8

I have an internet connected Ubuntu server, connected by Ethernet to a residential ADSL line. This is adequate, most of the time, but I can't rely upon the ADSL link to be as reliable as I'd like. Murphy's law has already dictated that down-time comes when it is least convenient.

I'd like to use a 'pay-as-you-go' 3G USB dongle to provide a fail-over. I'm lacking information both about sample configurations that work for other people - and about the most suitable (inexpensive) hardware for my purposes. The objective is that, when my ADSL line is disconnected, the server detects this and dials up the 3G service - monitoring the ADSL line and switching back seamlessly when its connection is restored.

The principle service I care about is an OpenVPN tunnel - over UDP to a remote server. The other useful service would be Squid - so I'd still have web-access from my LAN when ADSL is disconnected.

Questions:

  1. How difficult would this be to set up?
  2. Would I be forced to 'roll my own' - or are there packages/howtos I've overlooked?
  3. What (inexpensive) hardware is recommended (concerned with unattended reliability - mainly)?
  4. Any anecdotes of success or failure from others who've tackled this already?
aSteve
  • 231
  • 1
  • 4
  • 10
  • This would be ALOT easier if you could get a 3G router instead. Have you checked if it's possible with your provider? – pauska Feb 17 '12 at 13:21
  • I've not ruled out a hardware solution... but the starting point is that I have one Ethernet connection to the ISP supplied basic ADSL router); One standard PC running Ubuntu Server (with one Ethernet port built-in and several free USB ports) - and one USB 3G dongle. My dual requirements are a dependable solution that doesn't cost the earth. – aSteve Feb 17 '12 at 20:00
  • There is something about hayes AT commands here: http://stackoverflow.com/questions/7280718/what-does-the-at-modem-comand-do –  May 29 '12 at 16:05

6 Answers6

4

I have done this any times for customers and i have not found a developed system to make this so i have ever roll my own, the steps that Manwe has given you are more or less what i do when i need them but i will paste here any crude bash scripts i am using (when i have time i want to make this much better in python).

Basically i check if i have internet or not and if i am using the wan backup and make the changes needed

#!/bin/bash
PATH="/bin:/sbin:/usr/bin:/usr/sbin"
primary_gw="192.168.1.1" #for example.
check_one="8.8.8.8"
check_two="8.8.4.4"

#first we check internet connection.
if `ping -c 1 -W 1 $check_one |grep -E '(unreachable|100\%\ packet\ loss)' &> /dev/null` &&\
   `ping -c 1 -W 1 $check_two |grep -E '(unreachable|100\%\ packet\ loss)' &>/dev/null`
  then #if we don't have internet
    if [ -e /tmp/wan_backup ]
      #if we are using backup right now we try to change to primary connection
      then ./script_change_to_primary.sh && rm /tmp/wan_backup
      #else we change to wan backup.
      else ./script_change_to_backup.sh && touch /tmp/wan_backup
    fi
fi

#if we are using wan backup right now we check if primary connection works.
if [ -e /tmp/wan_backup ]
  then
    if `ip route add $check_one via $primary_gw; ip route add $check_two via $primary_gw;\
        sleep 2; ping -c 1 -W 1 $check_one | grep -E '(unreachable|100\%\ packet\ loss)' &> /dev/null &&\
        ping -c 1 -W 1 $check_two | grep -E '(unreachable|100\%\ packet\ loss)' &> /dev/null`
      then #don't works we clean the routes and stay using backup
        ip route del $check_one via $primary_gw
        ip route del $check_two via $primary_gw
      else #it works so we change active connection 
        ip route del $check_one via $primary_gw
        ip route del $check_two via $primary_gw
        ./script_change_to_primary.sh
        rm /tmp/wan_backup
    fi
fi

Given that you only want your server to use 3g if adsl goes down i would only use iptables snat or masquerade only in the adsl iface and i would block access to squid in ./script_change_to_secondary.sh, your files could be:

script_change_to_secondary.sh

#!/bin/bash
pon 3gIsp #this one it is going to change the default route of server anyway
#drop squid connections, you could disable here the boot snat or masquerade for adsl
#but given your adsl is not active i don't see the need anyway
iptables -I INPUT -s LAN_IP_RANGE -d SERVER_IP -p tcp --dport 3128 -j DROP

script_change_to_primary.sh

#!/bin/bash
poff 3gIsp
iptables -D INPUT -s LAN_IP_RANGE -d SERVER_IP -p tcp --dport 3128 -j DROP
/etc/init.d/openvpn restart

You should have too in /etc/ppp/ip-up.d/ a bash script with "/etc/init.d/openvpn restart", this way every time you connect to a ppp provider your openvpn will restart automatically.

