Using T-Mobile Cellspot Safely

The T-Mobile Cellspot is a miniature Cell Tower for your home. If your cell service is bad at your home or other location and you are a T-Moble customer, they will “Give” you a Cellspot to use with a “Return Fee” in case you don’t eventually return it to them.

I don’t know for sure, but I think it uses the same protocols as the “Real” cell towers employed by T-Moble. The reason that I am guessing this is because the device requires “Open Ports”, which is a problem for most modern routers. Modern Routers do not “Open Ports” but rather use “Port Forwarding”. Here is the support page for the CellSpot. Notice the list of UDP ports that are required to be open.

“Open Ports:” mean that the firewall does nothing with traffic on those ports. The traffic passes directly onto the LAN – local area network. Modern routers do not support “Opening Ports”. Instead they support “Port Forwarding”.

“Port Forwarding” which modern routers provide, establishes a relationship between one or more LAN addresses and arriving packets with certain port numbers. This allows the router to know that the incoming packets are to be “forwarded” to the desired devices. This is not necessarily secure. And certainly “Open Ports” is not secure, since it allows attackers on the WAN – wide area network – to get up to any kind of mischief in attacking your home network.

And at this point your eyes are probably glazing over. Rather than showing your how to set up Port Forwarding on your router, or struggling with your ISP to do that, which they will probably refuse to do. Xfinity has no way to “Open Ports” in their router for you, apparently. This article provides another way to use the Cellspot.

In the following discussion I’m using Xfinity as an example of an ISP. The same discussion and requirements will apply regardless of your “Broadband” provider, whether it’s Cable, DSL or Fiber. Click on images below for a larger view and click on the X at the top right to close the image.

Alternate Scheme to Employ the Cell Spot

I’m assuming that you are using Xfinity internet service, that you have a Modem/ Router from Xfinity and that you can employ your own router in your home to provide WiFi and possibly wired internet connections to your devices. Also you will need an “Unmanaged Switch” in this case I’ve assumed a Netgear 5 port switch. Here are the components that we are talking about:

First Step

Ask Xfinity to turn off Wifi and the Firewall in the router. I don’t have their service, so I don’t know if you can do this. I had a service a while ago and they did that for me. If Xfinity cannot / will not do this for you, then purchasing a Modem without a router and installing that with Xfinity will solve the problem. A Modem has no firewall and no router function. It just provides an Ethernet directly to you home. You must use a “Router” with a firewall and WiFi with a Modem.

Once you have the Firewall turned off or a modem installed, you connect the Switch and Router to your Xfinity device. Also enable WiFi on your own router and change all your devices to use the WiFi on your own router rather than the Xfinity provided WiFi.

If you are using a Modem that has no router function you can skip the following step. Continue at Next Step for using a Modem.

LAN Addresses Must be Different

If you have the router opened up, this step can be tricky. The problem is that your router’s LAN addresses must be different from the LAN addresses assumed by the Xfinity router. LAN addresses are typically of the form 192.168.x.1-255 with the router being 192.168.x.1. The X is in the range 0-255 and the Xfinity router and your home router cannot use the same number for X.

You can tell what number the Xfinity router is using by looking at a device IP address. For same using CMD in windows to open a terminal and type ipconfig.

In this case the X is 1. Note that the IPv4 Address is and the Default Gateway – another name for the router – is

So before you connect your router to the xfinity device, check your IP address and note the X. Then connect your router directly to a computer or laptop using a Wire and use the Router’s configuration web page to check it’s LAN configuration. Here’s what my router’s LAN page looks like:

Notice the IP address. This can be changed to be different than the Xfinity router, but always use 192.168.x.1 and just replace the X with another number.

Next Step

Once your router is different from the Xfinity router and Xfinity has turned off the WiFi and Firewall [ Or you have a “Modem” installed” ] Now you can connect the devices as follows.

This connection allows the Cellspot to talk freely to the T-Mobile cellular network over the internet, and keeps you safe behind your personal WiFi router firewall. Which ports you use for which connection does not matter for the Switch. All the ports are the same and the function of the switch is to figure out who is connected to which port and forward the packets to the correct device.

At this point the Cellspot should begin working. Check the lights to see that it has found the cell provider service and is ready to operate.

I hope this helps if you want to use this device. I have no way to test this since I don’t have T-Mobile or Xfinity, but this is not my first time at the Rodeo.

Why So Strange?

Why, you might ask, is the CellSpot so strange or different than modern practice. Well I think the dirty little secret about the Cellspot is that it is actually a real, but miniature “Cell Tower” and that all Cell Towers talk this way over the Internet to their “providers”.

Of course a cell tower would not work with a NAT router. We might be surprised to find out that the Cell Towers are actually out there naked on the internet, but they were probably designed with only minimal security in mind since they were designed before the modern era of Cyber Security problems have arisen. I have not yet heard of the cellular phone network being attacked, but I would not be surprised to find soon that it has been.

The point of this article is to use the Cellspot in a safe way in your home or business so that it does not cause security problems for you.