Backup of WAN by the GSM Network

Print version

3. Backup of WAN by the GSM Network

Under typical circumstances, VPN tunnels between central M!DGE and other routers are established over the WAN network. When the WAN fails, traffic to/from the respective remote router is automatically redirected to the cellular network.

3.1. Basic Backup Example

Basic Backup Example

Fig. 3.1: Basic Backup Example

3.1.1. M!DGE Configuration

Central M!DGE HOME menu

Fig. 3.2: Central M!DGE HOME menu

M!DGE is connected via the WAN network using its LAN2 interface. The WWAN1 link (cellular network) is down and the IPsec VPN connection is already established. To achieve this, several steps must be performed.

Ethernet Ports

In the example, the first port (LAN1) is used for the local subnet and the WAN port (LAN2) is configured with an IP address See the following pictures for the details.

Central M!DGE LAN1 configuration

Fig. 3.3: Central M!DGE LAN1 configuration

Central M!DGE WAN configuration

Fig. 3.4: Central M!DGE WAN configuration

Cellular Network

For the backup link, you need to configure your SIM card and APN accordingly. The configuration is made in the INTERFACES – Mobile menu. Configure it to meet your APN configuration.

Mobile interface configuration

Fig. 3.5: Mobile interface configuration

Use manual for more details about the mobile interface configuration.

VPN Tunnel

Configure and enable the IPsec (or OpenVPN) tunnel to the remote peer. In the example, the local network is and remote network is

IPsec configuration

Fig. 3.6: IPsec configuration

Keep in mind that you need to configure Peer IP address to be reachable via both connections (WAN and WWAN) so it may establish IPsec connection.

See the VPN examples in Chapter 2, VPN Configuration Options or the manual for more details.

WAN Link Management

In the Link Management menu, configure the LAN2 interface as the permanent and primary option. Set the WWAN interface as its backup. The Establishment mode can be either set to „on switchover“ (to be connected only when the permanent link is not active) or „permanent“ (to be connected all the time – it is used for the faster link switching).

WAN Link Management

Fig. 3.7: WAN Link Management

Another step is configuring the Supervision feature.


Fig. 3.8: Supervision

The Supervision enables M!DGE to control the link switching procedure. In our example, M!DGE checks the connection by executing the ping packets to the host on the IP address If five consecutive ping packets are unsuccessful, the link is considered down and is switched. If there is no connectivity for 30 minutes, the unit is rebooted as a result of the Emergency action.

Both links are checked when they are up (Link – ANY), otherwise you could choose just one link to be checked or create two different Supervision for each link (e.g. lower timeouts and more frequent checks on the WAN link).

3.1.2. Practical Test

Now you should be connected via the primary WAN link (LAN2). The easiest way to test the switching is to unplug the ETH cable from the LAN2 interface. M!DGE almost immediately recognizes the unplugged cable and it switches to the cellular network. The VPN tunnel should also be reestablished.

WWAN link is UP

Fig. 3.9: WWAN link is UP


You can test the connectivity by issuing a ping to any desired IP address (e.g. behind the VPN tunnel) in the SYSTEM – Troubleshooting – Network debugging menu.

Plug the cable back into the LAN2 interface and wait a moment for the M!DGE to reestablish the primary connection again.

You can also check the correct functioning of the Supervision feature.

Fill in both host IP addresses in the Supervision menu. One needs to be reachable only via the cellular network and the other one only via the WAN network. Turn off the server with an IP address reachable via the WAN network. The active connection should be changed to the cellular network. Turn on the server again and see the link switch back to the primary one.

3.2. Mobile IP together with VPN tunnels

If the primary link fails in the previous example, our M!DGE has to dial up the mobile connection and reestablish the VPN tunnel which can take more time than your application can handle. With Mobile IP and permanent backup link availability, we can shorten this time to several seconds…

MobileIP with VPN tunnel example topology

Fig. 3.10: MobileIP with VPN tunnel example topology

The diagram depicts an example in which the M!DGE unit is the VPN and MobileIP server. The server has just one connection option and it needs to communicate with the device behind the remote MG102i unit.

The remote MG102i unit has two possible connection types. The primary link is via faster leased line to the provider’s network and the cellular connection is the backup option. Both will be “up” permanently.


