It's important to choose a cellular plan that's appropriate for your access and data usage requirements.
If you are unsure, please don't hesitate to contact Opengear support for advice. Your carrier will also be able to help – your organization may already have a corporate account manager, otherwise check the carrier's website to get in touch with the local rep for your area.
Data usage considerations
An Opengear device providing Internet gateway connectivity for a LAN (i.e. Cellular Router or IP Passthrough mode) will typically use a lot more data than an Opengear device dedicated to remote OOB access.
Even in OOB mode, polled monitoring services such as Nagios or Solarwinds SNMP, and keepalive traffic from the Modem Watchdog and/or VPN or SSH tunnels can cumulatively use 10s or 100s of MB per month.
Therefore we recommend profiling your data usage during evaluation and/or the initial weeks and months of deployment, to get an idea of the data quota requirement specific to your network and usage patterns.
Always configure cellular data usage alerts to avoid overage charges.
Sharing data between SIMs
If you are deploying multiple Opengear devices, discuss pooling data across your SIMs with your cellular carrier. This can be particularly cost effective when combined with the Failover mode of operation.
Remote access considerations
There are three broad categories of cell plans you can order from carriers such as Verizon or AT&T:
- Private IP
- Public, static IP
- Private network created for you by the carrier
When choosing a plan type, consider both security and whether and how you will access the Opengear's cellular IP. These articles will assist with that decision:
- Supported carriers and services
- Remote access to a non-routable cellular IP
- Important security considerations when using a public cellular IP
The following sections illustrate example deployments using the three plan types.
Plan type 1. Private IP
These plans employ carrier-grade NAT so data communications can be established outbound only.
Remote access requires the Opengear device to establish an outbound tunnel (VPN or Lighthouse Call Home), over which inbound connections can then be established.
Note: Many carriers, particularly the major carriers in Europe, only offer this type of plan.
The carrier assigns an RFC1918 private IP address that is routed out through the carrier wireless network and NATed/masqueraded onto the Internet.
The private IP address cannot be reached via ping and you cannot SSH or browse to the Opengear device over the cellular network.
To simplify access when using this type of plan, Opengear has developed the Call Home feature, whereby the Opengear device calls home to our Lighthouse product (hosted in a central, remotely accessible location, e.g. your NOC) via an OpenVPN tunnel.
Similarly, the Opengear device can establish an outbound OpenVPN/IPSec tunnel to your VPN server or VPN router.
Opengear device users can then initiate sessions to the remote Opengear device via the SSH or VPN tunnel.
- Plans are often very cost effective
- No additional infrastructure required using Lighthouse VM or your existing VPN router
- Call Home requires no specialist VPN knowledge or complex configuration
- Cannot browse or SSH directly to the Opengear device over the cellular network
- The Opengear device must initiate and maintain an outbound Call Home SSH or VPN tunnel
- If the central Lighthouse or VPN server is not available, you cannot access the console server via the cellular network
Plan type 2. Public, static IP address
These plans assign the Opengear device a "real" public IP address that is accessible on the Internet. Data communications can be established both inbound and outbound.
Note: Particularly in Europe, this type of plan may be offered by a specialist value-add carrier reseller known as an MVNO. They are often marketed as "Fixed IP", "M2M" or "IoT" SIMs.
You may choose to either access the Opengear directly or, after reading the cellular security best practices, decide to mandate VPN for remote access. In the latter case, remote access then becomes similar to plan type 1.
Opengear device users can then initiate sessions to the remote Opengear device directly using its public cellular IP, or via the optional SSH or VPN tunnel.
- Ease of access
- No need for additional hardware or tunneling
- Opengear devices include many security/hardening options to help secure the interface (Firewall)
- Read and implement Opengear's cellular security best practices
- Possible target for malicious activity
- One-time activation charge may not be cost effective for small deployments
- May not be available from your carrier
Plan type 3. Carrier private network
By special arrangement, the cellular carrier securely connects their private network to your corporate private network (e.g. via VPN or MPLS), or provides a portal/access tools for establishing a VPN to their private network.
Once the networks are connected, data communications can be established both inbound and outbound between your corporate network and the Opengear's private cellular IP.
Note: Particularly in Europe, this type of plan may be offered by a specialist value-add carrier reseller known as an MVNO. They are sometimes marketed as "Private APN" or "M2M/IoT management portal" service offerings.
The cellular carrier creates a private IP network shared by all Opengear devices.
This private network is created within their larger carrier wireless network, so your Opengear devices typically sit on the same IP network segment and can communicate with each other, whereas other devices in the carrier wireless network cannot communicate with the Opengear devices.
The private network is attached to the Internet via a carrier VPN gateway. You then access this private network by building a VPN tunnel across the Internet to the carrier gateway.
From a security perspective, this plan type is preferable to having the Opengear devices publicly accessible as per plan type 2. From a remote access perspective, this plan type is preferable to requiring an outbound tunnel from each Opengear device as per plan type 1, but is often less convenient than plan type 2.
Opengear device users on the corporate LAN can then initiate sessions to the remote Opengear device directly using its private cellular IP. Opengear device users outside the corporate LAN may have to use the carrier portal or VPN client to access the carrier private network.
- Secure access to Opengear devices as if they were on local management networks
- Routing to units from within corporate network
- Carrier management & access portal may provide additional security and monitoring features
- Requires VPN hardware and/or setup of MPLS circuits
- Account and technical setup overheads
- Remote users must access devices via the corporate network; this may present challenges to traveling "road warrior" type users
- May not be available from your carrier