LTE WAN Failover with Sophos XG

Living in the land of moose and trees, power outages are a way of life. Either you’re fortunate enough to have an automatic standby generator, like a Generac, or you have a portable generator with the beloved “widowmaker” cobbled extension cord.

The problem with power outages here as opposed to somewhere like Texas is the outages up here are often due to trees coming down on the lines – which also takes down cable internet.

Of course we can tether our mobile phones to our laptops, but that doesn’t do anything for the RokuTV, aka “The Babysitter”. And anyone who has let a 3 year old use their laptop understands why neither my MacBook Pro 2013 nor my wife’s i7 Asus Zenbook is an option. We could also just let her use her Amazon Fire tablet, aka “The Other Babysitter”, but that’s just too easy, ok!?

On our Generac I am running a DIY-project that monitors and controls the outage and exercise cycles. While the exercise cycles are of little importance, I do want to know if the power goes out while I’m away from the house. The notification is controlled by a small box that is roughly 50 feet away from the house so no amount of tethering will work there.

Running a Sophos XG135w gives me a few options. If this were the XG135, and not the -w version with integrated wireless, I could get an LTE add-on card that just needs a SIM card and some minor setup. Alas, because I have built-in wireless, an all-one-box is not an option. Truthfully, even if it were an option, those add-on cards are very expensive.

The Netgear LB1120 is an LTE modem that outputs via ethernet, as opposed to many of the other modem options that are basically fancy hotspots. Apparently prices have gone up (I blame COVID): they used to be around $80 but are now around $100.

So you put your activated SIM card into the LB1120. I’ve used this model with Google Fi which runs on US Cellular, T-Mobile, and Sprint. We don’t have Sprint up here in the North Pole but USC and TMo are decent enough. I’m now running it with a VZW SIM and holy cow! The signal strength is so much better. I was getting about 2 bars with any carrier on Google Fi and I now get 4 bars on VZW.

Once the activated SIM card is inserted, plug in the power and connect the ethernet cable to your computer. Power on the device. Navigate to http://192.168.5.1 (the default) and log in using the password printed on the bottom of the modem (it varies by device, and it is worth changing before the modem goes into service).

The only required change is to set the LB1120 to Bridge mode; Router is the default. In Bridge mode the modem passes the carrier-assigned address straight through to the XG, so the XG, not the LB1120, is the device doing NAT and enforcing policy on that link. If you’re running Google Fi, you’ll also need to set the APN to h2g2. Next time I’m doing maintenance, I’ll take screenshots, since I need to either remove the modem from the network or let a failover occur.

Once your changes are made, shutdown the LB1120. Plug in an ethernet cable from the LB1120 to a port on the XG135w. I used Port 8 for no real reason. Port 1 is screen-printed LAN, Port 2 WAN and Port 3 DMZ. Since these are only screen-prints and we can configure these ports however we want, it’s really only my OCD that keeps me from using Port 3. So yes, Port 8. Could I have used Port 4? Sure. But it’s Port 8.

Port 1 – LAN
Port 2 – WAN
Port 3 – DMZ
Port 8 – LTE

Ok, so once you have the physical connections made, log in to the XG at https://172.16.16.16:4444 (the default).

Network> Interfaces> Select the port that is connected to the LB1120. In my case, Port 8.


I changed the name to LTE (again, OCD); name the interface whatever you want.
– Network Zone: WAN
– IP assignment: DHCP
– Gateway Name: DHCP_LTE_GW. Name this whatever you want; I kept the default naming convention for the gateway.
– Save.

Network> WAN Link Manager> Because we put the interface in the WAN zone, the new gateway now shows up here.

Click on the new IPv4 Gateway. Mine is named DHCP_LTE_GW.

Set the Interface Type. This will be a Backup connection, so I will unsurprisingly select “Backup”.

Set the Interface Details according to your needs. The verbiage is nice and simple, so you can tune this to your usage.
– Activate this Gateway: If DHCP_Port2_GW fails.
– Action on Activation: Inherit the weight of failed active gateway.
– Action on Fallback: Serve all connections through restored gateway.
– Save.

I left the Failover Rules at default. One thing worth checking there: the failover rule is what decides “fails” means, and if it only probes the next-hop gateway, a cable modem that stays powered and keeps answering pings while the line upstream of it is dead will never trigger the switch to LTE. A rule that probes a host out on the internet catches that case; pulling the modem’s plug, as in my test below, only exercises the first.
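As an added example (not Sophos code, and not from the original post), here is a small Python model of the three gateway settings above driven by a probe trace, so the effect of what the failover rule probes is visible. The gateway names DHCP_Port2_GW and DHCP_LTE_GW are the ones used in this post; the thresholds, the probe traces, and the “gateway” versus “external” probe distinction are constructed for the demo and are not how XG implements its rules internally.

```python
"""Primary/backup gateway selection driven by a reachability probe.

Added example, not Sophos code. It models the WAN Link Manager settings
from the walkthrough (backup activates when the primary fails, inherits
its weight, and traffic returns to the primary once it is restored) and
feeds the decision from a probe trace so the effect of *what* the failover
rule probes can be seen. Thresholds and the traces are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple

PRIMARY = "DHCP_Port2_GW"   # cable gateway, name from the post
BACKUP = "DHCP_LTE_GW"      # LTE gateway, name from the post


@dataclass
class Gateway:
    name: str
    weight: int                 # load-balancing weight while active
    fail_threshold: int = 3     # consecutive failed probes before marking down
    restore_threshold: int = 3  # consecutive good probes before marking up
    up: bool = True
    fails: int = 0
    oks: int = 0

    def observe(self, probe_ok: bool) -> bool:
        """Record one probe result; return True if the up/down state flipped."""
        if probe_ok:
            self.fails, self.oks = 0, self.oks + 1
            if not self.up and self.oks >= self.restore_threshold:
                self.up = True
                return True
        else:
            self.oks, self.fails = 0, self.fails + 1
            if self.up and self.fails >= self.fail_threshold:
                self.up = False
                return True
        return False


class WanLinkManager:
    """'Activate if primary fails', 'inherit weight of failed gateway',
    'serve all connections through restored gateway'."""

    def __init__(self, primary: Gateway, backup: Gateway):
        self.primary, self.backup = primary, backup
        self.backup_weight = 0  # backup carries nothing while idle

    def active(self) -> str:
        if self.primary.up:
            self.backup_weight = 0                    # fallback: all traffic back to primary
            return self.primary.name
        self.backup_weight = self.primary.weight      # activation: inherit failed weight
        return self.backup.name


def simulate(trace: List[Tuple[bool, bool]], probe_target: str = "gateway") -> List[str]:
    """Return the active gateway name after each tick of the trace.

    trace: per-tick (next_hop_ping_ok, external_host_ping_ok) for the primary link.
    probe_target: "gateway" looks only at the next-hop result, "external" at the
    internet-host result. Both are constructed stand-ins for a failover rule.
    """
    if probe_target not in ("gateway", "external"):
        raise ValueError(probe_target)
    primary = Gateway(PRIMARY, weight=1)
    backup = Gateway(BACKUP, weight=1)
    mgr = WanLinkManager(primary, backup)
    out = []
    for gw_ok, ext_ok in trace:
        primary.observe(gw_ok if probe_target == "gateway" else ext_ok)
        out.append(mgr.active())
    return out


# Constructed traces.
# 1) Line upstream of the modem down (tree on the cable); modem powered, still answers pings.
UPSTREAM_OUTAGE = [(True, True)] * 2 + [(True, False)] * 5 + [(True, True)] * 4
# 2) Modem unplugged, as in the test in the post: next hop and internet both gone.
MODEM_UNPLUGGED = [(True, True)] * 2 + [(False, False)] * 5 + [(True, True)] * 4

if __name__ == "__main__":
    for label, trace in (("upstream outage", UPSTREAM_OUTAGE), ("modem unplugged", MODEM_UNPLUGGED)):
        for target in ("gateway", "external"):
            on_lte = simulate(trace, target).count(BACKUP)
            print(f"{label:16s} probe={target:8s} ticks on LTE: {on_lte}")
```

With the gateway-only probe the upstream outage never fails over (zero ticks on LTE); with the external probe it moves to LTE after three failed probes and back to cable after three good ones. Unplugging the modem looks identical under both rules, which is why that test alone does not prove the rule covers a line cut.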

That should do it. I tested my setup by unplugging my cable modem and it did, indeed, fail over appropriately. It happened fast enough that Netflix didn’t buffer and my beloved, possessed offspring didn’t even notice! The speedtest showed 14Mbps, which isn’t amazing by cable standards, but it’s respectable when you consider this is Verizon going through trees, to my cellular booster on my metal roof, to and out my indoor dome cellular booster antenna, and into my LTE modem in my basement.

Managing Sophos XG – Create VLANs

Pre-setup disclaimers:
– Some steps will vary depending on the exact deployment. For this particular lab, a single trunk port is used between XG Port 2 and Switch (SW) Port 1. To maximize network throughput, this setup could split the trunk across multiple 1GbE ports on the XG and multiple 1GbE ports on the SW. But that’s a project for another day.
– The switch used is a now-deprecated Linksys switch, SGE-2000P. It’s a faithful old steed and provides good PoE to the devices still tolerant of 802.3af in an 802.3at world.

Create the Interfaces

The first step is to create the interfaces needed for each VLAN. You’ll need to know which port(s) you’re trunking from the XG.

XG> Configure> Network> Interfaces> Add New Interface> Add VLAN>
– Give it an appropriate name.
– Select the appropriate trunk port.
– Select the desired zone. For the scope of this walkthrough, all VLANs will be “LAN”.
– Set the desired VLAN ID. It’s personal preference, but I set the VLAN ID to match the third octet of that VLAN’s subnet. It helps keep my mind straight.
– Set the static IP range applicable to the VLAN, e.g. 10.10.160.1/24 for VLAN 160.
– Save the changes.

Setup DHCP

Each VLAN will need its own DHCP range to work properly.

XG> Configure> Network> DHCP> Server> Add>
– Give it a descriptive name. I tend to keep everything named with a convention similar to the VLAN itself.
– Select the interface for the VLAN.
– Set the dynamic IP lease range. I will typically set this smaller than the total to leave me some room for static assignments, e.g. 10.10.160.100 – 10.10.160.200.
– Set your static IP maps, if applicable. This is easy enough to do later, too.
– Leave “Use Interface IP as Gateway” checked.
– Leave all else default and Save changes.
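The interface and DHCP steps above follow one convention (VLAN ID reused as the third octet, interface at .1, pool .100 to .200). As an added example, not from the post and not Sophos code, this Python script derives that plan for a set of VLANs and checks the mistakes that quietly break a lab: VLAN IDs outside the 802.1Q range or too big to be an octet, overlapping subnets, and DHCP pools that spill outside their subnet or swallow the interface IP. The VLAN names in the lab dictionary are constructed.

```python
"""Per-VLAN addressing plan for the XG VLAN interfaces and DHCP servers.

Added example, not Sophos code. It encodes the convention used in the
walkthrough (VLAN ID reused as the third octet of a 10.10.x.0/24, the
XG VLAN interface at .1, a DHCP pool of .100-.200 leaving room for
statics) and validates the result. The VLAN names below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class VlanPlan:
    vlan_id: int
    name: str
    interface: ipaddress.IPv4Interface  # address/prefix for the XG VLAN interface
    pool_start: ipaddress.IPv4Address   # DHCP dynamic lease range
    pool_end: ipaddress.IPv4Address


def plan_vlan(vlan_id: int, name: str, base: str = "10.10",
              pool: Tuple[int, int] = (100, 200)) -> VlanPlan:
    """Derive one VLAN's interface and DHCP pool from its ID, validating as we go."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN {vlan_id}: 802.1Q VIDs run 1-4094")
    if vlan_id > 255:
        raise ValueError(f"VLAN {vlan_id}: too large to reuse as an IPv4 octet")
    net = ipaddress.ip_network(f"{base}.{vlan_id}.0/24")
    gateway = net.network_address + 1
    iface = ipaddress.ip_interface(f"{gateway}/{net.prefixlen}")
    start, end = net.network_address + pool[0], net.network_address + pool[1]
    for addr in (start, end):
        # pool must stay inside the subnet, excluding network and broadcast
        if not net.network_address < addr < net.broadcast_address:
            raise ValueError(f"VLAN {vlan_id}: pool address {addr} is outside {net}")
    if start > end:
        raise ValueError(f"VLAN {vlan_id}: pool start after pool end")
    if start <= gateway <= end:
        raise ValueError(f"VLAN {vlan_id}: pool includes the interface IP {gateway}")
    return VlanPlan(vlan_id, name, iface, start, end)


def build_lab(vlans: Dict[int, str], **kwargs) -> List[VlanPlan]:
    """Plan every VLAN in {id: name}; kwargs are passed through to plan_vlan."""
    return [plan_vlan(vid, name, **kwargs) for vid, name in sorted(vlans.items())]


def check_plan(plans: List[VlanPlan]) -> List[str]:
    """Return human-readable problems across the whole plan; empty means clean."""
    problems = []
    ids = [p.vlan_id for p in plans]
    if len(set(ids)) != len(ids):
        problems.append("duplicate VLAN IDs")
    nets = [p.interface.network for p in plans]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


# Constructed lab: three VLANs named with the post's convention.
LAB = {100: "VLAN100-Mgmt", 160: "VLAN160-Lab", 200: "VLAN200-Guest"}

if __name__ == "__main__":
    plans = build_lab(LAB)
    for p in plans:
        print(f"{p.name:14s} id={p.vlan_id:<4d} iface={p.interface}  "
              f"dhcp={p.pool_start}-{p.pool_end}")
    print("problems:", check_plan(plans) or "none")
```

Each printed line maps directly onto the two XG forms: the iface value goes into the VLAN interface, the dhcp range into that interface’s DHCP server with “Use Interface IP as Gateway” left checked.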

XG Setup Complete!

That really is it, in the simplest sense. The default firewall rule will allow all traffic out, so, unless otherwise specified, every VLAN should hand out an IP via the DHCP server specified for that VLAN, provide DNS via the gateway IP for that VLAN, and allow all outbound. One caveat: putting every VLAN in the LAN zone means the zone no longer tells them apart. Any rule you write with LAN as both source and destination will pass traffic between the VLANs, so when you add inter-VLAN rules, match on the specific VLAN interfaces or networks if you want the segmentation you just built to hold.

Of course, this is useless without a properly configured switch. This is where things get tricky because unless you’re on the Cisco train, everything is done just a bit differently across all vendors. The next set of steps will apply to my switch as more of a “so I don’t forget” set of instructions to my future, post-annual-lab-nuke self but the overall concepts and lingo will hopefully help others conceptualize what they need to do in their labs.

Bring on the Switching

We first need to tell the switch what VLANs to expect from the XG.
VLAN Management> Properties> Add:
– Set the VLAN ID to a value set within the XG VLAN Interface.
– Give it a descriptive name.
– Do this for each VLAN set in the XG.

We then need to set the SW ports to the appropriate VLAN Mode.
VLAN Management> Interface Settings:
– Set Port 1 to Trunk (this is the uplink to the XG)

Almost lastly, we need to tell the SW which VLANs to expect over the trunk Port 1.
VLAN Management> VLAN to Port> g1> Join VLAN:
– There will be one untagged VLAN and the rest tagged.
– The untagged VLAN will be the default VLAN assigned to non-VLAN-aware devices: any frame arriving on the port without a tag lands in it. This can be the admin VLAN (not recommended, for exactly that reason) or a guest VLAN or anything you choose.
– The tagged VLANs will be the remaining VLANs available to be assigned elsewhere in the switch. So we can tag VLAN 100 to Port 8 or VLAN 200 to Port 16.
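To make the untagged/tagged split concrete, here is an added Python example (not from the post, not Linksys or Sophos code) that builds Ethernet frames with and without an 802.1Q tag, parses the tag back out, and models the trunk port rules just described: untagged frames land in the one untagged VLAN, tagged frames are accepted only if their VID is on the trunk’s tagged list, and anything else is dropped. The MAC addresses, payloads and the choice of 200 as the untagged VLAN with 100 and 160 tagged are constructed for the demo.

```python
"""802.1Q tagging as a trunk port sees it.

Added example, not from the post and not vendor code. Builds and parses
tagged/untagged Ethernet frames and models a trunk with one untagged
(native/PVID) VLAN and a set of tagged VLANs. MACs, VIDs and payloads are
constructed.
"""
import struct
from typing import Dict, Iterable, Optional

TPID_8021Q = 0x8100   # EtherType value announcing that a VLAN tag follows
ETH_ARP = 0x0806
ETH_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Ethernet II frame; a 4-byte 802.1Q tag is inserted when vid is given."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses are 6 bytes")
    header = dst + src
    if vid is not None:
        if not 0 <= vid <= 4095 or not 0 <= pcp <= 7:
            raise ValueError("VID is 12 bits, PCP is 3 bits")
        tci = (pcp << 13) | vid            # TCI = PCP(3) | DEI(1, left clear) | VID(12)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> Dict[str, object]:
    """Split a frame into fields; 'vid' is None when there is no 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, offset = tci & 0x0FFF, 18
    return {"dst": dst, "src": src, "vid": vid, "ethertype": ethertype,
            "payload": frame[offset:]}


class TrunkPort:
    """Ingress/egress rules for a trunk carrying one untagged and N tagged VLANs."""

    def __init__(self, native_vid: int, tagged_vids: Iterable[int]):
        self.native_vid = native_vid
        self.tagged_vids = set(tagged_vids)
        if native_vid in self.tagged_vids:
            raise ValueError("a VLAN is either untagged or tagged on a port, not both")

    def classify(self, frame: bytes) -> Optional[int]:
        """VLAN an ingress frame is switched into, or None if the port drops it."""
        vid = parse_frame(frame)["vid"]
        if vid is None or vid == 0:    # untagged, or priority-tagged (VID 0 = no VLAN)
            return self.native_vid     # ...so it lands in the untagged VLAN
        return vid if vid in self.tagged_vids else None

    def egress(self, vid: int, dst: bytes, src: bytes, ethertype: int,
               payload: bytes) -> Optional[bytes]:
        """Frame as it leaves the trunk: untagged for the native VLAN, tagged otherwise."""
        if vid == self.native_vid:
            return build_frame(dst, src, ethertype, payload)
        if vid in self.tagged_vids:
            return build_frame(dst, src, ethertype, payload, vid=vid)
        return None                    # VLAN not carried on this trunk


# Constructed demo: Guest (200) untagged on the trunk, Mgmt (100) and Lab (160) tagged.
XG_UPLINK = TrunkPort(native_vid=200, tagged_vids={100, 160})
BCAST = b"\xff" * 6
HOST = bytes.fromhex("001122334455")

if __name__ == "__main__":
    frames = (("untagged", build_frame(BCAST, HOST, ETH_ARP, b"who-has?")),
              ("vid 160", build_frame(BCAST, HOST, ETH_ARP, b"who-has?", vid=160)),
              ("vid 300", build_frame(BCAST, HOST, ETH_ARP, b"who-has?", vid=300)))
    for label, f in frames:
        print(f"{label:9s} -> VLAN {XG_UPLINK.classify(f)}")
```

The untagged case is the one the note above warns about: whatever plugs into the trunk without speaking 802.1Q ends up in the native VLAN, so that VLAN should be one you are comfortable handing to an unknown device, not the admin VLAN.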

I still need to go over the difference between “General” and “Access” ports as they relate to my schema but that’ll be an update for another night. As will screenshots.