In the olden days of the internet, we used to call these solutions a "dialup backup" or "dial around the cloud".
These were commonly used when critical access was required, or for dialing around a failure in the service provider's main delivery. They typically backed up the primary WAN path with a low-cost, slower solution.
(e.g. dial backup for any of the following)
- frame-relay
- x.25
- lease-line
- ADSL line
The old-school method was to purchase a business 2-wire phone line or ISDN line. Now, with 3G/4G services commonly available, cheap, and easily obtainable, the options are much simpler and quicker.
First, the topology.
The components that are required:
- router/firewall
- existing WAN uplink device
- usb-external modem
Now for the configuration and tips/tricks.
1:
First, you need a compatible external USB modem. Fortinet is always changing and adding new devices based on the software release, but most Huawei modems have a good track record for working.
Note: Read the release notes from Fortinet before purchasing a modem. I will not list modems here; do some research is all that I'm telling you.
I'm using an E352; the service provider is Orange-GETESA. You need to enable the modem from the CLI:
config sys modem
set status enable
end
2:
You need to identify the model. You have a few methods for doing this. The diag sys modem command is the trick. I will show you 2 ways:
method one (issuing an "ati" command): diag sys modem cmd ati
method two (diag sys modem commands): diag sys modem external-modem
method three (looking at the WebGUI)
3:
Next, you will probably need to identify some service-provider specifics. This will be a YMMV and will depend on the service provider (for example: dialup#, APN, phone#, PIN lockout, etc.).
For the provider Orange, I only need to provide a single dialup#. The SIM card in this case does not use a PUK (PIN unlock code) or any type of PIN insertion before initialization.
Note: If you have any PIN or PUK code requirements, make sure you confirm the numbers. You don't want to lock out the modem :)
Can't get any easier than that :)
4:
Since the modem is an interface, you will need a firewall policy. Make sure you apply the correct policy to allow traffic and sNAT.
Note: You can apply a traffic shaper to prioritize critical traffic such as VoIP over this interface. The above fwpolicy is for my wireless clients to access the internet via the 3G uplink.
5:
If this path is not to be used for the primary access, you might need to adjust the route preferences.
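Steps 1, 3, 4 and 5 collected into one CLI script, as an added example that is not the author's own configuration. The dial-string placeholder, the "wifi" source interface, the "wifi-clients" address object and its subnet, the distance of 20 (assuming the primary WAN route sits at a lower distance such as 10), and the use of # comment lines are assumptions; the policy is scoped to a single source subnet with logging on, so the backup uplink does not become an unmonitored any-to-any path.

```fortios
# Added example, not the author's config. Values in <...> and the names
# "wifi" / "wifi-clients" are placeholders or assumptions.

# Steps 1, 3 and 5: enable the modem, set the provider dial string, and give
# the modem's default route a higher distance than the primary WAN route.
config system modem
    set status enable
    set auto-dial enable
    set phone1 "<dialup-number-from-provider>"
    set distance 20
end

# Step 4: the only source subnet allowed out via the modem (constructed value).
config firewall address
    edit "wifi-clients"
        set subnet 192.168.50.0 255.255.255.0
    next
end

# Step 4: one scoped, logged policy with source NAT on the modem interface.
config firewall policy
    edit 0
        set srcintf "wifi"
        set dstintf "modem"
        set srcaddr "wifi-clients"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
```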
So that's how you do a dialup around the cloud using a basic configuration with a FortiGate and a Huawei modem. You can use this interface for VIP terminations, VPNs, or anything else as far as that goes.
Things to keep in mind:
- review if your modem is compatible and supported
- gather all dialup requirements from the provider
- keep in the back of your mind that data usage charges could apply based on your service plan
- adjust routing by increasing the distance of the routes available via this interface
- by using policy-based routing, you can throw some traffic down the slower path if required
add June 12 2014
Ken Felix
Consulting Engineer Network & Security ( Cisco, Juniper, Fortinet )
kfelix ----a---t---socpuppets ---d---o---t---com
I added the modem firmware screenshot; someone contacted me about modem problems with Huawei 3G modems.