Firebrick using 3rd party as main connection

From AAISP Support Site

Scenario

We have a:

  • 3rd party 100mbit BT fibre link with locked down router plugged into port 3 of the FireBrick.
  • ADSL backup from AAISP
  • FireBrick router
  • L2TP from AAISP to retain IP allocation

Some customers may now have another provider (BT, for example) for their main link, whilst then retiring their existing ADSL with us to become backup lines. In this scenario, we can perform failover to the ADSL using route overrides and wrap everything in an L2TP tunnel to retain the IPs that they have with us at all times.

Creating the interface

Going back to the scenario, we will be using port 3 for the fibre link. Make sure you have created a suitable port for this if you have not already:

   <port name="fibre" ports="3"/>

You will then need to create the interface for this port. You will need to set the IPs under its 'subnet' to be the IPs used by the fibre service, and the gateway to be the fibre links own router. It is important to set a table for this interface to be used by our tunnel later on. Here we will be using table 10:

   <interface name="FibreLink" port="fibre" table="10">
      <subnet name="Fibre" ip="xx.xxx.xxx.xx/29" gateway="xx.xxx.xxx.xx"/>
   </interface>

Creating our L2TP tunnel

We will need an L2TP tunnel that connects to us so that we can retain our IP space at all times. Below is a snippet of configuration for our tunnel. Be sure to set a dummy route under route="" (0.0.0.1/2/3 is conventional for AAISP staff) and make sure you set the table="" to match our new interface. 90.155.53.19 is the AAISP L2TP endpoint:

   <l2tp accounting-interval="1:00:00">
      <outgoing name="AAISP" hostname="AAISP" ip="90.155.53.19" graph="Tunnel" table="10" username="xxx@a.x" password="xxxxxxxxxx" routes="0.0.0.1" tcp-mss-fix="true" comment="To AAISP"/>
   </l2tp>

Once implemented it is a good idea to check if the tunnel is now up. You can see if the tunnel is up under Status > L2TP. If you are encountering issues, you can enable logging under the L2TP Tunnel section of Config. You will also want to make sure that traffic is going down our tunnel as expected. You can use Ping under Diagnostics to check this. Make sure you set the gateway to be our dummy route.

Creating a profile to check if our tunnel is up

We will want a profile that checks if our link is up before we route traffic down our tunnel. The best way to do this would be to create a profile that pings l2tp.aa.net.uk (90.155.53.19) via our new L2TP dummy route (0.0.0.1, for example). If the ping is successful, the profile will become enabled. It is a good idea to set the ttl to 1 just to make sure that the tunnel is totally down:

   <profile name="dol2tp"/>
   <profile name="L2TPPing">
      <ping ip="90.155.53.19" ttl="1" gateway="0.0.0.1"/>

Adding our route override

Next we will want to create our route override so that we can route traffic down our new tunnel. We will apply our new ping profile to it so that it only enabled if our tunnel is up. You will need to set the source-ip="" to be our LAN IPs in its CIDR format. You will also want to set the gateway to be our dummy route so that all traffic goes down our tunnel. Make sure you also apply our new profile that we made earlier:

   <route-override name="Override">
      <rule name="Override" source-ip="xxx.xxx.xxx.xxx/29" set-gateway="0.0.0.1" profile="dol2tp"/>
   </route-override>

Conclusion

Make sure you finally set the 1st priority routing on Clueless to be the new tunnel, with 2nd priority routing being the ADSL link(s). If all goes well, hit test and confirm that all is working as expected.