

Fallback configuration of the UTM

Last adaptation to the version: 12.6.0

This article refers to a Resellerpreview
Access: Network > Network Configuration


Procedure of a fallback

A regular ping check is used to test the availability of a connection. The target to be pinged (ping-check IP), the time interval (interval) and the number of attempts (threshold) can be specified individually.

If the ping-check IP is not reached in the set time, it is assumed that the line is down. The fallback is initiated:

  • The default route is changed to the fallback interface
  • The changed default route is not displayed in the network configuration.
    However, the updated default route can be seen in the menu Network > Network Tools, area Routing Table.
  • The zones of the main line interface are moved to the fallback interface
  • If DynDNS is configured, it will now be executed on the fallback interface
  • A ping check will still be executed on the main line interface
  • A notification is sent by the Alerting Centre

Failback procedure

If the ping check on the main line interface is successful again, a failback is performed. The fallback is "unwound":

  • The default route is changed to the interface of the main line
  • The zones of the fallback interface are moved back to the interface of the main line
  • If DynDNS is configured, it will now be executed on the main line interface again.
  • A notification is sent by the Alerting Centre

Incoming connections

If certain services are available from the Internet, they may not be available after a switch to the fallback.
This can be circumvented to a certain extent by using DynDNS, but there are limits - depending on the type of fallback line:

  • The IP of the fallback line must not be a private IP (usually happens with LTE connections)
    The connection to the Unified Security Console (USC) is also possible with a private IP
  • Incoming connections must use a DynDNS name.
  • Applications particularly affected:
    • Mailrelay
    • IPSec and SSL VPN connections
    • Sharing for administrative access
    • Port forwarding (network objects are not moved as well)
    • Reverse Proxy

Outgoing connections

  • Outgoing connections, from applications on the UTM or local network, that are bound to an IP should be configured to a private IP that is still available on fallback.
  • Particularly affected applications:
    • HTTP proxy
    • Mailrelay


Connection of the UTM in the local network

  • The gateway for the default Internet connection must use its own interface.
    In the event of a fallback, all zones of the interface over which the ping-check IP is checked are moved.
    If there is a network on the same interface over which this check takes place, this entire network is also no longer accessible in the event of a fallback.

  • Different connections to the Internet

    PPPoE (wan) interfaces

    Figure: Direct link of two connections via PPPoE

    Access is via PPPoE (wan) interfaces.

    Fallback with the same provider
  • If the fallback line is provided by the same provider with the same access technology, both lines could end up receiving an IP from the same network.
    In this case, network IPs and router IPs could overlap.
    The solution here is to place a router between the network access and the UTM, which sets up a transfer network and NATs the connection in the process.

  • Ethernet (LAN) interfaces

    Figure: Connection via router or router/modem combination

    The default line and / or the fallback line is accessed via another router (e.g. a Fritzbox or a Speedport).

  • The UTM should have a fixed IP and not receive it via DHCP
  • On these interfaces a RouteHint must be entered (the next hop, in this case the respective gateway)

    Edit Ethernet interfaces
    Network > Network configuration, area Network Interfaces, button of the respective interface, section Settings

    Caption | Value | Description
    Route Hint IPv4: | /--- | IP address of the router that allows the interface to access the Internet

    Figure: Edit interface, interface of the fallback line

    Figure: Section Network interfaces

    Configuration network interfaces


    Configuration under Network > Network configuration, area Network interfaces

    • The network should be configured in such a way that the external zones (external, firewall-external and the VPN zones) are located on the primary interface.
    • On the fallback interface (in the example wan3) no zones are allowed to be present.
  • The address of the network object used to NAT the connection towards the Internet must be set to

    If necessary, change the interface name from e.g. LAN1 or eth0 to 0.0.0/0 under Firewall > Packetfilter, area Network Objects.

    Figure: Edit network object
    Figure: Network objects



    Exactly one default route over the default line is required on the firewall.
    In the example: wan0

  • An interface must always be given as the gateway for the default route during fallback, not a gateway IP.
    Figure: Add default route
    Menu Network > Network configuration, area Network interfaces, button Add default-route
    Figure: Default route via wan0

    Configuration of the fallback



    Configuration under Network > Network Configuration, area Network Interface, button to edit the relevant interface, section Fallback
    Configure the interface of the default line

    Figure: Edit interface, Fallback settings

    Caption | Value | Description
    Fallback interface: | wan1 | Interface to switch to in case of malfunction. If an Ethernet LAN interface (connection to another router) is used as fallback interface, a RouteHint must be entered there (see above).
    Ping-check IP: | » » (example IPs must be replaced) | New: multiple IP addresses possible. Up to 4 hosts of your choice that are to be pinged in order to confirm the availability of the network. If a ping-check host does not respond, the following IP address is tried immediately. If none of the ping-check hosts responds, this is considered a failed attempt and checked again after the ping-check interval.
    Ping-check interval: | 5 seconds | The "break" between pings.
    Ping-check threshold: | 4 attempts | Number of consecutive pings allowed without a response before the fallback is triggered.
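
The fallback and failback procedure and the ping-check settings described above can be modelled as a small state machine. This is an added example, not Securepoint code; it assumes that the fallback triggers as soon as the number of consecutive failed attempts reaches the threshold, that a single successful attempt triggers the failback, and it uses constructed documentation-range IPs and outage times.

```python
from dataclasses import dataclass, field

@dataclass
class FallbackMonitor:
    hosts: list            # ping-check IPs, tried in order (up to 4)
    interval: int = 5      # seconds between attempts (ping-check interval)
    threshold: int = 4     # consecutive failed attempts before fallback
    active: str = "main"   # line that currently carries the default route
    failures: int = 0
    events: list = field(default_factory=list)

    def __post_init__(self):
        if not 1 <= len(self.hosts) <= 4:
            raise ValueError("between 1 and 4 ping-check hosts are allowed")

    def attempt(self, now, reachable):
        """One ping-check attempt on the main line at second `now`."""
        # An attempt only fails if none of the configured hosts answers.
        ok = any(h in reachable for h in self.hosts)
        if ok:
            self.failures = 0
            if self.active == "fallback":   # main line is back: unwind
                self.active = "main"
                self.events.append((now, "failback"))
        else:
            self.failures += 1
            if self.active == "main" and self.failures >= self.threshold:
                self.active = "fallback"
                self.events.append((now, "fallback"))
        return ok

def simulate(monitor, outages, duration):
    """outages: {host: [(start, end), ...]}, half-open intervals in seconds."""
    for now in range(0, duration + 1, monitor.interval):
        up = {h for h in monitor.hosts
              if not any(s <= now < e for s, e in outages.get(h, []))}
        monitor.attempt(now, up)
    return monitor.events

# Constructed timeline: one host failing alone must not cause a fallback.
HOSTS = ["192.0.2.1", "198.51.100.1"]
OUTAGES = {
    "192.0.2.1": [(10, 100)],     # only the first host is down from second 10
    "198.51.100.1": [(32, 100)],  # both hosts are down from second 32
}

def run_example():
    return simulate(FallbackMonitor(HOSTS), OUTAGES, 120)
```

With interval 5 and threshold 4, the constructed outage that starts at second 32 leads to a fallback at second 50 and a failback at second 100. The model ignores ping timeouts, which add to the real detection time.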

    Notes on the application

    The restriction on hostnames in the administration list in connection with fallback no longer exists.