Automated internet failover?

Forums › LAN (ethernet/Wifi/routers/Bluetooth) › Automated internet failover?

Lias

5589 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#223246 20-Sep-2017 16:35

I know enough about networking to be dangerous (did my CCNA R&S a few years ago) but I'm kind of out of my depth on this one.

First scenario:

If I have two home internet connections, say UFB and Cable or UFB and Skinny 4g, each connected via a standard ISP supplied router. I want devices on the network to switch to the secondary connection when the primary connection is down? Assume that for <reasons> I can't remove or replace the existing routers. I could conceivably put additional hardware between the network and those two routers, if I did so, what if anything could I put in to automatically route traffic down the primary connection when it's up, detect when it can't reach the internet through that connection and failover to the secondary connection, and flip back when required all automatically.

Second scenario:

Two business grade UFB connections, each a UFB ONT connected to Cisco ASA, Fortigate, Sonicwall or similar device. Probably each going to a seperate ISP. How do I have fully automated failover like above? Brain says VRRP or similar between the devices, but because they are connected to the ONT via ethernet, I think that as long as that ethernet connection is up, the failover wouldn't kick in? I'm thinking that if we had our own AS and were running BGP we could achieve this, but not 100% sure if that would and would prefer a cheaper option than buying IP's and paying money to APNIC every year anyways :-) The ideal solution should allow for connection A to be the primary connection B for local subnet X and Connection B to the primary connection for local subnet Y, and allow failover either way.

Is any of this possible? If so, how :-)

I'm a geek, a gamer, a dad, a Quic user, and an IT Professional. I have a full rack home lab, size 15 feet, an epic beard and Asperger's. I'm a bit of a Cypherpunk, who believes information wants to be free and the Net interprets censorship as damage and routes around it. If you use my Quic signup you can also use the code R570394EKGIZ8 for free setup.

chevrolux

4962 posts

Uber Geek
Inactive user

#1869588 20-Sep-2017 17:21

All comes down to routing.

Scenario One is kind of crappy and you would hope that you would change the routers. But if you can't you would give each router's LAN an IP address on the same subnet. Have it all connected to the same network. Obviously only one should do DHCP, and the DHCP can hand out what you want your default route to be. If they have come from an ISP then they will both be NAT'ing so that stays as it is. After that, you would just go to your PC and set a static route with a higher metric (for windows anyway, also see terms like distance, weight etc). Then when your default route falls over, the secondary will kick in as your device just follows it's routing table.
Issue with this is it's a pain in the ass to go and set routes manually over all devices. Plus does not help with any inbound traffic unless you did something with dynamic DNS. Outbound DNS could be the issue too (if connections were from different ISP's and those servers were assigned to the client they wouldn't work outside of each network) so maybe a requirement to use 8.8.8.8 across the network too.

Scenario Two. Dead simple. Terminate both your WAN's on the router. Set your default route to the preferred WAN's gateway, and then have a second default route with a higher distance/weight/metric pointing to the secondary WAN's gateway. So when WAN 1 goes unreachable, the router will just use the second default route, when WAN 1 comes back online it all goes back to normal. Then your network's DHCP server can just tell clients to use your router as their default route, and the router will figure it out from there. Again, not helpful with inbound connections, but Dyn DNS could help with this.

BGP would be the VERY proper way to do this, but as you already pointed out, need to get a ASN, IP space and then a connection and ISP that will support it (don't think it would be possible over standard bitstream 2 products anyway and would need BS3 or higher, not too sure though).

sparkz25

750 posts

Ultimate Geek
Inactive user

#1869627 20-Sep-2017 17:58

check out sophos and set it up as a standby interface,i know you can run 2 sophos firewalls in conjunction with each other so if one dies the other will pick up and carry on, i have had a 2 degrees dongle working as a fail safe on a connection some time ago on sophos but that was a while ago

Jase2985

13463 posts

Uber Geek

ID Verified

Lifetime subscriber

#1869670 20-Sep-2017 19:00

we use a cisco router to do this at work (on a ship), cant remember the model. they arent internet connections but WAN connections back to the rest of the network ashore.

we have fibre, wifi, 3g, low latency satellite, and higher latency satellite (more data) and each has a different cost rating, the router checks each connection and uses the active one with the lowest cost.

there is about a 3 minute delay in switching over so that it gives the connections a chance to get back online this stops its continually switching back and forth due to a small drop out.

lxsw20

3554 posts

Uber Geek

Subscriber

#1869687 20-Sep-2017 19:17

We use Cisco Meraki at work and have 2 MX100s in HA. The main firewall will ping various sites every few minutes to see if the connection is live. It's not the best solution out there as it takes a full 5 minutes (!!!) from primary internet failure to fail over to the backup connection. Usually if it fails I go and pull the ethernet from the internet side so it fails over quicker.

https://documentation.meraki.com/MX-Z/Firewall_and_Traffic_Shaping/Connection_Monitoring_for_WAN_Failover

nitrotech

1285 posts

Uber Geek

#1869779 20-Sep-2017 20:39

We use 2 UFB connections and have them on automatic failover using Mikrotik - routing marks on the packets decide which traffic goes out which connection and if one or other goes down it automatically switches to the other connection - I would imagine that MT would be the most cost effective solution for you.

hio77

12999 posts

Uber Geek

ID Verified

Trusted

Lizard Networks

#1869795 20-Sep-2017 20:50

I use pfsense with my two dsl connections.

sessions are marked to use the correct wan, failover for high utilization or port down (PPPoE sessions terminated on box so it knows exactly when PPP is lost)

Downtime with this is normally sub 20 seconds however rare to actually have drops in my case.

#include <std_disclaimer>

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

vulcannz

436 posts

Ultimate Geek
Inactive user

#1870092 21-Sep-2017 11:02

The Sonicwall has WAN Failover/Load Balancing built in. You simply connect your two ISPs. For failover it can use link failure and/or logical probing (probes up to two upstream targets using either ICMP or TCP). Failover time depends on your failure setting (ie 3 failed probes at 5 second intervals = 15 second failover time).