Hi Lonnie

So are you saying that you can configure a second external interface and the 
associated routing to it with the Failover Tab but just leave Failover disabled?
If so, I assume it uses the same EXT firewall rules?

Regards
Michael Knill

On 22/5/18, 8:59 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:

    Hi Michael,
    
    > I noticed you also pass the VPN traffic to the site LAN
    
    Yes, I tried to implement the general case, easy to remove stuff.
    
    > the VPN would normally just be used for voice traffic and management only.
    
    In that case "External Failover Destination Routes: IPv4 Routes:" could define all the destination routes you need without "Failover" enabled ... and let Asterisk dynamically choose the SIP route.  Handling inbound calls over the 4G/LTE VPN would also be possible.
    
    
    All seems to work well, the only fundamental issue may be the latency of 4G/LTE for SIP traffic ... though clearly much better than no traffic.
    
    Lonnie
    
    
    
    
    > On May 21, 2018, at 5:36 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
    > 
    > Thanks Lonnie you beat me to it.
    > Interestingly one of my partners is using Asterisk as their Softswitch and they were thinking of setting up a single VPN Tunnel to the SoftSwitch for voice traffic and so everything still works on both the primary and failover links. There should be no failover scripts required!
    > 
    > I noticed you also pass the VPN traffic to the site LAN but this would not actually be required in practice as the VPN would normally just be used for voice traffic and management only. On all VPN connections that run voice traffic I set directmedia=no in sip.conf. PS I actually now use a directmedia ACL on the VPN subnet so I don't need to configure anything. E.g.
    > 
    > directmedia=yes
    > directmediapermit=0.0.0.0/0
    > directmediadeny=<VPN Subnet>
    > 
    > Thanks again Lonnie for testing. I'm looking forward to implementing it.
    > 
    > Regards
    > Michael Knill
    > 
    > On 22/5/18, 6:59 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:
    > 
    >    Follow-up: enabling failover using a Netgear LB1121-100NAS (review below):
    > 
    >    The basic failover configuration is documented here:
    > 
    >    WAN Failover
    >    https://doc.astlinux-project.org/userdoc:tt_wan_failover
    > 
    >    Since most 4G/LTE providers only support outbound-only (NAT'ed), IPv4-only, dynamic IPv4 address networks, any basic failover configuration over 4G/LTE must deal with those constraints.
    > 
    >    But, there is another way ...
    > 
    >    Enhanced WAN Failover using WireGuard:
    > 
    >    If you are able to run a second AstLinux instance (or most any distro with WireGuard) on a static IPv4 address you can establish an always-up WireGuard VPN over the 4G/LTE connection.  When idle the VPN consumes less than 0.5 MB/day of data.
    > 
    >    With this setup, both IPv4 and IPv6 can be supported as well as allowing inbound traffic to the failover.  When failover occurs, all the IPv4/IPv6 traffic is sent over the WireGuard VPN to the "Static" WireGuard endpoint.
    > 
    >    To be clear, while the WireGuard VPN is established over IPv4-only, the tunnel can simultaneously transport IPv4 and IPv6.
    > 
    >    Example:
    > 
    >    AstLinux "4G/LTE": Cable/DSL Modem on external interface and 4G/LTE Modem on failover interface.
    >    --
    >    Internal 1st LAN IPv4: 192.168.101.1/255.255.255.0
    >    Internal 1st LAN IPv6: fda6:a6:a6:d2::1/64
    >    WireGuard IPv4: 10.4.1.10/255.255.255.0
    >    WireGuard IPv6: fda6:a6:a6:ff::10/64
    >    IPv6 ULA/NPTv6: fda6:a6:a6::/56
    > 
    >    AstLinux "Static": Static IPv4 (or IPv4/IPv6) on external interface.
    >    --
    >    Routable Public IPv4: 1.2.3.4
    >    WireGuard IPv4: 10.4.1.1/255.255.255.0
    >    WireGuard IPv6: fda6:a6:a6:ff::1/64
    >    IPv6 ULA/NPTv6: fda6:a6:a6::/56
    > 
    > 
    >    == AstLinux "4G/LTE" Endpoint Configuration
    > 
    >    Network tab -> WireGuard Configuration:
    >      Tunnel Options:
    >        IPv4 Address: 10.4.1.10
    >        IPv4 NetMask: 255.255.255.0
    >        IPv6/nn Address: fda6:a6:a6:ff::10/64
    > 
    >    -- /mnt/kd/wireguard/peer/wg0.peer snippet --
    >    [Peer]
    >    ## 4G/LTE Endpoint
    >    PublicKey = <For Static Endpoint>
    >    Endpoint = 1.2.3.4:51820
    >    AllowedIPs = 0.0.0.0/0, ::/0
    >    PersistentKeepalive = 25
    >    --
    > 
    >    Network tab -> WAN Failover Configuration:
    >      WAN Failover:
    >        Failover: [enabled]
    >        Secondary Gateway IPv4: 10.4.1.1
    >        Secondary Gateway IPv6: fda6:a6:a6:ff::1
    > 
    >      External Failover Interface:
    >        Connection Type: [DHCP]
    > 
    >      External Failover Destination Routes: 
    >        IPv4 Routes: 192.168.5.0/24 1.2.3.4
    > 
    > 
    >    Network tab -> Firewall Configuration:
    >      Firewall Options:
    >        _x_ Allow WireGuard VPN tunnel to the [1st] LAN Interface(s)
    > 
    > 
    >    == AstLinux "Static" Endpoint Configuration
    > 
    >    Network tab -> WireGuard Configuration:
    >      Tunnel Options:
    >        IPv4 Address: 10.4.1.1
    >        IPv4 NetMask: 255.255.255.0
    >        IPv6/nn Address: fda6:a6:a6:ff::1/64
    > 
    > 
    >    -- /mnt/kd/wireguard/peer/wg0.peer snippet --
    >    [Peer]
    >    ## Static Endpoint
    >    PublicKey = <For 4G/LTE Endpoint>
    >    AllowedIPs = 10.4.1.10/32, 192.168.101.0/24, fda6:a6:a6:ff::10/128, fda6:a6:a6:d2::/64
    >    --
    > 
    >    -- /mnt/kd/rc.conf.d/user.conf snippet --
    >    NAT_FOREIGN_NETWORK="192.168.101.0/24"
    >    --
    > 
    >    ==
    > 
    >    I personally tested this scenario and it worked as expected.
    > 
    >    Note that one AstLinux "Static" server can support many remote failover AstLinux "4G/LTE" boxes.
    > 
    >    Tip: if you have shell access to AstLinux "Static", 'ssh root@10.4.1.10' will access AstLinux "4G/LTE" over the VPN connection, regardless of whether failover is active.
    > 
    >    Lonnie
    > 
    > 
    > 
    > 
    > 
    >    ==================================
    >    Per a post by Michael Knill "4G backup" I purchased a Netgear LB1121-100NAS (North America), which supports PoE and includes a power adapter.
    > 
    >    LTE Modem LB1120 and LB1121 User Manual
    >    https://www.downloads.netgear.com/files/GDC/LB1120/LB112x_UM_EN.pdf
    > 
    >    Overall, I'm pleased with the LB1121; the PoE is good to have and makes positioning for good reception easy.
    > 
    >    I also tested the Netgear 6000450 MIMO Antenna, it can add one bar, but with no antenna and 4 out of 5 bars sitting on the lab bench I was able to get 90/20 Mbps (down/up) on a speed test.
    > 
    >    If a person were to mount the modem on a wall next to a window, the antenna would be useful to reach over and place on the glass.
    > 
    >    I tested with "Ting", an MVNO (Mobile Virtual Network Operator) for T-Mobile's GSM network.  I ordered a GSM SIM card from Ting; the Netgear LB1121 comes with an empty SIM slot.
    > 
    >    I connected the Netgear LB1121 to a spare ethernet interface, Network tab -> Failover Interface: [eth2] and also ...
    >    -- Network tab -> WAN Failover Configuration: --
    >    External Failover Interface:
    >     Connection Type: [DHCP]
    > 
    >    External Failover Destination Routes:
    >     IPv4 Routes: 192.168.5.0/24
    >    --
    >    If you change the LB1121's IPv4 address, also change the above IPv4 Routes, as this is required when the LB1121 is set to "Bridge Mode".
    >    Note: WAN Failover is disabled at this point in time.  We are now simply defining a 2nd external interface.
    > 
    >    With Ting I needed to edit the APN ...
    >    --
    >    Ting (GSM) T-Mobile
    >    APN: wholesale
    >    --
    >    and the LB1121 easily allows for that via the web interface, which defaults to http://192.168.5.1
    > 
    >    Firmware updates are via the web interface, but you must have a SIM card activated and installed to perform an upgrade over the GSM network.
    > 
    >    Web interface password changes don't ask for a match, so a typo requires a reset to factory defaults to fix it.  But overall, the web interface is nicely done.
    > 
    >    After I got the LB1121 configured as desired, working, and firmware upgraded, I then switched to "Bridge Mode".  Depending on your 4G/LTE carrier, your DHCP will acquire a publicly routable IPv4 address or an address that looks public but is actually behind NAT.
    >    BTW: Ting/T-Mobile uses odd "private" address ranges like 25.0.0.0/8 (UK Ministry of Defence) and 100.128.0.0/9 (T-Mobile), they look publicly routable, but they are NAT'ed to a different public address :-(
    > 
    >    On a PoE 802.3af switch, the LB1121 draws 1.1 Watts, cool to the touch.
    > 
    >    The main issues are the 4G/LTE networks; the Ting MVNO for T-Mobile is IPv4 only, and NAT'ed even when in bridge mode.  So a true failover is difficult to do, but by limiting your failover requirements this can still be useful.  Below is one such technique using WireGuard VPN.
    > 
    >    I have a test AstLinux box talking to my main AstLinux box over WireGuard over 4G/LTE ... works nicely.  Though "PersistentKeepalive = 25" is required to deal with the NAT and dynamic addressing.
    > 
    >    FYI: Interestingly, the WireGuard overhead even with a keepalive every 25 seconds results in 454 KB/day of data, which at $10/GB is only 0.00454 $/day.
    > 
    >    == Dynamic 4G/LTE Modem Endpoint
    > 
    >    -- WireGuard IPv4 10.4.1.10/255.255.255.0 --
    >    [Peer]
    >    ## 4G/LTE Endpoint
    >    PublicKey = <For Static Endpoint>
    >    Endpoint = 1.2.3.4:51820
    >    AllowedIPs = 10.4.1.1/32
    >    PersistentKeepalive = 25
    >    --
    > 
    >    -- Network tab -> WAN Failover Configuration: --
    >    External Failover Interface:
    >     Connection Type: [DHCP]
    > 
    >    External Failover Destination Routes:
    >     IPv4 Routes: 192.168.5.0/24 1.2.3.4
    >    --
    > 
    >    == Static IPv4 1.2.3.4 Endpoint
    > 
    >    -- WireGuard IPv4 10.4.1.1/255.255.255.0 --
    >    [Peer]
    >    ## Static Endpoint
    >    PublicKey = <For 4G/LTE Endpoint>
    >    AllowedIPs = 10.4.1.10/32
    >    --
    > 
    >    iperf3 test across the VPN ...
    > 
    >    4G/LTE ~ # iperf3 -s
    > 
    >    Static ~ # iperf3 -c 10.4.1.10 -u
    >    Connecting to host 10.4.1.10, port 5201
    >    [  5] local 10.4.1.1 port 37415 connected to 10.4.1.10 port 5201
    >    [ ID] Interval           Transfer     Bitrate         Total Datagrams
    >    [  5]   0.00-1.00   sec   128 KBytes  1.05 Mbits/sec  96  
    >    ...
    >    [  5]   9.00-10.00  sec   128 KBytes  1.05 Mbits/sec  96  
    >    - - - - - - - - - - - - - - - - - - - - - - - - -
    >    [ ID] Interval           Transfer     Bitrate         Jitter    Lost/Total Datagrams
    >    [  5]   0.00-10.00  sec  1.25 MBytes  1.05 Mbits/sec  0.000 ms  0/959 (0%)  sender
    >    [  5]   0.00-10.16  sec  1.25 MBytes  1.03 Mbits/sec  2.543 ms  0/959 (0%)  receiver
    > 
    > 
    >    Typical ping times: 100-400 ms
    > 
    >    Note that without the VPN there would be no way to reach "4G/LTE" from "Static" with the network NAT issues described above.
    > 
    >    So with a Netgear LB1121 4G/LTE Modem, by using this WireGuard VPN technique on the "Failover Interface" (2nd External) your public server on 1.2.3.4 will be able to access a remote AstLinux box via 4G/LTE.
    > 
    > 
    >    Lonnie
    > 
    > 
    >    
------------------------------------------------------------------------------
    >    Check out the vibrant tech community on one of the world's most
    >    engaging tech sites, Slashdot.org! http://sdm.link/slashdot
    >    _______________________________________________
    >    Astlinux-users mailing list
    >    Astlinux-users@lists.sourceforge.net
    >    https://lists.sourceforge.net/lists/listinfo/astlinux-users
    > 
    >    Donations to support AstLinux are graciously accepted via PayPal to 
pay...@krisk.org.
    > 
    > 
    > 
    
    
    

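The two wg0.peer snippets in Lonnie's setup encode the constraints the thread discusses: the NAT'ed, dynamically addressed "4G/LTE" side must carry an Endpoint and a PersistentKeepalive, while the "Static" side's AllowedIPs must list the remote tunnel address and every LAN behind it, because WireGuard's cryptokey routing silently drops traffic for prefixes it does not list. The checker below is an added example, not code from AstLinux or from the thread; the two sample peers are constructed copies of the snippets above, and the prefix lists passed to the checks are assumptions about which networks the remote box serves.

```python
import ipaddress

# Constructed sample peers mirroring the two wg0.peer snippets in the thread
# (assumed input for this example, not AstLinux's own files).
LTE_PEER = """[Peer]
## 4G/LTE Endpoint
PublicKey = <For Static Endpoint>
Endpoint = 1.2.3.4:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
"""
STATIC_PEER = """[Peer]
## Static Endpoint
PublicKey = <For 4G/LTE Endpoint>
AllowedIPs = 10.4.1.10/32, 192.168.101.0/24, fda6:a6:a6:ff::10/128, fda6:a6:a6:d2::/64
"""

def parse_peer(text):
    """Parse one [Peer] block; AllowedIPs becomes a list of ip_network objects."""
    peer = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "[")):
            continue  # skip comments and the section header
        key, _, value = line.partition("=")
        peer[key.strip()] = value.strip()
    nets = peer.get("AllowedIPs", "").split(",")
    peer["AllowedIPs"] = [ipaddress.ip_network(n.strip()) for n in nets if n.strip()]
    return peer

def check_nat_side(peer, max_keepalive=25):
    """The peer behind carrier NAT must dial out and keep the NAT mapping alive."""
    problems = []
    if "Endpoint" not in peer:
        problems.append("no Endpoint: a NAT'ed, dynamic peer cannot be dialled, it must dial out")
    keepalive = int(peer.get("PersistentKeepalive", 0))
    if keepalive == 0 or keepalive > max_keepalive:
        problems.append("PersistentKeepalive missing or too long to hold the NAT mapping open")
    return problems

def check_static_side(peer, remote_prefixes):
    """Cryptokey routing drops any packet whose address is outside AllowedIPs, so the
    static peer must cover the remote tunnel address and every LAN behind it."""
    problems = []
    for prefix in remote_prefixes:
        net = ipaddress.ip_network(prefix)
        allowed = [a for a in peer["AllowedIPs"] if a.version == net.version]
        if not any(net.subnet_of(a) for a in allowed):
            problems.append(f"{prefix} is not covered by AllowedIPs")
    return problems
```

Running check_nat_side against the static-side snippet, or check_static_side with a LAN the static peer does not list, returns the specific misconfiguration rather than an empty list.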
