Sunday, May 25, 2014

Dialup Around the cloud with a Huawei usb-modem and Fortigate

In this blog posting, we will explore a simple dial backup solution based on a 3G cellular provider usb-modem.

In the olden days of the internet, we used to call these solutions a "dialup backup", or "dial around the cloud".

These were commonly used when critical access was required, or for dialing around a failure in the service provider's main delivery. They typically backed up the primary WAN path with a low-cost, affordable, and slower solution.

(e.g. dial backup for any of the following)
  • frame-relay
  • x.25
  • lease-line
  • ADSL line

The old-school method was to purchase a business 2-wire phone line or ISDN line. Now, with 3G/4G services commonly available, cheap, and easily obtainable, the opportunities are much simpler and quicker.

1st the topology


So the components that are required:
  •  router/firewall
  •  existing WAN uplink device
  •  usb-external modem

We are using a FWF60D for this example. The FWF60D Fortigate appliance provides the directly attached LAN clients with wired and wireless access. The primary path would be our ADSL link, but we will also use the 3G modem as a WAN link. Routes over the modem link would be adjusted to be less preferred than the primary WAN path.


Now for the configuration and tips/tricks

1:

First you need a compatible external usb-modem. Fortinet is always changing and adding new devices based on the software release, but most Huawei modems have a good track record for working.

note: Read the release notes from Fortinet before purchasing a modem. I will not list modems here; do some research is all that I'm telling you.


I'm using an E352; the service provider is Orange-GETESA. You need to enable the modem from the CLI:

config sys modem
   set status enable
end


2:

You need to identify the model. You have a few methods for doing this. The diag sys modem command is the trick. I will show you 2 ways;

method one (issuing an "ati" command: diag sys modem cmd ati)



method two (diag sys modem commands: diag sys modem external-modem)


method three (looking at the WebGUI)

3:

Next, you will probably need to identify some service-provider specifics. This will be YMMV and will depend on the service provider (for example: dialup#, APN, phone#, PIN lockout, etc.).

For the provider Orange, I only need to provide a single dialup#. The SIM card in this case does not use a PUK (PIN unlock key) code or any type of PIN entry before initialization.

note: If you have any PIN or PUK code requirements, make sure you confirm the numbers. You don't want to lock out the modem :)



Can't get any easier than that :)

4th

Since the modem is an interface, you will need a firewall policy. Make sure you apply the correct policy to allow traffic and source NAT (SNAT).


Note: You can apply a traffic shaper to prioritize critical stuff like VoIP over this interface. The above fwpolicy is for my wireless clients to access the internet via the 3G uplink.

5th:

If this path is not to be used for the primary access, you might need to adjust the route preferences.
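One way to write steps 3 through 5 as CLI, given here as an added example and not the author's own configuration. The dial string placeholder, the source interface name "wifi", the standalone/auto-dial mode and the distance value 20 are assumptions; substitute the values for your provider and your unit.

```fortios
# Lines starting with "#" are annotations for the reader.
# Added example; placeholder and assumed values are marked.

# Step 3: provider dial-up settings on the modem.
config system modem
    set status enable
    # Assumed mode: the modem runs as its own WAN link
    set mode standalone
    set auto-dial enable
    # Placeholder: the dial string your provider gives you
    set phone1 "<provider-dialup-number>"
    # Step 5: assumed value, higher than the distance of the primary
    # WAN default route, so the modem route is less preferred
    set distance 20
end

# Step 4: policy from the wireless clients to the modem interface,
# with source NAT enabled.
config firewall policy
    edit 0
        # Assumed name of the wireless client interface
        set srcintf "wifi"
        set dstintf "modem"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# Lists active and inactive routes with their distances, to confirm
# the modem default route sits behind the primary one.
get router info routing-table database
```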



So that's how you do a dialup around the cloud using a basic configuration, with a Fortigate and a Huawei modem. You can use this interface for VIP terminations, VPNs, or anything else as far as that goes.

Things to keep in mind;
  1. review if your modem is compatible and supported
  2. gather all dialup requirements from the provider
  3. keep in the back of your mind that data usage charges could apply based on your service plan
  4. adjust routes by increasing the distance of the routes available via this interface
  5. by using policy-based routing you can throw some traffic down the slower path if required






Added June 12, 2014



Ken Felix
Consulting Engineer Network & Security  ( Cisco, Juniper, Fortinet )
kfelix  ----a---t---socpuppets ---d---o---t---com

     ^      ^
=(   ~   ~ )=
         o
      /     \


2 comments:

  1. I added the modem firmware screenshot; someone contacted me about modem problems with Huawei 3G modems

  2. nice blog
    Videocon telecom offers you online recharge facility for prepaid mobile/ DTH and data card. We are determined to provide 'Any Time Recharge' facility for prepaid account of mobile/DTH and data card.