Followup, Enabling Failover using a Netgear LB1121-100NAS (review below):

The basic failover configuration is documented here:

WAN Failover
https://doc.astlinux-project.org/userdoc:tt_wan_failover

Since most 4G/LTE providers only support outbound-only (NAT'ed), IPv4-only, dynamic IPv4 address networks, any basic failover configuration over 4G/LTE must deal with those constraints.

But, there is another way ...

Enhanced WAN Failover using WireGuard:

If you are able to run a second AstLinux instance (or most any distro with WireGuard) on a static IPv4 address you can establish an always-up WireGuard VPN over the 4G/LTE connection. When idle the VPN consumes less than 0.5 MB/day of data.

With this setup, both IPv4 and IPv6 can be supported as well as allowing inbound traffic to the failover.

When failover occurs, all the IPv4/IPv6 traffic is sent over the WireGuard VPN to the "Static" WireGuard endpoint. To be clear, while the WireGuard VPN is established over IPv4-only, the tunnel can simultaneously transport IPv4 and IPv6.

Example:

AstLinux "4G/LTE": Cable/DSL Modem on external interface and 4G/LTE Modem on failover interface.
--
Internal 1st LAN IPv4: 192.168.101.1/255.255.255.0
Internal 1st LAN IPv6: fda6:a6:a6:d2::1/64
WireGuard IPv4: 10.4.1.10/255.255.255.0
WireGuard IPv6: fda6:a6:a6:ff::10/64
IPv6 ULA/NPTv6: fda6:a6:a6::/56

AstLinux "Static": Static IPv4 (or IPv4/IPv6) on external interface.
--
Routable Public IPv4: 1.2.3.4
WireGuard IPv4: 10.4.1.1/255.255.255.0
WireGuard IPv6: fda6:a6:a6:ff::1/64
IPv6 ULA/NPTv6: fda6:a6:a6::/56

==
AstLinux "4G/LTE" Endpoint Configuration

Network tab -> WireGuard Configuration:
Tunnel Options:
  IPv4 Address: 10.4.1.10
  IPv4 NetMask: 255.255.255.0
  IPv6/nn Address: fda6:a6:a6:ff::10/64

-- /mnt/kd/wireguard/peer/wg0.peer snippet --
[Peer]
## 4G/LTE Endpoint
PublicKey = <For Static Endpoint>
Endpoint = 1.2.3.4:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
--

Network tab -> WAN Failover Configuration:
WAN Failover:
  Failover: [enabled]
  Secondary Gateway IPv4: 10.4.1.1
  Secondary Gateway IPv6: fda6:a6:a6:ff::1
External Failover Interface:
  Connection Type: [DHCP]
External Failover Destination Routes:
  IPv4 Routes: 192.168.5.0/24 1.2.3.4

Network tab -> Firewall Configuration:
Firewall Options:
  _x_ Allow WireGuard VPN tunnel to the [1st] LAN Interface(s)

==
AstLinux "Static" Endpoint Configuration

Network tab -> WireGuard Configuration:
Tunnel Options:
  IPv4 Address: 10.4.1.1
  IPv4 NetMask: 255.255.255.0
  IPv6/nn Address: fda6:a6:a6:ff::1/64

-- /mnt/kd/wireguard/peer/wg0.peer snippet --
[Peer]
## Static Endpoint
PublicKey = <For 4G/LTE Endpoint>
AllowedIPs = 10.4.1.10/32, 192.168.101.0/24, fda6:a6:a6:ff::10/128, fda6:a6:a6:d2::/64
--

-- /mnt/kd/rc.conf.d/user.conf snippet --
NAT_FOREIGN_NETWORK="192.168.101.0/24"
--
==

I personally tested this scenario and it worked as expected.

Note that one AstLinux "Static" server can support many remote failover AstLinux "4G/LTE" boxes.

Tip: if you have shell access to AstLinux "Static", 'ssh root@10.4.1.10' will access AstLinux "4G/LTE" over the VPN connection, regardless if failover is active.

Lonnie

==================================

Per a post by Michael Knill "4G backup" I purchased a Netgear LB1121-100NAS (North America) supporting PoE and includes a power adapter.

LTE Modem LB1120 and LB1121 User Manual
https://www.downloads.netgear.com/files/GDC/LB1120/LB112x_UM_EN.pdf

Overall, I'm pleased with the LB1121, the PoE is good to have, makes easy positioning for good reception.

I also tested the Netgear 6000450 MIMO Antenna, it can add 1-bar, but with no antenna and 4 out of 5 bars sitting on the lab bench I was able to get 90/20 Mbps (down/up) on a speed test. If a person were to mount the modem on a wall next to a window, the antenna would be useful to reach over and place on the glass.

I tested with "Ting", an MVNO (Mobile Virtual Network Operator) for T-Mobile's GSM network. I ordered a GSM SIM card from Ting, the Netgear LB1121 comes with an empty SIM slot.

I connected the Netgear LB1121 to a spare ethernet interface, Network tab -> Failover Interface: [eth2] and also ...

-- Network tab -> WAN Failover Configuration: --
External Failover Interface:
  Connection Type: [DHCP]
External Failover Destination Routes:
  IPv4 Routes: 192.168.5.0/24
--

If you change the LB1121's IPv4 address, also change the above IPv4 Routes: as this is required when the LB1121 is set to "Bridge Mode".

Note: WAN Failover is disabled at this point in time. We are now simply defining a 2nd external interface.

With Ting I needed to edit the APN ...
--
Ting (GSM) T-Mobile
APN: wholesale
--
and the LB1121 easily allows for that via the web interface, which defaults to http://192.168.5.1

Firmware updates are via the web interface, but you must have a SIM card activated and installed to perform an upgrade over the GSM network.

Web interface password changes don't ask for a match, so a typo requires a reset to factory defaults to fix it. But overall, the web interface is nicely done.

After I got the LB1121 configured as desired, working, and firmware upgraded, I then switched to "Bridge Mode". Depending on your 4G/LTE carrier, your DHCP will acquire a publicly routable IPv4 address or an address that looks public but is actually behind NAT.

BTW: Ting/T-Mobile uses odd "private" address ranges like 25.0.0.0/8 (UK Ministry of Defense) and 100.128.0.0/9 (T-Mobile), they look publicly routable, but they are NAT'ed to a different public address :-(

On a PoE 802.3af switch, the LB1121 draws 1.1 Watts, cool to the touch.

The main issues are the 4G/LTE networks, the Ting MVNO for T-Mobile is IPv4 only, and NAT'ed even when in bridge mode. So a true failover is difficult to do, but by limiting your failover requirements this can still be useful.

Below is one such technique using WireGuard VPN. I have a test AstLinux box talking to my main AstLinux box over WireGuard over 4G/LTE ... works nicely. Though "PersistentKeepalive = 25" is required to deal with the NAT and dynamic addressing.

FYI: Interestingly, the WireGuard overhead even with a keepalive every 25 seconds results in 454 KB/day of data, which at $10/GB is only 0.00454 $/day.

==
Dynamic 4G/LTE Modem Endpoint
-- WireGuard IPv4 10.4.1.10/255.255.255.0 --
[Peer]
## 4G/LTE Endpoint
PublicKey = <For Static Endpoint>
Endpoint = 1.2.3.4:51820
AllowedIPs = 10.4.1.1/32
PersistentKeepalive = 25
--

-- Network tab -> WAN Failover Configuration: --
External Failover Interface:
  Connection Type: [DHCP]
External Failover Destination Routes:
  IPv4 Routes: 192.168.5.0/24 1.2.3.4
--

==
Static IPv4 1.2.3.4 Endpoint
-- WireGuard IPv4 10.4.1.1/255.255.255.0 --
[Peer]
## Static Endpoint
PublicKey = <For 4G/LTE Endpoint>
AllowedIPs = 10.4.1.10/32
--

iperf3 test across the VPN ...

4G/LTE ~ # iperf3 -s

Static ~ # iperf3 -c 10.4.1.10 -u
Connecting to host 10.4.1.10, port 5201
[  5] local 10.4.1.1 port 37415 connected to 10.4.1.10 port 5201
[ ID] Interval           Transfer     Bitrate         Total Datagrams
[  5]   0.00-1.00   sec   128 KBytes  1.05 Mbits/sec  96
...
[  5]   9.00-10.00  sec   128 KBytes  1.05 Mbits/sec  96
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Jitter    Lost/Total Datagrams
[  5]   0.00-10.00  sec  1.25 MBytes  1.05 Mbits/sec  0.000 ms  0/959 (0%)  sender
[  5]   0.00-10.16  sec  1.25 MBytes  1.03 Mbits/sec  2.543 ms  0/959 (0%)  receiver

Typical ping times: 100-400 ms

Note that without the VPN there would be no way to reach "4G/LTE" from "Static" with the network NAT issues described above.

So with a Netgear LB1121 4G/LTE Modem, by using this WireGuard VPN technique on the "Failover Interface" (2nd External) your public server on 1.2.3.4 will be able to access a remote AstLinux box via 4G/LTE.

Lonnie
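
The two peer snippets in the enhanced failover setup only work as a pair: the "Static" side's AllowedIPs must cover every inner source address the "4G/LTE" box sends, and the "4G/LTE" side needs both default routes, a keepalive, and the endpoint listed in the failover destination routes. The Python below is an added example, not part of the posts above or of AstLinux; the function names are hypothetical and the inline snippets are constructed from the example values in the post.

```python
import configparser
import ipaddress

# Constructed inputs: the post's example values, with placeholder keys.
LTE_PEER = """[Peer]
PublicKey = <For Static Endpoint>
Endpoint = 1.2.3.4:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
"""
STATIC_PEER = """[Peer]
PublicKey = <For 4G/LTE Endpoint>
AllowedIPs = 10.4.1.10/32, 192.168.101.0/24, fda6:a6:a6:ff::10/128, fda6:a6:a6:d2::/64
"""
LTE_SOURCES = ["10.4.1.10/32", "192.168.101.0/24",
               "fda6:a6:a6:ff::10/128", "fda6:a6:a6:d2::/64"]
FAILOVER_ROUTES = ["192.168.5.0/24", "1.2.3.4"]

def parse_peer(text):
    # Hypothetical helper: parse one [Peer] snippet, AllowedIPs become networks.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep WireGuard's mixed-case key names
    cp.read_string(text)
    peer = dict(cp["Peer"])
    peer["AllowedIPs"] = [ipaddress.ip_network(n.strip())
                          for n in peer["AllowedIPs"].split(",")]
    return peer

def covered(net, allowed):
    net = ipaddress.ip_network(net)
    return any(net.version == a.version and net.subnet_of(a) for a in allowed)

def audit(lte, static, lte_sources, failover_routes):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    # Static side: AllowedIPs filters which inner source addresses are accepted.
    for src in lte_sources:
        if not covered(src, static["AllowedIPs"]):
            problems.append(f"static peer drops traffic sourced from {src}")
    # 4G/LTE side: sending all failover traffic into the tunnel needs both defaults.
    for default in ("0.0.0.0/0", "::/0"):
        if not covered(default, lte["AllowedIPs"]):
            problems.append(f"4G/LTE peer does not route {default} into the tunnel")
    # The NAT'ed, dynamically addressed side needs a keepalive.
    if int(lte.get("PersistentKeepalive", 0)) <= 0:
        problems.append("4G/LTE peer has no PersistentKeepalive")
    # The post lists the tunnel endpoint in the failover destination routes.
    host = lte["Endpoint"].rsplit(":", 1)[0]  # IPv4 endpoint, as in the post
    if not covered(host, [ipaddress.ip_network(r) for r in failover_routes]):
        problems.append(f"endpoint {host} missing from failover destination routes")
    return problems
```

Run against the earlier review's "Static" peer (AllowedIPs = 10.4.1.10/32 only), the audit reports the LAN and IPv6 sources as dropped, which matches that configuration carrying only tunnel-address traffic.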