Well like i have said it is a bit ugly and crude but it works :) if you find a integrated clean solution for this make me know please :), one good thing of roll-your-own it is that you have a complete control of the system, this is an oversimplification of what i do in any customers that have two or three connections alive at the same time and do a load balancing and QoS all integrated with scripts that detect connections problems and changes the routes and the QoS.

If you prefer an integrated solution to a roll-your-own you can use a distribution like zentyal, it supports what you want to use but it is a complete distribution tailored to create a SmallBusiness server, i usually prefer to configure my servers at my own but this is a good distribution that can be managed via web.

skuda21
  • 173
  • 1
  • 6
  • Zemtyal - like Zeroshell - looks like a slick appliance... though I'd prefer a package that integrates with Ubuntu (server) - perhaps as an "upstart" service. The down-side with Zemtyal, for my current needs, is that I'm really looking for a non-proprietary solution... even if the 'free basic subscription' would probably be sufficient for my immediate needs. – aSteve Feb 22 '12 at 15:53
  • I think you will end creating a roll-your-own solution like the one i have described in the post, i was only referring Zentyal like an alternative, you have more power and customization if you create your solution anyway, it is what i usually do. – skuda21 Feb 22 '12 at 17:00
  • Zentyal it is open source and free, they sell any plugins and support, like many other opensource players, not that you should use it (i don't think so) but it is free. – skuda21 Feb 22 '12 at 19:34
  • I stand corrected. :) Thanks... I'll have to have a think about this - I guess. – aSteve Feb 22 '12 at 21:17
3

We have couple of smaller edimax 3g routers that have 1 wlan, 1 lan and usb for 3G stick. Lan port can be configured to be part of the lan or as primary wan port port (3g acting as failover). I'm not affiliated with edimax and we use them on the road or on conventions for their size (and one of the ones we have is battery powered).

Having said that I would go with a setup in the ubuntu server.

Answers:

  1. Easy if you are experienced server admin. Otherwise if you are willing to spend the time to learn and understand what you are doing it's doable for a poweruser.
  2. I don't know about available packages, but

change to 3g - script example:

pon YourIsp-name
route del default gw "your_adls_defaultGW"
route add -host "ping_or_other_test_host_for_checking_adsl_route" gw  "your_adls_defaultGW"
"do_other_stuff_like_restart_openvpn_maybe"

change to adsl - script example:

poff YourIsp-name
route add default gw "your_adls_defaultGW"
route del -host "ping_or_other_test_host_for_checking_adsl_route" gw  "your_adls_defaultGW"
"do_other_stuff_like_restart_openvpn_maybe"

Using dhcp with adsl will screw this simple example and you have to either modify /etc/resolv.conf with every change or use open dns servers like google 8.8.8.8 (or your own resolver). Now.. monitoring is a bit more difficult, but putting something like this to cron (don't, this is a naive exmaple), will give you failover to 3g and back.

ping -q -c 2 "ping_or_other_test_host_for_checking_adsl_route"  && TARGETUP=1 || TARGETUP=0 ;  echo $TARGETUP ; if [ "$TARGETUP" == 1 ] ; then ( rm /tmp/.adsl_down ; [ -e /tmp/.adsl_up ] || ( PATH_TO_YOUR_ADSL_UP_SCRIPT && touch /tmp/.adsl_up ) ); else  ( rm /tmp/.adsl_up ; [ -e /tmp/.adsl_down ] || ( PATH_TO_YOUR_3G_UP_SCRIPT && touch /tmp/.adsl_down )) ; fi

Three) See Edimax 3g routers ( zeroshell linuxfw-distribution looks like zeroshell has failover in it, so get a cheap pc for a router and use zeroshell. I haven't tested it though )

Four) Test, persist and when failover is needed for the first time, it's going to fail (because of something stupid...).

I'm not sure that you need squid for this setup unless to speed up 3g connection with local cache of most common pages you visit..

