
This is the support site for Andrews & Arnold Ltd, a UK Internet provider. Information on these pages is generally for our customers but may be useful to others, enjoy!

FireBrick How to: L2TP-Failover

From AAISP Support Site
Revision as of 13:56, 15 January 2026 by Stuarth

Firebrick Failover

AIM: To provide a seamless fail-over from one WAN to another on a Firebrick, using an AAISP internet service and another Internet service.

Description:

If your AAISP Internet connection should fail for any reason, perhaps damage to cabling etc., and you have the benefit of another route to the internet, then your connection to AAISP can remain connected.

Firebrick features used:

  • Interfaces: To connect another Internet source to the Firebrick.
  • Firewall: A default ruleset to protect the local LAN(s) from the additional internet service.
  • Profiles: To monitor and command changes to links.
  • Tables: Routing and Payload: To direct routes to the internet and what traffic should go where.
  • L2TP (Layer Two Tunnelling Protocol): To make a connection with AAISP, and present the Firebrick as your normal login.

In this example we will use FTTP as the normal internet connection to AAISP, and Starlink as the backup internet connection.

Interfaces:

Assuming you have already successfully connected your Firebrick to the Internet, you will want to connect the Starlink to the Firebrick. This can be achieved by simply dedicating a port and interface as a direct connection to the Starlink router. The important thing to note is the choice of tables. The Firebrick by default uses tables of ‘0’ for routing and ‘0’ for payload. As we only want the Starlink connection to take over when the FTTP fails, we will pick another routing table, in this case ‘10’.

Note there is also a subnet created simply to collect an IP address from the Starlink Router, as ‘DHCP-client’.

In XML:

 <port name="WANSTAR"
       ports="2"
       comment="Starlink WAN"/>

 <interface name="Starlink"
            port="WANSTAR"
            table="10"
            profile="StarlinkWAN"
            comment="Starlink">
  <subnet name="DHCP Client"/>
 </interface>

Firewall:

The additional firewall rule-set is set up exactly as the default firewall, but with a routing table of ‘10’ selected:

 <rule-set name="Firewall 10 Table"
           table="10"
           target-interface="LAN"
           no-match-action="reject"
           comment="Firewall for 10 Table">
  <rule source-interface="self"
        comment="Allow from the FireBrick though"/>
 </rule-set>

Profile:

Profiles are very powerful on the Firebrick, and in this example we will use one to monitor the status of the FTTP connection. If the Firebrick detects that the FTTP connection no longer functions, the profile changes state, and we can use this to trigger the fail-over.

Note the use of inversion. This is important. The profile checks if the PPP connection (the normal AAISP internet connection) is ‘Up’. If it is, the profile is enabled, but we want to know when the PPP connection is down, so we invert it. Result: when the PPP connection goes down, the profile is enabled (true), and we can use this to trigger our next step.


 <profile name="FTTPWANFailure"
          ppp="WANFTTP"
          invert="true"
          comment="Check WAN FTTP and dial L2TP Starlink if required"/>

L2TP:

The L2TP tunnel is used to connect to AAISP and present a connection from your Firebrick that is exactly the same as the one you would normally use. In effect your Internet connection (and IPs) operate the same, but over a different route. We use the interface we created for Starlink to route the tunnel traffic (routing table ‘10’), carry the traffic from the Firebrick in payload table ‘0’, and use the profile created above to ‘dial’ the L2TP connection.

Note it is important to use a profile, as AAISP will not allow multiple connections to their systems from the same login credentials. Here we bring together everything we have done, with the addition of your normal AAISP login credentials:

  <outgoing name="example@a.1Starlink"
            local-hostname="example@a.1"
            secret="password"
            server="l2tp.aa.net.uk"
            table="10"
            payload-table="0"
            username="example@a.1"
            password="password"
            nat="false"
            profile="FTTPWANFailure"
            comment="example@a.1 FTTP Starlink"/>

Summary:

  • Connected the Starlink via a new port and interface with a routing table of ‘10’, instead of the default table ‘0’ used by the normal internet connection.
  • Firewalled the LAN on the new routing table of ‘10’ with a new firewall rule-set.
  • Created a profile to watch the normal AAISP FTTP PPP connection state and dial an L2TP connection when the PPP session fails for any reason. Conversely, should the connection come back up, the profile will change state, and the unnecessary L2TP connection will be released.
  • Created an L2TP connection to connect to AAISP over Starlink, using (in this case) its routing table of ‘10’, sending traffic from the default payload table of ‘0’ on the Firebrick, and logging into the AAISP servers with our normal Internet service credentials.

Result:

  • Automatic and seamless AAISP internet connection maintained by the Firebrick when your normal internet connection fails, using another Internet service.
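
The two relationships this how-to depends on (a rejecting firewall rule-set on the backup routing table, and an L2TP tunnel gated by an inverted PPP profile so the login is never used twice) can be checked mechanically before a config is loaded. The Python script below is an added example, not AAISP or FireBrick code; the `<config>` wrapper, the trimmed sample, and treating a rule-set without a `table` attribute as table 0 are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's fragments, trimmed, inside an assumed <config> root.
GOOD = """<config>
 <interface name="Starlink" port="WANSTAR" table="10"><subnet name="DHCP Client"/></interface>
 <rule-set name="Firewall 10 Table" table="10" target-interface="LAN" no-match-action="reject">
  <rule source-interface="self"/>
 </rule-set>
 <profile name="FTTPWANFailure" ppp="WANFTTP" invert="true"/>
 <outgoing name="example@a.1Starlink" server="l2tp.aa.net.uk" table="10"
           payload-table="0" username="example@a.1" profile="FTTPWANFailure"/>
</config>"""

def elems(root, tag):
    """Find elements by local name, ignoring any XML namespace or nesting."""
    return [e for e in root.iter() if e.tag.split("}")[-1] == tag]

def lint(xml_text):
    """Return findings where a config departs from the layout this page describes."""
    root = ET.fromstring(xml_text)
    findings = []
    # Tables covered by a rule-set that rejects unmatched traffic, as on the page.
    # Assumption: a rule-set with no table attribute applies to table 0.
    guarded = {r.get("table", "0") for r in elems(root, "rule-set")
               if r.get("no-match-action") == "reject"}
    for i in elems(root, "interface"):
        t = i.get("table", "0")
        if t != "0" and t not in guarded:
            findings.append(f"interface {i.get('name')}: table {t} has no rejecting rule-set")
    profiles = {p.get("name"): p for p in elems(root, "profile")}
    for o in elems(root, "outgoing"):
        p = profiles.get(o.get("profile"))
        if p is None:
            findings.append(f"outgoing {o.get('name')}: no defined profile gates the tunnel")
        elif not p.get("ppp") or p.get("invert") != "true":
            findings.append(f"outgoing {o.get('name')}: profile {p.get('name')} "
                            "is not an inverted PPP check")
    return findings

if __name__ == "__main__":
    for line in lint(GOOD) or ["no findings"]:
        print(line)
```

A finding on the `outgoing` element means the tunnel could be up while the PPP session is also up, which is the duplicate-login case the page warns about.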