How (and why) to Ramble on your goat sideways

#30381 | mgeoffriau | Apr 29, 2019, 09:37 PM

Late to this, but codrus has got the right idea. At a very minimum you need a decent router in front of the machine that can do WAN failover.

Here's a nice little guide for using a Ubiquiti router like this: https://xenappblog.com/2016/cheapest...-for-failover/

Even cheaper (if you have some hardware to host it), you can probably roll your own pfSense or OPNsense box and do WAN failover. I run OPNsense on these great little HP T620 Plus thin clients that you can find on eBay for $80 or so (plus the cost of an Intel NIC), but if size and power consumption aren't big concerns, you could easily run it on a $40 SFF PC.

https://www.cyberciti.biz/faq/howto-...fsense-router/
https://wiki.opnsense.org/manual/multiwan.html
#30382 | Joe Perez | May 3, 2019, 12:44 PM

This actually turned out to be easy. I just plugged the second network into the PC, and it worked.

I have no idea why it worked, but nothing scary happened, and the routing table looks fine. I can make outbound connections from the machine, and I can VNC into it via either address.

So that's nice.
#30383 | gooflophaze | May 3, 2019, 02:04 PM

Aside from service binds, I don't think any of us doubted it would work with multiple NICs - but it's when your primary gateway stops passing traffic ****'ll hit the fan.
#30384 | Joe Perez | May 3, 2019, 02:24 PM

Originally Posted by gooflophaze
Aside from service binds, I don't think any of us doubted it would work with multiple NICs - but it's when your primary gateway stops passing traffic ****'ll hit the fan.

Why?

I've simulated outages on both networks by putting small Ethernet switches in between the PC and both networks. This way I can kill the network while keeping the link on the PC up. It worked fine with either link gone.
#30385 | mgeoffriau | May 3, 2019, 08:58 PM

Originally Posted by Joe Perez
Why?

I've simulated outages on both networks by putting small Ethernet switches in between the PC and both networks. This way I can kill the network while keeping the link on the PC up. It worked fine with either link gone.

Hmm, with a little more digging I found this in the Win 10 Creator's Update.

https://techcommunity.microsoft.com/...ws/ba-p/339676

The info in the "Multi-homing improvements" is mostly concerning WAN failover in a WLAN to cellular failover scenario, but I'm wondering if this feature set would include logic such that failed connections to public destinations might trigger a failover to the next adapter. It at least hints at some capability there. Probably something going on there with comparing routing metrics and selecting the best adapter.
#30386 | gooflophaze | May 3, 2019, 11:31 PM

You're connecting to the mach from the same subnet, right? Probably won't matter then.
#30387 | Joe Perez | May 3, 2019, 11:36 PM

Originally Posted by gooflophaze
You're connecting to the mach from the same subnet, right?

Negative.

Two different VLANs, two different gateways, two different physical paths.

Path redundancy is the real key here. Router / gateway / DNS / etc services are already handled in a redundant fashion at the main site. This is a remote site (specifically, a room on the 98th floor of Sears Tower), which history has shown to experience link interruptions about once a year. That's unacceptable (from an FCC compliance standpoint), so the goal is to have two separate physical paths to communicate with critical machines at the site.

I'm going to let this one machine (the site controller) simmer for a week or two. If nothing weird happens, I'll dual-NIC the transmitter itself.

Thus far, this seems way too simple, given the huge amount of forum content I've come across which proposes extremely complicated solutions to a problem which, when I first learned the basics of TCP/IP, seemed insurmountable.
#30388 | gooflophaze | May 4, 2019, 12:02 AM

So - here's my concern - charlie don't surf, windows don't failover. It looks like for Windows 7 they "improved" a dead gateway detection (DGD) algorithm that works as a sort of failover - if it can't communicate with the gateway, it fails over to the next one that's prioritized by link speed(?) and device number. But I fear that in your failure mode - your gateway will be alive but your traffic will time out - your experiment earlier, if I understand it properly - would hit DGD as designed. But an actual outage would just result in timeouts being returned from the gateway, so not triggering DGD.

Keep in mind a lot of us are approaching this problem from a 5(or 6) 9's site reliability perspective - and that if this box needs to be up, the entire internet needs to be able to connect to it. There are also questions of route table cache and expiry and how Windows will deal with it. Windows will still try and use interface1 if DGD isn't triggered - so if it has other data it's trying to send, it's going to send them to a dead pipe.

But if it's connecting through VLANs - relying on straight ARP it's not needing to route through the gateway if your querying machine is close enough.

Last edited by gooflophaze; May 4, 2019 at 12:16 AM.
#30389 | Joe Perez | May 4, 2019, 09:12 AM

Originally Posted by gooflophaze
So - here's my concern - charlie don't surf, windows don't failover. It looks like for Windows 7 they "improved" a dead gateway detection (DGD) algorithm that works as a sort of failover - if it can't communicate with the gateway, it fails over to the next one that's prioritized by link speed(?) and device number. But I fear that in your failure mode - your gateway will be alive but your traffic will time out - your experiment earlier, if I understand it properly - would hit DGD as designed.

That's an interesting point. And I will admit that I don't actually know if the VLAN145 gateway is in this building or not. For the 147 (the one extended over the microwave radio) I know it's not. But for the 145, which is the primary, you're probably correct in that it's in the local Juniper SRX550. And I'm not taking that down for a simulation.

I might move to Plan C. Since I can technically control the transmitter from two different PCs (albeit in a limited capacity on one of them), I might connect that second machine only to 147.
#30390 | Joe Perez | May 4, 2019, 12:37 PM

Wait a sec...

I don't care about outbound connections from the PC in question. I only care that I can VNC into it remotely.

Let's go back to the scenario in which it has two network connections, with VLAN 145 (fiber) being the primary, and 147 (radio) being the secondary. The 145 router is local to the site, the 147 router is five miles away in another building.

Assume that the fiber connection fails. Ok, so DGD won't go into effect (since the local Juniper SRX550 router is still apparently providing gateway service at 10.180.145.1), but why does that matter? If I initiate an inbound VNC connection on VLAN 147, won't all communication for that session flow over the 147 link?
#30391 | gooflophaze | May 4, 2019, 02:07 PM

That's the crux of the question - if you're connecting to it from a local net, it won't hit the gateway. You might not care about outbound connections - but are you sure you can authenticate without one?
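
An added example, not part of any post in this thread: a Python model of the routing decision that posts #30390 and #30391 turn on, namely which interface carries the reply to a VNC session that arrived on VLAN 147. It contrasts the weak and strong host send behaviours described in RFC 1122; only the gateway 10.180.145.1 comes from the thread, while the /24 masks, the metrics, the VLAN 147 gateway 10.180.147.1 and the client addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Route:
    prefix: str              # destination network in CIDR form
    gateway: Optional[str]   # None means the destination is on-link
    iface: str
    metric: int

# Constructed routing table for the dual-homed site controller. Only
# 10.180.145.1 appears in the thread; masks, metrics and the VLAN 147
# gateway address are assumptions for illustration.
ROUTES = [
    Route("0.0.0.0/0", "10.180.145.1", "vlan145", 10),   # fiber, primary
    Route("0.0.0.0/0", "10.180.147.1", "vlan147", 20),   # radio, secondary
    Route("10.180.145.0/24", None, "vlan145", 10),
    Route("10.180.147.0/24", None, "vlan147", 20),
]
REMOTE_CLIENT = "10.20.30.40"   # constructed off-site VNC client

def lookup(routes, dst, only_iface=None):
    """Longest-prefix match with lowest metric as tie-break."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes
            if addr in ipaddress.ip_network(r.prefix)
            and (only_iface is None or r.iface == only_iface)]
    if not hits:
        return None
    return max(hits, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen,
                                    -r.metric))

def reply_path(routes, client, arrived_on, strong_host):
    """Return (interface, next hop) for the reply to an inbound session.

    The reply's source address belongs to `arrived_on`. A strong-host stack
    only considers routes on that interface; a weak-host stack considers
    every route, so the lowest-metric default route wins.
    """
    route = lookup(routes, client, arrived_on if strong_host else None)
    if route is None:
        return None          # no usable route: the reply is never sent
    return (route.iface, route.gateway or client)

if __name__ == "__main__":
    for strong in (False, True):
        print("strong host" if strong else "weak host",
              reply_path(ROUTES, REMOTE_CLIENT, "vlan147", strong))
```

Windows Vista and later default to the strong host model, and `Get-NetIPInterface` reports `WeakHostSend` and `WeakHostReceive` per interface. In the model, a strong-host reply also needs a gateway configured on the VLAN 147 interface, otherwise an off-subnet client gets no answer.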
#30392 | chiefmg | May 6, 2019, 06:14 PM

If you need a laugh, read the reviews on this:

Amazon

I am not responsible for any lunatic who uses these in an inappropriate manner.
#30393 | dleavitt | May 7, 2019, 01:09 PM

Been an interesting week already at work. Wolters Kluwer seems to have suffered some manner of major catastrophe, so we haven't been able to use most of the software or access any client documents or contact information because everything is cloud-based. This outage has apparently impacted pretty much everything they offer/host, including educational resources. If memory serves, they are the #1 software provider for our industry (Public Accounting) so this is a HUGE disruption. Millions of dollars in lost productivity. Still have some work I can do using locally hosted software, but much of my office is on hold. Fun times.
#30394 | Erat | May 8, 2019, 05:11 PM


Did anybody end up getting their cheap laptop?
#30395 | DNMakinson | May 8, 2019, 08:12 PM

My friend and I received packages from Estonia today. A bit of junk. I think that is what we will get. Additionally, BoA voluntarily initiated a card change last week due to suspicious accounts having my number.
#30396 | Erat | May 8, 2019, 08:13 PM

Originally Posted by DNMakinson
My friend and I received packages from Estonia today. A bit of junk. I think that is what we will get. Additionally, BoA voluntarily initiated a card change last week due to suspicious accounts having my number.

That's good to hear, though I'm sorry about the trouble.

BoA has had me sorted out a few times. They have taken care of me pretty well for the last 15ish years.
#30397 | bahurd | May 8, 2019, 08:24 PM

Originally Posted by Erat
Did anybody end up getting their cheap laptop?

I haven’t but then there’s no charge on my account either although I have an email with shipment but no tracking info. If scammers they sure suck at it...
#30398 | DNMakinson | May 8, 2019, 08:49 PM

Originally Posted by bahurd
I haven’t but then there’s no charge on my account either although I have an email with shipment but no tracking info. If scammers they sure suck at it...

Charge came in under "Fancy Beauty LLC" to my account.
#30399 | bahurd | May 9, 2019, 07:56 AM

Originally Posted by DNMakinson
Charge came in under "Fancy Beauty LLC" to my account.

Ahhh there it is. Had to go back into a prior billing cycle but yep. Oh well just initiated the Amex dispute and the credit was applied.

Thanks!

Last edited by bahurd; May 9, 2019 at 08:11 AM.
#30400 | kenzo42 | May 22, 2019, 01:13 AM

Delete

Last edited by kenzo42; May 22, 2019 at 02:27 AM.



All times are GMT -4.