Menu
▾
▴
Re: [Astlinux-users] WAN Failover using Netgear LB1121 4G/LTE Modem
|
From: David K. <da...@ke...> - 2018-05-28 23:48:49
|
Michael, Easy... up here in the US northeast we get storms that take out power and network rather regularly. Where I live both are delivered by overhead wires and a tree down takes out power and internet. We just got hit by a storm two weeks ago that cut service to over 100,000 customers in over half-a-dozen counties in Connecticut. It took electricity company 48 hours to restore power to me, and Comcast cable 7 days to restore internet service (some people in my town were without power for 7 days). This happens somewhat regularly, at least once or twice a year, that I have a large Battery UPS (will run 8 hours for my essential network services) and a gas powered backup generator. This last incident was the final straw for me... I have bought the LB1121 and setup WAN failover. All my voice and alarm services go over internet, so I consider it an essential service (though the FCC would not agree... only POTS is considered an essential service by them, that is so 20th century -- but politics and lobbying will keep it that way). David On Mon, May 28, 2018 at 6:08 PM, Michael Knill < mic...@ip...> wrote: > Hi Lonnie > > So what are you trying to solve with Asterisk failover? > > Regards > Michael Knill > > On 28/5/18, 10:00 pm, "Lonnie Abelbeck" <li...@lo...> > wrote: > > Hi Michael, > > Yes, you can use OpenVPN and WireGuard at the same time, no problem. > I do. > > WireGuard is much faster / more efficient than OpenVPN, mostly since > it resides in the kernel and can use multiple cores. Here are some > benchmarks I posted to the WireGuard mailing list: > > https://lists.zx2c4.com/pipermail/wireguard/2017-December/002204.html > > There are user-space implementations of WireGuard, written in Golang, > starting to appear for testing, but for non-Linux endpoints I would stick > with OpenVPN for now. > > BTW, I currently have WAN Failover on my production AstLinux box using > the Netgear LB1121 4G/LTE over WireGuard VPN to a Linode KVM running > AstLinux. Working is dual stack IPv4/IPv6 failover for the AstLinux box > itself and any internal network of my choosing. I have outbound Asterisk > failover working, but that is still a work in progress, not sure the best > method yet. > > Lonnie > > > > > > On May 28, 2018, at 5:03 AM, Michael Knill < > mic...@ip...> wrote: > > > > Hi group > > > > Im ready to do some testing. > > I have a number of sites that are set up as OpenVPN Servers. Should > there be any issues using Wireguard as well? > > PS I just looked up Wireguard and I cant believe the difference in > benchmarks to Open VPN. That's crazy! > > > > Regards > > Michael Knill > > > > On 24/5/18, 9:23 am, "Michael Knill" <michael.knill@ipcsolutions. > com.au> wrote: > > > > Thanks Lonnie. I don't have a specific scenario yet but handy to > know its possible. > > > > Regards > > Michael Knill > > > > On 24/5/18, 8:54 am, "Lonnie Abelbeck" <li...@lo...> > wrote: > > > > Michael, > > > >> So are you saying that you can configure a second external > interface and the associated routing to it with the Failover Tab but just > leave Failover disabled? > > > > Yes, "External Failover Destination Routes:" automatically > defines static routes, automatically removed and added for DHCP changes. > > > > > >> If so, I assume it uses the same EXT firewall rules? > > > > Yes. There is a way to treat EXTIF and EXT2IF firewall rules > differently, but the same is usually OK. > > > > Lonnie > > > > > > > >> On May 23, 2018, at 5:17 PM, Michael Knill < > mic...@ip...