elvisimprsntr Posted February 16, 2017

> elvisimprsntr, with the LRT224, when it fails-over to LTE, does it allow you to restrict devices (say you only wanted to let your ELK and ISY have Internet access when on LTE)? Was also wondering if FreedomPop's free plan was a consideration when you were looking for inexpensive LTE service.

See my other post. I briefly looked at FP, but ultimately decided against it for two reasons.

1. An MVNO has lower priority than customers with direct service.
2. Not sure what their business model is that allows them to offer free service. Typically means ads. (Texts, recorded voice ads, ads interleaved while browsing, selling your data/info to third parties, etc.) Or, they make it up on overage charges. Kinda like what credit card companies do when offering credit to less than credit worthy individuals.

Update: FP might be using an alternate definition of free. http://www.informationweek.com/wireless/freedompop-4g-data-for-free-if-youre-careful/d/d-id/1107035

Scottmichaelj (Author) Posted February 16, 2017

> The LRT224 has service throttling but no white/black list for ports. So I configured the LTE BW to a crawl to effectively render any other access useless. I'll look at the other settings in the LRT224 to find some other way to prevent other devices. Perhaps putting the Elk and ISY on its own subnet might allow a way to limit other devices. If you find a solution, post back.

If you didn't want "backup" internet for the other devices on the network why didn't you just buy the Netgear with the Dual WAN/LAN port and plug the LAN directly to the Elk XEP? You still wanted access to the ISY too huh? Why not make the Netgear only work on certain ports? I'm still learning pfsense myself. Only problem then becomes does the XEP report out on ports 2101/2601 or also 80? If it's 80 then it would be hard to kill traffic. One other thought: put the Netgear on a switch then use the ISY/XEP that way. Can't imagine you using a ton of data on the ISY normally. Just a thought.

elvisimprsntr Posted February 16, 2017

I wanted Elk, ISY, and cameras on backup. Elk and ISY can both send SMS email messages, and I use a number of third party apps which support push notifications. Scenario is someone cuts my primary WAN connection before breaking in, LTE allows those devices to send notifications, use cameras to confirm break in before getting medieval. My physical equipment locations and LAN connection prohibit me from wiring it in such a way to put only those devices on LTE failover. Now that I have a working failover solution, I'm just looking to optimize it.

You can remap WAN facing ports to different ports on LAN side. I would not make any unencrypted ports outward facing. Very bad idea.

apostolakisl Posted February 16, 2017

I would consider it great if a dual WAN router existed with just 2 ports (or two banks of ports). Port 1 has access to both wan connections configured to have a primary wan and backup wan. Port 2 has access to only the primary wan connection. I'd put multiport switches behind each of those two ports and plug in stuff as desired. I'm not sure I have the time or interest to figure out how to do all this configuring you guys are talking about. Maybe it isn't that hard, I just don't need another "hobby" right now.

elvisimprsntr Posted February 17, 2017

> I would consider it great if a dual WAN router existed with just 2 ports (or two banks of ports). Port 1 has access to both wan connections configured to have a primary wan and backup wan. Port 2 has access to only the primary wan connection. I'd put multiport switches behind each of those two ports and plug in stuff as desired. I'm not sure I have the time or interest to figure out how to do all this configuring you guys are talking about. Maybe it isn't that hard, I just don't need another "hobby" right now.

I didn't want a hobby managing pfSense or some other custom solution either, thus went with the drop in solution. It seems to be working well for me.

Scottmichaelj (Author) Posted February 17, 2017

> I would consider it great if a dual WAN router existed with just 2 ports (or two banks of ports). Port 1 has access to both wan connections configured to have a primary wan and backup wan. Port 2 has access to only the primary wan connection. I'd put multiport switches behind each of those two ports and plug in stuff as desired. I'm not sure I have the time or interest to figure out how to do all this configuring you guys are talking about. Maybe it isn't that hard, I just don't need another "hobby" right now.

If you want simple there are routers out there with failsafe and dual wan ports. Some even have USB/LTE support built in. Downside is that if the ISP does go down the backup is cellular.

apostolakisl Posted February 17, 2017

> If you want simple there are routers out there with failsafe and dual wan ports. Some even have USB/LTE support built in. Downside is that if the ISP does go down the backup is cellular.

I know, but they don't seem to have the ability to not switch everything over to backup. I only want a select group to switch over.

Scottmichaelj (Author) Posted February 17, 2017

> I know, but they don't seem to have the ability to not switch everything over to backup. I only want a select group to switch over.

Yeah then you need to do something more sophisticated like pfsense. Which probably will get hacked then u arm your Elk, which your insurance won't cover you because...sorry nevermind ;) I am still learning, but I am hoping it would allow certain IPs on "backup" and not others. I'll post my findings when I have/know something solid.

apostolakisl Posted February 20, 2017

> Yeah then you need to do something more sophisticated like pfsense. Which probably will get hacked then u arm your Elk, which your insurance won't cover you because...sorry nevermind ;) I am still learning, but I am hoping it would allow certain IPs on "backup" and not others. I'll post my findings when I have/know something solid.

That would be mighty neighborly of you!

jasont Posted February 22, 2017

I'm really curious about the router below, in terms of being able to support dual WAN (where you can control what goes out when it's failed-over to cellular):

Ubiquiti Edgerouter ERLITE-3
https://www.ubnt.com/edgemax/edgerouter-lite/
https://smile.amazon.com/Ubiquiti-Edgerouter-ERLITE-3-Desktop-Router/dp/B00HXT8EKE

It's inexpensive, the hardware looks powerful (up to 1M packets per second), and the OS (EdgeOS) is a derivative of Linux, and looks (well, first looks, anyway...) to be similar to pfSense in terms of capabilities.

This link below is to a config posted on their community site. It's not 100% what I'm looking for, but it looks like it's got all of the bones for what I want.

https://community.ubnt.com/t5/EdgeMAX/Dual-WAN-with-some-hosts-using-only-one-WAN/td-p/703367

Was curious if anyone here had any experience with EdgeOS. Using the example config in that thread, to make it work for me, I was thinking of this:

eth1 would be my cellular backup
eth2 would be my main Internet connection

The "minions" would be just my ELK and ISY. They'd go out eth2, unless it fails, then they'd go out eth1.

Where I'd deviate from the example is that everything else on the network (called LB-LAN in their example) would only go out via eth2. If eth2 is down, do NOT failover. My TiVos can gather their guide data later. I'm hoping that'd be as simple as removing the reference to eth1 when setting up LB-LAN:

ORIGINAL EXAMPLE:

    ubnt@wlb# show load-balance
    group LB-LAN {
        interface eth1 {
        }
        interface eth2 {
        }
    }

MODIFIED:

    ubnt@wlb# show load-balance
    group LB-LAN {
        interface eth2 {
        }
    }

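Added example (not part of jasont's post and not EdgeOS or pfSense code): a simplified Python model of the plan in the post above, with a check that lists which hosts can ever leave via the cellular link across all link states. The host addresses and the `fallback` parameter are assumptions; `fallback` models a router whose main default route still matches once a group has no usable interface, which is something to verify on the actual device.

```python
"""Simplified model of selective WAN failover (added example)."""
from ipaddress import ip_address, ip_network
from itertools import product

PRIMARY, BACKUP = "eth2", "eth1"  # eth2 = main ISP, eth1 = cellular, as in the post

# Constructed sample addresses, not taken from the thread.
LAN = ip_network("192.168.1.0/24")
ELK, ISY, TIVO = "192.168.1.10", "192.168.1.11", "192.168.1.50"
MINIONS = {ip_address(ELK), ip_address(ISY)}
HOSTS = [ELK, ISY, TIVO]

# Interfaces each group may use, in order of preference.
GROUPS = {
    "MINIONS": [PRIMARY, BACKUP],  # allowed to fail over to cellular
    "LB-LAN": [PRIMARY],           # primary only, never cellular
}


def group_for(src):
    """Map a source address to its group, or None if it is not on the LAN."""
    addr = ip_address(src)
    if addr in MINIONS:
        return "MINIONS"
    return "LB-LAN" if addr in LAN else None


def egress(src, link_up, fallback=None):
    """Return the interface src leaves on, or None if the traffic is dropped."""
    group = group_for(src)
    if group is None:
        return None
    for iface in GROUPS[group]:
        if link_up.get(iface):
            return iface
    # No interface in the group is usable. `fallback` models a main-table
    # default route that still matches; None models an explicit drop.
    if fallback and link_up.get(fallback):
        return fallback
    return None


def backup_users(hosts, fallback=None):
    """Audit every link-state combination: which hosts ever use BACKUP?"""
    seen = set()
    for primary_up, backup_up in product([True, False], repeat=2):
        state = {PRIMARY: primary_up, BACKUP: backup_up}
        for host in hosts:
            if egress(host, state, fallback) == BACKUP:
                seen.add(host)
    return seen


if __name__ == "__main__":
    print("strict drop:      ", sorted(backup_users(HOSTS)))
    print("with fall-through:", sorted(backup_users(HOSTS, fallback=BACKUP)))
```

With the fall-through case the TiVo address shows up on the cellular link during an outage, which is the leak to test for after configuring the real router (pull the primary WAN and watch the backup interface's traffic counters).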
kohai Posted February 22, 2017

I have the edgerouter lite but I don't do anything fancy with it... just nat. I bought it for the gigabit interfaces since I have fiber to the home. It's basically a 3 port router that you configure how you want. The pfsense UI is more extensive to work with and there's probably more how-to walk throughs out there. After about 3 years I had to replace the usb stick in my edgerouter lite as the old one was slowly going bad. Luckily there are how-tos online for that.

Scottmichaelj (Author) Posted February 23, 2017

> I have the edgerouter lite but I don't do anything fancy with it... just nat. I bought it for the gigabit interfaces since I have fiber to the home. It's basically a 3 port router that you configure how you want. The pfsense UI is more extensive to work with and there's probably more how-to walk throughs out there. After about 3 years I had to replace the usb stick in my edgerouter lite as the old one was slowly going bad. Luckily there are how-tos online for that.

I found the edgerouters to be a bit cumbersome and as stated the only help is via UBNT forums. It seems more people are using pfsense and active on their forums plus tons of Youtube videos. There is also a Homelabs Discord chat channel where there's a good group of people willing to help you. I have been able to route specific traffic now via my ISP and other traffic through my VPN. I still plan on posting my findings and configuration when I have everything dialed in. It just takes time to config and test. I also was away last weekend and haven't gotten back into it. I am waiting for my Netgear cellular backup router to get here. In the meantime my next thing to tackle is VPN server or SSL certificate. I am really happy with my choice so far to go this route. Oh and you can revert to last steps/configs if you screw something up which is helpful!

cyberk Posted February 23, 2017

I would stay away from EdgeRouter. EdgeOS is based on Vyatta (https://en.m.wikipedia.org/wiki/Vyatta) and is customized by UBNT. The product is buggy and like @scottmichaelj said, it's cumbersome.

Sent from my iPhone using Tapatalk

jasont Posted February 23, 2017

Well, crap. I don't have the space for a dedicated PC to run pfSense, and I don't really like the idea of a PC using that much power 24x7 just to route. I also need something that can handle gigabit speeds on the WAN port (Cox Gigablast fiber), which I think makes the cheapest official pfSense appliance the SG-2440, which seems to be 5-6x more expensive than an EdgeRouter Lite 3.

Edit: Looks like there are some third-party appliances out there in the ~$200 range that have gigabit ports and run pfSense, but the reviews are all over the board for them. Ergh

kohai Posted February 23, 2017

> Well, crap. I don't have the space for a dedicated PC to run pfSense, and I don't really like the idea of a box using that much power 24x7 just to route. I also need something that can handle gigabit speeds on the WAN port (Cox Gigablast fiber), which I think makes the cheapest official pfSense appliance the SG-2440, which seems to be 5-6x more expensive than an EdgeRouter Lite 3.
>
> Edit: Looks like there are some third-party appliances out there in the ~$200 range that have gigabit ports and run pfSense, but the reviews are all over the board for them. Ergh

I'm not totally negative about the Edgerouter lite like cyberk. It's worked for me and it may work for you and the product has been around quite awhile so it has some maturity and they are still releasing firmware updates. I've set up a pfsense appliance at a small school and agree that they are expensive for what they are. You can buy the hardware they use for the appliance separately and add the free pfsense to it for about $100 less than buying them bundled (but you don't get any support). It's annoying that the price jump for the multi port sg-2440 is so big. The sg-2220 is essentially the same thing but with less ports. You can set up virtual IPs on it if you want to get into using the cheaper device and jumping through hoops (which is what I did for the school and it was doable but a hassle).

Has anybody ever tried a Mikrotik system? Mikrotik RB951G-2HND 5-Port Gigabit Wireless AP 1000mW

apostolakisl Posted February 23, 2017

> I'm not totally negative about the Edgerouter lite like cyberk. It's worked for me and it may work for you and the product has been around quite awhile so it has some maturity and they are still releasing firmware updates. I've set up a pfsense appliance at a small school and agree that they are expensive for what they are. You can buy the hardware they use for the appliance separately and add the free pfsense to it for about $100 less than buying them bundled (but you don't get any support). It's annoying that the price jump for the multi port sg-2440 is so big. The sg-2220 is essentially the same thing but with less ports. You can set up virtual IPs on it if you want to get into using the cheaper device and jumping through hoops (which is what I did for the school and it was doable but a hassle).
>
> Has anybody ever tried a Mikrotik system? Mikrotik RB951G-2HND 5-Port Gigabit Wireless AP 1000mW

The Edge router looks interesting to me. I don't have a great deal of complexity here. I have 2 goals plus normal stuff.

1) router to router vpn to merge my home and office network (so I would have one of these routers at each end)
2) dual WAN with WAN port 2 being failover that only a few things have access to should WAN connection 1 go down.
3) And then just run of the mill router stuff like assigned dhcp addresses and port forwarding.

kohai Posted February 23, 2017

One note about the edgerouter lite that I did run into. While the firmware supports bridging two ports, in doing so it disables the offloaded acceleration (to the chips) and runs slow because it is doing it in software. So, don't bridge ports on an edgerouter lite.

Scottmichaelj (Author) Posted February 23, 2017

> Well, crap. I don't have the space for a dedicated PC to run pfSense, and I don't really like the idea of a PC using that much power 24x7 just to route. I also need something that can handle gigabit speeds on the WAN port (Cox Gigablast fiber), which I think makes the cheapest official pfSense appliance the SG-2440, which seems to be 5-6x more expensive than an EdgeRouter Lite 3.
>
> Edit: Looks like there are some third-party appliances out there in the ~$200 range that have gigabit ports and run pfSense, but the reviews are all over the board for them. Ergh

All pfsense is, is software. You can run it on any low power PC that you like. Maybe an old one sitting around? Mine is pulling about 50W - while that's not low it's not too high either. My specs are in the first post. I had a Mikrotik RB3011 before going this route. Same things I posted about the UBNTs is what I found on the Tik. Also OpenVPN was not working for me, mangle and masquerade rules were hard for me to understand. The pfsense seems to be a nice middle ground for me at least. More advanced than a consumer router but not full enterprise (even though it could be). The only thing that's a requirement is at least an Intel dual port networking card, or quad port for backup WAN.

I am not trying to convince or push pfsense on anyone, just sharing what I found. I am using a Ruckus unleashed R600 AP for wireless and a 48 port TP-Link Gigabit switch and my speeds are all where they should be. My ISP speeds are 200D/25U and when I am connected to the VPN via OpenVPN I am getting no speed loss. Now all my devices behind the router are on the VPN. Once I am able to connect to the router via VPN I will be able to use local IPs (192.168.x.x) to connect to my other devices remotely just as if I was home and don't have the security risk of port forwarding. Also UPnP is OFF. So far I am happy. Like I said still very much a WIP.

Everyone has their own needs and wants, which is understandable. I am glad this thread has had a good discussion. I was hoping people would share so others could use this as a reference.

Edit: BTW forgot to add the Intel I340 network card (which I have) supports gigabit. http://www.intel.com/content/www/us/en/ethernet-products/gigabit-server-adapters/ethernet-server-adapter-i340.html

MWareman Posted February 23, 2017

> Well, crap. I don't have the space for a dedicated PC to run pfSense, and I don't really like the idea of a PC using that much power 24x7 just to route. I also need something that can handle gigabit speeds on the WAN port (Cox Gigablast fiber), which I think makes the cheapest official pfSense appliance the SG-2440, which seems to be 5-6x more expensive than an EdgeRouter Lite 3.
>
> Edit: Looks like there are some third-party appliances out there in the ~$200 range that have gigabit ports and run pfSense, but the reviews are all over the board for them. Ergh

Look at Soekris. They make small devices for running things like pfSense. Small, like a Linksys router small - both in power and physical size. They only have 100mb interfaces though. If you need GB, I have a device at home, not much bigger in either size or power that works well for me. I'll post later...

jasont Posted February 24, 2017

> They only have 100mb interfaces though. If you need GB, I have a device at home, not much bigger in either size or power that works well for me. I'll post later...

I do need GB. We have Cox's Gigablast service, which is symmetrical gigabit. It'd be cool to see your device when you have a chance!

MWareman Posted February 24, 2017

This is the device I have: http://protectli.com/

I got the 'Essential' one - with 4GB RAM ($279) and it runs pfSense like a dream. I'm just implementing the failover WAN where only a couple of devices can use the failover (my Alarm and ISY) - but nothing else.. since the failover is a FreedomPOP SIM in a Huawei H5770s-320. It's VERY limited free data, so I don't want most clients on the LAN to failover.. pfSense does this quite nicely...

Michael.

MWareman Posted February 24, 2017

Woot! I have backup Internet via FreedomPOP for my Elk and ISY... Complete with policy-routing to ensure that in a WAN-fail state only my Elk and ISY will use the FreedomPOP data... Pretty sweet!

Michael.

jtara92101 Posted February 24, 2017

Good find by MWareman, much more affordable than the equivalent NetGate product.

AsusWRT-Merlin (alternative firmware for Asus routers) apparently can do this! (WAN backup with selective routing.) https://www.snbforums.com/threads/specific-routes-in-dual-wan-routing-failover-mode.29682/

pfSense is a better solution, as it separates the firewall and WAN-routing tasks from WiFi access. WiFi is always subject to the WiFi standard/non-standard du jour. (I used to use Netscreen boxes when I had a need for a secure VPN over cable with DSL backup, but those boxes are long obsolete now. For now, an Asus RT-88U with AsusWRT-Merlin suits my needs).

Scottmichaelj (Author) Posted February 24, 2017

> This is the device I have: http://protectli.com/
>
> I got the 'Essential' one - with 4GB RAM ($279) and it runs pfSense like a dream. I'm just implementing the failover WAN where only a couple of devices can use the failover (my Alarm and ISY) - but nothing else.. since the failover is a FreedomPOP SIM in a Huawei H5770s-320. It's VERY limited free data, so I don't want most clients on the LAN to failover.. pfSense does this quite nicely...
>
> Michael.

Thanks for posting that device. Since this device is only 10W I would love to get something lower powered than a full PC. The drawback is VPN encryption/speeds but willing to give it a try.

> Woot! I have backup Internet via FreedomPOP for my Elk and ISY... Complete with policy-routing to ensure that in a WAN-fail state only my Elk and ISY will use the FreedomPOP data... Pretty sweet!
>
> Michael.

You mind sharing how you configured this or a link to the guide you used? I was able to get specific PORTS routing direct to the WAN rather than the VPN but would love to separate even more traffic based on the failover.

On another note, I was able to install OpenVPN on pfsense today and get my iphone to connect. Now I don't have any open forwarded ports and can use my local IP in Mobilinc etc. Pretty cool stuff. Still waiting for the Netgear router to get here for the cellular backup. Now off to try my luck on installing an SSL cert! Wish me luck!

> Good find by MWareman, much more affordable than the equivalent NetGate product.
>
> AsusWRT-Merlin (alternative firmware for Asus routers) apparently can do this! (WAN backup with selective routing.) https://www.snbforums.com/threads/specific-routes-in-dual-wan-routing-failover-mode.29682/
>
> pfSense is a better solution, as it separates the firewall and WAN-routing tasks from WiFi access. WiFi is always subject to the WiFi standard/non-standard du jour. (I used to use Netscreen boxes when I had a need for a secure VPN over cable with DSL backup, but those boxes are long obsolete now. For now, an Asus AC3100 with AsusWRT-Merlin suits my needs).

That's what it's all about right? Finding what works for you as an individual user/household. Everyone may want to do the "same thing" but there are many ways to cook a hamburger. I like Merlin FW on ASUS. You still get the stock feel with advanced settings. I just didn't feel like it handled the VPN encryption well due to the lower processor/memory on the consumer side.

EDIT: Ordered one from Amazon. It will be here in two days. Nice thing is I can export my config and easily transfer it to the new device.

jtara92101 Posted February 24, 2017

Note that if your home Internet service has asymmetrical bandwidth, it's quite likely your ultimate bandwidth limitation will be your internet connection, rather than encryption overhead. Asymmetrical home Internet connections (typically cable, due to limitations of cable technology) provide a large bandwidth in/down, and a much smaller bandwidth out/up. For example, I'm on the highest-bandwidth plan from Cox (outside of fibre, which I do not have available). 300 mbit/sec down/20 mbit/sec up. But, more typically, these types of connections offer no more than 10mbit/sec up.

Unfortunately, it is exactly the opposite of what you need when VPNing in to your home network, or VPNing through your home network to reach the Internet. It is not that difficult to achieve 10mbit/sec VPN encryption. My old Asus RT-66 managed that, and newer RT-88 is faster. Only if you have symmetrical bandwidth or large up bandwidth will the encryption capability of the router or security appliance start to be a limiting factor.