@ssinyagin
Created May 5, 2018 19:15
WAN backup routing via LTE
### WAN backup routing via LTE ###
# A Linux device, such as a PC Engines APU, can be equipped with an LTE modem,
# but sometimes it's desirable to use the mobile connection only if the wired
# connection is unavailable.

# The following scenario is for Debian 9 on an APU box, but it's also
# applicable to any other Linux device.

# The DHCP client is tweaked to ignore the DNS server addresses that come
# with the DHCP offer. Otherwise, the LTE provider may supply DNS addresses
# that are not usable via the Ethernet WAN link.

# The "ifmetric" package allows setting metrics in interface definitions
# in Debian. This way we can have two default routes, with the preferred
# (lower) metric on the Ethernet uplink. The default route with the lower
# metric is chosen for outbound traffic.

# The watchdog process checks the availability of a well-known public IP
# address over each of the uplinks, and if the check fails, it shuts down the
# corresponding interface and brings it up again. It only protects from
# next-hop failures. If you want to protect from failures in the whole WAN
# service, you need to increase the Ethernet port metric if it fails, then
# start checking the connectivity, and lower the metric when it's stable again.

# Also, the second NIC on the box is configured to provide DHCP addresses
# and to NAT all outbound traffic.

# enable IP routing
cat >/etc/sysctl.d/local.conf <<'EOT'
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
EOT
# dnsmasq is needed for the /etc/dnsmasq.d/enp2s0 DHCP configuration below
apt-get update && apt-get install -y ifmetric iptables-persistent dnsmasq
# configure two uplinks with corresponding metrics
# The LTE modem setup scripts are taken from
# https://github.com/ssinyagin/wwan_udev_rules/blob/master/Huawei_ME909s-120.sh
cat >/etc/network/interfaces <<'EOT'
source /etc/network/interfaces.d/*
auto lo
iface lo inet loopback
EOT
# Primary Ethernet uplink
cat >/etc/network/interfaces.d/enp1s0 <<'EOT'
auto enp1s0
iface enp1s0 inet dhcp
metric 10
EOT
# Secondary LTE uplink
cat >/etc/network/interfaces.d/lte0 <<'EOT'
allow-hotplug lte0
iface lte0 inet dhcp
metric 20
pre-up /usr/sbin/chat -v -f /etc/chatscripts/sunrise.HUAWEI >/dev/ttyWWAN02 </dev/ttyWWAN02
post-down /usr/sbin/chat -v -f /etc/chatscripts/gsm_off.HUAWEI >/dev/ttyWWAN02 </dev/ttyWWAN02
EOT
# This prevents dhclient from updating /etc/resolv.conf
cat >/etc/dhcp/dhclient-enter-hooks.d/nodnsupdate <<'EOT'
make_resolv_conf() {
:
}
EOT
# Public DNS resolvers
cat >/etc/resolv.conf <<'EOT'
nameserver 8.8.8.8
nameserver 1.1.1.1
EOT
# LAN port providing DHCP, DNS, and default route
cat >/etc/network/interfaces.d/enp2s0 <<'EOT'
auto enp2s0
iface enp2s0 inet static
address 172.30.30.1
netmask 255.255.255.0
EOT
cat >/etc/dnsmasq.d/enp2s0 <<'EOT'
dhcp-range=172.30.30.50,172.30.30.150,1h
EOT
# NAT rules for outbound traffic
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -o lte0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o enp1s0 -j MASQUERADE
iptables-save >/etc/iptables/rules.v4
### Watchdog script ###
apt-get install -y fping
echo 'DEVS="enp1s0 lte0"' >/usr/local/etc/wireless_watchdog
cat >/usr/local/sbin/wireless_watchdog <<'EOT'
#!/bin/sh
# Probe a public address over each uplink; restart the uplink if it fails.
LOGFILE=/var/log/wireless_watchdog
. /usr/local/etc/wireless_watchdog
if [ x"$DEVS" = x ]; then
    echo missing DEVS variable 1>&2
    exit 1
fi
for dev in ${DEVS}; do
    # -I binds the probe to the interface, so each uplink is tested separately
    if ! fping -I "${dev}" -q 8.8.8.8 ; then
        logger -p user.notice -t wireless_watchdog \
            "Internet is unreachable on ${dev}, restarting ${dev}"
        date >>"$LOGFILE"
        echo "restarting ${dev}" >>"$LOGFILE"
        /sbin/ifdown "${dev}" >>"$LOGFILE" 2>&1
        sleep 5
        /sbin/ifup "${dev}" >>"$LOGFILE" 2>&1
    fi
done
EOT
chmod u+x /usr/local/sbin/wireless_watchdog
cat >/etc/cron.d/wireless_watchdog <<'EOT'
*/2 * * * * root /usr/local/sbin/wireless_watchdog
EOT
cat >/etc/logrotate.d/wireless_watchdog <<'EOT'
/var/log/wireless_watchdog {
rotate 6
monthly
compress
missingok
notifempty
}
EOT
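
# Added example, not part of the original gist: one way to do the whole-WAN
# protection described in the introduction (raise the Ethernet metric on
# failure, lower it again once the link is stable). METRIC_FAIL, STABLE_NEEDED,
# the state file path and the function names are assumptions.

```sh
#!/bin/sh
# Added example (not from the original gist): metric failover with hysteresis.
DEV=enp1s0          # primary uplink, as in the page
TARGET=8.8.8.8      # probe address used by the page's watchdog
METRIC_OK=10        # metric from the page's enp1s0 stanza
METRIC_FAIL=30      # assumption: any value above lte0's metric 20
STABLE_NEEDED=3     # assumption: good probes in a row before failing back
STATE_FILE=${STATE_FILE:-/run/wan_failover.state}   # hypothetical path

# Succeeds when TARGET answers over DEV (same probe as the page's watchdog).
probe() { fping -I "$DEV" -q "$TARGET"; }

# Applies a metric to DEV's routes using the ifmetric tool the page installs.
set_metric() { ifmetric "$DEV" "$1"; }

# decide METRIC GOOD RESULT: prints "NEW_METRIC NEW_GOOD" for one probe result.
decide() {
    if [ "$3" = fail ]; then
        echo "$METRIC_FAIL 0"              # any failure demotes and resets the count
    elif [ "$1" -eq "$METRIC_OK" ]; then
        echo "$METRIC_OK 0"                # healthy and already preferred
    elif [ $(($2 + 1)) -ge "$STABLE_NEEDED" ]; then
        echo "$METRIC_OK 0"                # stable long enough: fail back
    else
        echo "$1 $(($2 + 1))"              # recovering: keep LTE preferred
    fi
}

# One watchdog pass: load state, probe, apply a metric change, save state.
run_once() {
    metric=$METRIC_OK good=0
    if [ -r "$STATE_FILE" ]; then
        read -r metric good <"$STATE_FILE" || :
    fi
    if probe; then result=ok; else result=fail; fi
    set -- $(decide "$metric" "$good" "$result")
    if [ "$1" -ne "$metric" ]; then
        set_metric "$1"
        logger -p user.notice -t wan_failover "$DEV metric $metric -> $1"
    fi
    echo "$1 $2" >"$STATE_FILE"
}

# Run from cron as: wan_failover run
if [ "${1:-}" = run ]; then run_once; fi
```

# If this runs for enp1s0, take enp1s0 out of DEVS in the watchdog above:
# an ifdown/ifup cycle re-applies the "metric 10" from the interface stanza.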