More Novatel MiFi Hacking: Exceeding the 5 connection limit

Friday, August 27th, 2010 at 1:16 am | 68,730 views | trackback url
Tags: , , , , , ,

Novatel MiFi 2372After testing several different methods, I finally managed to get around the 5-client restriction on the Novatel MiFi 2372 I recently purchased from Amazon.

First, some background information:

The Novatel 2372 I purchased had “some minor issues“, and I was looking for a way to get at the firmware, or updated versions of the firmware, so I could address and hopefully fix these. I was more than happy to start rolling my own firmware, to put onto the device if necessary.

If you search the Interweb, there are hundreds of posts, blogs and webpages out there on how to tweak the MiFi device by making changes to the exported config.xml file and re-import it. Some of these work, some (even after making the changes), do not. One of them is the hard-coded limit on incoming device (client) connections on the MiFi itself… this is hard-locked at 5 connections, no matter how you modify the config.xml to support more.

You can however, update the number of DHCP addresses the DHCP server on the MiFi will give out, just not the number of incoming connections to the MiFi.

But I figured out a better way to solve this in a very clean and elegant way. Unfortunately, it involves a second router… but one with a LOT more functionality. This can probably be reproduced by a smaller router, but I used what I already had in my personal lab to create this working proof of concept.

Because I travel with all of this gear on my back (literally), I wanted to keep everything small, tight and light. I pack it all in a North Face Surge backpack (so far, the best backpack I’ve ever owned for computers and commuting) and carry it with me to/from work (a 2.5-hour train ride each way, every day; 5 hours total). I looked into the smaller “pocket” routers from Asus, D-Link, Linksys, Netgear and others to start with.

I started with two D-Link portable units; the D-Link DWL-G730AP and the D-Link DAP-1350.

Both of these D-Link models support multi-mode functionality with wireless router, access point, or wireless client mode. You can also power both of these access points directly via USB, which is a huge requirement in my case.

I have my entire kit down to one wire to the wall, and don’t want to relax that requirement. Anything I buy that I intend to travel with, has to support charging over USB, or be able to run from an external solar or battery solution.

While both of these models are small, light and capable… neither of them support “multi-mode wireless”. Multi-mode wireless means that the device can behave as a wireless client as well as a wireless Access Point.

Some devices don’t support multi-mode out of the box, but that functionality can be added by re-flashing with third-party firmware like DD-WRT or Tomato or others.

Next, I looked at the ASUS WL-330GE and the Netgear WGR101 units.

(Sorry, ASUS, I had to link to Amazon, because your site is so broken, I can’t find or link directly to any products on it. Please drop the unnecessary use of Flash and Javascript; it’s not helping you here).

These units were also small, light and powerful… but also lack the ability to do multi-mode as well.

Also, none of these devices can be re-flashed with DD-WRT, my choice for a replacement firmware to add increased functionality that the hardware supports, but the on-board vendor software does not. DD-WRT has a very large list of supported devices, and these are not on that list.

So, I fell back to an old staple, my Buffalo Wireless WHR-HP-G54 router, which I flashed with DD-WRT.

“DD-WRT is a Linux based alternative OpenSource firmware suitable for a great variety of WLAN routers and embedded systems. The main emphasis lies on providing the easiest possible handling while at the same time supporting a great number of functionalities within the framework of the respective hardware platform used.”

I had to flash my WHR with the latest v2.4 firmware to support “Universal Repeater Mode“. Universal Repeater Mode is where you have an access point (AP1) that you can place anywhere and it will wirelessly connect to, and then re-broadcast (“repeat”) the strongest signal onto another wireless network (with or without security). Unlike WDS, once you have this appliance setup, it will work with any open network.

I flashed the WHR, and then configured it as follows (full screenshots follow below, click to see full-size). In the instructions below, my MiFi is ‘router-1’, and my WHR is ‘router-2’.

  1. Plug your computer/laptop into the router (router-2) directly, using one of the wired ports. The router does not need to be connected to the Internet at all, just powered on. You’ll get a DHCP address from the router.
  2. Log into the router and change the IP of this router (router-2) to one that is on a different IP range from the one your MiFi (router-1) is configured for. For example, if your MiFi is on, put this router on Click “Save” to save the settings, then click “Apply Settings” to activate them. This will cause your connection to drop out temporarily, and reconnect you with a new DHCP address in the new IP range.
  3. Once you’re reconnected, log back into the GUI with the new IP and go to the “Security” -> “Firewall” tab. Temporarily set the “SPI Firewall” to “Enabled”, and uncheck all of the boxes. Click “Save”, then “Apply Settings”. In my configuration, I’ve enabled the firewall for ping, multicast and identd (as shown below). Choose whatever will work in your environment.

