MX64 and PPPoA for second WAN

SOLVED
starbuck
Here to help


Trying to test and install the MX64 in our network. We are connected via rural WISP using PPPoE so we can get the MX64 working for main connection. However, we often lose service and have to switch to a slower ADSL connection. I would like to configure this connection using LAN4 as a secondary Internet / WAN port.

However, New Zealand uses PPPoA for their ADSL authentication. I tried using a Draytek Vigor 130 which can do a half-bridge scenario essentially converting a PPPoA connection to PPPoE. However, the Draytek chipset is very conservative and only will sync at 3.5mbps whereas our regular Broadcom based ADSL modem connects at 6mbps. I don't want to sacrifice all the bandwidth just to have load-balancing or fail-over via the MX64.

Since our connections only tend to go down for short periods of time, is there any solution to configure the MX64's 2nd WAN port directly for PPPoA? Or what about doing something like a double-NAT? I hate double-NAT, but maybe that is my only option here?

1 ACCEPTED SOLUTION
PhilipDAth
Kind of a big deal

Yes, I am suggesting a double NAT. So your xDSL router might have 192.168.1.0/24 on its internal LAN. You plug the MX's WAN port into that, and you might have 192.168.10.0/24 on the LAN side of the MX.

Yes, you can port forward from the xDSL router to the MX, and then from the MX to your internal servers. I have done this exact arrangement before.

However, for the amount of time that you'll failover you might want to consider if it is worth going to that much trouble.  Most of your services you describe connect "out" and will work anyway, so if you didn't bother with inbound NAT you would still be mostly functional.


13 REPLIES 13
PhilipDAth
Kind of a big deal

The MX does not have a DSL port, so it cannot do PPPoA.

The best option is to use the ISP modem (or any standard DSL modem) configured in "normal" NAT mode, and giving out DHCP addresses on its LAN side. Then plug the MX WAN port into that router (where the MX WAN port is configured for DHCP [the default]). I know it is using two devices - but this approach works best.

No RBI option for us.

Already tried that approach 😉

So basically, what you are suggesting is a double-NAT, right?

The ADSL modem gets the connection and serves up an internal address to the MX64 (e.g. 192.168.1.100) and then shares that connection on its own internal LAN to the rest of the clients? And this will work...mostly?

I feel like there are a few tips & tricks I need to employ to avoid any issues.

Should I try to DMZ the internal IP getting assigned to the MX64? Should I set up port range forwarding to blast every port from the ADSL WAN to the MX64's issued LAN IP?

In this situation there won't be any clients ever using the ADSL connection.

I have a few servers and port forwarding set up on the MX64, so is there any way to make that work in this double-NAT arrangement? Or to make it 'mostly' work?

Honestly, if I can have auto fail-over working and keep Slack, Skype, Gmail, browsing, email, and Dropbox running while we wait for the main WISP to come back online, that probably will be enough.


We are using this double NAT solution on PPPoA lines in the UK but are having great difficulties getting the MX64 to fail over from the Internet port (which is connected to one PPPoA DSL modem) to the LAN4 port (configured as an internet port and which is connected to another PPPoA DSL modem). Both the Internet port and the LAN4 port are configured for Direct connection and DHCP from their respective PPPoA DSL routers. Problem is, we can't get a 'soft failover' to occur (i.e. we unplug the DSL cable from the modem connected to the Internet port - to simulate an ISP issue) from the Internet port to the still up-and-working port 4. The only way we find we can get the failover to occur is by simulating a 'hard failover' where we unplug the DSL modem from the Internet port so that the Internet port drops. This is not an ideal situation - any ideas or thoughts?

I would DMZ the IP being given to the MX64. I've had to set up VPN routers behind NATs before and putting them in the DMZ eliminates a lot of the headaches and other roadblocks that may not be obvious.

I have my Vigor 130 configured to do PPPoA over PPPoE. Check the documentation on the Draytek UK website. This works best for multicast. https://www.draytek.co.uk/support/guides/kb-vigor-130-bridge?return=8567559 - you may like to check with your local Draytek distributor. Mostly the 130 figures out the ISP and configures accordingly.
Robin St.Clair | Principal, Caithness Analytics | @uberseehandel

Yeah, the Drayteks are awesome for that feature, but they are the only modem on the market that does that as best I can tell. The problem is they don't use Broadcom modem chipsets so they tend to have MUCH lower sync rates with ADSL in 'last-mile' / rural deployments. I tried a Vigor 130 and it only synced at 4.5mbps whereas a TP-Link modem using a Broadcom chipset syncs at 6.2mbps. So pretty big performance difference.

That said, the TP-Link feeding DHCP to the MX64 seems to be working fine with no issues. I did put the internal IP for the MX64 in as the DMZ host on the modem and all my port forwards continue to work even when our primary WAN fails.
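
The double-NAT forwarding chain discussed in this thread, as an added example that is not part of any poster's reply or of Meraki's tooling: it checks the modem and MX addressing and composes the modem's rules (explicit forwards or DMZ host) with the MX's port forwards to list what is reachable from the ADSL side. The subnets and 192.168.1.100 are the thread's illustrative addresses; the forwarding rules, the `Forward` type and both function names are constructed for the example, and explicit modem rules taking precedence over the DMZ host is an assumption about the modem.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Forward:
    proto: str        # "tcp" or "udp"
    public_port: int  # port on the device's WAN side
    target_ip: str    # host on the device's LAN side
    target_port: int

def addressing_problems(modem_lan, mx_wan_ip, mx_lan):
    """Sanity-check the two LANs of the modem -> MX chain."""
    outer, inner = ipaddress.ip_network(modem_lan), ipaddress.ip_network(mx_lan)
    problems = []
    if outer.overlaps(inner):
        problems.append(f"{outer} overlaps {inner}: routing between the LANs breaks")
    if ipaddress.ip_address(mx_wan_ip) not in outer:
        problems.append(f"MX WAN address {mx_wan_ip} is outside {outer}")
    return problems

def exposed_services(modem_forwards, dmz_host, mx_wan_ip, mx_forwards):
    """Map (proto, internet port) -> (server ip, port) across both NAT layers."""
    mx_rules = {(f.proto, f.public_port): f for f in mx_forwards}
    seen_by_mx = {}  # (proto, internet port) -> port arriving on the MX WAN
    if dmz_host == mx_wan_ip:
        # DMZ host: unsolicited traffic reaches the MX with its port unchanged.
        seen_by_mx = {key: key[1] for key in mx_rules}
    for f in modem_forwards:
        # Assumption: an explicit modem rule wins over the DMZ host.
        seen_by_mx.pop((f.proto, f.public_port), None)
        if f.target_ip == mx_wan_ip:
            seen_by_mx[(f.proto, f.public_port)] = f.target_port
    exposed = {}
    for (proto, port), mx_port in seen_by_mx.items():
        rule = mx_rules.get((proto, mx_port))
        if rule:  # no MX rule means the MX drops the packet
            exposed[(proto, port)] = (rule.target_ip, rule.target_port)
    return exposed

MX_WAN = "192.168.1.100"  # address from the thread
MX_FORWARDS = [  # constructed rules on the MX
    Forward("tcp", 443, "192.168.10.20", 443),
    Forward("tcp", 2222, "192.168.10.30", 22),
]

if __name__ == "__main__":
    print(addressing_problems("192.168.1.0/24", MX_WAN, "192.168.10.0/24"))
    one = [Forward("tcp", 443, MX_WAN, 443)]
    print("explicit:", exposed_services(one, None, MX_WAN, MX_FORWARDS))
    print("DMZ host:", exposed_services([], MX_WAN, MX_WAN, MX_FORWARDS))
```

With the MX as DMZ host, the set reachable over ADSL is exactly the MX's own forwarding table, so the MX rules are the only inbound filter on that path.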

I guess it also depends on the ISP. I am getting 75/22 using VDSL2. It does pay to check for the latest firmware.
If you are getting poor performance, it is worth asking the ISP to check that they have latency correctly configured in the exchange.
Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
PhilipDAth
Kind of a big deal

You should see if RBI is available at your site.  For some sites that are a bit "rough" we sometimes deploy dual RBI circuits from different carriers (such as Spark and Vodafone).  It is not uncommon for one to not perform that well - but unusual for two at the same time to have an issue.

https://broadbandmap.nz/

PhilipDAth
Kind of a big deal

Here are some links to the relevant ISP pages for RBI.

https://www.vodafone.co.nz/broadband/rural/

https://www.spark.co.nz/shop/internet/wirelessbroadband/

And before anyone asks - I don't work for an ISP and have no financial interest in promoting any particular ISP.
