Saturday, 29 June 2013

FortiGate with ZTE MF100 3G USB modem and T-Mobile for a backup Internet connection



Overview


I found an old O2 3G USB  broadband Internet dongle sitting around in a box and decided to put it to good use.  Here is how I've used it to act as a backup for my main wired broadband Internet connection at home.


Prerequisites


You will require the following:
  • Properly functioning broadband Internet connection and LAN/WLAN at home.
  • FortiGate firewall running FortiOS 5.0 (I've used v5.0,build0208 GA Patch 3).
  • A mobile broadband Internet dongle (USB) with a valid SIM (I used a ZTE MF100 from O2).
  • Mobile Internet APN, username and password (for T-Mobile APN=everywhere; username=eesecure; password=secure).
Note, your USB modem may be provider locked, like mine was to O2.  If it is, you will need to unlock it first, by either calling your provider and paying them some of your hard-earned cash, or using this software.

Configuration


Insert your 3G USB dongle with a SIM card into one of the spare USB ports on the FortiGate firewall and reboot it.  If you don't reboot the firewall, the USB modem may not get detected properly.

Custom Modem Definition


To enable modem settings, run the following commands on the console:
 config system modem   
  set status enable   
 end  

Unless your modem is on the supported list, you will need to add a custom entry.  Have a look through the list in the GUI first to see if your modem is listed and if it is, select it:
Network -> Modem -> Configure Modem

Otherwise, identify your modem via a USB bus scan:
 # fnsysctl cat /proc/bus/usb/devices    
 ...    
 T: Bus=01 Lev=02 Prnt=02 Port=01 Cnt=01 Dev#= 5 Spd=480 MxCh= 0    
 D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1    
 P: Vendor=19d2 ProdID=0017 Rev= 0.00    
 S: Manufacturer=ZTE,Incorporated    
 S: Product=ZTE WCDMA Technologies MSM    
 S: SerialNumber=P671A1ZTED010000    
 C:* #Ifs= 5 Cfg#= 1 Atr=e0 MxPw r=500mA    
 I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=serial    
 E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms    
 E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms    
 ...   

Then, using the Vendor and ProdID from the output above, create a custom modem:
 config system 3g-modem custom   
  edit 1   
   set vendor "ZTE"   
   set model "MF100"   
   set vendor-id 19d2   
   set product-id 0017   
  next   
 end  

Next, you will need to find the serial port used by your modem, because your modem may actually appear on two different serial ports, possibly due to this related bug.

Scan through all available ports on your FortiGate as follows, by issuing a dial command:
 # diag sys modem com /dev/ttyusb0  
 Serial port: /dev/ttyusb0  
 Press Ctrl+W to exit.  
   
 # diag sys modem com /dev/ttyusb1  
 Serial port: /dev/ttyusb1  
 Press Ctrl+W to exit.    
 atdt*99#  
 NO CARRIER  
   
 # diag sys modem com /dev/ttyusb2  
 Serial port: /dev/ttyusb2  
 Press Ctrl+W to exit.   
 atdt*99#  
 CONNECT 3600000  
   
 # diag sys modem com /dev/ttyusb3  
 Serial port: /dev/ttyusb3  
 Press Ctrl+W to exit.  

In this case the port you want is /dev/ttyusb2, since there is a dial-tone.  Unfortunately I am not quite sure how to hang-up the line correctly after this test, so I end up power cycling the firewall at this point.


Modem Configuration


We can now configure our modem:
 config system modem  
   set status enable  
   set mode redundant  
   set dial-on-demand enable  
   set connect-timeout 30  
   set interface "external"  # your primary Internet interface
   set wireless-port 3  
   set phone1 "*99#"  
   set username1 "APN username"  
   set passwd1 "APN password"
   set extra-init1 "AT+CGDCONT=1,\"IP\",\"your.provider.APN\""  
   set distance 100  
 end

Note, see this Fortinet KB article regarding how to map ttyusbX to wireless-port, which is "3" in this case.


Check to make sure the system can tak to your modem now and there is a dial-tone:
 # diag sys modem detect  
 modem is attached.  
 dialtone is detected.  
   