The remote connection types can be various, e.g. using WLAN or dualSIM unit with two cellular providers.

On both units, we configure the Mobile IP feature so the VPN tunnel can resist switching the links.

3.2.1. M!DGE Configuration

On the central M!DGE unit, we need to configure Ethernet IP addresses, mobile connection, VPN tunnel, correct time and of course Mobile IP.


The Ethernet IP address of the server is with mask.

Server's Ethernet configuration

Fig. 3.11: Server’s Ethernet configuration

The server is utilizing only the first port so you do not need change the LAN2 IP address. Another step is to define the mobile connection. Configure the SIM card, APN and username/password in the INTERFACES – Mobile menu and check whether it is enabled afterwards.

Server mobile connection is activated

Fig. 3.12: Server mobile connection is activated

In case you will use OpenVPN tunnel, it’s necessary to have a correct time in the unit. This can be achieved by setting the NTP server to synchronize the internal time. Go to the SYSTEM – Time & Region menu and fill in the reachable NTP server of your choice. Also set the correct time zone and Daylight saving option.


If using IPsec tunnel, it is not necessary to have a correct time our routers, but it is still useful for troubleshooting.

NTP Configuration

Fig. 3.13: NTP Configuration

Mobile IP

Now we need to configure the MobileIP functionality. With Mobile IP, the client (mobile node) can be connected to the network anywhere and if the server’s (home agent) cellular IP address is reachable from the client, you can always communicate via new pair of IP addresses. See the details in the example.

Mobile IP Home agent configuration

Fig. 3.14: Mobile IP Home agent configuration

The configuration itself is very easy. Just choose the “home agent” status and fill in the agent’s IP address and mask – in our example it is

The Mobile IP is automatically enabled afterwards.

Another step is to configure the clients (mobile nodes). For each client, define a specific SPI (36 in our example), authentication type (prefix-suffix-md5) and shared secret (ASCII password).

Mobile nodes

Fig. 3.15: Mobile nodes

The last step is to configure the VPN tunnel. It can either be OpenVPN or IPsec, the functionality is the same in this example.


Configure the OpenVPN server in routed mode.

OpenVPN server, Mobile IP

Fig. 3.16: OpenVPN server, Mobile IP

Configure one client (MG102i). Configure the correct IP subnets.

OpenVPN server – Networking

Fig. 3.17: OpenVPN server – Networking

OpenVPN server – Routes

Fig. 3.18: OpenVPN server – Routes

The only difference to the basic VPN configuration is when downloading the Expert file for the client. You must configure the Mobile IP address ( in our example) so the remote unit connects via Mobile IP network.

OpenVPN server – Downloading expert file

Fig. 3.19: OpenVPN server – Downloading expert file

Enable OpenVPN server and uncheck the box for “Restart on link change”. This is very important step, do not forget to uncheck this box. If the box is checked, everytime any link changes the status, the tunnel is restarted and we do not want this. This is mainly important on the client’s side.

Enabling OpenVPN server

Fig. 3.20: Enabling OpenVPN server

When we finish all configuration steps, we should see the following state in the HOME menu.

OpenVPN server and Mobile IP are running

Fig. 3.21: OpenVPN server and Mobile IP are running


If you want to use IPsec, the situation is very similar. Just configure the correct IP subnets, set Peer IP address to the Mobile IP address ( and uncheck the “Restart on link change” box as with OpenVPN.

IPsec – M!DGE configuration

Fig. 3.22: IPsec – M!DGE configuration

Enabling IPsec – M!DGE

Fig. 3.23: Enabling IPsec – M!DGE

3.2.2. MG102i Configuration

The client’s configuration is more complex due to two connectivity options. The unit needs to be connected to both options simultaneously (permanently).

WAN Configuration

MG102i WAN configuration

Fig. 3.24: MG102i WAN configuration

The LAN5 interface is configured as the primary WAN link. LAN1 subnet should be set to

MG102i LAN configuration

Fig. 3.25: MG102i LAN configuration

Configure the mobile connection and set both links to be permanently “up”.

