4g Failover on sg135

I have recently installed an sg135 at a small hotel.

 

I've created 2 subnets:

 

192.168.0.1/24 for Guests Wifi

192.168.1.1/24 for Hotel Admin, security cameras, point of sales etc.

 

The main internet connection is via Telstra Cable which is 55/5 Mbps.

It's not that reliable though...

 

I'd like to add a 4G Cellular connection as a failover, but only to the 192.168.1.1/24 subnet, ie the Hotel Admin side.

The Guests chew up a lot of bandwidth so they'll have to wait until the Cable recovers.

 

The 4G connection is 20/20 Mbps although this varies a fair bit.

 

How best to do this? I did experiment with this a year or so ago and wasn't that happy.

When the Cable recovered the Sophos UTM kept using the 4G DNS which is complicated by the following:

"The Telstra Next-G 3G internet service is fast, works well in a lot of areas around Australia and can be sorted out fairly cheaply
these days. One big downside to the service however is that by default you receive an IP address that is behind a firewall that
performs NAT. Generally this isn't an issue however for some more specific tasks it either makes life more difficult than necessary
and makes some other things downright impossible.
One manifestation of this issue is the inability to connect to some corporate VPNs. One reason for this is that the Next-G service
gives you an IP address on the 10.x.x.x subnet and a lot of corporate networks also use this range (so it might be a good idea to
avoid this IP address range on your LAN)."

When I was testing last year this seemed to cause connection problems for some users on the network.

I was testing the 4G failover using a usb dongle.

I could also use a Dovado Pro AC and plug the dongle into that, then plug the Dovado into the UTM as a bridged modem?

http://www.dovado.com/en/products

 

Cheers, Martin



  • Martin, take a look at this thread.

    Cheers- Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks Bob,

     

    I had a chat to Sophos and they came up with this:

    Seems to work well.

    What do you think?

    The Dell XPS subnet represents the Hotel Back Office.

    The Internal Network represents the Guest Network.

    So when the External Wan goes down, the Dell XPS retains internet access via the 4G connection.

  • Well, if you read the link I posted above and if I understand what you want to happen, I would not do it that way.

    I would put both interfaces in 'Active' unless the 4g connection is not a fixed, monthly fee.

    I would masq 'Internal (Network) -> Uplink Interfaces' and 'Dell XPS (Network) -> External (WAN)'.

    I would make the first Multipath rule 'Any -> Any -> Any bound to External', the second would be 'Internal (Network) -> Any -> Any bound to 4g MF821' and the final 'Any -> Any -> Any bound to External with 'Skip rule on interface error' unchecked'.

    Cheers - Bob

  • Thanks Bob, I really do appreciate all the help you provide to me :)

     

    I'm not that fussed about instant failover, but if it's available without incurring huge data costs then I'll look at it.

     

    I have 2 options with Telstra, the 4G service I use:

     

    A) I have a prepaid usb modem that has about 20GB in it. However this has the private IP address problem as listed in my OP.

    This is my own modem, so I'd only charge the Client $10/GB for usage.

     

    B) A Business 4G service which is monthly, starting at $40 per month with 5GB included, overage is at $10/GB.

     

    So I'd prefer A) as would the client, but I think the private IP address would kill it.

     

    So, assuming B) is the way to go, would the multi-path still be the best way?

  • I'd try it with both in Active and see what the usage is when the 4g connection's not actively being used.  You can probably tell from looking at the charts in 'Network Usage' and on the 'Bandwidth Usage' tab.  Please let us know what you find.

    Cheers - Bob

  • Thanks again Bob,

     

    Another issue we have is that the primary internet is very intermittent, ie it will be active but incredibly slow.

    This means the 4G failover doesn't kick in.

    Is there a way to say if the speed drops below a certain amount, say 1Mbps, the 4G kicks in?

  • No way, Martin.  It seems like a business connection would have an SLA and that the hotel could lean on them to get their line fixed.

    Cheers - Bob

  • Thanks Bob,

    Sadly in Australia SLAs don't mean much when dealing with Telstra/NBN, at the moment they just blame each other.

    In any event, even with SLAs they only refund a pittance if the line goes down for x%.

    They don't actually fix the problem.

  • That might tempt me to switch to Vodafone. ;-)

    If the outages are longer, you could show someone at the site how to disable/enable the Interface in WebAdmin.

    If you're a bit of a Linux wizard, you could craft a way to have someone run enable/disable scripts from their PC.  At the command line as root, get the REF_ of a PPPOE interface named External with cc get_object_by_name interface pppoe 'External' |grep \'ref\' - let's say you learn that it's REF_IntPpeExternal.  Disable the interface with cc change_object REF_IntPpeExternal status 0 and enable with the same command with 1 instead of 0.

    Good luck, mate!

    Cheers - Bob

  • Hi Bob,

    Sorry it's taken so long to respond, but I haven't been able to reply or create forum posts because uBlock Origin is blocking parts of the Forum :(

     

    Back to 4G Failover :)

    After working with Sophos Support, they came up with this:

    "We have kept both the ISPs in the Active state in Uplink Balancing.
    MASQ Config :


    We have created three Multipath rules as below,
    1
    Source : Martin Network
    Service : Any
    Destination : ANY
    Interface : External WAN
    Tick : Skip rule on interface error
    2
    Source : Martin Network
    Service : Any
    Destination : ANY
    Interface : External: 4G
    Tick : Skip rule on interface error
    3
    Source : Home Network
    Service : Any
    Destination : ANY
    Interface : External WAN
    Untick : Skip rule on interface error
    We have tested keeping the WAN off and it's working as expected."

     

    Which all seemed to work except the 4G Service would go down, and not recover, after a day or two.

    Sophos have suggested the following:

     

    "Would it be possible to disable the Automatic Monitoring and add the Google DNS Address 8.8.8.8 as a monitoring host and check if you encounter the same issue?"

     

    Which I haven't been able to test, I'll do so this weekend.

  • That probably won't help, but it's worth a try.

    FWIW, I always prefer using Multipathing and having both interfaces in 'Active' unless paying by the megabyte-transferred for the backup connection.

    Cheers - Bob