> wrote: > >> > >> Hi Lonnie > >> > >> So are you saying that you can configure a second external > interface and the associated routing to it with the Failover Tab but just > leave Failover disabled? > >> If so, I assume it uses the same EXT firewall rules? > >> > >> Regards > >> Michael Knill > >> > >> On 22/5/18, 8:59 am, "Lonnie Abelbeck" <li...@lo...> > wrote: > >> > >> Hi Michael, > >> > >>> I noticed you also pass the VPN traffic to the site LAN > >> > >> Yes, I tried to implement the general case, easy to remove stuff. > >> > >>> the VPN would normally just be used for voice traffic and > management only. > >> > >> In that case "External Failover Destination Routes: IPv4 Routes:" > could define all the destination routes you need without "Failover" enabled > ... and let Asterisk dynamically choose the SIP route. Handling inbound > calls over the 4G/LTE VPN would also be possible. > >> > >> > >> All seems to work well, the only fundamental issue may be the > latency of 4G/LTE for SIP traffic ... though clearly much better than no > traffic. > >> > >> Lonnie > >> > >> > >> > >> > >>> On May 21, 2018, at 5:36 PM, Michael Knill < > mic...@ip...> wrote: > >>> > >>> Thanks Lonnie you beat me to it. > >>> Interestingly one of my partners is using Asterisk as their > Softswitch and they were thinking of setting up a single VPN Tunnel to the > SoftSwitch for voice traffic and so everything still works on both the > primary and failover links. There should be no failover scripts required! > >>> > >>> I noticed you also pass the VPN traffic to the site LAN but this > would not actually be required in practice as the VPN would normally just > be used for voice traffic and management only. On all VPN connections that > run voice traffic I set directmedia=no in sip.conf. PS I actually now use a > directmedia ACL on the VPN subnet so I don't need to configure anything. > E.g. > >>> > >>> directmedia=yes > >>> directmediapermit=0.0.0.0/0 > >>> directmediadeny=<VPN Subnet> > >>> > >>> Thanks again Lonnie for testing. Im looking forward to > implementing it. > >>> > >>> Regards > >>> Michael Knill > >>> > >>> On 22/5/18, 6:59 am, "Lonnie Abelbeck" <li...@lo...> > wrote: > >>> > >>> Followup, Enabling Failover using a Netgear LB1121-100NAS (review > below): > >>> > >>> The basic failover configuration is documented here: > >>> > >>> WAN Failover > >>> https://doc.astlinux-project.org/userdoc:tt_wan_failover > >>> > >>> Since most 4G/LTE providers only support outbound-only (NAT'ed), > IPv4-only, dynamic IPv4 address networks, any basic failover configuration > over 4G/LTE must deal with those constraints. > >>> > >>> But, there is another way ... > >>> > >>> Enhanced WAN Failover using WireGuard: > >>> > >>> If you are able to run a second AstLinux instance (or most any > distro with WireGuard) on a static IPv4 address you can establish an > always-up WireGuard VPN over the 4G/LTE connection. When idle the VPN > consumes less than 0.5 MB/day of data. > >>> > >>> With this setup, both IPv4 and IPv6 can be supported as well as > allowing inbound traffic to the failover. When failover occurs, all the > IPv4/IPv6 traffic is sent over the WireGuard VPN to the "Static" WireGuard > endpoint. > >>> > >>> To be clear, while the WireGuard VPN is established over > IPv4-only, the tunnel can simultaneously transport IPv4 and IPv6. > >>> > >>> Example: > >>> > >>> AstLinux "4G/LTE": Cable/DSL Modem on external interface and > 4G/LTE Modem on failover interface. > >>> -- > >>> Internal 1st LAN IPv4: 192.168.101.1/255.255.255.0 > >>> Internal 1st LAN IPv6: fda6:a6:a6:d2::1/64 > >>> WireGuard IPv4: 10.4.1.10/255.255.255.0 > >>> WireGuard IPv6: fda6:a6:a6:ff::10/64 > >>> IPv6 ULA/NPTv6: fda6:a6:a6::/56 > >>> > >>> AstLinux "Static": Static IPv4 (or IPv4/IPv6) on external > interface. > >>> -- > >>> Routable Public IPv4: 1.2.3.4 > >>> WireGuard IPv4: 10.4.1.1/255.255.255.0 > >>> WireGuard IPv6: fda6:a6:a6:ff::1/64 > >>> IPv6 