MG102i Link Management

Fig. 3.26: MG102i Link Management

We need to recognize that LAN5 is not available for us and switch to WWAN interface. This is recognized if the Ethernet cable is disconnected, but with Supervision feature, we can check the IP host reachability with ping probes and if this host is not reachable, switch to the backup profile.

In our example, we configure this for each link separately.

LAN5 Supervision

Fig. 3.27: LAN5 Supervision

The primary link is checked every 10 seconds by pinging the host. If the ping is lost 5 times, the link is considered down and the mechanism switches to the WWAN option.

WWAN1 Supervision

Fig. 3.28: WWAN1 Supervision

The WWAN1 interface is also checked, but we increased the ping timeout (mobile latency can be high) and we check the reachability (of IP less frequently.


In this example, if we switch off the host, the Supervision feature will switch the active link to WWAN. It is good to have a similar option for your own testing.

Configure the NTP server in the SYSTEM – Time & Region menu so we have the correct time.

MG102i NTP configuration

Fig. 3.29: MG102i NTP configuration

Mobile IP

Our MG102i unit needs to be configured as a mobile node for the Mobile IP functionality. Go to the Routing – Mobile IP menu.

MG102i Mobile IP – Mobile node

Fig. 3.30: MG102i Mobile IP – Mobile node

Set the Primary home agent address to the cellular IP address of the M!DGE (server) unit, in our example. The home address must fall into the subnet. Set the correct SPI which was configured on the server and fill in the correct secret. Keep the rest in the defaults.

Another step is to define the server’s Mobile IP address ( via MobileIP1 interface) in the Routing menu.

MG102i Routing menu

Fig. 3.31: MG102i Routing menu

Without this option, MG102i unit would not know the server’s Mobile IP address which is essential for the proper functionality of Mobile IP.


MG102i is a client in the OpenVPN configuration so just upload the Expert file and set the mode to “Routed”.

MG102i OpenVPN – Expert file

Fig. 3.32: MG102i OpenVPN – Expert file

Enable the tunnel and uncheck the “Restart on link change”. This is essential for fast switching of active link, do not forget to uncheck this option.

Enabling OpenVPN – MG102i

Fig. 3.33: Enabling OpenVPN – MG102i

The tunnel should be established quickly and the HOME menu should be similar to the following example.

OpenVPN and Mobile IP running – MG102i

Fig. 3.34: OpenVPN and Mobile IP running – MG102i


If you choose IPsec, configure the tunnel as on the server (credentials, IDs switched, networks switched, …) and set the Peer IP to (Mobile IP address of M!DGE unit).

IPsec configuration – MG102i

Fig. 3.35: IPsec configuration – MG102i

Enable the tunnel and uncheck the “Restart on link change” box again.

Enabling IPsec – MG102i

Fig. 3.36: Enabling IPsec – MG102i

If configured correctly, check the HOME menu.

Ipsec and Mobile IP running – MG102i

Fig. 3.37: Ipsec and Mobile IP running – MG102i

3.2.3. Practical Test

After all required configuration steps are done, the reachability of devices in the M!DGE and MG102i subnets should be achieved. The encrypted data should pass through the LAN5 (WAN) interface on MG102i unit. If you do not have any attached devices, you can check the reachability from the CLI menu of either M!DGE or MG102i.

Ping probe from MG102i to M!DGE

Fig. 3.38: Ping probe from MG102i to M!DGE

If you are using Windows to access the unit, run Putty for accessing the unit via SSH. Set the user to “root” and use the same password as for the admin account for the web interface. Running the command “ping” must be defined with “-I” parameter so the source address would fall into the VPN routed subnet.

To force the link of MG102i to switch to backup option, you can either unplug the Ethernet cable or switch off the host set in the Supervision menu. The result will be that the WWAN interface will be used.

Using the backup interface

Fig. 3.39: Using the backup interface

During the switchover, run the ping command continuously from the Server to the Client (pinging IP address with a source address within subnet). You will see that several packets are lost, but the time needed for the switchover is within seconds. You can compare it without using Mobile IP functionality.

You can also run your target application and see what happens during switching the links.


Using the web interface’s Network debugging tool would not work, because the source IP address/interface cannot be set and the reply would not be forwarded to the VPN tunnel.

See the manual for more details.