ADSL with ISDN fallback



 
ADSL non-NAT installation
ISDN dialup router, NAT
Internal machines on private addresses
Port mapped incoming SMTP email

[Diagram: Internet, Router, LAN, FireBrick, LAN, PC]

In this configuration there is a routed non-NAT internet feed (e.g. ADSL) and also a backup ISDN dialup router. The dialup router is using a conventional dialup which provides NAT from a single internet address. In this example we will assume that the ADSL router has address 123.4.5.1 and the subnet is a block of 16 (/28 or 255.255.255.240).

The FireBrick provides a conventional NAT configuration :-

  1. Allocate a private network address for the internal machines, e.g. 10.0.0.0/24
  2. Allocate the FireBrick a private address, e.g. 10.0.0.1, creating a LAN subnet for the FireBrick with this address and subnet 24 (255.255.255.0), and set NAT
  3. Optionally, include DHCP allocation range on the private addresses to allocate addresses to machines on the LAN
  4. Allocate the FireBrick one of the public addresses, e.g. 123.4.5.2 and create the WAN subnet with this address, subnet 28 (255.255.255.240)
  5. Set the gateway on the FireBrick to the router on the WAN (i.e. 123.4.5.1)
  6. PCs are set with the FireBrick as their gateway (i.e. 10.0.0.1) and subnet 24 (255.255.255.0)
  7. You may want to set the FireBrick with an ISP allocated DNS server address, and set the PCs to use the FireBrick for DNS
  8. Adjust filters as required
The ISDN router needs to be configured to allow access whenever it is used :-
  1. Allocate a public address for the ISDN router, e.g. 123.4.5.3, and set with subnet 28 (255.255.255.240)
  2. Set the default incoming address translation/NAT-mapping to the FireBrick 123.4.5.2 allowing incoming mail, etc.
  3. Set up dial on demand internet connection with NAT
The FireBrick needs to monitor the ADSL link :-
  1. Find the next hop address on the ADSL (see below)
  2. Create a profile called ADSL, set for ping scanning on interface WAN with gateway 123.4.5.1 to the next hop address, set Alert if inactive
  3. Ensure the profile is set for all day every day (click the right hand box for each day, marked "24")
  4. Confirm by reloading the profile index page, after 1 minute, that the profile is active
The normal FireBrick routing will need to be replaced with explicit routing rules allowing for a change to ISDN when required :-
  1. Move the Subnets route up, and add a new route below it to the ISDN router, target Any (blank), from Any, to LAN, gateway 123.4.5.3 (the ISDN router), select NAT, Profile No-ADSL
If you need specific port maps for incoming mail :-
  1. Create a port map, from WAN, to FireBrick, addresses Any, port 25 (may be left blank), map target to your mail server, e.g. 10.0.0.2
Incoming email :-
  1. Incoming email for SMTP could be set with MX records to go to your FireBrick, e.g. 123.4.5.2
  2. The FireBrick would need to allow WAN->Any port 25 TCP traffic in its filters and have the port map as specified
  3. If you want email when in ISDN backup, then ensure you have a fixed IP ISDN dialup and set this address as the secondary MX record (via an A record).
Testing :-
  1. Confirm by viewing the profile index that the ADSL profile is active (ALERT LED off)
  2. Traceroute to confirm routing via ADSL
  3. Remove connection to ADSL, and wait up to 1 minute for ALERT LED to come on
  4. Confirm by viewing the profile index that the ADSL profile is not active
  5. Traceroute to confirm routing via ISDN
  6. Reconnect ADSL and reconfirm that the filter becomes inactive and ALERT LED off within 1 minute
Emailing to tell you the backup has happened :-
  1. Set the log/filter options so that Email is selected for ping-scanning
  2. Fill in target email address (and optionally, source email address)
  3. Enter mail server address, e.g. 10.0.0.2
  4. Click "test" to confirm email can be delivered.
  5. If test fails, check Status Log for error message and configure mail server accordingly
  6. Adjust email delay/timeouts if required
Next hop :-
    Monitoring the ADSL link requires that a specific address is checked regularly using a ping. The ping-scanning and ping-failure features of the FireBrick allow for this, and change a profile accordingly. One issue is what address to monitor.

    Using traceroute to some address on the internet (your favourite web site for example), you will see the FireBrick, your ADSL router and a next hop. This is a good candidate for monitoring, and means if your ADSL line goes down, then you will switch to ISDN. However, if your ISP has problems (e.g. their upstream fails) and your ADSL line is actually OK, you may lose internet access and not fall back to ISDN.

    Using a later address or an address on the internet would allow you to protect against failures within your ISP, and switch to ISDN. Going too far can be a problem, e.g. picking some web site. If you do this, you would find you switch to ISDN simply because the one site you were monitoring was down, even though the rest of the internet was fine.

    Your ISP may be able to suggest an address to be monitored like this, and this is the best one to use.
     

  1. Check the address you pick answers a ping
  2. Make sure nobody minds you monitoring the address - if it is the router next hop, then this is likely to be fine, but some address on the net may upset the owner of that machine. The pings are very light load, but that can be detected.
  3. Bear in mind the address could go away. Again, the router next hop is unlikely to, but any other address could be removed or changed without warning. So check you are not using backup routing when you don't want to - we suggest the email alerts are used but keep an eye on the ISDN router just in case.
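
The traceroute checks in the Testing and Next hop sections can be scripted so the result is recorded rather than read by eye. This is an added example, not part of the original page or any FireBrick tooling; it uses the page's example router addresses, and the two sample traces (including the ISP hop addresses) are constructed.

```python
import re

ADSL_ROUTER = "123.4.5.1"   # ADSL router address from the page's example
ISDN_ROUTER = "123.4.5.3"   # ISDN router address from the page's example

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")              # "<hop number> <rest>"
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")   # first dotted quad on the line

# Constructed sample output: Unix traceroute while ADSL is up.
ADSL_TRACE = """\
traceroute to 203.0.113.80 (203.0.113.80), 30 hops max, 40 byte packets
 1  10.0.0.1 (10.0.0.1)  0.412 ms  0.380 ms  0.371 ms
 2  123.4.5.1 (123.4.5.1)  1.104 ms  1.022 ms  0.998 ms
 3  198.51.100.1 (198.51.100.1)  18.331 ms  17.902 ms  18.114 ms
 4  * * *
 5  203.0.113.80 (203.0.113.80)  24.870 ms  25.012 ms  24.655 ms
"""

# Constructed sample output: Windows tracert while on ISDN backup.
ISDN_TRACE = """\
Tracing route to 203.0.113.80 over a maximum of 30 hops
  1    <1 ms    <1 ms    <1 ms  10.0.0.1
  2     2 ms     1 ms     1 ms  123.4.5.3
  3    95 ms    92 ms    94 ms  192.0.2.1
  4   110 ms   108 ms   109 ms  203.0.113.80
"""

def parse_hops(text):
    """Return [(hop_number, ip or None)]; None marks a hop that did not answer."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:                                   # header lines do not start with a number
            ip = IP_RE.search(m.group(2))
            hops.append((int(m.group(1)), ip.group(1) if ip else None))
    return hops

def active_path(hops):
    """Which WAN router the trace went through: 'ADSL', 'ISDN' or 'unknown'."""
    ips = [ip for _, ip in hops]
    return "ADSL" if ADSL_ROUTER in ips else "ISDN" if ISDN_ROUTER in ips else "unknown"

def monitor_candidate(hops):
    """Hop directly after the ADSL router; None if it is silent or the trace is not via ADSL."""
    for (_, ip), (_, nxt) in zip(hops, hops[1:]):
        if ip == ADSL_ROUTER:
            return nxt
    return None

if __name__ == "__main__":
    for name, trace in (("ADSL sample", ADSL_TRACE), ("ISDN sample", ISDN_TRACE)):
        hops = parse_hops(trace)
        print(name, "->", active_path(hops), "| monitor candidate:", monitor_candidate(hops))
```

A candidate returned here has only answered traceroute probes, so it still needs the ping check in step 1 above before being used in the profile.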
This example equally applies to :-
  1. Any installation with a router and a single subnet
  2. e.g. BT net start lines