 # diag sys modem query  
 USB status: Connected  
 manufacturer: ZTE INCORPORATED  
 model: MF100  
 IMEI number: XXXX  
 SIM state: Unknown  
 service status: Unknown  
 signal level: 1/4  
 network name: Orange  
 network type: UTRAN  
 location area code:   
 active profile(AT&V):  
 &C: 2; &D: 2; &E: 0; &F: 0; &S: 0; &W: 0; E: 1; L: 0; M: 0; Q: 0; V: 1;  
 X: 1; Z: 0; \Q: 3; \S: 0; \V: 0; S0: 0; S2: 43; S3: 13; S4: 10; S5: 8;  
 S6: 2; S7: 50; S8: 2; S9: 6; S10: 14; S11: 95; S30: 60; S103: 1; S104: 1;  
 +FCLASS: 0; +ICF: 3,3; +IFC: 2,2; +IPR: 115200; +DR: 0; +DS: 0,0,2048,6;  
 +WS46: 12; +CBST: 0,0,1;  
 +CRLP: (61,61,48,6,0),(61,61,48,6,1),(240,240,52,6,2);  
 +CV120: 1,1,1,0,0,0; +CHSN: 0,0,0,0; +CSSN: 0,0; +CREG: 0; +CGREG: 0;  
 +CFUN:; +CSCS: "IRA"; +CSTA: 129; +CR: 0; +CRC: 0; +CMEE: 2; +CGDCONT: (1,"IP","everywhere","0.0.0.0",0,0)  
 ; +CGDSCONT: ; +CGTFT: ; +CGEQREQ: ; +CGEQMIN: ; +CGQREQ: ; +CGQMIN: ;  
 ...


Dead Gateway Detection


You need to re-configure your primary "external" interface to detect a failed interface condition.  Find your next-hop router first:


 $ traceroute -m 2 -d 1.1.1.1  
 traceroute to 1.1.1.1 (1.1.1.1), 2 hops max, 52 byte packets  
  1 192.168.67.254 (192.168.67.254) 282.554 ms 1.091 ms 0.977 ms  
  2 217.33.154.151 (217.33.154.151) 13.737 ms 15.177 ms 324.736 ms  


Then, configure the gateway detect settings on your primary external interface:
 config router gwdetect  
   edit 1  
     set interface "external"  
     set server "217.33.154.151"  
   next  
 end  
    
 config system interface  
   edit "external"  
     set fail-detect enable  
     set fail-detect-option detectserver  
     ...
   next  
 end  


Finally, adjust the modem interface with some important additional parameters:
 config system interface  
   edit "modem"  
     set distance 100  
     set defaultgw enable  
     set dns-server-override disable  
     ...  
   next  
 end  

Firewall Policy


You need to allow access from your internal network to your backup external interface (i.e. modem).  the best way to do this, is to group your primary external interface and modem into an interface zone as follows:
 config system zone  
   edit "external_zone"  
     set interface "external" "modem"  
   next  
 end  


Then, you can update your existing outbound firewall policy to use the zone as the destination interface:
 config firewall policy  
   edit 1  
     set srcintf "internal"  
     set dstintf "external_zone"  
     set srcaddr "net_192.168.67.0_24"  
     set dstaddr "all"  
     set action accept  
     set schedule "always"  
     set service "ALL"   
     set nat enable  
   next  
 end  


Dynamic DNS (Optional)


You may want to configure DDNS on your 3G interface, if you are planning to connect to services on your internal network during fail-over:
 config system ddns  
   edit 1  
     set ddns-server dyndns.org
     set ddns-domain "yourhostname.dyndns.org"  
     set ddns-username "your username"  
     set ddns-password "your password"  
     set monitor-interface "modem"  
   next  
 end  


Testing


While your monitor an external IP with a ping session from a host on your local network, drop your primary external interface and observe the modem interface take over.

Note, if you have a tunnelled IPv6 configuration on your primary interface, be prepared for network instability once you fail-over to the modem interface.  Since there is no way to specify the modem interface on your sit-tunnel, the tunnel is effectively broken for the duration of the fail-over.

References


I've used the following reference material to prepare the solution described in this article.  Many thanks to the respective authors.


Post a Comment