ULA/NPTv6: fda6:a6:a6::/56 > >>> > >>> > >>> == AstLinux "4G/LTE" Endpoint Configuration > >>> > >>> Network tab -> WireGuard Configuration: > >>> Tunnel Options: > >>> IPv4 Address: 10.4.1.10 > >>> IPv4 NetMask: 255.255.255.0 > >>> IPv6/nn Address: fda6:a6:a6:ff::10/64 > >>> > >>> -- /mnt/kd/wireguard/peer/wg0.peer snippet -- > >>> [Peer] > >>> ## 4G/LTE Endpoint > >>> PublicKey = <For Static Endpoint> > >>> Endpoint = 1.2.3.4:51820 > >>> AllowedIPs = 0.0.0.0/0, ::/0 > >>> PersistentKeepalive = 25 > >>> -- > >>> > >>> Network tab -> WAN Failover Configuration: > >>> WAN Failover: > >>> Failover: [enabled] > >>> Secondary Gateway IPv4: 10.4.1.1 > >>> Secondary Gateway IPv6: fda6:a6:a6:ff::1 > >>> > >>> External Failover Interface: > >>> Connection Type: [DHCP] > >>> > >>> External Failover Destination Routes: > >>> IPv4 Routes: 192.168.5.0/24 1.2.3.4 > >>> > >>> > >>> Network tab -> Firewall Configuration: > >>> Firewall Options: > >>> _x_ Allow WireGuard VPN tunnel to the [1st] LAN Interface(s) > >>> > >>> > >>> == AstLinux "Static" Endpoint Configuration > >>> > >>> Network tab -> WireGuard Configuration: > >>> Tunnel Options: > >>> IPv4 Address: 10.4.1.1 > >>> IPv4 NetMask: 255.255.255.0 > >>> IPv6/nn Address: fda6:a6:a6:ff::1/64 > >>> > >>> > >>> -- /mnt/kd/wireguard/peer/wg0.peer snippet -- > >>> [Peer] > >>> ## Static Endpoint > >>> PublicKey = <For 4G/LTE Endpoint> > >>> AllowedIPs = 10.4.1.10/32, 192.168.101.0/24, > fda6:a6:a6:ff::10/128, fda6:a6:a6:d2::/64 > >>> -- > >>> > >>> -- /mnt/kd/rc.conf.d/user.conf snippet -- > >>> NAT_FOREIGN_NETWORK="192.168.101.0/24" > >>> -- > >>> > >>> == > >>> > >>> I personally tested this scenario and it worked as expected. > >>> > >>> Note that one AstLinux "Static" server can support many remote > failover AstLinux "4G/LTE" boxes. > >>> > >>> Tip: if you have shell access to AstLinux "Static", 'ssh > root@10.4.1.10' will access AstLinux "4G/LTE" over the VPN connection, > regardless if failover is active. > >>> > >>> Lonnie > >>> > >>> > >>> > >>> > >>> > >>> ================================== > >>> Per a post by Michael Knill "4G backup" I purchased a Netgear > LB1121-100NAS (North America) supporting PoE and includes a power adapter. > >>> > >>> LTE Modem LB1120 and LB1121 User Manual > >>> https://www.downloads.netgear.com/files/GDC/LB1120/LB112x_ > UM_EN.pdf > >>> > >>> Overall, I'm pleased with the LB1121, the PoE is good to have, > makes easy positioning for good reception. > >>> > >>> I also tested the Netgear 6000450 MIMO Antenna, it can add 1-bar, > but with no antenna and 4 out of 5 bars sitting on the lab bench I was able > to get 90/20 Mbps (down/up) on a speed test. > >>> > >>> If a person were to mount the modem on a wall next to a window, > the antenna would be useful to reach over and place on the glass. > >>> > >>> I tested with "Ting" a MVNO (Mobile Virtual Network Operator) for > T-Mobile's GSM network. I ordered a GSM SIM card from Ting, the Netgear > LB1121 comes with an empty SIM slot. > >>> > >>> I connected the Netgear LB1121 to a spare ethernet interface, > Network tab -> Failover Interface: [eth2] and also ... > >>> -- Network tab -> WAN Failover Configuration: -- > >>> External Failover Interface: > >>> Connection Type: [DHCP] > >>> > >>> External Failover Destination Routes: > >>> IPv4 Routes: 192.168.5.0/24 > >>> -- > >>> If you change the LB1121's IPv4 address, also change the above > IPv4 Routes: as this is required when the LB1121 is set to "Bridge Mode". > >>> Note: WAN Failover is disabled at this point in time. We are now > simply defining a 2nd external interface. > >>> > >>> With Ting I needed to edit the APN ... > >>> -- > >>> Ting (GSM) T-Mobile > >>> APN: wholesale > >>> -- > >>> and the LB1121 easily allows for that via the web interface, > which defaults