Manwe
  • 528
  • 3
  • 14
  • Your Ubuntu software approach is another suggestion that I should 'roll my own'. That's an option, I guess, though I'd prefer to use a polished pre-canned solution... if I could find one. The Edimax-3g router approach looks promising - and I can get one for £40 on Ebay... previously, I'd been unclear if these would fail-over to 3G automatically... and if I'd be informed of the fail-over event. Essentially, I'd need two uplinks - one Ethernet; one USB-3G-Dongle... and to support sensible rules about which to use to route traffic. – aSteve Feb 21 '12 at 15:09
  • I explained Squid badly... The server is on a LAN - and all hosts access the internet via the same router. Server connectivity is critical - but other LAN hosts less so. I'd like highly available access to basic services from my desktop - but, if my desktop were downloading a DVD ISO when ADSL fails, I'd not want that to fail-over to 3G as it would bust my monthly usage cap within hours. A proxy would allow me to switch my desktop to the 3G connection manually and be bandwidth cautious under those circumstances. Only my server needs to fail-over automatically when unattended. – aSteve Feb 21 '12 at 15:10
  • added link for zeroshell. have a look, it might contain or be everything you need – Manwe Feb 21 '12 at 19:49
  • Zeroshell looks as if it has the feature set I'm looking for... but, if I can avoid it, I don't want to switch to a new distribution 'just' for fail-over support... I'd like to avoid introducing another host, too - even a virtual one, as more complexity means more to go wrong. I'll investigate Zeroshell and see if the same fail-over software might be available for Ubuntu. – aSteve Feb 22 '12 at 15:45
2

Have you considered any hardware based solutions as i can see most posters using software solutions?

Not sure of how much you want to spend but a DrayTek Vigor 2830n would accommodate your needs. There may be cheaper alternatives, but this is the one I've used at two different sites and has functioned exceptionally well.

There are 3 WAN connectivity on this device, the Standard ADSL line, Ethernet connection and 3G dongle. You can set this up just using the ADSL and 3G dongle and using the router itself. The 3G dongle does not need to be on 'load-balance mode' but pure WAN-backup mode only.

Having re-read the original post, I'd like to add that you can even restrict VPN traffic only over the 3G dongle to minimise bandwidth cost on your 3G dongle.

Draytek Triple WAN Modem/router

Cold T
  • 2,401
  • 2
  • 17
  • 29
  • I'm definitely still considering hardware solutions. The DrayTek Vigor 2830n looks superb - though it is pricey (£160 second hand on ebay - the minimum price I've found.) I can get an 3G-6200N for ~£40 (also on ebay) - so, I'm wondering, is the DrayTek really four times as good as the Edimax? Will I have reliability problems with the cheaper hardware? Will it be significantly harder to configure/secure? – aSteve Feb 22 '12 at 21:29
  • I've only had experience using Edimax for wireless connectivity as I've found they are extremely stable and pretty standard to setup in terms of WiFi. As for modem/router configuration, the set-up and configuration is logical. You would enter the credentials for the ADSL line and 3G dongle, followed by enabling some QOS and WAN-Failover. I think it also gives you the ability to load-balance in terms of % as well. It's certainly not your average router/modem you would buy from Netgear for instance. Has amazing amount of features and definitely suited for SME class rather then home use. – Cold T Feb 23 '12 at 09:17
  • In recent years, I've been a fan of Netgear and a foe of Dlink - the former have 'just worked' for me, while the latter have caused a lot of grief. My only Edimax experience is with an IP camera - and that is, how can I put it politely? "Very basic"... and not a device I'd recommend to others. – aSteve Feb 23 '12 at 12:00
0

1) Not too difficult - run a task and check for the status of your DSL - when it failes, start up the 3G-Interface and fail over the default route. Maybe you might need to restart your VPN as well.

2 & 3) Never checked for a prebuild package myself, as my favourite firewall does include that feature by default. Check www.astaro.com (the software-appliance is free for home-use or you can use the default 30day trial for testing)

4) Never had any sigificant problems with WAN failovers (other than the backup-line beeing also down)

tsg

Truebsalgeblaese
  • 364
  • 1
  • 4
0

I think you could use keepalived to ping a remote internet address (Google mayhaps) every .. 30 seconds with some timeout. If the ping times out configure keepalived to shutdown eth0 and bring up the 3G interface then restart your VPN.

You should consider delays etc. when configuring keepalived so that it does not switch interfaces when not needed. Some testing/experiments will be needed. I cant think of a way to revert to the ADSL line when its back alive though.

If you have a router between the ADSL modem and your server, or the modem has a external address that you can ping you could probably use that as criteria for reverting the connection.

KeepaliveD site

Hope that can get you started!

Lukasz
  • 472
  • 2
  • 10
  • 18
0

You could use shorewall (ubuntu package available), and a very useful script named gwping to create a roll-your-own solution.

dbendlin
  • 1