Failover to USB mobile modem with limited access

Discussion in 'Asuswrt-Merlin' started by a8ree, Jun 25, 2019.

  1. a8ree

    a8ree New Around Here

    Joined:
    Jun 1, 2017
    Messages:
    4
    I've got a few devices that I'd like to route over 3G in the event that the wired line is unavailable. I wouldn't want devices accessing streaming services, downloads etc. (Cost prohibitive) but, for VOIP and home automation systems, I'd like to keep these online.

    Is there a way in which to do this?
     
  2. Martineau

    Martineau Part of the Furniture

    Joined:
    Jul 8, 2012
    Messages:
    2,327
    Location:
    UK
    Here is a possible Dual-WAN Failover (FO) hack; with minimal scripting...i.e. one-liner! ;)

    If the Network Services Filter (NSF) GUI meets your needs to accommodate your desired 3G blacklists, you can quickly build the 3G blocking rules:

    e.g. 192.168.1.99 has no internet access, 192.168.1.88 can't access xxx.xxx.xxx.xxx and 192.168.1.77 cannot access any remote WEB pages etc.

    Code:
    iptables  --line -t filter -nvL NSFW
    
    Chain NSFW (1 references)
    num   pkts bytes target     prot opt in     out     source               destination       
    1        0     0 logdrop    tcp  --  br0    eth0    192.168.1.99         0.0.0.0/0         
    2        0     0 logdrop    tcp  --  br0    eth0    192.168.2.88         xxx.xxx.xxx.xxx          
    3        0     0 logdrop    tcp  --  br0    eth0    192.168.1.77         0.0.0.0/0     tcp dpt:80
    4       13   793 RETURN     all  --  br0    eth0    0.0.0.0/0            0.0.0.0/0           

    then whilst the primary WAN0 is ACTIVE, you would need to use firewall-start to insert a simple rule to disable the 3G-only NSFW rule table.
    i.e.
    Code:
    iptables -I NSFW -j RETURN
    
    iptables  --line -t filter -nvL NSFW
    
    Chain NSFW (1 references)
    num   pkts bytes target     prot opt in     out     source               destination       
    1       22   318 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    2        0     0 logdrop    tcp  --  br0    eth0    192.168.1.99         0.0.0.0/0         
    3        0     0 logdrop    tcp  --  br0    eth0    192.168.2.88         xxx.xxx.xxx.xxx           
    4        0     0 logdrop    tcp  --  br0    eth0    192.168.1.77         0.0.0.0/0     tcp dpt:80
    5       81  5432 RETURN     all  --  br0    eth0    0.0.0.0/0            0.0.0.0/0           

    so now the three '3G-blocking' rules are ignored.

    However, when the primary WAN0 (e.g. eth0/vlan2 etc.) goes DOWN, the firmware will automatically rebuild the 3G blacklist rules but will now explicitly reference the ACTIVE 3G USB interface e.g. ppp0:
    Code:
    iptables  --line -t filter -nvL NSFW
    
    Chain NSFW (1 references)
    num   pkts bytes target     prot opt in     out     source               destination       
    1        0     0 logdrop    tcp  --  br0    ppp0    192.168.1.99         0.0.0.0/0         
    2        0     0 logdrop    tcp  --  br0    ppp0    192.168.2.88         xxx.xxx.xxx.xxx            
    3        0     0 logdrop    tcp  --  br0    ppp0    192.168.1.77         0.0.0.0/0     tcp dpt:80
    4        2   116 RETURN     all  --  br0    ppp0    0.0.0.0/0            0.0.0.0/0           

    so no further firewall rule/action is required.

    Here is the one-line script.....

    /jffs/scripts/firewall-start
    Code:
    #!/bin/sh
    
    [ "$1" != "ppp0" ] && iptables -I NSFW -j RETURN # If WAN0 is UP, then disable the 3G blocking rules

    NOTE: If NSFW is already used, then you will simply need to manually insert the appropriate 3G blocking rules preferably in your own filter chain e.g. 'Block3G' which is called from the FORWARD chain.
     
    Last edited: Jun 25, 2019
  3. a8ree

    a8ree New Around Here

    Joined:
    Jun 1, 2017
    Messages:
    4
    Thanks for the solution. I'll give that a whirl!
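
The NOTE at the end of Martineau's reply suggests keeping the 3G rules in your own chain, e.g. 'Block3G', called from FORWARD. The script below is an added example of that layout, not code from the thread; it goes beyond the blacklist shown there by using a default-deny allowlist, so only the listed devices may use the 3G link. Assumptions: the two client addresses are constructed placeholders, `IPT` is a hypothetical dry-run switch, and plain `DROP` is used instead of the firmware's `logdrop` chain.

```sh
#!/bin/sh
# /jffs/scripts/firewall-start -- added example, not code from the thread.
# Assumptions: LAN bridge br0 and 3G modem on ppp0 (as in the listings above);
# the two client addresses are constructed placeholders.

IPT="${IPT:-echo iptables}"   # dry run by default (prints commands); use IPT=iptables on the router
LAN_IF="br0"
USB_IF="ppp0"
ALLOW_3G="192.168.1.50 192.168.1.60"   # constructed: VoIP adapter, home-automation hub

# Succeeds only for a dotted-quad IPv4 address with every octet <= 255.
# Runs in a subshell so the IFS change does not leak into the caller.
is_ipv4() (
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || exit 1
    IFS=.; set -- $1
    for octet in "$@"; do [ "$octet" -le 255 ] || exit 1; done
)

# Rebuild the Block3G chain: listed sources RETURN to FORWARD, all else is dropped.
build_block3g() {
    # Validate first so a typo never leaves a half-built chain behind.
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "Block3G: bad address '$ip', firewall unchanged" >&2; return 1; }
    done

    # Remove any earlier copy so repeated firewall restarts do not stack rules.
    $IPT -D FORWARD -i "$LAN_IF" -o "$USB_IF" -j Block3G 2>/dev/null || true
    $IPT -F Block3G 2>/dev/null || true
    $IPT -X Block3G 2>/dev/null || true

    $IPT -N Block3G
    for ip in "$@"; do
        $IPT -A Block3G -s "$ip" -j RETURN
    done
    $IPT -A Block3G -j DROP

    # Hook the chain only for LAN traffic leaving via the 3G interface, so it
    # never matches while the primary WAN carries the traffic.
    $IPT -I FORWARD -i "$LAN_IF" -o "$USB_IF" -j Block3G
}

build_block3g $ALLOW_3G
```

Because the FORWARD hook matches on `-o ppp0`, this variant does not need the `RETURN` toggle for the primary WAN; check the result with `iptables --line -t filter -nvL Block3G` after a failover test.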