Working from home requires internet and power, neither of which you can take for granted when living on the beach in Brasil. The power drops for a second or two at least 10 times a day. Luckily we have a UPS for that, but I also need a dual WAN router for failover.
Needless to say, I’ve been exploring various Dual WAN Router for Failover solutions. I’m also interested in testing and doing training on Netscaler SD-WAN. So Twitter to the rescue.
If you don’t know Richard Parnell, let me do a quick introduction. He’s the man behind the scenes of all the keynote demos presented at Citrix Summit and Synergy.
He’s also the one paid by Citrix just to have fun & build the most amazing labs with the latest technology. This kind of travelling lab is used by Citrix System Engineers around the world and tracked by Tile.
Needless to say, I went with the $100 Ubiquiti EdgeMax EdgeRouter Lite ERLite-3 as recommended.
EdgeOS is based on Vyatta and is extremely powerful. I did some research but couldn’t find anything related to my needs and the latest EdgeOS firmware, 1.9.
So I headed over to UpWork and contracted a Ubiquiti expert named Issam for $40/hour (Protip: search for highest price & best rating). I even found PowerShell MVP Adam Bertram, who created the GUI for my Automation Framework, on UpWork.
Architecture
I have my main 50 mb/s fiber internet connection and a TP-LINK TL-MR3420 3G/4G Wireless N Router for failover when the main link fails.
Shout out to my Netscaler mentor Dave Brett for the awesome Visio drawing.
Configuration
First, you’ll want to connect to the router and upgrade the firmware to the latest release. After that, connect through PuTTY and dump in the configuration below.
configure
# Firewall Setup
set firewall all-ping enable
set firewall broadcast-ping disable
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set firewall ip-src-route disable
set firewall log-martians enable
set firewall receive-redirects disable
set firewall send-redirects enable
set firewall source-validation disable
set firewall syn-cookies enable
set firewall name WAN_IN default-action drop
set firewall name WAN_IN enable-default-log
set firewall name WAN_IN rule 1 action accept
set firewall name WAN_IN rule 1 description "Allow established connections"
set firewall name WAN_IN rule 1 state established enable
set firewall name WAN_IN rule 1 state related enable
set firewall name WAN_IN rule 2 action drop
set firewall name WAN_IN rule 2 log enable
set firewall name WAN_IN rule 2 description "Drop invalid state"
set firewall name WAN_IN rule 2 state invalid enable
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL enable-default-log
set firewall name WAN_LOCAL rule 1 action accept
set firewall name WAN_LOCAL rule 1 description "Allow established connections"
set firewall name WAN_LOCAL rule 1 state established enable
set firewall name WAN_LOCAL rule 1 state related enable
set firewall name WAN_LOCAL rule 2 action drop
set firewall name WAN_LOCAL rule 2 log enable
set firewall name WAN_LOCAL rule 2 description "Drop invalid state"
set firewall name WAN_LOCAL rule 2 state invalid enable
# WAN Interfaces and NAT Setup
set interfaces ethernet eth1 description WAN-Fiber
set interfaces ethernet eth1 address dhcp
set interfaces ethernet eth1 firewall in name WAN_IN
set interfaces ethernet eth1 firewall local name WAN_LOCAL
set service nat rule 5010 description "Masquerade for WAN-Fiber"
set service nat rule 5010 outbound-interface eth1
set service nat rule 5010 type masquerade
set interfaces ethernet eth2 description WAN-4G
set interfaces ethernet eth2 address dhcp
set interfaces ethernet eth2 firewall in name WAN_IN
set interfaces ethernet eth2 firewall local name WAN_LOCAL
set service nat rule 5020 description "Masquerade for WAN-4G"
set service nat rule 5020 outbound-interface eth2
set service nat rule 5020 type masquerade
# LAN Interface and DHCP Server
set interfaces ethernet eth0 description LAN
set interfaces ethernet eth0 address 192.168.2.1/24
set service dhcp-server disabled false
set service dhcp-server shared-network-name LAN authoritative disable
set service dhcp-server shared-network-name LAN subnet 192.168.2.0/24 default-router 192.168.2.1
set service dhcp-server shared-network-name LAN subnet 192.168.2.0/24 dns-server 192.168.2.1
set service dhcp-server shared-network-name LAN subnet 192.168.2.0/24 lease 86400
set service dhcp-server shared-network-name LAN subnet 192.168.2.0/24 start 192.168.2.100 stop 192.168.2.200
set service dhcp-server shared-network-name LAN subnet 192.168.2.0/24 bootfile-server 192.168.2.52
set service dhcp-server shared-network-name LAN subnet 192.168.2.0/24 bootfile-name pxelinux.0
set service dns forwarding listen-on eth0
# Custom Netscaler Unified Gateway (you might or might not want this)
set firewall name WAN_LOCAL rule 5 action accept
set firewall name WAN_LOCAL rule 5 description 'Allow HTTPS GUI'
set firewall name WAN_LOCAL rule 5 log disable
set firewall name WAN_LOCAL rule 5 protocol tcp
set firewall name WAN_LOCAL rule 5 destination port 443
set port-forward lan-interface eth0
set port-forward wan-interface eth1
set port-forward rule 10 forward-to address 192.168.2.13
set port-forward rule 10 forward-to port 443
set port-forward rule 10 original-port 443
set port-forward rule 10 protocol tcp
# Failover Setup
set firewall modify failover rule 1 action accept
set firewall modify failover rule 1 description "Exclude LAN subnet"
set firewall modify failover rule 1 destination address 192.168.2.0/24
set firewall modify failover rule 10 action modify
set firewall modify failover rule 10 modify lb-group G
set load-balance group G interface eth1
set load-balance group G interface eth2 failover-only
set interfaces ethernet eth0 description LAN
set interfaces ethernet eth0 firewall in modify failover
# Remove Default Interface
delete interfaces ethernet eth0 address 192.168.1.1/24
# Allow Access to 192.168.0.x from LAN
set firewall modify failover rule 5 action modify
set firewall modify failover rule 5 destination address 192.168.0.0/24
set firewall modify failover rule 5 modify table main
# Custom Host Names
set system static-host-mapping host-name vcsa.vsphere.local inet 192.168.2.8
set system static-host-mapping host-name esxi-ss-01.vsphere.local inet 192.168.2.7
set system static-host-mapping host-name esxi-ss-02.vsphere.local inet 192.168.2.6
set system static-host-mapping host-name ug.xenapptraining.com inet 192.168.2.13
set system static-host-mapping host-name fs.xenapptraining.com inet 192.168.2.13
commit
save
exit
In my setup, external traffic is routed to the EdgeRouter and from there port-forwarded to 192.168.2.13, which is my Netscaler Unified Gateway.
As you can see from the configuration above, this router is extremely flexible. I can even add custom host names to the router, so no more custom hosts file entries on my computer(s).
To check the status of your configuration run the following command:
show load-balance status
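As an added example (my own code, not the post's or Ubiquiti's), the Python below parses a `set` command dump like the one above and checks the failover pattern: both DHCP (WAN) ports carry WAN_IN and WAN_LOCAL, both rulesets default to drop, the LAN-exclusion rule precedes the lb-group rule, and no WAN_LOCAL accept rule is left without a state or source match. On the post's own values it flags only WAN_LOCAL rule 5, because that TCP/443 accept applies wherever WAN_LOCAL is attached, eth2 included, while the port-forward only covers eth1. The `CONFIG` excerpt is constructed from the dump above and the set of checks is my own choice.

```python
# Constructed excerpt of the post's dump (values are the post's own); not the full configuration.
CONFIG = """\
set firewall name WAN_IN default-action drop
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL rule 5 action accept
set firewall name WAN_LOCAL rule 5 protocol tcp
set firewall name WAN_LOCAL rule 5 destination port 443
set interfaces ethernet eth1 address dhcp
set interfaces ethernet eth1 firewall in name WAN_IN
set interfaces ethernet eth1 firewall local name WAN_LOCAL
set interfaces ethernet eth2 address dhcp
set interfaces ethernet eth2 firewall in name WAN_IN
set interfaces ethernet eth2 firewall local name WAN_LOCAL
set firewall modify failover rule 1 action accept
set firewall modify failover rule 1 destination address 192.168.2.0/24
set firewall modify failover rule 10 action modify
set firewall modify failover rule 10 modify lb-group G
"""

def parse(text):
    """Tokenise every 'set ...' line, dropping the leading 'set' keyword."""
    return [ln.split()[1:] for ln in text.splitlines() if ln.startswith("set ")]

def rules(cmds, *prefix):
    # Map rule number -> token tails of 'set <prefix> rule N ...' lines.
    n, out = len(prefix), {}
    for t in cmds:
        if len(t) > n + 2 and tuple(t[:n]) == prefix and t[n] == "rule":
            out.setdefault(int(t[n + 1]), []).append(t[n + 2:])
    return out

def audit(cmds):
    """Return findings as strings; an empty list means every check passed."""
    found = []
    wans = sorted({t[2] for t in cmds if t[:2] == ["interfaces", "ethernet"] and t[3:5] == ["address", "dhcp"]})
    for wan in wans:  # each DHCP (WAN) port must carry both rulesets
        for chain in ("in", "local"):
            if not any(t[:6] == ["interfaces", "ethernet", wan, "firewall", chain, "name"] for t in cmds):
                found.append(f"{wan}: no firewall '{chain}' ruleset attached")
    for name in ("WAN_IN", "WAN_LOCAL"):  # both rulesets must be default-deny
        if ["firewall", "name", name, "default-action", "drop"] not in cmds:
            found.append(f"{name}: default-action is not drop")
    for num, parts in rules(cmds, "firewall", "name", "WAN_LOCAL").items():
        # an accept with neither a state match nor a source filter opens the router itself
        if ["action", "accept"] in parts and not any(p[0] in ("state", "source") for p in parts):
            found.append(f"WAN_LOCAL rule {num}: unrestricted accept on every WAN interface")
    fo = rules(cmds, "firewall", "modify", "failover")
    excl = [n for n, p in fo.items() if ["action", "accept"] in p]
    lb = [n for n, p in fo.items() if any(q[:2] == ["modify", "lb-group"] for q in p)]
    if not excl or not lb or min(excl) > min(lb):  # LAN must be excluded before lb-group applies
        found.append("failover: LAN exclusion rule must precede the lb-group rule")
    return found
```

Run it against a full `show configuration commands` export to re-check the router after every change; each finding names the interface or rule to look at.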
Conclusion
How could anyone live without the EdgeRouter? It’s perfect for any professional home or branch office. Get two internet connections from two different vendors and you have yourself a $100 Dual WAN Router for Failover. There are even bigger models that let you bundle 8 WAN interfaces!
There’s another option as well – my entire home lab networking is free courtesy of Meraki (the MX firewall appliance does 4G failover). Jump on it if you haven’t already!
https://meraki.cisco.com/freeap
https://meraki.cisco.com/freemx
https://meraki.cisco.com/freeswitch
That’s correct, I was looking into that as well, but currently it’s not available in Brasil and many other countries. It also has a 300 mb/s limit.
I know this post is two years old but I found it useful. So can I use the Ubiquiti EdgeRouter X Advanced Gigabit Ethernet Router ER-X (256MB storage, 5 Gigabit RJ45 ports) for the same job? I have Comcast, AT&T, and Verizon wireless access points and I would like to use this solution for failover. Also I went to UpWork and looked for a Ubiquiti expert and it returned nothing. What were the exact categories you chose when looking for someone to program this router? Or do you have a suggestion?
Yes you can, the ER-X has more ports compared to this older model. I just updated the link to the expert I’m using.
Out of the box there is a wizard you can run for dual WAN config. They add more and more to the web interface, but I think cmd line is still the most powerful.
Agree, same goes for the Secure Gateway product.
We have our EdgeRouter-X set up for dual WAN in balancing mode but would like to drop one of the providers and purchase an Ethernet 4G LTE modem to replace it as a fail-over. Does anyone know which 4G modem would activate and connect only when the WAN port is activated?
Sorry, no idea.
Hi, nice post.
So just one question: isn’t the TP-LINK TL-MR3420 3G/4G supposed to do this failover process? I’m currently in the same situation, working from home on a Brazilian beach, and the fiber connection is not reliable.
Thanks man!
Yes indeed, Rafael.
I have a couple questions about the experience of using this setup.
How long does it take for a WAN failure to be detected and fail over to the backup WAN?
How is a WAN connection failure detected? (Ping timeouts, DNS lookup failures, etc.)
For this setup to work for me, I need the detection to be based on pings failing (satellites are going in and out of range all the time), and I need the failover to happen very quickly, ideally in under a second. For example, sustaining a video call with only a short blip. Is there hope for me?
You simply need to test. Pretty fast failover if I remember correctly, but closer to 5 seconds.
Is it possible to X-over the failover?
E.g. Two DSL routers (two lines incoming)
– DSL#1 should be routed to LAN#1
– DSL#2 should be routed to LAN#2
– if DSL#1 crashes, route DSL#2 to LAN#1
– if DSL#2 crashes, route DSL#1 to LAN#2
Never tried, but the UBNT forum would be a great place to start.
2023
I moved over from Edge to a TP-Link ER7206. It has multiple WAN port capabilities. For someone without networking admin experience it’s easy to set up and maintain.
It comes in two variants
ER605 CAD $80
ER7206 CAD $170 (+SFP WAN port)
And I just saw
TL-R470T+ CAD $50