Anybody got a T-mobile cellspot v2 to work with NAT'd firewall (IPFW)?

John Reynolds johnjen at
Sun Feb 18 05:02:58 UTC 2018

Hello all,

I've been struggling trying to get one of T-mobile's Cellspot (v2) 
fempto-towers to configure. I have a pretty vanilla setup with a 
11.1-RELEASE-p4 box acting as my gateway/fw (with various internal 
servers such as Samba, etc. running on it).

                                                                       ----> LAN machines
     Cable modem ->   re0 --FreeBSD ipfw --> igb0 -----> 8-port switch ----> LAN ....
                                                                       ----> T-mobile Cellspot

I can see that it is getting an IP address from my DHCP server and 
through tcpdump I see that it is talking to tmobile's servers--but it 
just abruptly "stops" and I get no further traffic to/from the device 
once I get to this point:

     cellspot.home-net.isakmp > [udp sum 
ok] isakmp 2.0 msgid 00000000 cookie a2e7eea
bc47d5a3a->0000000000000000: parent_sa ikev2_init[I]:
     (sa: len=112
         (p: #1 protoid=isakmp transform=12 len=112
             (t: #1 type=encr id=aes (type=keylen value=0100))
             (t: #2 type=encr id=aes (type=keylen value=0080))
             (t: #3 type=encr id=3des )
             (t: #4 type=integ id=#12 )
             (t: #5 type=integ id=aes-xcbc )
             (t: #6 type=integ id=hmac-sha )
             (t: #7 type=prf id=#5 )
             (t: #8 type=prf id=aes128_xcbc )
             (t: #9 type=prf id=hmac-sha )
             (t: #10 type=dh id=modp2048 )
             (t: #11 type=dh id=modp3072 )
             (t: #12 type=dh id=modp4096 )))
     (v2ke: len=256 group=modp2048)
     (nonce: len=32 
nonce=(e88267d563388560eadb76d831fe877330cf258e0f15783fe27eabdf2895cedc) )
     (n: prot_id=#0 type=16388(nat_detection_source_ip))
     (n: prot_id=#0 type=16389(nat_detection_destination_ip))
20:13:12.510298 IP (tos 0x0, ttl 127, id 27639, offset 0, flags [none], 
proto UDP (17), length 137)

I don't know if it's something I'm "doing" in my ipfw rules or if 
there's some sysctl for ipsec that I need to flip or if this box is just 
a dud. I've configured the box temporarily as an "open" firewall (with 
NAT) to try and eliminate it being "me" through some IPFW filtering. 
That made no difference. Just wondering if somebody out there has gotten 
one of these stupid CellSpot things and actually gotten it to talk to 
its mother ship and configure and actually WORK behind a NAT'd firewall. 
FWIW using Cox communications as internet provider and I know they don't 
block ports 500/4500/123.

My sysctl variables are:

kern.features.ipsec_natt: 1
kern.features.ipsec: 1
net.inet.ipsec.def_policy: 1
net.inet.ipsec.esp_trans_deflev: 1
net.inet.ipsec.esp_net_deflev: 1
net.inet.ipsec.ah_trans_deflev: 1
net.inet.ipsec.ah_net_deflev: 1
net.inet.ipsec.ah_cleartos: 1
net.inet.ipsec.ah_offsetmask: 0
net.inet.ipsec.dfbit: 0
net.inet.ipsec.ecn: 0
net.inet.ipsec.debug: 1
net.inet.ipsec.filtertunnel: 0
net.inet.ipsec.natt_cksum_policy: 0
net.inet.ipsec.check_policy_history: 0
net.inet.ipsec.crypto_support: 50331648

(changing filtertunnel to 1 made no difference)

My IPFW rules are:

00010 allow ip from any to any via lo0
00020 allow ip from any to any via igb0
00030 deny ip from any to any not antispoof in
00050 allow ip from any to any frag
00051 allow log udp from any to any dst-port 500
00054 allow log esp from any to any
00056 allow log ah from any to any
00058 allow log ipencap from any to any
00060 allow log udp from any 500 to any
00100 nat 1 ip from any to any via re0 in
00101 check-state :default
02000 skipto 10000 tcp from any to any via re0 out setup keep-state :default
02010 skipto 10000 udp from any to any via re0 out keep-state :default
05000 allow tcp from any to me dst-port 22,80,110,443,3458,4040,10993,123,500,4500 via re0 in setup keep-state :default
05001 allow udp from any to me dst-port 500,4500,123 via re0 in keep-state :default
09998 deny tcp from any to any via re0
09999 deny udp from any to any via re0
10000 nat 1 ip from any to any via re0 out
65534 allow ip from any to any
65535 deny ip from any to any

If anybody has any hints, I'd be much appreciated ....... :/ Thanks.


More information about the freebsd-questions mailing list