I found an old O2 3G USB broadband Internet dongle sitting around in a box and decided to put it to good use. Here is how I've used it to act as a backup for my main wired broadband Internet connection at home.
You will require the following:
- Properly functioning broadband Internet connection and LAN/WLAN at home.
- FortiGate firewall running FortiOS 5.0 (I've used v5.0,build0208 GA Patch 3).
- A mobile broadband Internet dongle (USB) with a valid SIM (I used a ZTE MF100 from O2).
- Mobile Internet APN, username and password (for T-Mobile APN=everywhere; username=eesecure; password=secure).
Insert your 3G USB dongle with a SIM card into one of the spare USB ports on the FortiGate firewall and reboot it. If you don't reboot the firewall, the USB modem may not get detected properly.
Custom Modem Definition
To enable modem settings, run the following commands on the console:
config system modem
    set status enable
end
Unless your modem is on the supported list, you will need to add a custom entry. Have a look through the list in the GUI first to see if your modem is listed and if it is, select it:
Network -> Modem -> Configure Modem
Otherwise, identify your modem via a USB bus scan:
# fnsysctl cat /proc/bus/usb/devices
...
T:  Bus=01 Lev=02 Prnt=02 Port=01 Cnt=01 Dev#=  5 Spd=480 MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=19d2 ProdID=0017 Rev= 0.00
S:  Manufacturer=ZTE,Incorporated
S:  Product=ZTE WCDMA Technologies MSM
S:  SerialNumber=P671A1ZTED010000
C:* #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA
I:  If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=serial
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms
...
Then, using the Vendor and ProdID from the output above, create a custom modem:
config system 3g-modem custom
    edit 1
        set vendor "ZTE"
        set model "MF100"
        set vendor-id 19d2
        set product-id 0017
    next
end
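To take the guesswork out of reading the bus scan, here is an added example (not from the original article) that parses /proc/bus/usb/devices output in the format shown above, picks out devices bound to the serial driver, and renders the matching custom modem stanza. The sample text, the vendor/model labels and the function names are constructed for illustration.

```python
import re

# Constructed sample in the /proc/bus/usb/devices format: a hub plus the dongle
SAMPLE = """\
T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  2 Spd=480 MxCh= 4
P:  Vendor=0000 ProdID=0000 Rev= 0.00
S:  Product=USB Hub
T:  Bus=01 Lev=02 Prnt=02 Port=01 Cnt=01 Dev#=  5 Spd=480 MxCh= 0
P:  Vendor=19d2 ProdID=0017 Rev= 0.00
S:  Manufacturer=ZTE,Incorporated
S:  Product=ZTE WCDMA Technologies MSM
S:  SerialNumber=P671A1ZTED010000
C:* #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA
I:  If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=serial
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
"""

def parse_usb_devices(text):
    """Return one dict per device; every 'T:' line opens a new device record."""
    devices = []
    for line in text.splitlines():
        tag, _, body = line.partition(":")
        body = body.lstrip("* ").strip()
        if tag == "T":
            devices.append({"interfaces": []})
            continue
        if not devices:
            continue
        dev = devices[-1]
        if tag == "P":                      # vendor / product IDs (hex)
            m = re.search(r"Vendor=([0-9a-f]{4})\s+ProdID=([0-9a-f]{4})", body)
            if m:
                dev["vendor_id"], dev["product_id"] = m.group(1), m.group(2)
        elif tag == "S":                    # string descriptors
            key, _, val = body.partition("=")
            dev[key.lower()] = val.strip()
        elif tag == "I":                    # interface -> bound kernel driver
            m = re.search(r"Driver=(\S+)", body)
            dev["interfaces"].append(m.group(1) if m else "(none)")
    return devices

def serial_modems(devices):
    """Keep only devices that expose a serial interface and carry a P: line."""
    return [d for d in devices if "serial" in d["interfaces"] and "vendor_id" in d]

def custom_modem_stanza(dev, index=1, vendor="ZTE", model="MF100"):
    """Render the FortiOS 'config system 3g-modem custom' entry for one device."""
    lines = ["config system 3g-modem custom", f"    edit {index}",
             f'        set vendor "{vendor}"', f'        set model "{model}"',
             f"        set vendor-id {dev['vendor_id']}",
             f"        set product-id {dev['product_id']}", "    next", "end"]
    return "\n".join(lines)
```

Feed it the real scan output (`fnsysctl cat /proc/bus/usb/devices`) instead of SAMPLE and paste the printed stanza into the CLI.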
Next, you will need to find the serial port used by your modem, because your modem may actually appear on two different serial ports, possibly due to this related bug.
Scan through all available ports on your FortiGate as follows, by issuing a dial command:
# diag sys modem com /dev/ttyusb0
Serial port: /dev/ttyusb0
Press Ctrl+W to exit.
# diag sys modem com /dev/ttyusb1
Serial port: /dev/ttyusb1
Press Ctrl+W to exit.
atdt*99#
NO CARRIER
# diag sys modem com /dev/ttyusb2
Serial port: /dev/ttyusb2
Press Ctrl+W to exit.
atdt*99#
CONNECT 3600000
# diag sys modem com /dev/ttyusb3
Serial port: /dev/ttyusb3
Press Ctrl+W to exit.
In this case the port you want is /dev/ttyusb2, since that is the one that answers the dial with CONNECT. Unfortunately I am not quite sure how to hang up the line correctly after this test, so I end up power cycling the firewall at this point.
We can now configure our modem:
config system modem
    set status enable
    set mode redundant
    set dial-on-demand enable
    set connect-timeout 30
    set interface "external"    # your primary Internet interface
    set wireless-port 3
    set phone1 "*99#"
    set username1 "APN username"
    set passwd1 "APN password"
    set extra-init1 "AT+CGDCONT=1,\"IP\",\"your.provider.APN\""
    set distance 100
end
Note, see this Fortinet KB article regarding how to map ttyusbX to wireless-port, which is "3" in this case.
Check to make sure the system can now talk to your modem and that a dial-tone is detected:
# diag sys modem detect
modem is attached.
dialtone is detected.
# diag sys modem query
USB status: Connected
manufacturer: ZTE INCORPORATED
model: MF100
IMEI number: XXXX
SIM state: Unknown
service status: Unknown
signal level: 1/4
network name: Orange
network type: UTRAN
location area code:
active profile(AT&V): &C: 2; &D: 2; &E: 0; &F: 0; &S: 0; &W: 0; E: 1; L: 0; M: 0; Q: 0; V: 1; X: 1; Z: 0; \Q: 3; \S: 0; \V: 0; S0: 0; S2: 43; S3: 13; S4: 10; S5: 8; S6: 2; S7: 50; S8: 2; S9: 6; S10: 14; S11: 95; S30: 60; S103: 1; S104: 1; +FCLASS: 0; +ICF: 3,3; +IFC: 2,2; +IPR: 115200; +DR: 0; +DS: 0,0,2048,6; +WS46: 12; +CBST: 0,0,1; +CRLP: (61,61,48,6,0),(61,61,48,6,1),(240,240,52,6,2); +CV120: 1,1,1,0,0,0; +CHSN: 0,0,0,0; +CSSN: 0,0; +CREG: 0; +CGREG: 0; +CFUN:; +CSCS: "IRA"; +CSTA: 129; +CR: 0; +CRC: 0; +CMEE: 2; +CGDCONT: (1,"IP","everywhere","0.0.0.0",0,0) ; +CGDSCONT: ; +CGTFT: ; +CGEQREQ: ; +CGEQMIN: ; +CGQREQ: ; +CGQMIN: ;
...
Dead Gateway Detection
First, run a short traceroute from a host on your LAN to find an upstream address beyond your own gateway that the firewall can probe:
$ traceroute -m 2 -d 22.214.171.124
traceroute to 126.96.36.199 (188.8.131.52), 2 hops max, 52 byte packets
 1  192.168.67.254 (192.168.67.254)  282.554 ms  1.091 ms  0.977 ms
 2  184.108.40.206 (220.127.116.11)  13.737 ms  15.177 ms  324.736 ms
Then, configure the gateway detect settings on your primary external interface:
config router gwdetect
    edit 1
        set interface "external"
        set server "18.104.22.168"
    next
end
config system interface
    edit "external"
        set fail-detect enable
        set fail-detect-option detectserver
        ...
    next
end
Finally, adjust the modem interface with some important additional parameters:
config system interface
    edit "modem"
        set distance 100
        set defaultgw enable
        set dns-server-override disable
        ...
    next
end
Next, group the primary and modem interfaces into a single zone so that one policy can cover both paths:
config system zone
    edit "external_zone"
        set interface "external" "modem"
    next
end
Then, you can update your existing outbound firewall policy to use the zone as the destination interface:
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "external_zone"
        set srcaddr "net_192.168.67.0_24"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
Dynamic DNS (Optional)
If your hostname should keep resolving after a fail-over, configure DDNS to follow the modem interface:
config system ddns
    edit 1
        set ddns-server dyndns.org
        set ddns-domain "yourhostname.dyndns.org"
        set ddns-username "your username"
        set ddns-password "your password"
        set monitor-interface "modem"
    next
end
While you monitor an external IP with a ping session from a host on your local network, drop your primary external interface and observe the modem interface take over.
Note, if you have a tunnelled IPv6 configuration on your primary interface, be prepared for network instability once you fail-over to the modem interface. Since there is no way to specify the modem interface on your sit-tunnel, the tunnel is effectively broken for the duration of the fail-over.
I've used the following reference material to prepare the solution described in this article. Many thanks to the respective authors.