Low Cost 24/7 LTE Failover/Failback Solution

elvisimprsntr

Active Member
I posted this on UDI forum, but thought it might be of interest here as well.  
 
BACKGROUND

Initially, I looked at adding a USB LTE modem to a DD-WRT router, configuring it for dual WAN, adding scripts to do the failover/failback, and changing the iptables rules to limit which IPs can use, and throttle the BW over, the LTE WWAN. While all technically possible, it seemed like a PITA.

So, here is the lowest non-recurring and recurring cost, minimal effort solution I am implementing.

NETGEAR LTE MODEMS

Netgear announced at CES 2017 a new line of LTE modems, ranging in price from $120 to $160. The LB1120 (Bridge) and LB1121 (Bridge w/PoE) will be released on Feb 20th, and the LB2120 (LTE Failover) on March 20th. https://netgear.com/home/products/mobile-broadband/lte-modems/ These are basically the same models as the UK versions (LB1110, LB1111) which have been available since June 2016, presumably with different LTE bands. There was a UK version (LB2110) of the US LB2120, but for some reason the product was either never introduced or pulled from the market. http://www.downloads.netgear.com/files/DoC/204-10950-01_CE_LB2110_EN-EP-FR-IT_20JUN16.pdf
  • LTE Bridge - US LB1120 - UK LB1110
  • LTE Bridge w/PoE - US LB1121 - UK LB1111
  • LTE Failover - US LB2120 - UK LB2110 (never released)

ORDER NOW

You can pre-order all three devices on Amazon. https://www.amazon.com/NETGEAR-LTE-Modem-Network-Ready-LB1120-100NAS/dp/B01N5ASNTE/ref=sr_1_1?ie=UTF8&qid=1486853740&sr=8-1&keywords=netgear%2Bmodem%2Blb1120&th=1
I was able to find one distributor who already has the first two in stock and is shipping now. Mine will be delivered Feb 17th. http://www.provantage.com/service/searchsvcs?QUERY=netgear+lte+modem&SUBMIT.x=15&SUBMIT.y=15

These units are significantly lower in price than any of the LTE failover products and services on the market (Cradlepoint, Cisco, Sierra, Peplink, etc.). I've looked at them all.

HOW IT WORKS

With the first two units, you still need a dual WAN router with failover/failback. The third model is installed between your WAN router and WAN ISP hardware; it does the failover/failback. There are no US model User's Manuals yet, but you can look at the UK equivalent for the first two. http://www.downloads.netgear.com/files/GDC/LB1110/LB111X_UM_EN.pdf. The product support page for the third UK model was never published.

Not knowing why Netgear never released the UK version of the unit with LTE failover and skeptical how mature the firmware will be, I ended up getting the LB1120 (LTE Bridge). For the dual WAN failover, I purchased a well proven Linksys LRT224 (Dual WAN VPN Router). https://www.amazon.com/Linksys-Business-Gigabit-Router-LRT224/dp/B00GK640D6/ref=sr_1_1?ie=UTF8&qid=1486855892&sr=8-1&keywords=linksys+dual+vpn. It meets all of my requirements, including dual DyDNS. A secondary benefit of the LRT224 is all the complex LAN configuration is now in a dedicated appliance, which reduces my DD-WRT router to simple WLAN APs. Much easier to manage after a firmware upgrade or factory reset.
 
LTEfailover.jpg

LTE SERVICE OPTIONS

Now that I have a low cost hardware solution, time to look for low cost LTE service. Since the failover WWAN is a very infrequent use scenario for temporary primary WAN service outages, I really don't need a lot of data. One option was to add a SIM to my existing cell phone data plan for an additional $25 per month, but I wanted to find an even lower cost solution.

IOT PLANS TO THE RESCUE

In the US, both ATT and T-Mobile have announced IoT data plans for companies who want to build products which use very little data and sell the products with services to consumers. I briefly looked at T-Mobile. ATT seemed to offer a lower cost option. With ATT, for as little as $25 you get 1 GB/year. ATT has plans with higher amounts, but if you reach the data bucket limit it simply charges for another data bucket. You can have up to 1000 SIMs under the same plan. Each SIM costs $1 per month. So I registered with ATT as a developer, linking my GitHub account. https://m2x.att.com I bought and already received my 1 GB IoT SIM card. https://iotdataplans.att.com I just have to activate it once my LB1120 arrives on Feb 17th and configure the APN in the LTE modem for ATT IoT (m2m.com.attz) https://developer.att.com/technical-library/apns/apn-descriptions-and-characteristics

CONCLUSION

So for basically a few hundred bucks and $3/month, I will have 24/7 LTE failover/failback for my whole house. My ISY/Elk can continue to send SMS notifications and receive push notifications from third party mobile apps. Another benefit is the next time Comcast raises my internet access rates, I can simply pop in a higher data bucket LTE SIM and tell Comcast to pound sand.
 
Very nice!  
 
Doing similar but different here.  Purchased an old Ericsson W.25 combo modem and connected it to the failover WAN on the PFSense firewall, phone system (for backup) and do SMS with it (via SSH/Telnet).  It is not LTE today; rather it is a 3G connection, which suffices for my needs.   I also found the programmers manual for my W.25 as I had purchased it for Australia use and thus the device was configured for that.  I didn't like the dial tone stuff so changed the modem to US use.
 
EricssonW25.jpg
 
Also have one of these but it is only wireless and I cannot connect to the internet via the USB connection.
 
LTE-T-Mobile.jpg
 
Have a couple of the Nexus Hawk devices which are nice and include a point of presence with a built in GPS and dual sim card connectivity, WLAN and Wired NIC but no VOIP is built in. 
 
nexushawk.jpg
 
A while back got a deal on purchasing multiple SIMs / multiple accounts with T-Mobile after getting slammed by AT&T (grandfathered accounts for 25 years).    Recently too T-Mobile shut down LTE smart phone tethering such that it only works these days with 3G.  They are massaging the internet access though through their network now, and I noticed per a service ticket that the LTE is oversubscribed in my area. I did see a public notice of more fiber / new fiber going to some local cellular towers. I also noticed that the DNS can be anywhere in the country such that I utilize only the PFSense DNS stuff these days.
 
So on one hand they are mentioning more data and faster connections while what is happening now is bucket charging on the data (slick willy style) and massaging what data you get and what speed it comes to you at. I cannot do flash videos anymore with Firefox on certain web sites but I can see them fine via the tethered connection to my smart phone.
 
Did a failover test shutting down primary gateway.  These results though look way off for T-Mobile.
 
t-mobile.jpg
 
Redid the T-Mobile failover test and these numbers are more accurate.
 
tmobile2.jpg
 
My Netgear LB1120 arrived today, 5 days before official release.  I did some basic failover/back testing to confirm it works seamlessly with my Linksys LRT224.   I'll do some more failover/back stress testing this weekend.  Otherwise, it works "Like a boss!"
 
LB1120.JPG
 
 
I bought the external Netgear low gain LTE antenna, but I think I could do without it.  
 
BACKGROUND

After reading thru the Linksys LRT224 manual and some help from @chadster766 on the Linksys forum, I was able to figure out how to limit which LAN IP/services have access to the WAN2 LTE failover interface. Actually, it was quite easy once I knew how. I tested the firewall rules applied to my WAN1 interface to confirm it all works before applying it to just the WAN2 interface.

SUMMARY

So now my Elk, ISY, ZoneMinder (http://zoneminder.com) NVR Server, and other security related devices will be the only devices with access to the WAN2 LTE failover interface. I am now 100% satisfied with my solution for 24/7 LTE failover.

FIREWALL ACCESS RULES EXAMPLE


lrt224_firewall_rules.jpg
 
So in Linksys rules, if you allow some traffic on an interface by a rule with higher priority than a rule that denies all traffic to the same interface, it works the way you want it to?  I'm not sure I would have guessed that, either.
 
-Tom
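
The rule ordering asked about above, as an added example that is not part of any post in this thread: a small first-match evaluator with allow rules for three security devices placed ahead of a deny-all on the WAN2 failover interface, plus the same rules with the deny-all moved to the top. The device addresses, the rule layout and the first-match-by-priority semantics are assumptions for illustration, not the LRT224's actual configuration or firmware behaviour.

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Rule:
    priority: int    # lower number is evaluated first (assumed semantics)
    action: str      # "allow" or "deny"
    interface: str   # "WAN1", "WAN2" or "ANY"
    source: str      # LAN source as CIDR

# Constructed rule set; all addresses are hypothetical.
RULES = [
    Rule(1, "allow", "WAN2", "192.168.1.10/32"),  # Elk panel
    Rule(2, "allow", "WAN2", "192.168.1.11/32"),  # ISY controller
    Rule(3, "allow", "WAN2", "192.168.1.12/32"),  # ZoneMinder NVR
    Rule(4, "deny",  "WAN2", "0.0.0.0/0"),        # everything else on LTE
    Rule(5, "allow", "ANY",  "192.168.1.0/24"),   # normal LAN -> WAN traffic
]

# Same rules, but the deny-all is given top priority and shadows the allows.
MISORDERED = [replace(r, priority=0) if r.action == "deny" else r for r in RULES]

def decide(rules, src_ip, interface):
    """Return the action of the first rule (by priority) matching the packet."""
    src = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.interface not in ("ANY", interface):
            continue
        if src in ipaddress.ip_network(rule.source):
            return rule.action
    return "deny"  # nothing matched: fail closed

def audit(rules, interface, lan="192.168.1.0/24"):
    """List every LAN host the rule set lets out through the interface."""
    return [str(h) for h in ipaddress.ip_network(lan).hosts()
            if decide(rules, str(h), interface) == "allow"]

if __name__ == "__main__":
    print("WAN2 allowed:", audit(RULES, "WAN2"))
    print("WAN1 allowed hosts:", len(audit(RULES, "WAN1")))
    print("WAN2 allowed (deny-all first):", audit(MISORDERED, "WAN2"))
```

Running the audit over the whole LAN range, rather than spot-checking one device, is what shows whether a WAN2-only rule has leaked into WAN1 behaviour.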
 
elvisimprsntr said:
My Netgear LB1120 arrived today, 5 days before official release.  I did some basic failover/back testing to confirm it works seamlessly with my Linksys LRT224.   I'll do some more failover/back stress testing this weekend.  Otherwise, it works "Like a boss!"
 
LB1120.JPG
 
 
I bought the external Netgear low gain LTE antenna, but I think I could do without it.  
 
If you lose your internet connection (e.g. unplug the cable from your cable modem, and not from the Linksys), how long does it take for the path to fail over to the cellular path?
 
Default is 150 seconds (5 retries X 30 seconds each), but you can tweak as you like provided your ISP/DNS server you are continuously pinging doesn't label your IP as a DoS attack.
 
Well, it seems as if the LRT224 can't properly apply custom firewall rules. I've tried various versions of firewall rules on the LTE backup WAN2 interface, even reversing WAN1/2 connections/rules, and get the same results. While everything seems to work initially, I keep losing my primary WAN connection. I have to either disable the rules or reset rules to defaults. @chadster766 on Linksys forum was also stumped. At this point I have two options: live with it or buy a Cisco RV042G.
 
Use PFSense.  
 
T-Mobile fail over here tickle the interface Internet connection.  Before I did this it would just shut down until I connected to it.   It is a T-Mobile LTE SIM card.
 
Thought you found a combination network, voice and SMS modem to use a while ago from Canada?  
 
Tested this morning shutting down the primary gateway.  Secondary was up in a few seconds.
 
Did a what is my ip.  
 
ISP: T-Mobile Region: California Country: USA   Speeds are slow this morning though.  Still would like to find an LTE combo modem which lets me do voice, internet and SMS.  
 
WAN-2.jpg
 
Tested a tethered connection to my mobile phone.
 
tethering.jpg
 
Direct testing with mobile phone:
 
direct.jpg
 
If you could get this one to work here the price is great at around $60.
 
HUAWEI E5172
E5172s-515
4G LTE
150Mbps Cat4
Band 2/5/7 (850/1900/2600MHz)
CPE Mobile Wireless Gateway
 
HUAWEI E5172 .jpg
 
 
I called Linksys customer service to open a ticket to hopefully get some resolution.  I had them review my Linksys forum thread, and they confirmed my FW access rules should work and not affect WAN1.   Unfortunately, they will not elevate this as a firmware issue until they swap out my current unit.  They are sending me an advance RMA replacement unit.   Once I swap out the unit and confirm the issue, hopefully it will get elevated to the firmware group.
 
Linksys official info and how to create FW access rules:  http://www.linksys.com/us/support-article?articleNum=164489
 
As am I...
 
And since I started playing around with pfSense a month or so ago (not yet live), I'm intrigued by Pete's suggestion above and might try using it without the need for the Linksys...
 
Keep us posted.
 
BACKGROUND
 
Good news, bad news...
 
Good news is I received my advance RMA replacement LRT224.
 
Bad news is I was able to duplicate the problem on the replacement LRT224 hardware.   
 
CISCO RV042G
 
For the fun of it I ordered a Cisco RV042G, which is basically the same hardware (lights, ports, features, wall transformer, packaging, and bet money it is the exact same circuit board), except it has slightly different firmware.     I suspect this is a carryover from when Cisco owned Linksys before selling to Belkin.   I was able to successfully get everything to work, including firewall rules.  There were a few quirks with the RV042G in order to get local DNS and DNSMasq (DNS Proxy) working together, a problem that apparently has plagued the RV042(G) models for some time, for which no one seemed to have discovered a solution.  You have to add the local DNS IP address to the list of WAN facing DNS servers.  Also, the IPSec server is not a full implementation, thus one cannot connect using iOS/macOS (others?) devices.  Sadly, the RV042 also does not support no-ip.com DyDNS.  Consequently, I returned the RV042G for a full refund from Amazon.
 
LINKSYS LRT224
 
There are basically two scenarios under which the LRT224 will drop the primary WAN connection and/or DNS servers.
 
1. If I enable DyDNS on the failover WAN2 (using a completely different hostname), the LRT224 will not resolve DNS requests over the WAN1 connection.  Or,
2. I configure custom firewall access rules (see previous posts) applied ONLY to WAN2.
 
In either of these situations, WAN DNS requests will sometimes not work initially, or not at all, or work for a short period of time before it stops working.   
 
CONCLUSION
 
It appears there is a fundamental problem with the firmware of the LRT224.   Hopefully, I can now get Linksys to recognise there is a problem and fix it.
 
Just an FYI there elvisimprsntr relating to your endeavor.
 
It's been a few years now that I have purchased a few cheapo imports here.
 
They were combo routers with one WAN port, one USB cellular stick port, 5 LAN port and included Wifi.
 
Most I spent on these combo routers at the time was around $20.
 
They did have WAN failover built in to the OS's and it worked just fine as I would play with them.  They were just too big.
 
I always stayed away from Linksys, LinksysCisco crap.  (except for the linux based Linksys WRT-54G).  That is me.
 
I have been writing about tinkering with the tiny travel routers with two network ports and USB and OpenWrt on them.
 
These do the same in a 3" square box with OpenWRT.  Last endeavor was using a modded GL-iNet travel router.  Here added an RTC clock and 1 wire network, plus VPN. 
 
I have not goofed around with the little ZTE wireless device.  I did find some firmware for it that would enable the USB port access which would then provide me with both wireless and USB access to the internet. 
 