First, I want to add to my Netgear LB1121 review.  I tried to enable native 
4G/LTE IPv6 support ... enabled IPv4v6 and IPv6 in the APN entry and tried 
DHCPv6-client (dhcp6c) as well as Router Advertisements and I saw nothing.  So 
it could be the T-Mobile GSM tower in my area does not support IPv6 or the 
Netgear LB1121 does not bridge 4G/LTE IPv6 to the NIC.

The Netgear LB1121 (Linux, Busybox based) does support IPv6 on its network 
stack as "ip -6 neigh show dev eth2" shows LLAs.


Hi David, from my googling it looks like 4G/LTE IPv6 support is hit and miss, 
if you want the highest reliability stick with IPv4-only.  As you said AT&T 
might do NPTv6 with fake-GUAs to support IPv6 anyway.

> Next a question...  I don't have an external host let alone one with a static 
> IP address.  I was wondering... I can configure wireguard to attach to DNS 
> name, does not need to be an IP address.  But how often does wireguard check 
> for a remote host?

DNS resolution only occurs at startup unless you check this entry in the 
WireGuard config:
--
DNS Update: _x_ Continually Update DNS Endpoints for peers
--

> And what happens when I take down that remote host...

I think WireGuard will silently fail when the remote peer is not reachable, 
WireGuard uses UDP.  I'm not sure if the internal timers will trigger more 
traffic over 4G/LTE if the remote peer is not reachable versus a working idle 
VPN.

Edge conditions would need to be tested to know for sure.

Lonnie
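
What a periodic endpoint re-resolve pass generally involves, as an added example that is not part of the original email and is not AstLinux's implementation of the "Continually Update DNS Endpoints" option. The 135-second threshold, the function names and all sample keys, host names and addresses are assumptions made for illustration.

```python
import socket

STALE_AFTER = 135  # seconds; assumption: ~120 s rekey interval plus a margin

def stale_peers(handshakes_text, now, stale_after=STALE_AFTER):
    """Parse `wg show <iface> latest-handshakes` output (one
    "<public-key> <epoch-seconds>" pair per line) and return the keys whose
    last handshake is missing (0) or older than stale_after."""
    stale = []
    for line in handshakes_text.splitlines():
        if not line.strip():
            continue
        key, ts = line.split()
        if int(ts) == 0 or now - int(ts) > stale_after:
            stale.append(key)
    return stale

def system_resolve(host):
    """Return one address for host, or None if the name does not resolve."""
    try:
        return socket.getaddrinfo(host, None)[0][4][0]
    except socket.gaierror:
        return None

def reresolve_commands(iface, endpoints, stale, resolve=system_resolve):
    """Build `wg set` argument lists that re-apply the configured host:port
    for each stale peer. endpoints maps public key -> "host:port"."""
    cmds = []
    for key in stale:
        if key not in endpoints:
            continue
        host, port = endpoints[key].rsplit(":", 1)
        ip = resolve(host)
        if ip is None:
            continue          # record deleted: keep old endpoint, retry next pass
        if ":" in ip:
            ip = f"[{ip}]"    # IPv6 endpoints are written [addr]:port
        cmds.append(["wg", "set", iface, "peer", key, "endpoint", f"{ip}:{port}"])
    return cmds

# Constructed sample data (keys, names and addresses are placeholders).
NOW = 1_000_000
HANDSHAKES = "KEY_A\t999990\nKEY_B\t999800\nKEY_C\t0\n"
ENDPOINTS = {"KEY_B": "vpn.example.net:51820", "KEY_C": "gone.example.net:51820"}
FAKE_DNS = {"vpn.example.net": "203.0.113.7"}

def demo():
    stale = stale_peers(HANDSHAKES, NOW)
    return stale, reresolve_commands("wg0", ENDPOINTS, stale, FAKE_DNS.get)
```

With this kind of loop, the delay before a newly started remote host is picked up is bounded by how often the pass runs. A stale record that points at an address now held by someone else cannot complete a handshake without the peer's private key, so that peer simply stays in the stale list.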



> On May 22, 2018, at 4:34 AM, David Kerr <da...@kerr.net> wrote:
> 
> So, a couple of observations and questions...
> 
> I was looking at my iPhone which has AT&T.  As reported by Lonnie my device 
> is getting allocated a 10 dot private IPv4 address.  If I go to a website to 
> discover my public IP address I see the NAT host address.... 107.77.x.y.  
> However what is interesting is that AT&T have allocated me two global IPv6 
> addresses... 2600:380:4477:d922:xxx::/64, it will be interesting to see 
> whether I can use this to reach through to the router... I'm not confident 
> though as if I go to test-ipv6.com from my iPhone it shows a different 
> address... 2600:387:6:803::x so it looks like AT&T is even NATing IPv6.  Yuk.
> 
> Next a question...  I don't have an external host let alone one with a static 
> IP address.  I was wondering... I can configure wireguard to attach to DNS 
> name, does not need to be an IP address.  But how often does wireguard check 
> for a remote host?  So, for example, if I had a VM image that was not running 
> most of the time, but which I fire up when needed (could be on AWS, or 
> somewhere else).  That VM image would register its IP address with a 
> dynamic DNS service on boot up then start wireguard and wait for the 
> connection.   How long before the wireguard client (talking through the WAN 
> failover) will notice that the DNS now resolves to a valid IP and connects?  
> And what happens when I take down that remote host... I might just leave the 
> DNS records pointing to an IP address that is no longer listening (and might 
> get reassigned to someone else's VM).  Or I might delete the DNS record from 
> the dynamic DNS server (probably a better idea).  Is wireguard going to start 
> trying to resolve the DNS name again, or will it just assume the same IP 
> address as last time?
> 
> David.
> 
> 
> 
> 
> 
> 
> 
> On Mon, May 21, 2018 at 6:59 PM, Lonnie Abelbeck <li...@lonnie.abelbeck.com> 
> wrote:
> Hi Michael,
> 
> > I noticed you also pass the VPN traffic to the site LAN
> 
> Yes, I tried to implement the general case, easy to remove stuff.
> 
> > the VPN would normally just be used for voice traffic and management only.
> 
> In that case "External Failover Destination Routes: IPv4 Routes:" could 
> define all the destination routes you need without "Failover" enabled ... and 
> let Asterisk dynamically choose the SIP route.  Handling inbound calls over 
> the 4G/LTE VPN would also be possible.
> 
> 
> All seems to work well, the only fundamental issue may be the latency of 
> 4G/LTE for SIP traffic ... though clearly much better than no traffic.
> 
> Lonnie
> 
> 
> 
> 
> > On May 21, 2018, at 5:36 PM, Michael Knill 
> > <michael.kn...@ipcsolutions.com.au> wrote:
> > 
> > Thanks Lonnie you beat me to it.
> > Interestingly one of my partners is using Asterisk as their Softswitch and 
> > they were thinking of setting up a single VPN Tunnel to the SoftSwitch for 
> > voice traffic and so everything still works on both the primary and 
> > failover links. There should be no failover scripts required!
> > 
> > I noticed you also pass the VPN traffic to the site LAN but this would not 
> > actually be required in practice as the VPN would normally just be used for 
> > voice traffic and management only. On all VPN connections that run voice 
> > traffic I set directmedia=no in sip.conf. PS I actually now use a 
> > directmedia ACL on the VPN subnet so I don't need to configure anything. 
> > E.g.
> > 
> > directmedia=yes
> > directmediapermit=0.0.0.0/0
> > directmediadeny=<VPN Subnet>
> > 
> > Thanks again Lonnie for testing. I'm looking forward to implementing it.
> > 
> > Regards
> > Michael Knill
> > 
> > On 22/5/18, 6:59 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:
> > 
> >    Followup, Enabling Failover using a Netgear LB1121-100NAS (review below):
> > 
> >    The basic failover configuration is documented here:
> > 
> >    WAN Failover
> >    https://doc.astlinux-project.org/userdoc:tt_wan_failover
> > 
> >    Since most 4G/LTE providers only support outbound-only (NAT'ed), 
> > IPv4-only, dynamic IPv4 address networks, any basic failover configuration 
> > over 4G/LTE must deal with those constraints.
> > 
> >    But, there is another way ...
> > 
> >    Enhanced WAN Failover using WireGuard:
> > 
> >    If you are able to run a second AstLinux instance (or most any distro 
> > with WireGuard) on a static IPv4 address you can establish an always-up 
> > WireGuard VPN over the 4G/LTE connection.  When idle the VPN consumes less 
> > than 0.5 MB/day of data.
> > 
> >    With this setup, both IPv4 and IPv6 can be supported as well as allowing 
> > inbound traffic to the failover.  When failover occurs, all the IPv4/IPv6 
> > traffic is sent over the WireGuard VPN to the "Static" WireGuard endpoint.
> > 
> >    To be clear, while the WireGuard VPN is established over IPv4-only, the 
> > tunnel can simultaneously transport IPv4 and IPv6.
> > 
> >    Example:
> > 
> >    AstLinux "4G/LTE": Cable/DSL Modem on external interface and 4G/LTE 
> > Modem on failover interface.
> >    --
> >    Internal 1st LAN IPv4: 192.168.101.1/255.255.255.0
> >    Internal 1st LAN IPv6: fda6:a6:a6:d2::1/64
> >    WireGuard IPv4: 10.4.1.10/255.255.255.0
> >    WireGuard IPv6: fda6:a6:a6:ff::10/64
> >    IPv6 ULA/NPTv6: fda6:a6:a6::/56
> > 
> >    AstLinux "Static": Static IPv4 (or IPv4/IPv6) on external interface.
> >    --
> >    Routable Public IPv4: 1.2.3.4
> >    WireGuard IPv4: 10.4.1.1/255.255.255.0
> >    WireGuard IPv6: fda6:a6:a6:ff::1/64
> >    IPv6 ULA/NPTv6: fda6:a6:a6::/56
> > 
> > 
> >    == AstLinux "4G/LTE" Endpoint Configuration
> > 
> >    Network tab -> WireGuard Configuration:
> >      Tunnel Options:
> >        IPv4 Address: 10.4.1.10
> >        IPv4 NetMask: 255.255.255.0
> >        IPv6/nn Address: fda6:a6:a6:ff::10/64
> > 
> >    -- /mnt/kd/wireguard/peer/wg0.peer snippet --
> >    [Peer]
> >    ## 4G/LTE Endpoint
> >    PublicKey = <For Static Endpoint>
> >    Endpoint = 1.2.3.4:51820
> >    AllowedIPs = 0.0.0.0/0, ::/0
> >    PersistentKeepalive = 25
> >    --
> > 
> >    Network tab -> WAN Failover Configuration:
> >      WAN Failover:
> >        Failover: [enabled]
> >        Secondary Gateway IPv4: 10.4.1.1
> >        Secondary Gateway IPv6: fda6:a6:a6:ff::1
> > 
> >      External Failover Interface:
> >        Connection Type: [DHCP]
> > 
> >      External Failover Destination Routes: 
> >        IPv4 Routes: 192.168.5.0/24 1.2.3.4
> > 
> > 
> >    Network tab -> Firewall Configuration:
> >      Firewall Options:
> >        _x_ Allow WireGuard VPN tunnel to the [1st] LAN Interface(s)
> > 
> > 
> >    == AstLinux "Static" Endpoint Configuration
> > 
> >    Network tab -> WireGuard Configuration:
> >      Tunnel Options:
> >        IPv4 Address: 10.4.1.1
> >        IPv4 NetMask: 255.255.255.0
> >        IPv6/nn Address: fda6:a6:a6:ff::1/64
> > 
> > 
> >    -- /mnt/kd/wireguard/peer/wg0.peer snippet --
> >    [Peer]
> >    ## Static Endpoint
> >    PublicKey = <For 4G/LTE Endpoint>
> >    AllowedIPs = 10.4.1.10/32, 192.168.101.0/24, fda6:a6:a6:ff::10/128, fda6:a6:a6:d2::/64
> >    --
> > 
> >    -- /mnt/kd/rc.conf.d/user.conf snippet --
> >    NAT_FOREIGN_NETWORK="192.168.101.0/24"
> >    --
> > 
> >    ==
> > 
> >    I personally tested this scenario and it worked as expected.
> > 
> >    Note that one AstLinux "Static" server can support many remote failover 
> > AstLinux "4G/LTE" boxes.
> > 
> >    Tip: if you have shell access to AstLinux "Static", 'ssh root@10.4.1.10' 
> > will access AstLinux "4G/LTE" over the VPN connection, regardless if 
> > failover is active.
> > 
> >    Lonnie
> > 
> > 
> > 
> > 
> > 
> >    ==================================
> >    Per a post by Michael Knill "4G backup" I purchased a Netgear 
> > LB1121-100NAS (North America) supporting PoE and includes a power adapter.
> > 
> >    LTE Modem LB1120 and LB1121 User Manual
> >    https://www.downloads.netgear.com/files/GDC/LB1120/LB112x_UM_EN.pdf
> > 
> >    Overall, I'm pleased with the LB1121, the PoE is good to have, makes 
> > easy positioning for good reception.
> > 
> >    I also tested the Netgear 6000450 MIMO Antenna, it can add 1-bar, but 
> > with no antenna and 4 out of 5 bars sitting on the lab bench I was able to 
> > get 90/20 Mbps (down/up) on a speed test.
> > 
> >    If a person were to mount the modem on a wall next to a window, the 
> > antenna would be useful to reach over and place on the glass.
> > 
> >    I tested with "Ting" a MVNO (Mobile Virtual Network Operator) for 
> > T-Mobile's GSM network.  I ordered a GSM SIM card from Ting, the Netgear 
> > LB1121 comes with an empty SIM slot.
> > 
> >    I connected the Netgear LB1121 to a spare ethernet interface, Network 
> > tab -> Failover Interface: [eth2] and also ...
> >    -- Network tab -> WAN Failover Configuration: --
> >    External Failover Interface:
> >     Connection Type: [DHCP]
> > 
> >    External Failover Destination Routes:
> >     IPv4 Routes: 192.168.5.0/24
> >    --
> >    If you change the LB1121's IPv4 address, also change the above IPv4 
> > Routes: as this is required when the LB1121 is set to "Bridge Mode".
> >    Note: WAN Failover is disabled at this point in time.  We are now simply 
> > defining a 2nd external interface.
> > 
> >    With Ting I needed to edit the APN ...
> >    --
> >    Ting (GSM) T-Mobile
> >    APN: wholesale
> >    --
> >    and the LB1121 easily allows for that via the web interface, which 
> > defaults to http://192.168.5.1
> > 
> >    Firmware updates are via the web interface, but you must have a SIM card 
> > activated and installed to perform an upgrade over the GSM network.
> > 
> >    Web interface password changes don't ask for a match, so a typo requires 
> > a reset to factory defaults to fix it.  But overall, the web interface is 
> > nicely done.
> > 
> >    After I got the LB1121 configured as desired, working, and firmware 
> > upgraded, I then switched to "Bridge Mode", depending on your 4G/LTE 
> > carrier your DHCP will acquire a publicly routable IPv4 address or an 
> > address that looks public but is actually behind NAT.
> >    BTW: Ting/T-Mobile uses odd "private" address ranges like 25.0.0.0/8 (UK 
> > Ministry of Defense) and 100.128.0.0/9 (T-Mobile), they look publicly 
> > routable, but they are NAT'ed to a different public address :-(
> > 
> >    On a PoE 802.3af switch, the LB1121 draws 1.1 Watts, cool to the touch.
> > 
> >    The main issues are the 4G/LTE networks, the Ting MVNO for T-Mobile is 
> > IPv4 only, and NAT'ed even when in bridge mode.  So a true failover is 
> > difficult to do, but by limiting your failover requirements this can still 
> > be useful.  Below is one such technique using WireGuard VPN.
> > 
> >    I have a test AstLinux box talking to my main AstLinux box over 
> > WireGuard over 4G/LTE ... works nicely.  Though "PersistentKeepalive = 25" 
> > is required to deal with the NAT and dynamic addressing.
> > 
> >    FYI: Interestingly, the WireGuard overhead even with a keepalive every 
> > 25 seconds results in 454 KB/day of data, which at $10/GB is only 0.00454 
> > $/day.
> > 
> >    == Dynamic 4G/LTE Modem Endpoint
> > 
> >    -- WireGuard IPv4 10.4.1.10/255.255.255.0 --
> >    [Peer]
> >    ## 4G/LTE Endpoint
> >    PublicKey = <For Static Endpoint>
> >    Endpoint = 1.2.3.4:51820
> >    AllowedIPs = 10.4.1.1/32
> >    PersistentKeepalive = 25
> >    --
> > 
> >    -- Network tab -> WAN Failover Configuration: --
> >    External Failover Interface:
> >     Connection Type: [DHCP]
> > 
> >    External Failover Destination Routes:
> >     IPv4 Routes: 192.168.5.0/24 1.2.3.4
> >    --
> > 
> >    == Static IPv4 1.2.3.4 Endpoint
> > 
> >    -- WireGuard IPv4 10.4.1.1/255.255.255.0 --
> >    [Peer]
> >    ## Static Endpoint
> >    PublicKey = <For 4G/LTE Endpoint>
> >    AllowedIPs = 10.4.1.10/32
> >    --
> > 
> >    iperf3 test across the VPN ...
> > 
> >    4G/LTE ~ # iperf3 -s
> > 
> >    Static ~ # iperf3 -c 10.4.1.10 -u
> >    Connecting to host 10.4.1.10, port 5201
> >    [  5] local 10.4.1.1 port 37415 connected to 10.4.1.10 port 5201
> >    [ ID] Interval           Transfer     Bitrate         Total Datagrams
> >    [  5]   0.00-1.00   sec   128 KBytes  1.05 Mbits/sec  96  
> >    ...
> >    [  5]   9.00-10.00  sec   128 KBytes  1.05 Mbits/sec  96  
> >    - - - - - - - - - - - - - - - - - - - - - - - - -
> >    [ ID] Interval           Transfer     Bitrate         Jitter    Lost/Total Datagrams
> >    [  5]   0.00-10.00  sec  1.25 MBytes  1.05 Mbits/sec  0.000 ms  0/959 (0%)  sender
> >    [  5]   0.00-10.16  sec  1.25 MBytes  1.03 Mbits/sec  2.543 ms  0/959 (0%)  receiver
> > 
> > 
> >    Typical ping times: 100-400 ms
> > 
> >    Note that without the VPN there would be no way to reach "4G/LTE" from 
> > "Static" with the network NAT issues described above.
> > 
> >    So with a Netgear LB1121 4G/LTE Modem, by using this WireGuard VPN 
> > technique on the "Failover Interface" (2nd External) your public server on 
> > 1.2.3.4 will be able to access a remote AstLinux box via 4G/LTE.
> > 
> > 
> >    Lonnie
> > 
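
The quoted setup notes that one "Static" server can serve many remote "4G/LTE" boxes. On that hub, each peer's AllowedIPs decides which tunnel source addresses are accepted from it and where replies are routed, so entries must not overlap between sites. The following check is an added example, not part of the original thread or of AstLinux; site B, the key placeholders and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample for the "Static" hub: site A uses the AllowedIPs from the
# thread; site B and both key placeholders are hypothetical.
SAMPLE = """\
[Peer]
## Site A
PublicKey = <site-A-public-key>
AllowedIPs = 10.4.1.10/32, 192.168.101.0/24, fda6:a6:a6:ff::10/128, fda6:a6:a6:d2::/64

[Peer]
## Site B (LAN prefix copied from site A, plus a stray default route)
PublicKey = <site-B-public-key>
AllowedIPs = 10.4.1.11/32, 192.168.101.0/24, fda6:a6:a6:ff::11/128, ::/0
"""

def parse_peers(text):
    """Return [{'key': str, 'nets': [ip_network, ...]}, ...] per [Peer] section."""
    peers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if line == "[Peer]":
            peers.append({"key": None, "nets": []})
        elif "=" in line and peers:
            name, value = (s.strip() for s in line.split("=", 1))
            if name == "PublicKey":
                peers[-1]["key"] = value
            elif name == "AllowedIPs":
                peers[-1]["nets"] += [ipaddress.ip_network(v.strip(), strict=False)
                                      for v in value.split(",") if v.strip()]
    return peers

def audit(peers):
    """Flag hub-side entries that let one site claim another site's addresses."""
    findings = []
    for p in peers:                               # a default route on the hub side
        findings += [("default-route", p["key"], str(n))
                     for n in p["nets"] if n.prefixlen == 0]
    for i, a in enumerate(peers):                 # pairwise overlap between sites
        for b in peers[i + 1:]:
            findings += [("overlap", a["key"], b["key"], str(na), str(nb))
                         for na in a["nets"] for nb in b["nets"]
                         if na.version == nb.version and na.overlaps(nb)]
    return findings

if __name__ == "__main__":
    for finding in audit(parse_peers(SAMPLE)):
        print(finding)
```

The `0.0.0.0/0, ::/0` entry on the "4G/LTE" side of the quoted configuration is intentional there, since that box sends all failover traffic to the hub; the check above is meant for the hub's peer file only.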


_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users
