Unable to host a hotspot successfully

We have several RPC/RSLA4AGX64-B102S-20 Orin AGX devices flashed with jetpack 6.1 that came with Quectel RM520N-GL modems installed (firmware RM520NGLAAR01A08M4G_01.204.01.204).

Here are some issues we are facing:

Slow ping compared to previous hardware version (TX2) because we had to lower the MTUs:

When we attempted to deploy our stack to the Orin while it was on LTE (which we need to be able to accomplish), we would lose our local ping to our wireguard, and the deploy would hang and never complete.

The resolution we found was to lower the MTUs from 1500 to 1300 in our /etc/docker/daemon.json file, our .yml file, and in the wireguard config file.

With these changes we were able to deploy while the orin was on LTE. This change also resolved being able to run a chat feature in our UI.
However, now our pings while a machine is on LTE are so much slower and we are sacrificing timing in communication with the machines.

Our next issue is:

Unable to access the internet using the hotspot connection:

In the same line of LTE/modem issues, we have the Orins connected over LTE. We use a T-Mobile SIM card and have tested the cards on other devices and experienced no issues.
When I connect my phone (or any other client device) to the hotspot hosted on the Orin/LTE and attempt to go to any internet site, such as Google, nothing happens. However, we are able to ping (http://www.google.com/) or 8.8.8.8 from the Orin.

We have tried adjusting our iptables with no luck so far. We haven’t found anything on the forums yet. Wondering if you might have any suggestions?

Hello,

Thanks for visiting the NVIDIA Developer Forums.
To ensure better visibility and support, I’ve moved your post to the Jetson category, where it’s more appropriate.

Cheers,
Tom

Hi,
The kernel versions are different between Jetpack 4/TX2 and Jetpack 6/Orin. We would suggest checking whether all required configs are enabled. Please refer to this section to rebuild the kernel image:
Kernel Customization — NVIDIA Jetson Linux Developer Guide

Thank you for the response. We have rebuilt a few of the Orin kernels to get our wireguard up, and just keep running into little snags with different bits. Do you happen to have any suggestions on the modules to look into that might be missing that would help solve the networking issues?

I was going to look at the manual for syslogic/jetson-agx-orin/rugged-edge-ai-computer-rpc-rsl-a4agx but it’s on a sharepoint that wants a password.

Here’s some things I did see. You’ve probably done most of this.

lsmod|grep -i mhi

If none of the following are present, try them.

sudo modprobe mhi_pci_generic
sudo modprobe mhi_wwan_ctrl
sudo modprobe mhi_wwan_mbim
sudo modprobe mhi_net
sudo apt install modemmanager
sudo systemctl enable --now ModemManager
mmcli -L

Then configure your T-Mobile APN
sudo mmcli -m 0 --simple-connect="apn=fast.t-mobile.com,ip-type=ipv4v6"

mmcli -m 0 | grep 'bearer'
mmcli -b <bearer_id> | grep 'address'

Once connected you should have a wwan0 interface with a valid IP that you can test it with

ping -I wwan0 8.8.8.8
curl -4 --interface wwan0 http://example.com

Hotspot (NAT / forwarding): to let Wi-Fi clients (your phone) share that connection.

Enable forwarding

sudo sysctl -w net.ipv4.ip_forward=1

Assuming your modem is wwan0 and your hotspot/Wi-Fi interface is wlan0

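sudo iptables -t nat -A POSTROUTING -o wwan0 -j MASQUERADE
# New connections from hotspot clients (wlan0) out to the modem (wwan0)
sudo iptables -A FORWARD -i wlan0 -o wwan0 -j ACCEPT
# Only reply traffic for those connections back in from the modem
sudo iptables -A FORWARD -i wwan0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT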

Try to fix HTTPS stall

sudo iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

Persist the rules using iptables-save

Then restart the hotspot, reconnect the phone, and try browsing.

If still no http{s} try reducing MTU:

sudo ip link set wwan0 mtu 1400

If 5G
sudo mmcli -m 0 --set-allowed-modes='4g|5g'
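
Added example, not part of the original reply: a check that reads `iptables-save` text and reports whether the hotspot rules let clients open connections outward, admit only reply traffic inward, and include the NAT and MSS-clamp rules. The interface names wlan0/wwan0 follow the reply; both rule sets below are constructed samples, and the function name is hypothetical.

```bash
#!/usr/bin/env bash
# Audit iptables-save text for a NAT hotspot: LAN clients (wlan0) behind a WAN modem (wwan0).
# usage: iptables-save | audit_hotspot_rules LAN_IF WAN_IF   (prints nothing when all checks pass)
audit_hotspot_rules() {
  awk -v lan="$1" -v wan="$2" '
    function has(opt, val) { return index(" " $0 " ", " " opt " " val " ") > 0 }
    /^\*/ { table = substr($1, 2); next }            # "*nat", "*filter", "*mangle"
    table == "nat" && /^-A POSTROUTING/ && /-j MASQUERADE/ && has("-o", wan) { masq = 1 }
    table == "mangle" && /^-A FORWARD/ && /-j TCPMSS/ && /--clamp-mss-to-pmtu/ { clamp = 1 }
    table == "filter" && /^-A FORWARD/ && /-j ACCEPT/ {
      stateful = ($0 ~ /--(ct)?state [A-Z,]*ESTABLISHED/)
      if (has("-i", lan) && has("-o", wan) && !stateful) out_new = 1
      if (has("-i", wan) && has("-o", lan)) { if (stateful) in_reply = 1; else in_open = 1 }
    }
    END {
      if (!masq)                 print "FAIL no MASQUERADE on " wan
      if (!out_new)              print "FAIL new connections " lan "->" wan " not accepted"
      if (in_open)               print "FAIL unsolicited " wan "->" lan " traffic accepted"
      if (!in_reply && !in_open) print "FAIL replies " wan "->" lan " not accepted"
      if (!clamp)                print "WARN no TCPMSS clamp in mangle FORWARD"
    }'
}
# Constructed sample: the two FORWARD directions swapped, no MSS clamp.
swapped_rules() { cat <<'EOF'
*nat
-A POSTROUTING -o wwan0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i wlan0 -o wwan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wwan0 -o wlan0 -j ACCEPT
COMMIT
EOF
}
# Constructed sample: clients may open connections, only replies come back, MSS clamped.
good_rules() { cat <<'EOF'
*mangle
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
*nat
-A POSTROUTING -o wwan0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i wlan0 -o wwan0 -j ACCEPT
-A FORWARD -i wwan0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}
swapped_rules | audit_hotspot_rules wlan0 wwan0
```

The audit only looks at rules that name both interfaces explicitly; rules inserted by other software (Docker, NetworkManager, WireGuard PostUp hooks) earlier in the FORWARD chain can still override them, so check rule order in the real dump as well.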

I had to rebuild the kernel to get the mhi modules set up, I was able to get that done successfully.

Modemmanager was installed and t-mobile had been set up, I’m happy to share an output if it would be helpful.

I added the iptables:

sudo iptables -t nat -A POSTROUTING -o wwan0 -j MASQUERADE
sudo iptables -A FORWARD -i wlan0 -o wwan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wwan0 -o wlan0 -j ACCEPT

I have a ping going from my laptop (which is connected to a totally different network) via wireguard. I also had a ping running to 8.8.8.8 running from the Orin.

When I connected to my hotspot from my phone, I lost the wireguard ping from my laptop (which has happened when I tried the iptables changes in the past with this issue) and the Orin lost ping to 8.8.8.8.

I have to reboot to get wireguard back up. I reset the same iptables and this time I do not lose the pings, but my phone has no internet connection still. I included the tcp dump here:

I haven’t tried the tcp clamp yet because I would have to add the modules and rebuild the kernel again- which is fine - but not preferred because it makes our connection to our machines slower than our HW1 (TX2 with Sierra Wireless modem).

sudo tcpdump -i wlan0

tcpdump: verbose output suppressed, use -v[v]... for full protocol decode

listening on wlan0, link-type EN10MB (Ethernet), snapshot length 262144 bytes

15:48:53.701630 d2:30:5b:44:93:45 (oui Unknown) > Broadcast Null Unnumbered, xid, Flags [Response], length 6: 01 00

15:48:53.751953 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2, 2 group record(s), length 48

15:48:53.752008 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2, 2 group record(s), length 48

15:48:53.809268 IP6 fe80::ce5:557c:36c9:fd4f > ff02::16: HBH ICMP6, multicast listener report v2, 3 group record(s), length 68

15:48:53.809334 IP6 fe80::ce5:557c:36c9:fd4f > ff02::16: HBH ICMP6, multicast listener report v2, 3 group record(s), length 68

15:48:53.810231 IP6 :: > ff02::1:ffc9:fd4f: ICMP6, neighbor solicitation, who has fe80::ce5:557c:36c9:fd4f, length 32

15:48:53.810263 IP6 :: > ff02::1:ffc9:fd4f: ICMP6, neighbor solicitation, who has fe80::ce5:557c:36c9:fd4f, length 32

15:48:53.813396 ARP, Request who-has 10.42.0.1 tell 10.42.0.56, length 28

15:48:53.813419 ARP, Reply 10.42.0.1 is-at d4:ab:61:b0:cc:3c (oui Unknown), length 28

15:48:53.813519 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from d2:30:5b:44:93:45 (oui Unknown), length 300

15:48:53.813567 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from d2:30:5b:44:93:45 (oui Unknown), length 300

15:48:53.813621 IP6 fe80::ce5:557c:36c9:fd4f > ip6-allrouters: ICMP6, router solicitation, length 8

15:48:53.813645 IP6 fe80::ce5:557c:36c9:fd4f > ip6-allrouters: ICMP6, router solicitation, length 8

15:48:53.819681 IP 10.42.0.1.bootps > 10.42.0.56.bootpc: BOOTP/DHCP, Reply, length 300

15:48:53.820672 ARP, Request who-has 10.42.0.56 tell 10.42.0.56, length 28

15:48:53.820710 ARP, Request who-has 10.42.0.56 tell 10.42.0.56, length 28

15:48:53.857510 IP6 fe80::ce5:557c:36c9:fd4f > ff02::16: HBH ICMP6, multicast listener report v2, 2 group record(s), length 48

15:48:53.857569 IP6 fe80::ce5:557c:36c9:fd4f > ff02::16: HBH ICMP6, multicast listener report v2, 2 group record(s), length 48

15:48:53.943006 IP 10.42.0.56 > all-routers.mcast.net: igmp leave mdns.mcast.net

15:48:53.943064 IP 10.42.0.56 > all-routers.mcast.net: igmp leave mdns.mcast.net

15:48:53.943140 IP 10.42.0.56 > mdns.mcast.net: igmp v2 report mdns.mcast.net

15:48:53.943172 IP 10.42.0.56 > mdns.mcast.net: igmp v2 report mdns.mcast.net

15:48:54.262676 IP 10.42.0.56.mdns > mdns.mcast.net.mdns: 0 [5q] PTR (QU)? _hap._tcp.local. PTR (QU)? _hap._udp.local. PTR (QU)? _companion-link._tcp.local. PTR (QU)? _rdlink._tcp.local. PTR (QU)? lb._dns-sd._udp.local. (102)

15:48:54.262735 IP 10.42.0.56.mdns > mdns.mcast.net.mdns: 0 [5q] PTR (QU)? _hap._tcp.local. PTR (QU)? _hap._udp.local. PTR (QU)? _companion-link._tcp.local. PTR (QU)? _rdlink._tcp.local. PTR (QU)? lb._dns-sd._udp.local. (102)

15:48:54.263585 IP6 fe80::ce5:557c:36c9:fd4f.mdns > ff02::fb.mdns: 0 [5q] PTR (QU)? _hap._tcp.local. PTR (QU)? _hap._udp.local. PTR (QU)? _companion-link._tcp.local. PTR (QU)? _rdlink._tcp.local. PTR (QU)? lb._dns-sd._udp.local. (102)

15:48:54.263618 IP6 fe80::ce5:557c:36c9:fd4f.mdns > ff02::fb.mdns: 0 [5q] PTR (QU)? _hap._tcp.local. PTR (QU)? _hap._udp.local. PTR (QU)? _companion-link._tcp.local. PTR (QU)? _rdlink._tcp.local. PTR (QU)? lb._dns-sd._udp.local. (102)

15:48:54.263705 ARP, Request who-has 10.42.0.1 tell 10.42.0.56, length 28

15:48:54.263718 ARP, Request who-has 10.42.0.1 tell 10.42.0.56, length 28

15:48:54.263733 ARP, Reply 10.42.0.1 is-at d4:ab:61:b0:cc:3c (oui Unknown), length 28

15:48:54.335618 IP 10.42.0.56.52956 > 10.42.0.1.domain: 10499+ A? app-analytics-services.com. (44)

15:48:54.335793 IP 10.42.0.1.domain > 10.42.0.56.52956: 10499 1/0/0 A 142.250.190.110 (60)

15:48:54.444616 IP 10.42.0.56.65520 > 10.42.0.1.domain: 64888+ A? gsp85-ssl.ls.apple.com. (40)

15:48:54.444616 IP 10.42.0.56.60634 > 10.42.0.1.domain: 46334+ Type64? _dns.resolver.arpa. (36)

15:48:54.444616 IP 10.42.0.56.49703 > 10.42.0.1.domain: 4977+ A? www.google.com. (32)

15:48:54.444692 IP 10.42.0.56.59326 > 10.42.0.1.domain: 2378+ Type65? gsp85-ssl.ls.apple.com. (40)

15:48:54.444784 IP 10.42.0.1.domain > 10.42.0.56.60634: 46334 NXDomain 0/1/0 (116)

15:48:54.827605 IP 10.42.0.56.64911 > 10.42.0.1.domain: 51457+ Type65? captive.apple.com. (35)

15:48:54.827604 IP 10.42.0.56.62221 > 10.42.0.1.domain: 31545+ Type64? _dns.resolver.arpa. (36)

15:48:54.827602 IP 10.42.0.56.62030 > 10.42.0.1.domain: 48193+ A? captive.apple.com. (35)

15:48:54.827915 IP 10.42.0.1.domain > 10.42.0.56.62221: 31545 NXDomain 0/1/0 (116)

15:48:54.934553 ARP, Request who-has 10.42.0.1 tell 10.42.0.56, length 28

15:48:54.934602 ARP, Request who-has 10.42.0.1 tell 10.42.0.56, length 28

15:48:54.934623 ARP, Reply 10.42.0.1 is-at d4:ab:61:b0:cc:3c (oui Unknown), length 28

15:48:54.937961 IP 10.42.0.56.53308 > 10.42.0.1.domain: 6192+ A? 9-courier.push.apple.com. (42)

15:48:55.159075 ARP, Request who-has 10.42.0.56 tell 10.42.0.56, length 28

15:48:55.159121 ARP, Request who-has 10.42.0.56 tell 10.42.0.56, length 28

15:49:12.870683 IP 10.42.0.56.55738 > 17.248.139.234.https: Flags [S], seq 2454272655, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 3412270513 ecr 0,sackOK,eol], length 0

15:49:12.879839 IP 10.42.0.56.55734 > uschi5-vip-bx-003.a.aaplimg.com.http: Flags [S], seq 1327499416, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 1242691461 ecr 0,sackOK,eol], length 0

15:49:12.879838 IP 10.42.0.56.55042 > 17.248.139.228.https: UDP, length 1350

15:49:12.881932 IP 10.42.0.56.55744 > 17.248.139.235.https: Flags [S], seq 51943387, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 262275998 ecr 0,sackOK,eol], length 0

15:49:12.900747 IP 10.42.0.1.domain > 10.42.0.56.55149: 40191 0/1/0 (88)

15:49:12.910433 IP 10.42.0.56.55751 > 17.248.139.237.https: Flags [S], seq 569184430, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2391734137 ecr 0,sackOK,eol], length 0

15:49:12.926766 IP 10.42.0.56.55739 > 17.57.144.245.https: Flags [S], seq 2825343673, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 3554408742 ecr 0,sackOK,eol], length 0

15:49:13.140436 IP 10.42.0.56.61348 > 17.248.139.235.https: UDP, length 1350

15:49:13.140530 IP 10.42.0.1 > 10.42.0.56: ICMP 17.248.139.235 udp port https unreachable, length 556

15:49:13.178480 IP 10.42.0.56.55752 > ec2-3-139-131-151.us-east-2.compute.amazonaws.com.https: Flags [S], seq 578139794, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 958595042 ecr 0,sackOK,eol], length 0

15:49:13.178485 IP 10.42.0.56.55741 > 17.57.144.244.https: Flags [S], seq 2629473313, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2349586108 ecr 0,sackOK,eol], length 0

15:49:15.862090 IP 10.42.0.56.53311 > 17.248.139.237.https: UDP, length 1350

15:49:15.870644 IP 10.42.0.56.55738 > 17.248.139.234.https: Flags [S], seq 2454272655, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 3412273517 ecr 0,sackOK,eol], length 0

15:49:17.137393 IP 10.42.0.56.61348 > 17.248.139.235.https: UDP, length 1350

15:49:17.137471 IP 10.42.0.1 > 10.42.0.56: ICMP 17.248.139.235 udp port https unreachable, length 556

15:49:17.392274 IP 10.42.0.56.51585 > 17.248.139.236.https: UDP, length 1350

15:49:17.412750 IP 10.42.0.56.55746 > 17.248.139.233.https: Flags [S], seq 479947588, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 3971783975 ecr 0,sackOK,eol], length 0

15:49:17.640831 IP 10.42.0.56.53304 > 17.248.139.230.https: UDP, length 1350

15:49:17.660176 IP 10.42.0.56.55747 > 17.248.139.229.https: Flags [S], seq 505442651, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2554418781 ecr 0,sackOK,eol], length 0

15:49:17.924890 IP 10.42.0.56.55751 > 17.248.139.237.https: Flags [S], seq 569184430, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2391739155 ecr 0,sackOK,eol], length 0

15:49:18.352533 IP 10.42.0.56.60933 > 10.42.0.1.domain: 44246+ A? gateway.fe2.apple-dns.net. (43)

15:49:29.874058 IP 10.42.0.56.55777 > ec2-3-139-131-151.us-east-2.compute.amazonaws.com.https: Flags [S], seq 818041811, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 4072805392 ecr 0,sackOK,eol], length 0

15:49:29.894415 IP 10.42.0.56.55778 > ord37s33-in-f4.1e100.net.https: Flags [S], seq 3954852942, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 1721064030 ecr 0,sackOK,eol], length 0

15:49:29.956884 IP 10.42.0.56.49506 > 17.248.139.231.https: UDP, length 1350

15:49:29.970869 IP 10.42.0.56.55772 > 17.248.139.237.https: Flags [S], seq 1312364707, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 427004021 ecr 0,sackOK,eol], length 0

15:49:34.362249 IP 10.42.0.56.mdns > mdns.mcast.net.mdns: 0 [5q] PTR (QM)? _hap._tcp.local. PTR (QM)? _hap._udp.local. PTR (QM)? _companion-link._tcp.local. PTR (QM)? _rdlink._tcp.local. PTR (QM)? lb._dns-sd._udp.local. (102)

15:49:34.362305 IP 10.42.0.56.mdns > mdns.mcast.net.mdns: 0 [5q] PTR (QM)? _hap._tcp.local. PTR (QM)? _hap._udp.local. PTR (QM)? _companion-link._tcp.local. PTR (QM)? _rdlink._tcp.local. PTR (QM)? lb._dns-sd._udp.local. (102)

15:49:34.362349 IP6 fe80::ce5:557c:36c9:fd4f.mdns > ff02::fb.mdns: 0 [5q] PTR (QM)? _hap._tcp.local. PTR (QM)? _hap._udp.local. PTR (QM)? _companion-link._tcp.local. PTR (QM)? _rdlink._tcp.local. PTR (QM)? lb._dns-sd._udp.local. (102)

15:49:34.362385 IP6 fe80::ce5:557c:36c9:fd4f.mdns > ff02::fb.mdns: 0 [5q] PTR (QM)? _hap._tcp.local. PTR (QM)? _hap._udp.local. PTR (QM)? _companion-link._tcp.local. PTR (QM)? _rdlink._tcp.local. PTR (QM)? lb._dns-sd._udp.local. (102)

15:49:35.884130 IP 10.42.0.56.55777 > ec2-3-139-131-151.us-east-2.compute.amazonaws.com.https: Flags [S], seq 818041811, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 4072811399 ecr 0,sackOK,eol], length 0

15:49:35.884226 IP 10.42.0.1 > 10.42.0.56: ICMP ec2-3-139-131-151.us-east-2.compute.amazonaws.com tcp port https unreachable, length 72

15:49:35.896786 IP 10.42.0.56.55784 > ec2-3-139-131-151.us-east-2.compute.amazonaws.com.https: Flags [S], seq 1883362358, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2383174551 ecr 0,sackOK,tfo  cookiereq], length 0

15:49:35.896861 IP 10.42.0.1 > 10.42.0.56: ICMP ec2-3-139-131-151.us-east-2.compute.amazonaws.com tcp port https unreachable, length 72

15:49:35.900477 IP 10.42.0.56.55778 > ord37s33-in-f4.1e100.net.https: Flags [S], seq 3954852942, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 1721070037 ecr 0,sackOK,eol], length 0

15:49:35.900544 IP 10.42.0.1 > 10.42.0.56: ICMP ord37s33-in-f4.1e100.net tcp port https unreachable, length 72

15:49:35.904351 IP 10.42.0.56.55785 > ec2-3-139-131-151.us-east-2.compute.amazonaws.com.https: Flags [S], seq 1449935426, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 4158524855 ecr 0,sackOK,tfo  cookiereq], length 0

15:49:36.907763 IP 10.42.0.56.55785 > ec2-3-139-131-151.us-east-2.compute.amazonaws.com.https: Flags [S], seq 1449935426, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 4158525858 ecr 0,sackOK,eol], length 0

15:49:36.907833 IP 10.42.0.1 > 10.42.0.56: ICMP ec2-3-139-131-151.us-east-2.compute.amazonaws.com tcp port https unreachable, length 72

15:49:36.917794 IP 10.42.0.56.55786 > ec2-3-139-131-151.us-east-2.compute.amazonaws.com.https: Flags [S], seq 2964539434, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2892483999 ecr 0,sackOK,tfo  cookiereq], length 0

15:49:37.919847 IP 10.42.0.56.55786 > ec2-3-139-131-151.us-east-2.compute.amazonaws.com.https: Flags [S], seq 2964539434, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2892485000 ecr 0,sackOK,eol], length 0

15:49:37.919937 IP 10.42.0.1 > 10.42.0.56: ICMP ec2-3-139-131-151.us-east-2.compute.amazonaws.com tcp port https unreachable, length 72

15:49:39.627494 IP 10.42.0.56.57217 > ord37s33-in-f4.1e100.net.https: UDP, length 1200

15:49:39.627580 IP 10.42.0.1 > 10.42.0.56: ICMP ord37s33-in-f4.1e100.net udp port https unreachable, length 556

15:49:40.539703 IP 10.42.0.56.53784 > 17.248.139.234.https: UDP, length 1350

15:49:40.539807 IP 10.42.0.1 > 10.42.0.56: ICMP 17.248.139.234 udp port https unreachable, length 556

15:49:40.795201 IP 10.42.0.56.51306 > 17.248.139.228.https: UDP, length 1350

15:49:40.795297 IP 10.42.0.1 > 10.42.0.56: ICMP 17.248.139.228 udp port https unreachable, length 556

15:49:40.796069 IP 10.42.0.56.57279 > 17.248.139.234.https: Flags [S], seq 4075068908, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 3186020673 ecr 0,sackOK,eol], length 0

This is just outside our realm of expertise- is there any info that might help troubleshoot what is going on? Ideally we wouldn’t want to degrade the MTUs, currently we have docker and wireguard set to 1300, which again we wouldn’t prefer, but it was the only way we found to deploy while the Orin is on LTE and get some features to run on the machine.
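
Added example, not part of the original post: a small classifier for a hotspot-side tcpdump text capture like the one above. It counts client SYNs, SYN-ACK answers, and ICMP "unreachable" messages whose source is the hotspot gateway itself (10.42.0.1 in the capture), which separates traffic refused on the hotspot host from traffic lost further upstream. The function name and verdict labels are hypothetical; the first sample is four lines taken from the capture, the second is constructed.

```bash
#!/usr/bin/env bash
# Classify a hotspot-side tcpdump text capture read on stdin: are client
# connections answered, refused by the gateway itself, or silently lost?
# usage: classify_capture GATEWAY_IP < capture.txt
classify_capture() {
  awk -v gw="$1" '
    / Flags \[S\],/   { syn++ }      # client connection attempts
    / Flags \[S\.\],/ { synack++ }   # answers from remote servers
    $2 == "IP" && $3 == gw && $6 == "ICMP" && /unreachable/ { rej++ }
    END {
      verdict = "no-attempts"
      if (synack > 0)   verdict = "forwarding-ok"
      else if (rej > 0) verdict = "local-reject"   # gateway host refuses to forward
      else if (syn > 0) verdict = "silent-drop"    # dropped here or lost upstream
      printf "%s syn=%d synack=%d rejects=%d\n", verdict, syn, synack, rej
    }'
}
# Four lines excerpted from the capture in the post.
page_excerpt() { cat <<'EOF'
15:49:35.884130 IP 10.42.0.56.55777 > ec2-3-139-131-151.us-east-2.compute.amazonaws.com.https: Flags [S], seq 818041811, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 4072811399 ecr 0,sackOK,eol], length 0
15:49:35.884226 IP 10.42.0.1 > 10.42.0.56: ICMP ec2-3-139-131-151.us-east-2.compute.amazonaws.com tcp port https unreachable, length 72
15:49:39.627494 IP 10.42.0.56.57217 > ord37s33-in-f4.1e100.net.https: UDP, length 1200
15:49:39.627580 IP 10.42.0.1 > 10.42.0.56: ICMP ord37s33-in-f4.1e100.net udp port https unreachable, length 556
EOF
}
# Constructed sample: SYN retransmits with no answer of any kind.
silent_sample() { cat <<'EOF'
12:00:00.000001 IP 10.42.0.56.50000 > 192.0.2.10.443: Flags [S], seq 1, win 65535, length 0
12:00:01.000001 IP 10.42.0.56.50000 > 192.0.2.10.443: Flags [S], seq 1, win 65535, length 0
EOF
}
page_excerpt | classify_capture 10.42.0.1
```

A "local-reject" verdict points at the filter rules on the hotspot host: the iptables REJECT target answers with ICMP port unreachable by default, so listing the FORWARD chain with packet counters (`sudo iptables -L FORWARD -v -n --line-numbers`) shows which rule is matching.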

I have also added this under my wg0.conf file. I do not lose any pings to anything (my laptop which is connected on a separate network >>> the Orin’s wg IP & the Orin which is connected via LTE t-mobile SIM card to 8.8.8.8). However I still cannot access any internet sites on my client device (my phone connected to the Orin’s hotspot)
