, making them independent. These are the sections you need to clear out:

config system physical-switch
    edit "sw0"
        set age-val 0
    next
end
config system virtual-switch
    edit "internal"
        set physical-switch "sw0"
        config port
            edit "internal1"
            next
            edit "internal2"
            next
            edit "internal3"
            next
            edit "internal4"
            next
            edit "internal5"
            next
            edit "internal6"
            next
            edit "internal7"
            next
            edit "internal8"
            next
        end
    next
end

Delete the virtual switch first, and then it should let you delete sw0 physical.

Now you can edit your internal1 port which you’ll use for the WAN. If you want me to give you the cheater TL;DR version, here it is:

config system interface
    edit "internal1"
        set vdom "root"
        set mode dhcp
        set allowaccess ping
        set type physical
        set lldp-reception disable
        set role wan
        set snmp-index 3
        config ipv6
            set ip6-allowaccess ping https ssh
            set dhcp6-prefix-delegation enable
            set autoconf enable
            config dhcp6-iapd-list
                edit 1
                    set prefix-hint ::/56
                    set prefix-hint-plt 0
                    set prefix-hint-vlt 0
                next
            end
        end
    next
end

NOTE: with the above config, the firewall becomes accessible via HTTPS over IPv6 from the general internet. You should of course change all the access defaults and add two-factor auth before connecting it, and even then only leave HTTPS/SSH open to the internet if you’re 100% sure what you’re doing. FortiGates have had HTTPS-based vulnerabilities before, so I do not recommend leaving it open even if you patch regularly; VPN in instead and hit the management side.

It took me a while to figure out that the above is the magic combo of options to have the FortiGate obtain a usable v6 address on the WAN side. It kept getting just a T-Mobile IPv4 address via DHCP and nothing else. I ultimately stumbled across a helpful page which mentioned the dhcp6-prefix-delegation, autoconf, and dhcp6-iapd portions, and that got it working. I’m not extending v6 inside; I just needed the internal1 interface to get a usable v6 address so I can VPN to the firewall, and the device did not seem to want to do that until those additional options were added.
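To check a config for exactly the exposure the note above warns about, here is an added Python example (not from this post or from Fortinet) that parses FortiOS CLI text in the config/edit/set/next/end format shown here and lists management services allowed on any interface with `set role wan`; the sample config embedded in it is constructed to match the internal1 block above.

```python
"""Audit FortiOS CLI config for management services reachable on WAN-role
interfaces.  Added example, not from the original post; it parses the same
config/edit/set/next/end format as the interface block above."""
import shlex

MGMT_SERVICES = {"https", "ssh", "http", "telnet", "snmp", "fgfm"}  # keep off WAN

# Constructed sample reproducing the internal1 WAN block from the post.
SAMPLE_CONFIG = """
config system interface
    edit "internal1"
        set allowaccess ping
        set role wan
        config ipv6
            set ip6-allowaccess ping https ssh
            config dhcp6-iapd-list
                edit 1
                    set prefix-hint ::/56
                next
            end
        end
    next
end
"""

def parse_fortios(text):
    """'config X'/'edit N' open a nested dict, 'set k v...' stores [v, ...]."""
    stack = [{}]
    for raw in text.splitlines():
        words = shlex.split(raw.strip())
        if not words or words[0].startswith("#"):
            continue
        verb, args = words[0], words[1:]
        if verb in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif verb == "set":
            stack[-1][args[0]] = args[1:]
        elif verb in ("next", "end"):
            stack.pop()
    return stack[0]

def audit_wan_exposure(cfg):
    """Return (interface, family, service) for mgmt services open on WAN-role ports."""
    findings = []
    for name, iface in cfg.get("system interface", {}).items():
        if iface.get("role") != ["wan"]:
            continue
        v4 = set(iface.get("allowaccess", []))
        v6 = set(iface.get("ipv6", {}).get("ip6-allowaccess", []))
        for family, services in (("ipv4", v4), ("ipv6", v6)):
            findings += [(name, family, s) for s in sorted(services & MGMT_SERVICES)]
    return findings
```

Run it against the output of `show system interface` from your own box; anything it reports on the cellular WAN side is what the note above says to close and reach over VPN instead.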

Throw some rules on and you can use this thing as a backup internet outbound if needed. I’m only paying $55/mo for a 100 GB plan, so plenty of room for emergencies. Otherwise, time to do your normal VPN config to connect to the device remotely and get into the rest of your network, and you can maintain the thing just like a normal internet-facing firewall.

Bonus Features

Want to know what the WAN IPv6 address is without coming up with your own solution using dynamic DNS on a system behind the firewall, or looking at the target VPN server if you use a call home setup, etc? Use the built-in FortiGuard service:

config system ddns
    edit 1
        set ddns-server FortiGuardDDNS
        set addr-type ipv6
        set server-type ipv6
        set ddns-domain "my-oob-device.fortiddns.com"
        set use-public-ip enable
        set monitor-interface "internal1"
    next
end

I did that and within a few seconds I was able to resolve the name I’d plugged in, since it was fortunately not already in use by someone else. You can actually add a second redundant provider if needed:

FortiGate-60E-POE # config system ddns

FortiGate-60E-POE (ddns) # edit 2
new entry '2' added

FortiGate-60E-POE (2) # set ddns-server 
dyndns.org        members.dyndns.org and dnsalias.com
dyns.net          www.dyns.net
tzo.com           rh.tzo.com
vavic.com         Peanut Hull
dipdns.net        dipdnsserver.dipdns.com
now.net.cn        ip.todayisp.com
dhs.org           members.dhs.org
easydns.com       members.easydns.com
genericDDNS       Generic DDNS based on RFC2136.
FortiGuardDDNS    FortiGuard DDNS service.
noip.com          dynupdate.no-ip.com

Next, want an SSL cert that matches the external-side DDNS name? You can do that in FortiGate now too. Easiest from the GUI under System -> Settings: go into Certificates and Create New. Since you’re on the internet via this cell interface and using a DDNS name, you can use a Let’s Encrypt cert. Give it the DDNS name, pick the interface, and it will do the validation and install it. You can then select it from the drop-down as the active cert for the HTTPS interface.

What you end up with config-wise looks like this:

config system global
    set admin-server-cert "my-oob-device.fortiddns.com" <---
    set gui-certificates enable
end
config vpn certificate local
    edit "my-oob-device.fortiddns.com" <---
        set password ENC ...
        set comments "Renewed with ACME on Wed May  1 12:12:12 2024 (UTC)"
        set range global
        set enroll-protocol acme2
        set acme-domain "my-oob-device.fortiddns.com" <---
        set acme-email "devnull@biz.com"
    next
end