to http://192.168.5.1 > >>> > >>> Firmware updates are via the web interface, but you must have a > SIM card activated and installed to perform an upgrade over the GSM network. > >>> > >>> Web interface password changes don't ask for a match, so a typo > requires a reset to factory defaults to fix it. But overall, the web > interface is nicely done. > >>> > >>> After I got the LB1121 configured as desired, working, and > firmware upgraded, I then switched to "Bridge Mode", depending on your > 4G/LTE carrier your DHCP will acquire a publicly routable IPv4 address or > an address that looks public but is actually behind NAT. > >>> BTW: Ting/T-Mobile uses odd "private" address ranges like > 25.0.0.0/8 (UK Ministry of Defense) and 100.128.0.0/9 (T-Mobile), they > look publicly routable, but they are NAT'ed to a different public address > :-( > >>> > >>> On a PoE 802.3af switch, the LB1121 draws 1.1 Watts, cool to the > touch. > >>> > >>> The main issues are the 4G/LTE networks, the Ting MVNO for > T-Mobile is IPv4 only, and NAT'ed even when in bridge mode. So a true > failover is difficult to do, but by limiting your failover requirements > this can still be useful. Below is one such technique using WireGuard VPN. > >>> > >>> I have a test AstLinux box talking to my main AstLinux box over > WireGuard over 4G/LTE ... works nicely. Though "PersistentKeepalive = 25" > is required to deal with the NAT and dynamic addressing. > >>> > >>> FYI: Interestingly, the WireGuard overhead even with a keepalive > every 25 seconds results in 454 KB/day of data, which at $10/GB is only > 0.00454 $/day. > >>> > >>> == Dynamic 4G/LTE Modem Endpoint > >>> > >>> -- WireGuard IPv4 10.4.1.10/255.255.255.0 -- > >>> [Peer] > >>> ## 4G/LTE Endpoint > >>> PublicKey = <For Static Endpoint> > >>> Endpoint = 1.2.3.4:51820 > >>> AllowedIPs = 10.4.1.1/32 > >>> PersistentKeepalive = 25 > >>> -- > >>> > >>> -- Network tab -> WAN Failover Configuration: -- > >>> External Failover Interface: > >>> Connection Type: [DHCP] > >>> > >>> External Failover Destination Routes: > >>> IPv4 Routes: 192.168.5.0/24 1.2.3.4 > >>> -- > >>> > >>> == Static IPv4 1.2.3.4 Endpoint > >>> > >>> -- WireGuard IPv4 10.4.1.1/255.255.255.0 -- > >>> [Peer] > >>> ## Static Endpoint > >>> PublicKey = <For 4G/LTE Endpoint> > >>> AllowedIPs = 10.4.1.10/32 > >>> -- > >>> > >>> iperf3 test across the VPN ... > >>> > >>> 4G/LTE ~ # iperf3 -s > >>> > >>> Static ~ # iperf3 -c 10.4.1.10 -u > >>> Connecting to host 10.4.1.10, port 5201 > >>> [ 5] local 10.4.1.1 port 37415 connected to 10.4.1.10 port 5201 > >>> [ ID] Interval Transfer Bitrate Total > Datagrams > >>> [ 5] 0.00-1.00 sec 128 KBytes 1.05 Mbits/sec 96 > >>> ... > >>> [ 5] 9.00-10.00 sec 128 KBytes 1.05 Mbits/sec 96 > >>> - - - - - - - - - - - - - - - - - - - - - - - - - > >>> [ ID] Interval Transfer Bitrate Jitter > Lost/Total Datagrams > >>> [ 5] 0.00-10.00 sec 1.25 MBytes 1.05 Mbits/sec 0.000 ms > 0/959 (0%) sender > >>> [ 5] 0.00-10.16 sec 1.25 MBytes 1.03 Mbits/sec 2.543 ms > 0/959 (0%) receiver > >>> > >>> > >>> Typical ping times: 100-400 ms > >>> > >>> Note that without the VPN there would be no way to reach "4G/LTE" > from "Static" with the network NAT issues described above. > >>> > >>> So with a Netgear LB1121 4G/LTE Modem, by using this WireGuard > VPN technique on the "Failover Interface" (2nd External) your public server > on 1.2.3.4 will be able to access a remote AstLinux box via 4G/LTE. > >>> > >>> > >>> Lonnie > >>> > >>> > >>> ------------------------------------------------------------ > ------------------ > >>> Check out the vibrant tech community on one of the world's most > >>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot > >>> _______________________________________________ > >>> Astlinux-users mailing list > >>> Ast...