05_lab_5g_nsa_docker
Part 5: 5G NSA - Guided Lab Path
Learning Objective: Understand what part of a 5G NSA lab is Docker-friendly, what part is still conceptual, and how to build a clean NSA workspace without confusing it with the fully runnable 5G SA lab in Part 6.
This note is a guided bridge, not a full UERANSIM lab. You can build the EPC side of NSA with Docker, but you cannot do a genuine end-to-end NSA / EN-DC lab with UERANSIM alone.
Keep the documentation in this repo, but keep the working lab files in ~/Documents/mobility_lab/5g_nsa to avoid filling repo storage.
UERANSIM only supports 5G SA. It does not provide an LTE eNB, a dual-mode NSA UE, or EN-DC coordination. For a real NSA lab, you need srsRAN 4G or another LTE / NSA-capable RAN stack.
Table of Contents
- Read This First
- Recommended Path
- Workspace Setup
- Supported Milestone on This Host
- NSA Architecture at a Glance
- Docker-Side Service Blueprint
- Start the Supported EPC-Side Stack
- Register a Subscriber
- Verify the Stack
- Optional Linux User-Plane Profile
- What This Still Does Not Give You
- Security Comparison: NSA vs SA
- When You Are Ready for a Real NSA Lab
- Summary
Read This First
The easiest way to stay unconfused is to separate three different goals:
| Goal | Status | Best Path |
|---|---|---|
| Learn the core network side of NSA | ✅ Runnable enough to study | Build the EPC-side Docker stack in ~/Documents/mobility_lab/5g_nsa |
| Compare NSA vs SA behavior and architecture | ✅ Strong learning path | Read this part together with Part 4 and Part 6 |
| Run true end-to-end NSA / EN-DC | ❌ Not with UERANSIM | Add srsRAN 4G or another EN-DC-capable RAN |
The shortest honest answer
- NSA reuses the 4G EPC.
- The Docker part of NSA looks much closer to Part 4 than Part 6.
- The missing piece is the RAN side: LTE eNB + dual-mode UE + EN-DC coordination.
Recommended Path
If your goal is to learn NSA without wasting time, use this order:
- Build and understand the EPC services that NSA depends on.
- Compare them against the 5G SA core from Part 6.
- Use the external compose file in ~/Documents/mobility_lab/5g_nsa/docker-compose.yml as your Docker-side NSA blueprint.
- Only after that, decide whether you want to add srsRAN 4G for a real LTE / NSA-adjacent RAN path.
Think of this lab as "prepare the packet core side of NSA first", not "pretend UERANSIM can do NSA".
Workspace Setup
The repo stays clean. The actual lab workspace lives outside it:
mkdir -p ~/Documents/mobility_lab/5g_nsa/{config,freeDiameter,log}
cd ~/Documents/mobility_lab/5g_nsa
Paths used in this part
| Item | Location |
|---|---|
| This documentation note | Published/4_Threat Modeling/Mobility/open5gs_lab/05_lab_5g_nsa_docker.md |
| Helper setup script | Published/4_Threat Modeling/Mobility/open5gs_lab/05_lab_5g_nsa_setup.sh |
| External compose file | ~/Documents/mobility_lab/5g_nsa/docker-compose.yml |
| Local configs | ~/Documents/mobility_lab/5g_nsa/config/ |
| freeDiameter configs | ~/Documents/mobility_lab/5g_nsa/freeDiameter/ |
| Logs | ~/Documents/mobility_lab/5g_nsa/log/ |
Docker Desktop target
Use the Docker Desktop disk image size you asked for:
- Disk image size: 80 GB
- Suggested memory: 16 GB
- Suggested CPUs: 6-8
This gives you enough room for the 4G EPC side, the 5G SA lab, and a local kind cluster without storing those artifacts inside the repo.
Current workspace contents
The external workspace now contains:
- docker-compose.yml
- config/hss.yaml
- config/pcrf.yaml
- config/mme.yaml
- config/sgwc.yaml
- config/sgwu.yaml
- config/smf.yaml
- config/upf.yaml
- freeDiameter/hss.conf
- freeDiameter/pcrf.conf
- freeDiameter/mme.conf
- freeDiameter/smf.conf
Supported Milestone on This Host
Current implementation decision: on this macOS host, the supported milestone is a working EPC-side / control-plane NSA study lab. The full user-plane path remains a Linux-oriented extension.
What is verified here
The following services are up and usable from ~/Documents/mobility_lab/5g_nsa:
- mongodb
- webui
- hss
- pcrf
- mme
- sgwc
- smf
The following were also tested from the running stack:
- WebUI responds on http://localhost:9999
- HSS <-> MME Diameter association comes up
- PCRF <-> SMF Diameter association comes up
- MME listens on S1AP 36412
What is not the supported baseline on this Mac
The gradiant/open5gs* images run here under linux/amd64 emulation. The EPC-side control plane works, but the upf path tries to create ogstun with ip tuntap add, which Docker Desktop on this host does not allow cleanly. Because of that:
- the default supported baseline is control-plane/EPC-side study
- the deeper user-plane profile is documented as optional and Linux-oriented
- the deeper RAN/EN-DC path still requires srsRAN 4G or equivalent
NSA Architecture at a Glance
graph TB
UE[UE<br/>Dual-mode LTE + NR]
subgraph "RAN"
eNB[eNB<br/>Master Node]
gNB[gNB<br/>Secondary Node]
end
subgraph "4G EPC reused by NSA"
MME[MME]
HSS[HSS]
PCRF[PCRF]
SGWC[SGW-C]
SGWU[SGW-U]
SMF[PGW-C / SMF]
UPF[PGW-U / UPF]
end
UE -->|LTE control + data| eNB
UE -.->|NR data boost| gNB
gNB -.->|X2 / coordination| eNB
eNB -->|S1-MME| MME
eNB -->|S1-U| SGWU
gNB -.->|S1-U or X2 path| SGWU
MME --> HSS
MME --> SGWC
SGWC --> SGWU
SGWC --> SMF
SMF --> PCRF
SMF --> UPF
style eNB fill:#ffe1e1
style gNB fill:#e1f0ff
style MME fill:#f0e1ff
style SGWU fill:#ffe1f0
style UPF fill:#fff0e1
Core idea
- eNB is still the control-plane anchor
- gNB adds NR capacity
- EPC stays in place
- This is why NSA is operationally closer to LTE than to full 5G SA
Docker-Side Service Blueprint
The external file at ~/Documents/mobility_lab/5g_nsa/docker-compose.yml is the Docker side of the lab.
What it represents
| Service | Role in NSA |
|---|---|
| mongodb | Subscriber database backend |
| webui | Subscriber management |
| hss | LTE subscriber/auth database |
| pcrf | Policy control |
| mme | LTE mobility and control-plane anchor |
| sgwc | Serving Gateway control plane |
| sgwu | Serving Gateway user plane (linux-userplane profile) |
| smf | Acts as PGW-C in EPC terminology |
| upf | Acts as PGW-U / user-plane egress (linux-userplane profile) |
Why this matters
This service list is the answer to the most common NSA confusion:
- You do not start with AMF / NRF / AUSF
- You start with MME / HSS / SGW / PGW-style EPC functions
- The RAN is what makes it NSA, not a 5G SA core
Start the Supported EPC-Side Stack
From the external workspace:
cd ~/Documents/mobility_lab/5g_nsa
# supported control-plane / EPC-side baseline
docker compose up -d mongodb hss pcrf smf sgwc mme webui
# check status
docker compose ps
Expected baseline:
- mongodb, webui, hss, pcrf, smf, sgwc, and mme should be Up
- webui should answer on http://localhost:9999
Stop the supported baseline
cd ~/Documents/mobility_lab/5g_nsa
docker compose down --remove-orphans
Why this order works
- MongoDB must be ready before HSS and PCRF
- HSS and PCRF must be up before MME and SMF establish Diameter peers
- MME, SGW-C, and SMF then expose the EPC-side control-plane path you want to study
Register a Subscriber
Use the WebUI:
- Open http://localhost:9999
- Login with:
  - Username: admin
  - Password: 1423
- Go to Subscribers
- Click Add
- Use a starter subscriber such as:
  - IMSI: 001010000000001
  - K: 465B5CE8B199B49FAA5F0A2EE238A6BC
  - OPc: E8ED289DEBA952E4283B54E88E6183CA
  - APN/DNN: internet
Why this still matters without a full NSA RAN
Even before you add a real eNB / UE path, this lets you study:
- HSS-backed subscriber state
- Diameter-based auth dependencies
- PCRF policy relationships
- EPC control-plane behavior
Verify the Stack
Check container health
cd ~/Documents/mobility_lab/5g_nsa
docker compose ps
Check Diameter peerings
cd ~/Documents/mobility_lab/5g_nsa
# HSS <-> MME
docker compose logs mme | grep -i "connected"
docker compose logs hss | grep -i "connected"
# PCRF <-> SMF
docker compose logs smf | grep -i "connected"
docker compose logs pcrf | grep -i "connected"
Expected signals:
- CONNECTED TO 'hss.gradiant'
- CONNECTED TO 'mme.gradiant'
- CONNECTED TO 'pcrf.gradiant'
- CONNECTED TO 'smf.gradiant'
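The four greps above can be folded into one pass that names the association that failed. This is an added example, not part of the original lab files; the function names and the sample log lines are constructed, and only the `CONNECTED TO '<peer>'` strings come from this note.

```shell
#!/bin/sh
# Added example. Service -> Diameter peer its log should report, taken from
# the expected signals listed in this note.
EXPECTED="mme:hss.gradiant hss:mme.gradiant smf:pcrf.gradiant pcrf:smf.gradiant"

# Succeeds if the log on stdin reports a connection to peer $1.
# -F keeps the dots in the peer name literal; -i mirrors the grep -i used above.
has_peer() {
    grep -qiF "CONNECTED TO '$1'"
}

# missing_peerings FETCH
# FETCH is a function that prints the log of the service named in its first
# argument. Prints one "service->peer" line per association that was never
# seen; empty output means all four associations came up.
missing_peerings() {
    fetch=$1
    for pair in $EXPECTED; do
        svc=${pair%%:*}
        peer=${pair#*:}
        "$fetch" "$svc" 2>&1 | has_peer "$peer" || printf '%s->%s\n' "$svc" "$peer"
    done
}

# Live fetcher: run from ~/Documents/mobility_lab/5g_nsa.
compose_logs() {
    docker compose logs --no-color "$1"
}

# Constructed sample logs (not captured from a real run): PCRF never reports SMF.
sample_logs() {
    case $1 in
        mme)  echo "mme-1  | [diam] INFO: CONNECTED TO 'hss.gradiant' (TCP,soc#7)" ;;
        hss)  echo "hss-1  | [diam] INFO: CONNECTED TO 'mme.gradiant' (TCP,soc#9)" ;;
        smf)  echo "smf-1  | [diam] INFO: CONNECTED TO 'pcrf.gradiant' (TCP,soc#8)" ;;
        pcrf) echo "pcrf-1 | [app] INFO: PCRF initialize...done" ;;
    esac
}

# Against the running stack:  missing_peerings compose_logs
# On the constructed sample:  missing_peerings sample_logs
```

A one-sided result, such as SMF reporting PCRF while PCRF never reports SMF, points at the side whose log is missing the line.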
Check MME readiness
cd ~/Documents/mobility_lab/5g_nsa
docker compose logs mme | grep -iE "s1ap|36412|initialize"
You should see MME listening on S1AP and completing initialization.
Check WebUI reachability
curl -I http://localhost:9999
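The WebUI in this lab accepts the default login shown earlier, so its port should only be reachable from the lab host itself. The following added check (not part of the original lab files) flags any published port bound to a non-loopback address; the container names and port bindings in the sample are constructed, since this note does not show how the compose file publishes ports.

```shell
#!/bin/sh
# Added example. Reads "NAME PORTS" lines in the layout produced by
#   docker ps --format '{{.Names}} {{.Ports}}'
# and prints every published binding whose host address is not loopback.
exposed_bindings() {
    awk '{
        name = $1
        for (i = 2; i <= NF; i++) {
            b = $i
            sub(/,$/, "", b)                 # drop the list separator
            if (b !~ /->/) continue          # container-only port, not published
            host = b
            sub(/:[0-9-]+->.*$/, "", host)   # keep only the host address part
            if (host != "127.0.0.1" && host != "[::1]" && host != "::1") { print name, b }
        }
    }'
}

# Constructed sample of docker ps output (names and bindings are assumptions).
sample_ps() {
    cat <<'EOF'
5g_nsa-webui-1 0.0.0.0:9999->9999/tcp, [::]:9999->9999/tcp
5g_nsa-mme-1 127.0.0.1:36412->36412/sctp
5g_nsa-mongodb-1 27017/tcp
EOF
}

# Live check:    docker ps --format '{{.Names}} {{.Ports}}' | exposed_bindings
# Sample check:  sample_ps | exposed_bindings
```

Any line it prints is a service reachable from other hosts on the network; rebinding that port to 127.0.0.1 in the compose file keeps the lab local.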
Optional Linux User-Plane Profile
The compose file includes a profile named linux-userplane for:
- sgwu
- upf
Start it only when you are on a host where the Open5GS user-plane TUN setup is supported:
cd ~/Documents/mobility_lab/5g_nsa
docker compose --profile linux-userplane up -d sgwu upf
On this macOS Docker Desktop host, the upf path is not the supported baseline because the image tries to create ogstun with ip tuntap add and Docker Desktop does not permit that flow cleanly here.
That means the practical split is:
- macOS baseline = EPC-side control-plane study
- Linux extension = deeper user-plane testing
What This Still Does Not Give You
Even with Docker set up correctly, these pieces are still missing:
| Missing Piece | Why It Matters | Typical Tool |
|---|---|---|
| LTE eNB | NSA control plane still anchors on LTE | srsRAN 4G |
| Dual-mode UE | NSA UE must speak LTE and NR | srsUE or commercial test UE |
| EN-DC coordination | eNB and gNB must coordinate bearer / radio behavior | EN-DC-capable RAN stack |
| Real X2 / Xn behavior | Needed for realistic NSA signaling flow | LTE + NR capable simulator |
Practical reading of this lab
This part now gives you a clean and honest staging point:
- Docker for the EPC side
- Documentation for the NSA differences
- A clear boundary showing what must be added later
Security Comparison: NSA vs SA
| Topic | NSA | SA |
|---|---|---|
| Control-plane anchor | MME | AMF |
| Subscriber privacy | LTE-era exposure model | SUCI-based protection in 5G |
| Inter-NF protocols | Diameter + GTP-C + PFCP | SBA HTTP/2 + PFCP |
| Service discovery | Static / point-to-point | NRF-based |
| Slice awareness | Limited / effectively absent at EPC layer | Native 5G core support |
| Operational risk | Legacy protocol debt remains | Newer stack, larger SBA surface |
Security lens
NSA is not just "5G but older." It often means:
- new radio
- old core assumptions
- more interworking edges
- more downgrade / exposure opportunities
That is why it remains interesting from a telecom threat-modeling perspective.
When You Are Ready for a Real NSA Lab
Use this sequence:
- Keep Docker Desktop sized for the lab and keep your lab files in ~/Documents/mobility_lab.
- Use the verified EPC-side baseline first.
- Move to Linux for user-plane-heavy work if you need deeper packet-core realism.
- Add srsRAN 4G with ZMQ if you want a software-only LTE path.
- Treat gNB / EN-DC support as the real maturity step, because that is the piece UERANSIM cannot give you.
Reference material
| Resource | URL |
|---|---|
| srsRAN 4G GitHub | https://github.com/srsran/srsRAN_4G |
| Open5GS + srsRAN LTE tutorial | https://open5gs.org/open5gs/docs/tutorial/02-srsran-4g/ |
| srsRAN Project Docker examples | https://github.com/srsran/srsRAN_Project/tree/main/docker |
Summary
- ✅ Reframed NSA as a guided lab path
- ✅ Separated Docker-possible work from RAN-missing work
- ✅ Moved the real workspace target to ~/Documents/mobility_lab/5g_nsa
- ✅ Added a working EPC-side control-plane baseline
- ✅ Documented the Linux-only user-plane extension
- ✅ Kept the lab aligned with the truth: NSA reuses EPC, not the 5G SA core