It's the failover bit, combined with "Incoming VPN server" that's the squeaky, rusty part.

It's not enough to have just a router that has a couple of paths to the outside world, and contains a VPN capability. To be useful with most VPN clients, you've got to setup BGP and get ARIN AS number assignments. Effectively, you store those route assignments on your different ISP's routers, so that when your primary link goes down, the world knows that you've got a secondary link, and expect to handle traffic that way, until your main link comes back up. Ideally, you may also have DNS configured to switch over.

And still, you'll probably lose connected VPN sessions when a primary link goes tits up. Users may have to re-login, to pickup a VPN session on the backup link. Outgoing sessions from inside your LAN may or may not be noticeably affected, depending on how remote servers are handling any session layer stuff.

Cisco has a number of mid-range products with the capabilities you need. Most companies of your size, with these requirements, outsource the router support and configuration, permanently.
posted by paulsc at 11:58 AM on December 13, 2007

"I think that getting ARIN AS assignments or outsourcing really isn't realistic; we aren't that big, and the primary requirement here is continuity if one of the connections goes down."

If you are getting redundancy for your site, by operating two parallel links to the same ISP's routing infrastructure, you might not need BGP support. But if you're intending to use two different ISPs (as indicated by your choice of a cable modem link as your backup) and multi-home your router, you'll need different support from the ISPs involved, including BGP, etc.

Talk to your ISPs early, if you intend to multi-home, and with that, specifically, as a point of discussion. It affects your choice of replacement router hardware, significantly. And you might want to consider discussing the general issue of redundancy with an outsource vendor, and getting their thinking and recommendations, even if ultimately you don't go forward with implementation.
posted by paulsc at 12:49 PM on December 13, 2007

You can do this with Cisco gear without BGP with the caveat that your users won't be able to VPN in unless you have a failback profile with an alternate address configured on the client machines.

You basically control your next hop route by monitoring the reachability of the remote gateway.
posted by iamabot at 12:52 PM on December 13, 2007

What paulsc is saying is true, in the sense of live failover with little downtime. If you want the world to just automatically still see your sites and be able to reach you, then everything he's saying is correct.

You can fairly cheaply do a really lousy form of failover, by manually switching over to a secondary interface. This means a total loss of all incoming traffic -- any servers you run locally will be offline for the duration -- and a total disruption of all existing connections. If this is acceptable, you can definitely do something with one of the free OSes. You'd hook up two outbound connections, and use just one almost all the time. If it fails, you'd manually switch over to the other. Your VPN clients will have to manually reconnect to a secondary address... though getting a static address on a cablemodem can be a bit tricky. You could probably use one of the dynamic DNS services for that.

I don't think I've seen any of the free firmwares that had a feature like this. This is of intermediate difficulty if you have any Linux chops at all. Normally, you'd have to have two firewall configuration files, one that's normally used, and one that's coded for the secondary interface. Upon primary failure, you'd ifdown that interface, run the secondary firewall script to update all your rules, and then ifup your secondary interface. That would restore outbound connectivity; you'd have to switch back when you were done.

I don't think there are any cheapo/consumer level routers that will do this. You'll either need to spend a bunch on an appliance (and I'm not sure if any offer this feature), roll it yourself, or outsource it.
posted by Malor at 1:40 PM on December 13, 2007

And note that any piece of shit computer you have laying around that has three network interfaces would likely be just fine for this. Anything, say, P3/500 or faster should be just fine for this purpose.
posted by Malor at 1:41 PM on December 13, 2007

I should also note that OpenBSD's PF language is actually robust enough to share a link between two entirely disparate connections, in a way. This is very tricky, but you can have multiple outbound interfaces, and map different internal ranges onto them.

I don't know if you can do round-robin NAT to a pool of outside addresses. That might work, might not. But you can definitely -- and I know, because I'm doing this here at home -- have different internal networks that NAT to different external IP addresses on the same machine. I have a firewall with 4 network ports; 2 are external, with separate IP addresses (in entirely separate net ranges) and two internal ports (also in separate internal net ranges). So I have my DMZ and my main network running through the same firewall. I use 'route-to' clauses to direct all traffic coming from the DMZ out the DMZ port, and vice versa for the trusted network.

I think you would be hard-pressed to write this yourself from scratch; I was fiddling with it for a good couple days before I had it fully nailed down, and I'm pretty competent. You would probably need outside help to get something like this working.
posted by Malor at 1:59 PM on December 13, 2007

Hmm, I wasn't clear enough there. What that actually MEANS is this... you could probably have both networks live at the same time. If you partition your NAT ranges internally, you could have some of your people going out via cablemodem, and others via the T1, so you could be using both at the same time. You would need THREE firewall scripts... one for split use, one for all-T1, and one for all-cable, and you would still have to do a manual cutover. but you could use both links at once.
posted by Malor at 2:01 PM on December 13, 2007

Just a heads up, the price difference between the linksys and the snapgear is more of a support headache issue. I've setup both, I use a linksys for my parents house and for friends. For businesses I went with the snapgear because it just worked. Everything is well documented, and if / when you leave the company it is a bit easier to hang over to the next person. My friends don't care if the router gets borked and needs a restart and i can't get to it until tomorrow to fix it. Most businesses do.

I've gone into too many locations to find an old box sitting the corner that just dies when you try to do anything with it. Company's paying $150 an hour for me to fix their $30 router.

Also, look at a separate wifi access point (such as the linksys with tomato or dd-wrt, etc.) because it would have to do routing, dhcp, etc. just sharing the wireless network with a WPA2 password. You can set it up on its own vlan on the snapgear that would isolate it from your internal network unless you use the vpn client (so you have extra secure wireless) to get to your internal network. Also an easy way to provide free wifi to guests (they get a WPA key, but don't have VPN access to your internal network). If the linksys goes down in the firmware update or just playing with settings, your primary internet is still functional.
posted by mrzarquon at 8:58 PM on December 14, 2007

err, the linksys as an accesspoint would *NOT* have to do the routing.
posted by mrzarquon at 9:00 PM on December 14, 2007

This thread is closed to new comments.