@li... > >>> https://lists.sourceforge.net/lists/listinfo/astlinux-users > >>> > >>> Donations to support AstLinux are graciously accepted via PayPal > to pa...@kr.... > >>> > >>> > >>> ------------------------------------------------------------ > ------------------ > >>> Check out the vibrant tech community on one of the world's most > >>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot > >>> _______________________________________________ > >>> Astlinux-users mailing list > >>> Ast...@li... > >>> https://lists.sourceforge.net/lists/listinfo/astlinux-users > >>> > >>> Donations to support AstLinux are graciously accepted via PayPal > to pa...@kr.... > >> > >> > >> ------------------------------------------------------------ > ------------------ > >> Check out the vibrant tech community on one of the world's most > >> engaging tech sites, Slashdot.org! http://sdm.link/slashdot > >> _______________________________________________ > >> Astlinux-users mailing list > >> Ast...@li... > >> https://lists.sourceforge.net/lists/listinfo/astlinux-users > >> > >> Donations to support AstLinux are graciously accepted via PayPal > to pa...@kr.... > >> > >> ------------------------------------------------------------ > ------------------ > >> Check out the vibrant tech community on one of the world's most > >> engaging tech sites, Slashdot.org! http://sdm.link/slashdot > >> _______________________________________________ > >> Astlinux-users mailing list > >> Ast...@li... > >> https://lists.sourceforge.net/lists/listinfo/astlinux-users > >> > >> Donations to support AstLinux are graciously accepted via PayPal to > pa...@kr.... > > > > > > ------------------------------------------------------------ > ------------------ > > Check out the vibrant tech community on one of the world's > most > > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > > _______________________________________________ > > Astlinux-users mailing list > > Ast...@li... > > https://lists.sourceforge.net/lists/listinfo/astlinux-users > > > > Donations to support AstLinux are graciously accepted via > PayPal to pa...@kr.... > > > > ------------------------------------------------------------ > ------------------ > > Check out the vibrant tech community on one of the world's most > > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > > _______________________________________________ > > Astlinux-users mailing list > > Ast...@li... > > https://lists.sourceforge.net/lists/listinfo/astlinux-users > > > > Donations to support AstLinux are graciously accepted via PayPal > to pa...@kr.... > > > > ------------------------------------------------------------ > ------------------ > > Check out the vibrant tech community on one of the world's most > > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > > _______________________________________________ > > Astlinux-users mailing list > > Ast...@li... > > https://lists.sourceforge.net/lists/listinfo/astlinux-users > > > > Donations to support AstLinux are graciously accepted via PayPal to > pa...@kr.... > > > ------------------------------------------------------------ > ------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > _______________________________________________ > Astlinux-users mailing list > Ast...@li... > https://lists.sourceforge.net/lists/listinfo/astlinux-users > > Donations to support AstLinux are graciously accepted via PayPal to > pa...@kr.... > > ------------------------------------------------------------ > ------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > _______________________________________________ > Astlinux-users mailing list > Ast...@li... > https://lists.sourceforge.net/lists/listinfo/astlinux-users > > Donations to support AstLinux are graciously accepted via PayPal to > pa...@kr.... |
