
Redundant Cellular/wireless backup

swcrook used Ask the Experts™
Hello experts. I would like to pick your brains for a solution that will achieve what I am in need of.

I currently have an MPLS network connecting our branch offices. When one of these sites goes down, I am able to take a wireless device onsite, change some routing, and have the site back up and running through the wireless device (Fortigate 60B).

This is achieved through IPSEC VPN on the Fortigate. This solution works well, but I would like to extend this a bit in order to achieve a truly redundant connection.

Currently, when the Cisco 2821 goes down, I replace it with the Fortigate device and the Fortigate becomes, for example, where the 2821 would normally be

This works well assuming I change the routing and that once the MPLS network connection is restored I have to change the routing back.

However, is there a way for both to be running at the same time? Say, the Cisco 2821 is and the Fortigate is If the 1.1 goes down, is it possible for the routing to simply take over and the traffic then flows through

Again, is MPLS - is IPSEC VPN.

Any suggestions? Is this possible?
luc_roy, System Admin

Here is a link to something I wrote a while back. I would not replace; I would make it redundant with a cellular backup. Below is how I have done it in the past.



Thanks for the info. I looked at this page and you suggested this setup:
The simplest way is to
1) Move your Comcast connection to the wan port on the cradlepoint
2)  Plug in the 3G device into the cradlepoint
3) Log into the device and make the cellular port enabled for failover redundancy

You should already have this on your router but in case you do not
  Set the router interface to obtain IP via DHCP
  Setup NAT on the interface

On the Fortigate I will be using, there is an option to make the wireless "modem" port act as redundant. However, what I am not sure of is, when it acts redundant for the wan1 port, will it take on the IP of wan1 when the MPLS goes down for me...i.e. will be WAN1 for the Fortigate? is actually the LAN port on the MPLS router at the branch.
So, it is the static gateway for the branch machines normally.  I ask about this because you say, "Set the router interface to obtain IP via DHCP" and I assume that means on the Fortigate wireless device and NOT the MPLS router's LAN port?
You also say, "Setup NAT on the interface".  This interface is on the router interface of which router?
I am going to try this on my own, but I don't want to take a branch down just to see if I have it configured right, lol. So, I ask these questions just to make sure.
System Admin
OK, well, that's why I used a CTR500 in situations like yours (http://www.cradlepoint.com/products/ctr500-mobile-broadband-router). The CTR works on a WAN port, it hands the public IP to the WAN interface and acts like a gateway.

The interface will have a public IP and you can NAT your to it so it becomes transparent to the network/user.


Okay. I'll say this another way then. The scenario you are describing doesn't help because in your scenario all that really changes when you add the cradlepoint to the picture is the WAN "provider" or "ISP". Since you are using VPN anyways, this works perfectly for that scenario.
However, I have our branches connected via MPLS. The routing for that is something like this:
[A] (LAN IP on MPLS router at store) -> [B] MPLS cloud (BGP address) -> [C] Corp MPLS router -> [D] DMZ -> [E] Firewall -> [F] Corp Network
A > B > C > D > E > F is the traffic flow above. However, when the store's MPLS goes down, we currently replace the LAN cable on the MPLS router ( and use a wireless device to basically replace the MPLS router _BUT_ with the MPLS router goes the MPLS route. See below.
Currently, when I replace the MPLS router and place the wireless in its place, that replacement has the same IP except it provides a VPN connection.
[A] (LAN IP on MPLS router at store) -> [B] VPN IPSEC TUNNEL-> [C] Corp VPN router -> [D] DMZ -> [E] Firewall -> [F] Corp Network
Since this route is now changed, I have to go into various devices and change the routing table to reflect the new VPN route. Obviously, this is getting very tedious with as many branches as I manage.
So, I was hoping there is a way to provide a redundant connection without all the router changes; thus, a TRUE REDUNDANT connection.
Your previous solution works great for that situation, but I am not sure how to make it work with what I have due to what I mentioned above. I also have a few IPSEC VPN cradlepoint devices I can use that basically do the same thing, but the core routing issue is my concern.
Any thoughts?


The provided solution did not fix my issue.