Fallback configuration of the UTM
Last adaptation to the version: 12.6.0
This article refers to a reseller preview.

Access: UTM-IP:Port or UTM-URL:Port
Port as configured under Network > Appliance Settings > Webserver
Default port: 11115
Example: https://utm.ttt-point.de:11115
Default: https://192.168.175.1:11115
Menu: Network > Network Configuration

Functionality

Procedure of a fallback

A regular ping check tests the availability of the main line. The target to be pinged (ping-check IP), the time between two checks (interval) and the number of consecutive failed checks that are tolerated (threshold) can be configured individually.

If the ping-check IP cannot be reached within the configured number of attempts, the main line is assumed to be down and the fallback is initiated:

  • The default route is changed to the fallback interface.
  • The changed default route is not displayed in the network configuration.
    It can be seen, however, under Network > Network Tools > Routing Table.
  • The zones of the main line interface are moved to the fallback interface.
    The move of the zones is not displayed in the UI either.
  • If DynDNS is configured, the update is now performed on the fallback interface.
  • The ping check continues to run on the main line interface; this is how the return of the main line is detected.
  • A notification is sent by the Alerting Centre.

Failback procedure

If the ping check on the main line interface succeeds again, a failback is performed and the fallback is "unwound":

  • The default route is changed back to the interface of the main line.
  • The zones of the fallback interface are moved back to the interface of the main line.
  • If DynDNS is configured, the update is performed on the main line interface again.
  • A notification is sent by the Alerting Centre.


Incoming connections

Services that are reachable from the Internet may no longer be reachable after a switch to the fallback.
This can be mitigated to some extent with DynDNS, but there are limits, depending on the type of fallback line:

  • The IP of the fallback line must not be a private IP. This is commonly the case with LTE connections.
    (The connection to the Unified Security Console (USC) remains possible with a private IP.)
  • Incoming connections must use the DynDNS name, not the IP address of the main line.
  • Applications particularly affected:
    • Mail relay
    • IPSec and SSL VPN connections
    • Administrative access permitted from the Internet
    • Port forwarding (network objects are not moved along with the zones)
    • Reverse proxy


Outgoing connections

  • Outgoing connections from applications on the UTM or in the local network that are bound to an IP address should be bound to a private IP that is still available during the fallback.
  • Applications particularly affected:
    • HTTP proxy
    • Mail relay



Preparations

Connection of the UTM in the local network

  • The gateway of the default Internet connection must be reached via its own interface.
    In the event of a fallback, all zones of the interface over which the ping-check IP is checked are moved.
    If a network (for example the local network) is located on the same interface over which this check takes place, that entire network also becomes unreachable during the fallback.

    Example of a faulty network setup:
    • The UTM is in a local network behind a router that provides the default Internet access.
    • The UTM serves, for example, only as a cloud connector for certain applications.
    • The LTE interface of the UTM is to serve as the fallback.
    • The UTM checks the ping-check IP via the default Internet access and determines that it cannot be reached.
    • All zones of the UTM that are located on the interface towards the router of the default Internet access are moved to the LTE interface.
    • The UTM is then no longer reachable from the local network, because the same interface was also the access to the local network.
    The solution is a separate connection between the UTM and the router of the default Internet access.

  • Different connections to the Internet

    PPPoE (wan) interfaces

    [Figure: Direct link of two connections via PPPoE]

    Both lines are connected via PPPoE (wan) interfaces.

    Fallback with the same provider
    If the fallback line is provided by the same provider with the same access technology, both lines may receive an IP from the same network.
    In this case the network addresses and the router addresses could overlap.
    The solution is a router between the network access and the UTM, which sets up a transfer network and NATs the connection.

    Ethernet (LAN) interfaces

    [Figure: Connection via router or router/modem combination]

    The default line and/or the fallback line is reached via another router (e.g. a Fritzbox or a Speedport).

    • The UTM should have a fixed IP address on these interfaces and not obtain it via DHCP.
    • On these interfaces a Route Hint must be entered (the next hop, i.e. the respective gateway).
      This setting would not be necessary if the UTM obtained its IP address, and with it the default gateway, via DHCP. However, that causes numerous problems with services and network objects and is therefore strongly discouraged.

    Edit Ethernet interfaces
    Network > Network configuration > section Network Interfaces > edit button of the respective interface > section Settings
    [Screenshot: Edit interface, interface of the fallback line, Route Hint]

    Route Hint IPv4: (IP address of the gateway)
        IP address of the router through which this interface reaches the Internet.



    Configuration of the network interfaces

    [Screenshot: Network configuration, section Network interfaces, wan0-1 fallback]

    Configuration under Network > Network configuration > section Network interfaces

    • The network should be configured so that the external zones (external, firewall-external and the VPN zones) are located on the primary interface.
    • No zones may be present on the fallback interface (wan3 in the example).
    • The address of the network object used to NAT the connection towards the Internet must be set to 0.0.0.0/0.
      If necessary, change the interface of the network object under Firewall > Packetfilter > section Network Objects from e.g. LAN1 or eth0 to 0.0.0.0/0.

    [Screenshots: Edit network object (Default-IP); Network objects, update rules]
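The two placement rules above (all zones of the ping-check interface move to the fallback interface; the fallback interface itself carries no zones) and the faulty setup described under "Connection of the UTM in the local network" can be checked before fallback is enabled. The following is an added example written for this article, not Securepoint code and not something that runs on the appliance; the interface names LAN1, wan0 and wan3 follow the article's examples, and "internal" is an assumed name for the zone of the local network.

```python
"""Zone placement lint for the UTM fallback (added example, not Securepoint code).

Models the documented behaviour: on fallback every zone of the main line
interface (the one over which the ping check runs) is moved to the fallback
interface, and the fallback interface must carry no zones of its own.
Interface and zone names are constructed for the example; "internal" is an
assumed name for the zone of the local network.
"""
from typing import Dict, List, Sequence

Layout = Dict[str, List[str]]   # interface -> zones placed on it

EXTERNAL_ZONES = ("external", "firewall-external")


def apply_fallback(layout: Layout, main_iface: str, fallback_iface: str) -> Layout:
    """Return the layout after a fallback: all zones of main_iface move to fallback_iface."""
    after = {iface: list(zones) for iface, zones in layout.items()}
    after[fallback_iface] = after.get(fallback_iface, []) + after.get(main_iface, [])
    after[main_iface] = []
    return after


def check_layout(layout: Layout, main_iface: str, fallback_iface: str,
                 local_zones: Sequence[str] = ("internal",)) -> List[str]:
    """Lint a layout against the preparation rules; returns a list of problems (empty = OK)."""
    problems: List[str] = []

    # Rule: no zones on the fallback interface.
    if layout.get(fallback_iface):
        problems.append(f"{fallback_iface}: fallback interface must carry no zones, "
                        f"found {layout[fallback_iface]}")

    # Rule: the external zones belong on the main line interface.
    on_main = layout.get(main_iface, [])
    for zone in EXTERNAL_ZONES:
        if zone not in on_main:
            problems.append(f"{main_iface}: external zone '{zone}' is not on the main line interface")

    # Faulty setup: a local zone on the main line interface moves away on fallback,
    # so the UTM is no longer reachable from the local network.
    after = apply_fallback(layout, main_iface, fallback_iface)
    for zone in local_zones:
        if zone in after[fallback_iface] and zone in on_main:
            problems.append(f"{main_iface}: local zone '{zone}' shares the main line interface and "
                            f"would move to {fallback_iface} on fallback; the UTM becomes "
                            f"unreachable from the local network")
    return problems


# Constructed layouts. FAULTY is the setup the article warns about: the router of
# the default Internet access and the local network hang off the same interface.
FAULTY: Layout = {"LAN1": ["internal", "external", "firewall-external"], "wan3": []}
# FIXED uses a separate interface (wan0) towards the default Internet access.
FIXED: Layout = {"LAN1": ["internal"],
                 "wan0": ["external", "firewall-external", "vpn-ipsec"],
                 "wan3": []}


if __name__ == "__main__":
    for name, layout, main in (("faulty", FAULTY, "LAN1"), ("fixed", FIXED, "wan0")):
        print(name, check_layout(layout, main, "wan3") or "OK")
        print("  after fallback:", apply_fallback(layout, main, "wan3"))
```

The lint only reflects the rules stated in this article; it knows nothing about the Route Hint or the 0.0.0.0/0 network object, which still have to be checked by hand.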


    Routing

    Exactly one default route, over the default line, is required on the firewall (wan0 in the example).

    • When fallback is used, an interface must always be given as the gateway of the default route, not a gateway IP address.

    Add default route
    Network > Network configuration > section Network interfaces > button Add default-route
    [Screenshots: Add default-route (gateway selection); Default route via wan0]


    Configuration of the fallback

    Configure the interface of the default line under Network > Network Configuration > section Network Interfaces > edit button of the relevant interface > section Fallback.

    [Screenshot: Edit interface, Fallback settings]

    Fallback interface: wan1 (PPPoE) or LAN2 (Ethernet)
        Interface to switch to in case of a malfunction.
        If an Ethernet LAN interface (connection to another router) is used as the fallback interface, a Route Hint must be entered there (see above).
    Ping-check IP: 203.0.2.203, 192.0.2.192 (example IPs, must be replaced)
        New: multiple IP addresses are possible.
        Up to 4 hosts of your choice that are pinged to confirm the availability of the main line.
        If a ping-check host does not respond, the next address in the list is tried immediately. Only if none of the ping-check hosts responds is this counted as a failed attempt; the check is repeated after the ping-check interval.
    Ping-check interval: 5 seconds
        The pause between two ping checks.
    Ping-check threshold: 4 attempts
        Number of consecutive ping checks without a response before the fallback is triggered.
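To see how the three parameters interact with the fallback and failback procedure described under "Functionality", the decision logic is modelled below on a constructed timeline. This is an added example written for this article, not Securepoint code, and it does not run on the appliance or send real ICMP. It assumes the reading that the fallback fires on the threshold-th consecutive failed check and that the check keeps running on the main line so that the first successful check afterwards triggers the failback; the example IPs are the ones from the table above.

```python
"""Ping-check, fallback and failback decision logic of the UTM, modelled in Python.

Added example, not Securepoint code. Assumed reading of the parameters:
the fallback fires on the threshold-th consecutive failed check, the check
continues on the main line during the fallback, and the first successful
check afterwards triggers the failback. Reachability per round is
constructed inline; nothing is pinged.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Sequence

Reachability = Dict[str, bool]   # host -> answered in this round (constructed)


@dataclass
class FallbackState:
    threshold: int                      # consecutive failed checks that trigger the fallback
    failed_checks: int = 0
    active_line: str = "main"           # "main" or "fallback"
    events: List[str] = field(default_factory=list)


def ping_check(hosts: Sequence[str], reachable: Reachability) -> bool:
    """One check: hosts are tried in order, the next one immediately if the previous
    did not answer. The check fails only when none of the hosts answers."""
    return any(reachable.get(host, False) for host in hosts)


def evaluate_check(state: FallbackState, hosts: Sequence[str],
                   reachable: Reachability, t: int) -> FallbackState:
    """Apply the result of one ping check run at time t (seconds)."""
    if ping_check(hosts, reachable):
        state.failed_checks = 0
        if state.active_line == "fallback":
            # Main line answers again: unwind the fallback.
            state.active_line = "main"
            state.events.append(f"t={t}s failback: default route and zones back to main line")
    else:
        state.failed_checks += 1
        if state.active_line == "main" and state.failed_checks >= state.threshold:
            state.active_line = "fallback"
            state.events.append(f"t={t}s fallback: default route and zones moved to fallback interface")
    return state


def simulate(schedule: Sequence[Reachability], hosts: Sequence[str],
             interval: int = 5, threshold: int = 4) -> FallbackState:
    """Run one ping check per interval over a constructed reachability timeline."""
    state = FallbackState(threshold=threshold)
    for n, reachable in enumerate(schedule):
        evaluate_check(state, hosts, reachable, t=n * interval)
    return state


# Example values from the article (must be replaced in a real configuration).
HOSTS = ["203.0.2.203", "192.0.2.192"]

# Constructed timeline, one entry per 5-second interval.
SCHEDULE: List[Reachability] = [
    {"203.0.2.203": True,  "192.0.2.192": True},    # t=0  both answer
    {"203.0.2.203": False, "192.0.2.192": True},    # t=5  first host down, second tried at once: OK
    {"203.0.2.203": False, "192.0.2.192": False},   # t=10 failed check 1
    {"203.0.2.203": False, "192.0.2.192": False},   # t=15 failed check 2
    {"203.0.2.203": False, "192.0.2.192": False},   # t=20 failed check 3
    {"203.0.2.203": False, "192.0.2.192": False},   # t=25 failed check 4 = threshold -> fallback
    {"203.0.2.203": False, "192.0.2.192": False},   # t=30 still down, stays on fallback
    {"203.0.2.203": True,  "192.0.2.192": False},   # t=35 main line answers again -> failback
]


def demo() -> List[str]:
    """Events produced by the constructed timeline with interval 5 s and threshold 4."""
    return simulate(SCHEDULE, HOSTS).events


if __name__ == "__main__":
    for line in demo():
        print(line)
```

With interval 5 s and threshold 4 the fallback therefore occurs about 20 s after the main line actually went down; a second ping-check host only helps against a single unreachable target, not against an outage of the line itself.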



    Notes on the application

    The earlier restriction on hostnames in the administrative access list when fallback is used no longer exists.