Automatic IP switching when internet connection is lost.

[StrikedOut]

Hi All.

We are looking at setting up a system where if our main connection to the internet is lost, router fails, line faults etc then our network would automatically switch to a second backup line. The data it would need to change is the gateway and DNS servers as all PWAN traffic uses internal IP addresses to access company websites (intranet, accounts and management tools). If we switched over to the backup line then we would like it to use the public IP address.

What I am looking for is something like this.

Normal details

IP range 192.168.11.0

Gateway 192..168.11.250

DNS 192.168.11.1

In the event that an internet connection is not available

Switch too

Gateway 192.168.11.254

DNS 192.168.11.10

If there is an automatic solution that uses a trigger of some sort then perfect as I would prefer it to not need an administrators input (we do sometimes need to travel to other sites plus one of our offices works shifts) but at this time I am open to all suggestions.

[xendrome]

You would do this typically at the router level, the router would handle some type of dual WAN/failover connection. Not the clients.

What is your router/network setup?

[+BudMan MVC]

You would not switch the clients, you would just run HA routers with multiple wan connections. What routers do you use now?

So if running say pfsense, this is how you would do it

http://doc.pfsense.o...ancy_%28CARP%29

Your not going to want to change clients to different dns and gateway -- and I don't know of a automated way of doing that if you did.. What you could do as simple manual way would be to change your dhcp scope, and then have users either renew the dhcp lease to get the new info or reboot.

But a better solution would be to setup HA on your routers so the IP never changes.. With different internet connections you now get hardware redundancy along with connection - and you could even load balance your connections across both your internet connections in this sort of setup.

edit: Curious what sort of location is this? Guessing not a Windows AD environment if your pointing directly at the routers for dns? Oh wait your dns is not your gateway IP. Why would you need to change the dns if the gateway failed?

[Roger H. Veteran]

We use the Cisco RV082 now for this, the RV016 is also an option if you have more than 2 WANs.

Not saying these are the only options, just that they work well for us in that it auto switches when in backup mode (1 is used as main and the other is backup) or balance the load over both networks automatically using only 1 if 1 goes down.

[+BudMan MVC]

^ but I think he mentioned if the router went down as well, not just the internet connection. I was not aware that the RV line could do HA with another RV router? if so - then yeah that would be a low priced solution.

[Roger H. Veteran]

OOps, yeah, guess I missed that last part.

If you set multiple gateways in a DHCP scope would it confuse the clients or would they just use the first on the list till it's not available (sorta like DNS servers)?

[StrikedOut]

We are currently using Cisco 1921 routers that are managed by the ISP. We have 2 lines that were going to be bonded but issues with one of the lines brought both down meaning in this case the router was active and the line was showing as connected but there was no activity being past on either line. We have also had a instance when another Cisco 1921 was potentially the issue but ideally we are looking for a solution that covers both line connection issues and hardware failure. We also have a second ADSL line which I would like to use as the backup and the line the server use to upload our backups to (which I currently do with a persistent route) which is managed by a Draytek 2930 router.

If I use multiple gateways wouldn't the client always use the primary until the router wasn't available regardless of line status? Also how can I switch DNS? When the users are connected via the primary line they use private IP's which are set in our DNS servers, the backup will breakout to the internet with no link to the datacentre so they would need to switch to using public IP's. I have spoken to the provider about this as I wanted to remove all manually added zones from our DNS server and just leave the AD integrated zones.

The initial requirement is to use an automated system where the switchover is taken care of with no user input, should a fault happen out of normal business hours when it is only the night people working then the time it would take us to manually switch them could cost us financially. However as a back up to the backup, I would also like a way for them to easily switch themselves over should the automated system fail.

Going to take a look at pfsense, budman. I know you have recommended it several times before.

[+BudMan MVC]

I am fairly sure a 1921 can do HSRP.. how you would tie in your dual internet connections not sure.

But still thinking about it the wrong way.. You don't change your lan IP scope just because your internet connection changes, or the hardware to the connection fails.

You setup a ha pair with hsrp or virtual IP, lots of different terms for pretty much the same thing. You have 2 routers, and then either 1 or more internet connections on the wan side connected to these routers. You then route traffic to the connection you want, be it using 1 and other as fallback, or load balancing, etc. from the lan side nothing changes if one of the routers fail. Since the router that is currently active will hold that gateway IP your clients use.

And I still at a loss to why you should have to change your dns if your internet connection changes? Your local dns would still work, or use a non isp based external dns, etc.

[Mando]

  On 15/05/2013 at 18:20, BudMan said:

I am fairly sure a 1921 can do HSRP.. how you would tie in your dual internet connections not sure.

But still thinking about it the wrong way.. You don't change your lan IP scope just because your internet connection changes, or the hardware to the connection fails.

You setup a ha pair with hsrp or virtual IP, lots of different terms for pretty much the same thing. You have 2 routers, and then either 1 or more internet connections on the wan side connected to these routers. You then route traffic to the connection you want, be it using 1 and other as fallback, or load balancing, etc. from the lan side nothing changes if one of the routers fail. Since the router that is currently active will hold that gateway IP your clients use.

And I still at a loss to why you should have to change your dns if your internet connection changes? Your local dns would still work, or use a non isp based external dns, etc.

As the norm budman is correct :) 1921s do HRSP. You require a 1921 for each net conn and you pair them for Ha/hrsp. 3 LAN IPS are required. 1 for each 1921 and one for hrsp. I have a pair of fibre 100mb converted/presented as cat6 entering the premises main conn into first 1921 and backup fibre into 2nd 1921. The hrsp IP becomes your DG and the 1921s manage failover with out any connectivity loss to clients.

[+BudMan MVC]

^ yup! I didn't got into the internet side of it because not very clear on what exact sort of connections you have or want to use, etc. Be it a board on your 1921, be it just plain jane ethernet connected to it, etc.

We can for sure get into details if you want, its just the whole idea of changing your whole lan IP space on a loss of internet, or switch to different one makes no sense at all.

Now if you want to discuss the DNS side if more - you mention AD.. So would assume you have some AD box doing your AD dns, this should be the ONLY dns for your AD members. This server would then forward all requests it is not authoritative to some other box.. Now if your forwarding to an ISP dns, it might not allow you to use that one if your not coming from their network.. Which is why you could have both internet connections isps dns setup, or your local dns could go directly too roots for stuff it doesn't know, or it could use one of the many other public dns out there that does not care what network you come from.