    dd-wrt Security -> Firewall
    (click to see full-size version)

  4. Next, go to the “Wireless” -> “Basic Settings”, and set Wireless Mode to “Repeater”.
  5. Under “Wireless Physical Interface”, set “Wireless Network Name (SSID)” to the network you wish to repeat. Mine is set to “Private Wireless” in the screenshot below; this is the exact name (SSID) that my MiFi is configured for.
    dd-wrt Wireless -> Basic
    (click to see full-size version)
  6. Set Network Configuration to “Bridged”, click on “Save”. The “Virtual Interfaces” section does not appear until you save the changes here.
  7. Click on “Add” under “Virtual Interfaces”, and enter an SSID for your public-facing SSID (I used “Free Wireless Internet” in the screenshot below). Set the AP Isolation to “disabled” and Network Configuration set to “Bridged”.

    dd-wrt Wireless -> Security
    (click to see full-size version)

  8. For faster latching to the MiFi, set the wireless channel to some numbered channel; specifically the same channel your MiFi is set to communicate on. If you set it to “Auto” here, it will take longer to associate and bridge to the MiFi. Click “Save” and then “Apply Settings” here to save and activate these settings.
  9. Go to “Wireless” -> “Wireless Security” and configure the wl0 interface (the vlan interface) to WPA2 Personal with a strong password. You can configure the wl0.1 (router-2) interface for whatever security you want to use. In my case, I left wl0.1 completely open, no encryption, to allow anyone within range to connect to my public-facing AP (router-2).
  10. Power on your MiFi and log into its web interface ( Here you’ll want to configure the MAC filter to only allow this router (router-2) to connect as the MiFi’s only wireless client. Since it’s secured with WPA2 and MAC filtering, you can be sure that nobody will log directly into your MiFi, bypassing your (router-2) universal router sitting behind it.
    MiFi WiFi MAC Filter
    (click to see full-size version)
  11. Now if you restart router-2 (public-facing WHR) and power-on router-1 (private, internal, MiFi), you’ll connect from router-2 -> router-1 -> 3G -> Internet. All wireless clients can connect directly to router-2, sending traffic back through router-1 to the live Internet.

This means that the WHR is the MiFi’s only wireless client (i.e. eating 1 out of 5 leases), but the WHR will accept and route ~253 individual clients, far exceeding the 5-device maximum imposed by the MiFi.

Here’s what the current lineup looks like…

(click to see full-size version)

Rev 3 of my design will compress this even smaller, perhaps into a single unit. I’m still working on the final design of that…

This works like a champ, and I’ve tested it on a busy Amtrak Acela train and in Penn Station in NYC…

If anyone has any questions about any steps here, or my configuration, let me know in the comments section below.

Good luck!

Last Modified: Sunday, March 6th, 2016 @ 04:00

8 Responses to “More Novatel MiFi Hacking: Exceeding the 5 connection limit”

  1. Hello, Mugen Power just released the 3300mAh Extended Battery for for Novatel Wireless MiFi 2352 and 2372, and 3600mAh Extended Battery for for Novatel/Verizon Wireless MiFi 2200.
    it should be last over 10 hours use with 1 charge!

    and if you visit their page on facebook, you can find a discount code:

  2. […] such a great router admin UI that you always learn something new with it. Thanks to Dave for this blogpost which has taught me how to do repeating of wireless signals using the Buffalo Wireless WHR-HP-G54 […]

  3. Haved you given any thought to using OpenVPN on your Buffalo to tunnel through the MiFi device and the 3G network to your VPN end point? I would be curious to read about this configuration as I am considering it.

  4. Thank you so much! This works perfectly on my Virgin Mobile MiFi 2200! It is exactly what I needed!

  5. Thank you so much! This works perfectly with my Virgin Mobile MiFi 2200 and Linksys WRT54G router with DD-WRT. This is exactly what I needed!

  6. […] at 8:39 pm | 2 views | trackback urlI fought this problem on the train into the city today, because my MiFi‘s hostname was not correctly reversing to it’s given IP (verified by dig) and Freenode […]

  7. […] a great set of instructions for how to “multiply” the port to allow wireless repeating here. The forum at DD-wrt is a good resource as welll for configuration issues and how to work around […]

  8. Does it give u an ip address for the wan ?
    I had it working for a brief time but not it is not traveling throu to the Internet. Where exactly would I find the wan connection status of it it is connected to my wifi.
    Thanks for the good post

Leave a Reply

You must be logged in to post a comment.

Bad Behavior has blocked 804 access attempts in the last 7 days.