Overview
I found an old O2 3G USB broadband Internet dongle sitting around in a box and decided to put it to good use. Here is how I've used it to act as a backup for my main wired broadband Internet connection at home.
Prerequisites
You will require the following:
- A properly functioning broadband Internet connection and LAN/WLAN at home.
- FortiGate firewall running FortiOS 5.0 (I've used v5.0,build0208 GA Patch 3).
- A mobile broadband Internet dongle (USB) with a valid SIM (I used a ZTE MF100 from O2).
- Mobile Internet APN, username and password (for T-Mobile APN=everywhere; username=eesecure; password=secure).
Note: your USB modem may be provider-locked, as mine was to O2. If it is, you will need to unlock it first, either by calling your provider and paying them some of your hard-earned cash, or by using this software.
Configuration
Insert your 3G USB dongle with a SIM card into one of the spare USB ports on the FortiGate firewall and reboot it. If you don't reboot the firewall, the USB modem may not get detected properly.
Custom Modem Definition
To enable modem settings, run the following commands on the console:
config system modem
set status enable
end
Unless your modem is on the supported list, you will need to add a custom entry. First, check the list in the GUI to see whether your modem is listed and, if it is, select it:
Network -> Modem -> Configure Modem
Otherwise, identify your modem via a USB bus scan:
# fnsysctl cat /proc/bus/usb/devices
...
T: Bus=01 Lev=02 Prnt=02 Port=01 Cnt=01 Dev#= 5 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=19d2 ProdID=0017 Rev= 0.00
S: Manufacturer=ZTE,Incorporated
S: Product=ZTE WCDMA Technologies MSM
S: SerialNumber=P671A1ZTED010000
C:* #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=serial
E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms
...
Then, using the Vendor and ProdID from the output above, create a custom modem:
config system 3g-modem custom
edit 1
set vendor "ZTE"
set model "MF100"
set vendor-id 19d2
set product-id 0017
next
end
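As an added example (not from the original article and not Fortinet code), the following Python script parses a /proc/bus/usb/devices listing such as the one above, selects a device by its USB IDs and renders the same custom-modem stanza; the listing embedded in it is constructed from the MF100 record shown above plus a hub entry.

```python
import re
# Constructed sample of 'fnsysctl cat /proc/bus/usb/devices': a hub plus the
# ZTE MF100 record from the article (D:/I: lines omitted). 'T:' starts a device.
SAMPLE_LISTING = """\
T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  2 Spd=480 MxCh= 0
P:  Vendor=1d6b ProdID=0002 Rev= 2.06
S:  Product=EHCI Host Controller

T:  Bus=01 Lev=02 Prnt=02 Port=01 Cnt=01 Dev#=  5 Spd=480 MxCh= 0
P:  Vendor=19d2 ProdID=0017 Rev= 0.00
S:  Manufacturer=ZTE,Incorporated
S:  Product=ZTE WCDMA Technologies MSM
S:  SerialNumber=P671A1ZTED010000
C:* #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA
"""

def parse_usb_devices(listing):
    """Return one dict per device: vendor_id, product_id and the S: strings."""
    devices = []
    for line in listing.splitlines():
        if line.startswith("T:"):      # topology line: a new device begins
            devices.append({})
        elif not devices:
            continue                    # anything before the first T: line
        elif line.startswith("P:"):    # product line carries the USB IDs
            m = re.search(r"Vendor=([0-9a-fA-F]{4})\s+ProdID=([0-9a-fA-F]{4})", line)
            if m:
                devices[-1]["vendor_id"] = m.group(1).lower()
                devices[-1]["product_id"] = m.group(2).lower()
        elif line.startswith("S:"):    # string descriptors (Manufacturer, Product, ...)
            key, _, value = line[2:].strip().partition("=")
            devices[-1][key.lower()] = value.strip()
    return devices

def find_device(listing, vendor_id, product_id):
    # Pick the device whose USB IDs match; hex is compared case-insensitively.
    wanted = (vendor_id.lower(), product_id.lower())
    for dev in parse_usb_devices(listing):
        if (dev.get("vendor_id"), dev.get("product_id")) == wanted:
            return dev
    return None

def custom_modem_config(dev, model, entry=1):
    """Render the FortiOS 'config system 3g-modem custom' stanza for a parsed device."""
    vendor = dev.get("manufacturer", "unknown").split(",")[0]  # 'ZTE,Incorporated' -> 'ZTE'
    return "\n".join([
        "config system 3g-modem custom", f"    edit {entry}",
        f'        set vendor "{vendor}"', f'        set model "{model}"',
        f"        set vendor-id {dev['vendor_id']}", f"        set product-id {dev['product_id']}",
        "    next", "end"])
```

Feed it the real listing from your own unit and check the rendered vendor-id and product-id against the P: line before pasting the stanza into the CLI.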
Next, you will need to find the serial port used by your modem, because your modem may actually appear on two different serial ports, possibly due to this related bug.
Scan through all available ports on your FortiGate as follows, by issuing a dial command:
# diag sys modem com /dev/ttyusb0
Serial port: /dev/ttyusb0
Press Ctrl+W to exit.
# diag sys modem com /dev/ttyusb1
Serial port: /dev/ttyusb1
Press Ctrl+W to exit.
atdt*99#
NO CARRIER
# diag sys modem com /dev/ttyusb2
Serial port: /dev/ttyusb2
Press Ctrl+W to exit.
atdt*99#
CONNECT 3600000
# diag sys modem com /dev/ttyusb3
Serial port: /dev/ttyusb3
Press Ctrl+W to exit.
In this case the port you want is /dev/ttyusb2, since the dial command returns CONNECT (a dial-tone). Unfortunately I am not quite sure how to hang up the line correctly after this test, so I end up power-cycling the firewall at this point.
Modem Configuration
We can now configure our modem:
config system modem
set status enable
set mode redundant
set dial-on-demand enable
set connect-timeout 30
set interface "external" # your primary Internet interface
set wireless-port 3
set phone1 "*99#"
set username1 "APN username"
set passwd1 "APN password"
set extra-init1 "AT+CGDCONT=1,\"IP\",\"your.provider.APN\""
set distance 100
end
Note: see this Fortinet KB article on how to map ttyusbX to wireless-port, which is "3" in this case.
Check that the system can now talk to your modem and that a dial-tone is detected:
# diag sys modem detect
modem is attached.
dialtone is detected.
# diag sys modem query
USB status: Connected
manufacturer: ZTE INCORPORATED
model: MF100
IMEI number: XXXX
SIM state: Unknown
service status: Unknown
signal level: 1/4
network name: Orange
network type: UTRAN
location area code:
active profile(AT&V):
&C: 2; &D: 2; &E: 0; &F: 0; &S: 0; &W: 0; E: 1; L: 0; M: 0; Q: 0; V: 1;
X: 1; Z: 0; \Q: 3; \S: 0; \V: 0; S0: 0; S2: 43; S3: 13; S4: 10; S5: 8;
S6: 2; S7: 50; S8: 2; S9: 6; S10: 14; S11: 95; S30: 60; S103: 1; S104: 1;
+FCLASS: 0; +ICF: 3,3; +IFC: 2,2; +IPR: 115200; +DR: 0; +DS: 0,0,2048,6;
+WS46: 12; +CBST: 0,0,1;
+CRLP: (61,61,48,6,0),(61,61,48,6,1),(240,240,52,6,2);
+CV120: 1,1,1,0,0,0; +CHSN: 0,0,0,0; +CSSN: 0,0; +CREG: 0; +CGREG: 0;
+CFUN:; +CSCS: "IRA"; +CSTA: 129; +CR: 0; +CRC: 0; +CMEE: 2; +CGDCONT: (1,"IP","everywhere","0.0.0.0",0,0)
; +CGDSCONT: ; +CGTFT: ; +CGEQREQ: ; +CGEQMIN: ; +CGQREQ: ; +CGQMIN: ;
...
Dead Gateway Detection
You need to reconfigure your primary "external" interface so that a failed link is detected. Find your next-hop router first:
$ traceroute -m 2 -d 1.1.1.1
traceroute to 1.1.1.1 (1.1.1.1), 2 hops max, 52 byte packets
1 192.168.67.254 (192.168.67.254) 282.554 ms 1.091 ms 0.977 ms
2 217.33.154.151 (217.33.154.151) 13.737 ms 15.177 ms 324.736 ms
Then, configure the gateway detect settings on your primary external interface:
config router gwdetect
edit 1
set interface "external"
set server "217.33.154.151"
next
end
config system interface
edit "external"
set fail-detect enable
set fail-detect-option detectserver
...
next
end
Finally, adjust the modem interface with some important additional parameters:
config system interface
edit "modem"
set distance 100
set defaultgw enable
set dns-server-override disable
...
next
end
Firewall Policy
You need to allow access from your internal network to your backup external interface (i.e. the modem). The best way to do this is to group your primary external interface and the modem into an interface zone as follows:
config system zone
edit "external_zone"
set interface "external" "modem"
next
end
Then, you can update your existing outbound firewall policy to use the zone as the destination interface:
config firewall policy
edit 1
set srcintf "internal"
set dstintf "external_zone"
set srcaddr "net_192.168.67.0_24"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
end
Dynamic DNS (Optional)
You may want to configure DDNS on your 3G interface, if you are planning to connect to services on your internal network during fail-over:
config system ddns
edit 1
set ddns-server dyndns.org
set ddns-domain "yourhostname.dyndns.org"
set ddns-username "your username"
set ddns-password "your password"
set monitor-interface "modem"
next
end
Testing
While you monitor an external IP with a ping session from a host on your local network, drop your primary external interface and observe the modem interface take over.
Note, if you have a tunnelled IPv6 configuration on your primary interface, be prepared for network instability once you fail-over to the modem interface. Since there is no way to specify the modem interface on your sit-tunnel, the tunnel is effectively broken for the duration of the fail-over.
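To quantify that fail-over rather than eyeball it, here is an added Python helper (not part of the original article) that reads a saved ping transcript, measures the longest run of lost probes and checks whether the reply TTL changed, which shows the replies now return over a different path; the transcript embedded below is constructed.

```python
import re
from statistics import mean

# Constructed ping transcript (one probe per second) from a LAN host while the
# primary external interface was dropped; replies resume once the modem is up.
SAMPLE_PING = """\
64 bytes from 1.1.1.1: icmp_seq=1 ttl=57 time=12.1 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=57 time=11.8 ms
64 bytes from 1.1.1.1: icmp_seq=3 ttl=57 time=12.4 ms
64 bytes from 1.1.1.1: icmp_seq=9 ttl=52 time=188.0 ms
64 bytes from 1.1.1.1: icmp_seq=10 ttl=52 time=201.3 ms
64 bytes from 1.1.1.1: icmp_seq=11 ttl=52 time=176.9 ms
"""
REPLY_RE = re.compile(r"icmp_seq=(\d+) ttl=(\d+) time=([\d.]+) ms")

def parse_replies(log):
    """Return (seq, ttl, rtt_ms) for every echo-reply line in a ping transcript."""
    return [(int(s), int(t), float(ms)) for s, t, ms in REPLY_RE.findall(log)]

def analyse_failover(log, interval=1.0):
    """Summarise a fail-over test from a ping transcript.
    outage_s: longest run of missing sequence numbers times the probe interval;
    path_changed: reply TTL differs before and after that gap, i.e. the replies
    now come back over a different path; rtt_before/rtt_after: mean RTT (ms)."""
    replies = parse_replies(log)
    if len(replies) < 2:
        return None
    longest, gap_idx = 0, None
    for i in range(1, len(replies)):
        lost = replies[i][0] - replies[i - 1][0] - 1   # missing seq numbers
        if lost > longest:
            longest, gap_idx = lost, i
    if gap_idx is None:             # nothing lost: no fail-over was observed
        return {"outage_s": 0.0, "lost_probes": 0, "path_changed": False}
    before, after = replies[:gap_idx], replies[gap_idx:]
    return {
        "outage_s": longest * interval,
        "lost_probes": longest,
        "path_changed": before[-1][1] != after[0][1],
        "rtt_before": round(mean(r[2] for r in before), 1),
        "rtt_after": round(mean(r[2] for r in after), 1),
    }
```

Save the ping session to a file during the test and pass its contents to analyse_failover; an outage_s of zero means the failover was never exercised, and an unchanged TTL with a similar RTT suggests the primary link never actually went down.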
References
I've used the following reference material to prepare the solution described in this article. Many thanks to the respective authors.