Dual Wan Failover (when hosting webservices)

[Vis1/0N]

I need WAN failover and trying to devise an approach using Vodacom Business Wireless as the main, and the ISP G as the failover. ISP G is the previous ISP and we have their equipment in place and are on a month to month contract. They are CGNat and cannot provide a static IP address.

As I host services various ports (443/80 & more) need to be allowed. It is working with Vodacom, they have provided static IPs and I am reachable with my A records pointed to the Vodacom static IP. As is I cannot failover to ISP G. I have setup a Wireguard VPS on AWS and with my A records pointing to the AWS elastic IP, I can also have it working using ISP G, with the WG client installed on the webserver. If possible I would prefer to move the WG client onto the router, from searching I see that Mikrotik hAP AC2 has WG support and wan failover. The alternative to using a VPS and WG would be to investigate Tailscale/Zerotier - and if it can be supported on the chosen router.

WAN failover may be a solved problem but looking at my use case I am looking for a recommended approach. I need to select hardware and wondering about the choice of Mikrotik hAP AC2, Edgerouter X, or some other router / solution. Incoming connections will be very low impact - maybe 10 clients for a couple of minutes over a day to my webserver. Budget is low, I won't get much out of from management. I am also a bit of a networking noob.

 

[ubercal]

Use a firewall that has SD Wan functionality.

 

[PsyWulf]

Get a free Oracle Cloud VM
Use FRP to expose your Webservices through the Oracle VM

GitHub - fatedier/frp: A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.

A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet. - GitHub - fatedier/frp: A fast reverse proxy to help you expose a local server behind a NAT or fire...

github.com

No need to poke holes,do failovers or anything else too interesting

 

[Vis1/0N]

Not sure if I understand fully use of frp. I think I am doing something similar using AWS/WG to tunnel the traffic. Really need to setup a lab and find the time to try these things to compare.

WAN Failover is critical though. Vodacom Business has been giving 90% connectivity throughout most of the month according to pingplotter, and have been down for 33 hours at the moment. Installed about 35 days ago and I have been struggling to get support for intermittent downtime, and now the solid downtime. Very poor show.

 

[PsyWulf]

Not sure if I understand fully use of frp. I think I am doing something similar using AWS/WG to tunnel the traffic. Really need to setup a lab and find the time to try these things to compare.

WAN Failover is critical though. Vodacom Business has been giving 90% connectivity throughout most of the month according to pingplotter, and have been down for 33 hours at the moment. Installed about 35 days ago and I have been struggling to get support for intermittent downtime, and now the solid downtime. Very poor show.

frp is a reverse proxy,so you bypass the NATs and publish your endpoints at the Oracle Cloud VM in this instance,it acts as an external load balancer. Traditionally you'd enable incoming ports on both connections and have the load balancer do a healthcheck to failover,but frp can just establish its endpoint proxy through whichever connection is active

 

[linear]

a Cloudflare tunnel would also work without the complexity of self hosting a proxy of sorts

 

[deweyzeph]

a Cloudflare tunnel would also work without the complexity of self hosting a proxy of sorts

This. Don't muck about with static IP's and opening up ports. Cloudflare Tunnels are all you need to securely host services behind a dynamic IP address.

 

[Vis1/0N]

Cloudflare tunnel $200/month for required partial DNS support - not available to free/pro. Not feasible.

Vodacom back online with 80% uptime.

 

[PsyWulf]

Cloudflare tunnel $200/month for required partial DNS support - not available to free/pro. Not feasible.

Vodacom back online with 80% uptime.

FRP to a cheap/free VM = samesame

 

[linear]

Cloudflare tunnel $200/month for required partial DNS support - not available to free/pro. Not feasible.

Vodacom back online with 80% uptime.

not true - cloudflare tunnel is free to use

 

[Vis1/0N]

not true - cloudflare tunnel is free to use

Free but you have to change nameservers to the Cloudflare nameservers - and I can't do this for a few reasons, mainly because of some other services. Partial DNS support (which I need) starts at $200/month.

 

[SauRoNZA]

Cloudflare tunnel $200/month for required partial DNS support - not available to free/pro. Not feasible.

Vodacom back online with 80% uptime.

Huh?

I’ve run it free for years. All you need is a paid for domain.

Look at CloudFlare Zero Trust, previously called Teams.

You are likely looking at the wrong product.

 

[SauRoNZA]

Free but you have to change nameservers to the Cloudflare nameservers - and I can't do this for a few reasons, mainly because of some other services. Partial DNS support (which I need) starts at $200/month.

What are those reasons?

There may be ways around them.

 

[Vis1/0N]

I could change nameservers to CF and give myself some more work. Hoping for suggestions more towards hardware choice esp if someone has installed WG on one or the other.

I have the Hap AC2 at home, powerbrick failed. May have to test with that, it is rather overwhelming and need some dedicated time to learn the features. The Edgerouter X looks simple though. Both are around the same price - around R1300. https://mybroadband.co.za/forum/threads/mikrotik-wan-failover-bonding.1083945/