How to setup a backup Wingate connection via a 3G router

Postby dsantachiara » Jul 02 11 4:35 am

Our wingate server connects to the internet via an internal ADSL PCI card. In the company we have a completely separate wireless router (with 3G connection but this is just to say it is separate from the ADSL one) for guests.

This internet connection is not meant to be used by the main LAN however it could be useful if wingate could exploit it as a backup internet connection in case the ADSL connection would go down for any reason.

The problem is how to implement such configuration. Wingate server is set as 192.168.1.1 - the 3G router is set as 192.168.0.1 - the connection to the 3G router could be done either via a second ethernet card or a USB wireless dongle. However the internet connection shall be established only in case the ADSL one fails and the two LANs shall be kept completely separate (i.e. I do not want a guest on the wireless LAN will have access to the main LAN)

Hope I explained the issue

Best regards

Davide - DTM Italy
dsantachiara
 
Posts: 24
Joined: Mar 11 04 5:27 am

Re: How to setup a backup Wingate connection via a 3G router

Postby adrien » Jul 05 11 1:57 am

hi Davide

You can prevent the wireless users from accessing your LAN if the wireless router accesses WinGate over its own interface.

But there could be problem with failover, since WinGate doesn't know it's dialup, so won't try to dial it, and if you turn on gateway monitoring, the monitoring will either (more likely) cause the 3G router to connect to the internet, or fail (in which case WinGate will think it's dead, and won't fail over to it).

What OS is WinGate running on? I believe there's some support for failover connections in later OSes, such as 2008. Not 100% sure.

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: How to setup a backup Wingate connection via a 3G router

Postby dsantachiara » Jul 05 11 5:31 am

Hi Adrien,

The situation is like this. We have:

- Netgear 3G wireless router with UMTS connection (always on) - wireless LAN is available for guests - the router has also 4 LAN ethernet ports

Wingate 6.6.4 server (W2000) with
- ADSL PCI card (connection via dial-up) always connected - ADSL connection is provided for all workstations in the company
- Ethernet card #1 192.168.1.1 to which is connected all the company LAN
- Ethernet card #2 which could be used to connect to the 3G router. Currently the 3G router is set with 192.168.0.1 and DHCP server. The Wingate Server secondary ethernet card hence would get the IP address from the 3G router (hence it would be something like 192.168.0.*) but I could also set it with static IP if required.

What I would like to get is that in case the ADSL line would fail for any reason (i.e. disconnect) the Wingate server will connect to the internet via the 3G router which is normally available only to guests. However I wonder how this can be technically done as the ethernet card #2 would be always connected to the router (i.e no dial-up).

Best regards

Davide
dsantachiara
 
Posts: 24
Joined: Mar 11 04 5:27 am

Re: How to setup a backup Wingate connection via a 3G router

Postby adrien » Jul 08 11 4:48 pm

Hi Davide

So the ADSL is seen by the OS as dialup. So does it show up as disconnected when it fails? If the OS sees the connection go down, you may be able to achieve what you need just by setting metric.

e.g. set the metric for the gateway to the 3G modem as larger than the dialup one will be. Then don't set any auto dial anywhere, just manually dial. when the ADSL disconnects, the OS etc will start using the next default gateway with the higher metric (the 3G modem).

Or do you want something to keep trying the ADSL?
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: How to setup a backup Wingate connection via a 3G router

Postby dsantachiara » Jul 08 11 9:53 pm

adrien wrote:Hi Davide

So the ADSL is seen by the OS as dialup. So does it show up as disconnected when it fails? If the OS sees the connection go down, you may be able to achieve what you need just by setting metric.

e.g. set the metric for the gateway to the 3G modem as larger than the dialup one will be. Then don't set any auto dial anywhere, just manually dial. when the ADSL disconnects, the OS etc will start using the next default gateway with the higher metric (the 3G modem).

Or do you want something to keep trying the ADSL?


Hi Adrien,

You fully understood the point, i.e. the ADSL is seen by the OS as a dialup connection. Of course it would be nice when the ADSL is up again that it would be used instead of the 3G connection but it is not mandatory as in any case every 24h the Wingate server is restarted hence the ADSL connection would be tried within 24h.

However the next question is how to setup the metric as you suggested?

thanks

Davide
dsantachiara
 
Posts: 24
Joined: Mar 11 04 5:27 am

Re: How to setup a backup Wingate connection via a 3G router

Postby adrien » Jul 08 11 11:31 pm

when you assign the default gateway to the adapter connected to the 3G modem, click the advanced button, you should then be able to set a metric.

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: How to setup a backup Wingate connection via a 3G router

Postby dsantachiara » Jul 09 11 3:53 am

adrien wrote:when you assign the default gateway to the adapter connected to the 3G modem, click the advanced button, you should then be able to set a metric.

Adrien


While it is clear how to set the metric on the LAN adapter connected to the 3G modem (it is currently set to 1 - the same also for the LAN adapter connected to the workstation), it is not clear how it is set for the dial-up connection (ADSL) - if I look through the network properties of the ADSL dial-up connection, TCP/IP, properties, advanced I only get a window which says (Italian translation!):

this option is selectable only when you are connected to a local LAN and a remote LAN at the same time. When the option is selected, data which cannot be sent to the local LAN will be sent to the remote LAN:

TICKED Use predefined gateway on the remote LAN

PPP connection
TICKED use IP header compression

so there is no way to set the metric

Best regards

Davide
dsantachiara
 
Posts: 24
Joined: Mar 11 04 5:27 am

Re: How to setup a backup Wingate connection via a 3G router

Postby adrien » Jul 09 11 9:26 am

Hi

yes, I meant set it on the LAN adapter to the 3g modem. metric of 1 will mean it is always used, you need to increase the metric to make it larger than the value for the ADSL so that the ADSL is then preferred.

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: How to setup a backup Wingate connection via a 3G router

Postby dsantachiara » Jul 16 11 5:26 am

adrien wrote:Hi

yes, I meant set it on the LAN adapter to the 3g modem. metric of 1 will mean it is always used, you need to increase the metric to make it larger than the value for the ADSL so that the ADSL is then preferred.

Adrien


Hi Adrien,

It seems your suggestion worked ok. The only thing I had to fix was to unbind the ethernet adapter connected to the 3G router from DHCP services as sometimes the IP was provided by Wingate instead of the router and the internet traffic was re-routed on Wingate (also it looked like I was able to access on the main LAN from the wireless connection as the gateway pointed to the IP of this ethernet adapter on the wingate machine)! On this matter I was wondering whether I shall unbind this ethernet adapter connected to 3G router from other services (www proxy etc.) - or is there a simpler way to do this?

Regards

Davide
dsantachiara
 
Posts: 24
Joined: Mar 11 04 5:27 am

Re: How to setup a backup Wingate connection via a 3G router

Postby adrien » Jul 19 11 12:29 am

Hi

the simpler way to do it might be to just mark that interface as external. Then services won't bind to it by default, and it will be firewalled on that interface.

Regards

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: How to setup a backup Wingate connection via a 3G router

Postby dsantachiara » Jul 19 11 4:31 am

adrien wrote:
the simpler way to do it might be to just mark that interface as external. Then services won't bind to it by default, and it will be firewalled on that interface.



Hi Adrien,

That seems quite straightforward. The only drawback I find (regardless of the above setting) is that Wingate VPN from a remote workstation does not work anymore when the connection is via the 3G router even if I managed to get the dynamic IP address (via dyndns) - I always get "connection to remote host timed out" (ping is ok - i.e. the IP is correct). I disabled all the router firewall features and activated port 809 but it looks like VPN service via the external router does not work. It is a Netgear MBRN3000. Am I missing something?
dsantachiara
 
Posts: 24
Joined: Mar 11 04 5:27 am

Re: How to setup a backup Wingate connection via a 3G router

Postby adrien » Jul 19 11 11:35 am

Hi

where are these client computers - on the same interface as the 3G modem?

If so, may need to check that routes for it are being published by the VPN - by default it doesn't publish routes for external adapters.

Regards

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: How to setup a backup Wingate connection via a 3G router

Postby dsantachiara » Jul 20 11 1:25 am

adrien wrote:Hi

where are these client computers - on the same interface as the 3G modem?

If so, may need to check that routes for it are being published by the VPN - by default it doesn't publish routes for external adapters.


Configuration is the following

Wingate server:

LAN card #1 192.168.1.1 provides DHCP to all client computers on the LAN with address 192.168.1.* (unless they are static)
LAN card #2 connected to 3G router - address of the LAN card is got via DHCP by the 3G router and in general is 192.168.0.2 - 3G router address is 192.168.0.1 (internal) - 3G router external IP address is dynamic (can be retrieved via dyndns)

For the time being I set both LAN cards as internal to ease troubleshooting.

Published routes on wingate server are the following
151.58.9.34 / 255.255.255.255
192.168.0.0 / 255.255.255.0
192.168.0.2 / 255.255.255.255
192.168.1.0 / 255.255.255.0
192.168.1.1 / 255.255.255.255

Regards

Davide
dsantachiara
 
Posts: 24
Joined: Mar 11 04 5:27 am
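
Added example, not part of the thread and not WinGate code: with both adapters set as internal, the published-route list in the post above includes the guest segment. The script parses that list and labels each entry against the two LANs named in the thread (192.168.1.0/24 main, 192.168.0.0/24 behind the 3G router); the function names and labels are assumptions made for this illustration.

```python
import ipaddress

# Published routes as listed in the post above.
PUBLISHED = """\
151.58.9.34 / 255.255.255.255
192.168.0.0 / 255.255.255.0
192.168.0.2 / 255.255.255.255
192.168.1.0 / 255.255.255.0
192.168.1.1 / 255.255.255.255
"""

MAIN_LAN = ipaddress.ip_network("192.168.1.0/24")   # company LAN (from the thread)
GUEST_LAN = ipaddress.ip_network("192.168.0.0/24")  # 3G router / guest segment

def parse_routes(text):
    """Turn 'address / netmask' lines into ip_network objects."""
    nets = []
    for line in text.splitlines():
        if "/" not in line:
            continue
        addr, mask = (part.strip() for part in line.split("/", 1))
        nets.append(ipaddress.ip_network(f"{addr}/{mask}"))
    return nets

def classify(net):
    """Label a published route by the segment it belongs to."""
    if net.subnet_of(MAIN_LAN):
        return "main-lan"
    if net.overlaps(GUEST_LAN):
        return "guest-segment"
    return "other-private" if net.is_private else "public"

def audit(text):
    """Map each published route to its label."""
    return {str(n): classify(n) for n in parse_routes(text)}

def outside_main_lan(text):
    """Routes a VPN peer would learn that are not part of the main LAN."""
    return [route for route, label in audit(text).items() if label != "main-lan"]

if __name__ == "__main__":
    for route, label in audit(PUBLISHED).items():
        print(f"{route:20} {label}")
```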

Re: How to setup a backup Wingate connection via a 3G router

Postby dsantachiara » Aug 09 11 5:46 am

adrien wrote:Hi

the simpler way to do it might be to just mark that interface as external. Then services won't bind to it by default, and it will be firewalled on that interface.



Dear Adrien,

While resuming the tests on this 3G backup modem I came across a nasty behaviour. In case the ADSL connection drops everything works through the 3G connection as expected, however in case the 3G connection drops with ADSL connected everything is not routed via the ADSL connection but every internet access goes to the 3G router which gives the message of "modem disconnected". That is quite strange as it is clear that when the 3G connection is UP all Wingate accesses go through ADSL, but as soon as it goes down it seems that for strange reasons everything is routed via the 3G router (i.e. through the second LAN card and not the internal ADSL modem)

Best regards

Davide
dsantachiara
 
Posts: 24
Joined: Mar 11 04 5:27 am

Re: How to setup a backup Wingate connection via a 3G router

Postby adrien » Aug 09 11 11:42 pm

something must be resetting the metric on the ADSL, or the NIC for that 3G modem.

Did you check the OS route table again when this happens?

Regards

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland
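
Added example, not part of the thread and not WinGate code: one way to do the route-table check suggested above is to save the output of `route print` and compare the metrics of the two default routes. The sample table is constructed; 192.168.0.1 is the 3G router from the thread, while 192.168.2.1 for the ADSL router and the function names are assumptions.

```python
import re

# Constructed `route print` excerpt. 192.168.0.1 is the 3G router from the
# thread; 192.168.2.1 for the ADSL router is an assumed address.
SAMPLE_NORMAL = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.2.1     192.168.2.2       2
          0.0.0.0          0.0.0.0      192.168.0.1     192.168.0.2       3
      192.168.1.0    255.255.255.0      192.168.1.1     192.168.1.1       1
"""
# Same table after the 3G adapter's metric has been reset to 1 (constructed).
SAMPLE_RESET = SAMPLE_NORMAL.replace("192.168.0.2       3", "192.168.0.2       1")

IP = r"\d+\.\d+\.\d+\.\d+"
ROW = re.compile(rf"^\s*({IP})\s+({IP})\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def default_routes(route_print_text):
    """Return [(gateway, interface, metric)] for every 0.0.0.0/0.0.0.0 row."""
    routes = []
    for line in route_print_text.splitlines():
        m = ROW.match(line)
        if m and m.group(1) == "0.0.0.0" and m.group(2) == "0.0.0.0":
            routes.append((m.group(3), m.group(4), int(m.group(5))))
    return routes

def failover_state(route_print_text, primary_gw, backup_gw):
    """Say which default gateway the OS will prefer (lowest metric wins)."""
    metrics = {}
    for gw, _iface, metric in default_routes(route_print_text):
        metrics[gw] = min(metric, metrics.get(gw, metric))
    primary, backup = metrics.get(primary_gw), metrics.get(backup_gw)
    if primary is None and backup is None:
        return "no-default-route"
    if primary is None:
        return "failed-over"        # only the backup route is left
    if backup is None:
        return "no-backup"
    if primary == backup:
        return "tie"                # preference is not determined by metric
    return "primary-preferred" if primary < backup else "backup-preferred"

if __name__ == "__main__":
    for name, text in (("normal", SAMPLE_NORMAL), ("reset", SAMPLE_RESET)):
        print(name, failover_state(text, "192.168.2.1", "192.168.0.1"))
```

A result of `backup-preferred` or `tie` while the primary link is up matches the symptom reported in the thread, where traffic went to the 3G router although ADSL was connected.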

Re: How to setup a backup Wingate connection via a 3G router

Postby dsantachiara » Aug 19 11 9:41 pm

adrien wrote:something must be resetting the metric on the ADSL, or the NIC for that 3G modem.

Did you check the OS route table again when this happens?



Hi Adrien,

I solved the problem by adding a third NIC connected to an external ADSL modem and removing the internal ADSL modem. The configuration is as follows:

NIC #1 connected to internal LAN (i.e. workstation) - metric 1
NIC #2 connected to ADSL modem/router - metric 2
NIC #3 connected to 3G modem/router - metric 3

This basically works quite well (though sometimes by making some experiments switching on/off the ADSL or 3G modem it looks like the metric is not always met but this for sure depends on windows).

Hopefully as very last question I noticed that to allow the Wingate VPN to work with the new ADSL modem/router (Netgear DGNB2000) I had to allow all incoming services (ports 1 to 65535) on the modem/router firewall. This basically means to disable its firewall, unfortunately this router firewall allows only to disable either all ports or some predefined ports (80, 113, 443, 500, 1701...) and 809 is not listed. As Wingate already has its own firewall I would not care about disabling the ADSL router firewall, or would you suggest to change Wingate VPN port to one of the ports listed in the Netgear modem/router?

Thanks a lot for your help

Regards

Davide
dsantachiara
 
Posts: 24
Joined: Mar 11 04 5:27 am

Re: How to setup a backup Wingate connection via a 3G router

Postby adrien » Aug 22 11 12:39 pm

Hi Davide

You can actually forward other ports, but you need to define services first. On page 3-12 of your device's user manual, it shows how to add a new service, so you should be able to define a service for VPN control and data, then assign it in your port forwarding rules.

ftp://downloads.netgear.com/files/DGN20 ... 4Aug08.pdf

Regards

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: How to setup a backup Wingate connection via a 3G router

Postby dsantachiara » Aug 23 11 2:47 am

adrien wrote:You can actually forward other ports, but you need to define services first. On page 3-12 of your device's user manual, it shows how to add a new service, so you should be able to define a service for VPN control and data, then assign it in your port forwarding rules.

ftp://downloads.netgear.com/files/DGN20 ... 4Aug08.pdf


Hi Adrien,

Great hint, it worked well (service definition which then appeared in the list of firewall rules). I couldn't have spotted it on my own. Now only port 809 is open. Thanks a lot

Best regards

Davide
dsantachiara
 
Posts: 24
Joined: Mar 11 04 5:27 am

