Topic: Dual WAN failover in server-gateway mode?

[smiit]

Problem: Frequent ISP outages affecting company need for 24/7 internet uptime

Environment: SME 9.1 in server-gateway mode hosting email and website with external static IP via cable modem (1 of 5 usable addresses in .248 netmask)

There have been several discussions about this over the years and a feature request for > 1 WAN interface but I'm curious about current recommendations and working configurations for Dual WAN failover for SME servers.

How do people here accomplish ISP redundancy and minimize downtime for their companies and clients?  Server-only mode behind pfsense or a dual wan router?  Other solutions?

[guest22]

SME Server currently does not facilitate WAN failover. A dual WAN router would be the way to go at this point in time.

[janet]

smiit

Otherwise get a better ISP with reliable connection.

[mmccarn]

I've done this two different ways.

The easy way is to get a dual wan router and switch the SME server to server-only mode - there a (tiny) bit more info here: https://forums.contribs.org/index.php/topic,47556.msg234899.html#msg234899

The difficult way, which requires a script or manual intervention if the primary wan connection fails, is to put a SME in server-gateway mode on each ISP and play with the proxypass, internal mail server, and port forwarding settings until you're happy: https://forums.contribs.org/index.php/topic,47556.msg234897.html#msg234897

The second method would allow you to have one SME setup as a 'warm spare' for the other if Affa still works...

[smiit]

I've done this two different ways.

The easy way is to get a dual wan router and switch the SME server to server-only mode - there a (tiny) bit more info here: https://forums.contribs.org/index.php/topic,47556.msg234899.html#msg234899

The difficult way, which requires a script or manual intervention if the primary wan connection fails, is to put a SME in server-gateway mode on each ISP and play with the proxypass, internal mail server, and port forwarding settings until you're happy: https://forums.contribs.org/index.php/topic,47556.msg234897.html#msg234897

The second method would allow you to have one SME setup as a 'warm spare' for the other if Affa still works...

Thank you for the information.

Yes, I've avoided server-only behind a dual wan router since posts over the years have stated that Email functionality/filtering works best in server-gateway mode with a direct connection between SME and modem.  And, as we know, SME just works so well out of the box as server-gateway.

I'll experiment with your 2nd approach.  I found info suggesting Win 7 clients on the LAN can be assigned a 2nd gateway route with a higher metric that should redirect traffic out the 2nd SME server-gateway if the primary gateway WAN route is down:

http://blog.palehorse.net/2009/08/24/using-windows-7-with-multiple-gateways-and-dhcp/

[mmccarn]

... I found info suggesting Win 7 clients on the LAN can be assigned a 2nd gateway route with a higher metric that should redirect traffic out the 2nd SME server-gateway if the primary gateway WAN route is down:

I have a vague memory that using multiple gateway IPs on my workstations didn't work - the primary route was not going "down" as far as the workstations could tell -- it just stopped working (if you see what I mean).  Since the primary SME continued to accept packets from workstations the workstations never used the secondary route.  But this was using Windows XP...

When the primary WAN went down I would ssh into the secondary SME, ssh from there to the primary SME, and do something to send traffic over to the secondary SME. I can't remember if I was manually setting a default route or if I was configuring the secondary SME as an upstream proxy for the first sme.

[craig]

I've had good success with Draytek routers and multi-WAN links including USB 3G dongles. A few vendors offer this functionality nowadays.

The requirements that I work with don't usually need restricted Internet so the SME Server is typically in server only mode sat behind the router. At one site the firewall rules were changed to only allow the SME Server to access the Internet, and then the proxy enabled on the SME Server and SARG reports ran from there.

Hope this helps.

[ReetP]

I have a couple of sites with SME boxes in server only sitting behind a 4 port Draytek 3300 WAN router. I just forward the required ports and nothing more. Usually the ssh port (whatever, keys only), smtp (25), ssmtp (465), imaps (993), https (443) and possibly http (80)

On one I have a proxy running with SARG with browers all pointed at it just to keep an eye on surfing habits. Has worked well for me for years.

As an aside what I have done with a couple of VMs on my cloud server is run them in gateway server with a 'dummy' internal adaptor to help with firewalling where there is no router/firewall in front of it.

As long as you have firewalling SOMEWHERE you should be OK.

B. Rgds
John

[zatnikatel]

just my 2 cents i use to have a router years ago that had a fall over to a dailup modem the the wan failed it would switch to the dail but one good thing you did not have to change the setting on the clients it was auto done in the router so same dhcp same ipaddress but never tested it with mail but web and https and all the normal stuff worked the same so the port forwarding was still the same inside the router

no days there should be a modem router that does the same with wireless fall and the router does the changes

[Marco Hess]

I have a Dratec and played a bit with the 3g dongle fall over. While that works quite well for outgoing traffic, you quickly run into trouble for incoming connection like SMTP as you have the issue of DNS changeover. On top of that not all 3g data connections allow for public IP addresses so you have to watch out for that too.

[ReetP]

I have a Dratec and played a bit with the 3g dongle fall over. While that works quite well for outgoing traffic, you quickly run into trouble for incoming connection like SMTP as you have the issue of DNS changeover. On top of that not all 3g data connections allow for public IP addresses so you have to watch out for that too.

Yup - even worse when they are double natted like the a lot of telcos do now.