Choosing a cellular plan

It's important to choose a cellular plan that's appropriate for your access and data usage requirements.

If you are unsure, please don't hesitate to contact Opengear support for advice.  Your carrier will also be able to help – your organization may already have a corporate account manager, otherwise check the carrier's website to get in touch with the local rep for your area.

Data usage considerations

A Opengear device providing Internet gateway connectivity for a LAN (i.e. Cellular Router or IP Passthrough mode) will typically use a lot more data than an Opengear device dedicated to remote OOB access.

Even in OOB mode, polled monitoring services such as Nagios or Solarwinds SNMP, and keepalive traffic from the Modem Watchdog and/or VPN or SSH tunnels can cumulatively use 10s or 100s of MB per month.

Therefore we recommend profiling your data usage during evaluation and/or the initial weeks and months of deployment, to get an idea of the data quota requirement specific for your network and usage patterns.

Always configure cellular data usage alerts to avoid overage charges.

Sharing data between SIMs

If you are deploying multiple Opengear devices, discuss pooling data across your SIMs with your cellular carrier.  This can be particularly cost effective when combined with the Failover mode of operation.

Remote access considerations

There are three broad categories of cell plans you can order from carriers such as Verizon or AT&T:

1. Private IP
2. Public, static IP
3. Private network created for you by the carrier

When choosing a plan type, consider both security and whether and how you will access the Opengear's cellular IP.  These articles will assist with that decision:

• Supported carriers and services
• Remote access to a non-routable cellular IP
• Important security considerations when using a public cellular IP

The following sections provide illustrations on example deployments using the three plan types.

Plan type 1. Private IP

These plans employ carrier-grade NAT so data communications can be established outbound only.

Remote access requires that the Opengear device to establish an outbound tunnel (VPN or Lighthouse Call Home), over which inbound connections can then be established.

Note: Many carriers, particularly the major carriers in Europe, only offer this type of plan.

Illustration:

The carrier assigns an RFC1918 private IP address that is routed through out of the carrier wireless network and NATed/masqueraded onto to the Internet.

The private IP address cannot be reached via ping and you cannot SSH or browse to the Opengear device over the cellular network.

Access options:

To simplify access when using this type of plan Opengear has developed Call Home feature, whereby the Opengear device calls home to our Lighthouse product (hosted in a central, remotely accessible location, e.g. your NOC) via an OpenVPN tunnel.

Similarly, the Opengear device can establish an outbound OpenVPN/IPSec tunnel to your VPN server or VPN router.

Opengear device users can then initiate sessions the remote Opengear device via the SSH or VPN tunnel.

Plan type 2. Public, static IP address

These plans assigns the Opengear device a "real" public IP address that is accessible on the Internet.  Data communications can be established both inbound and outbound.

Note: Particularly in Europe, this type of plan may be offered by a specialist value-add carrier reseller known as an MVNO.  They are often marketed as "Fixed IP", "M2M" or "IoT" SIMs.

Illustration:

Access options:

You may choose to either access the Opengear directly or, after reading the cellular security best practices, decide to mandate VPN for remote access.  In the latter case, remote access then becomes similar to plan type 1.

Opengear device users can then initiate sessions the remote Opengear device directly using its public cellular IP, or via the optional SSH or VPN tunnel.

Plan type 3. Carrier private network

By special arrangement, the cellular carrier securely connects their private network to your corporate private network (e.g. via VPN or MPLS), or provides a portal/access tools for establishing a VPN to their private network.

Once the networks are connected, data communications can be established both inbound and outbound between your corporate network and the Opengear's private cellular IP.

Note: Particularly in Europe, this type of plan may be offered by a specialist value-add carrier reseller known as an MVNO.  They are sometimes marketed as "Private APN" or "M2M/IoT management portal" service offerings.

Illustration:

The cellular carrier creates a private IP network shared by all Opengear devices.

This private network is created within their larger carrier wireless network, so your Opengear devices typically sit on the same IP network segment and can communicate with each other whereas other devices in the carrier wireless network cannot communicate with the Opengear devices.

The private network is attached to the Internet via a carrier VPN gateway.  You then access this private network by building a VPN tunnel across the Internet to the carrier gateway. 

Access options:

From a security perspective, this plan type is preferable to having the Opengear devices publicly accessible as per plan type 2.  From a remote access perspective, this plan type preferable to requiring an outbound tunnel from each Opengear device as per plan type 1, but is often less convenient than plan type 2.

Opengear device users on the corporate LAN can then initiate sessions the remote Opengear device directly using its private cellular IP.  Opengear device users outside the corporate LAN may have to use the carrier portal or VPN client to access the carrier private network.