I am using Quectel EC25-E miniPCIe module in the data-only mode, inside third-party router based on OpenWRT firmware (Turris Omnia).
So far everything works fine in PPP mode, but I like to upgrade to ECM mode for better network throughput.
As a part of this PPP to ECM migration effort, I would like to configure DMZ or NAT port forwarding in ECM mode (which was enabled via AT+QCFG="usbnet",1 command).
Quectel EC25-E in ECM mode seems to support web-based configuration for NAT, firewall, UPnP and DMZ.
My problem is that after changing default password from “admin” my unit to longer allows me to log in.
Resetting unit to factory default settings via AT+QPRTPARA=3 doesn’t seem to affect configuration of QCMAP web auth.
So, my questions are:
Regarding implementation of DMZ or NAT port forwarding in ECM mode: is it functional as of now?
Is there any way to reset QCMAP web auth settings to factory defaults? Maybe some AT command?
Alternatively, is it possible to configure DMZ or NAT port forwarding in ECM mode via AT commands?
Obviously it performs NAT in ECM mode and has two distinct IP addresses on both sides (LAN and WAN). This can be confirmed via traceroute command, for example.
If i traceroute to google’s 8.8.8.8, firsts hops shows that there is NAT
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 _gateway (192.168.225.1) 3.199 ms 3.250 ms 3.290 ms
2 100.64.0.0 (100.64.0.0) 72.020 ms 90.933 ms 90.899 ms
3 10.70.5.229 (10.70.5.229) 90.863 ms 90.943 ms 94.981 ms
Is there way to define DMZ IP or port forward to LAN IP (all ports)?
Thanks. ECM works nicely if you only need internet connection, but if you need access from internet or m2m network to device then it’s more complicated and may not work.
No, I couldn’t resolve this issue and so, I ultimately settled on the PPP mode of EC25 module.
QMI mode didn’t work for me because EC25 and host router (Turris Omnia) start to disagree about external IP address on the LTE interface after each reconnection to the carrier (i.e. on session expiry). EC25 reconnects successfully, gets a different IP address, and then host router doesn’t have a way to get notified about that and continues to send packets in the vain, to an old IP address. Probably I could hack up a script which polls uqmi -d /dev/cdc-wdm0 --get-current-settings in a loop (and updates host-side settings accordingly) or whatever, but I decided that setting up PPP is just easier.
In ECM mode, I couldn’t enable port forwarding through EC25’s builtin NAT. It looks like implementation of this feature in EC25 firmware is incomplete, or at least not properly documented. No way to reset unit to the factory settings etc. I hope to see this feature implemented some time later in the future.
MBIM mode didn’t work under TurrisOS/OpenWRT at all (lack of drivers or whatever).
Regarding original question about port passthrough via NAT on EC25 in ECM mode, CVE-2021-31698 vulnerability (shell injection in AT command handler) may be of help.
On older firmware revisions (before April 2021) AT+QFUMOCFG command argument was passed to the system() call without prior sanitization/cleaning. Quick check looks like this:
AT+QFUMOCFG="dmacc","`reboot`"
If your unit is vulnerable, then it may be possible to invoke iptables command on EC25 this way, and so rewrite firewall rules to enable port forwarding via NAT in ECM mode.
I have two functional modems. One of them has RM500 module and the other RM520. I’m interested to enable IP passthrough. The modem with RM500 module is behaving in the right way. But the other modem with RM520 module does not. I have set both modems to ECM mode and followed the instructions presented here. I have internet connectivity in my both modems, the only problem is that I cannot enable IP passthrough in the newer module (RM520). Here I provide some information that might help for debugging:
