Dual-WAN routers to the rescue!
For most businesses, Internet access is as important as telephone and fax services. And when small businesses compete against larger enterprises, the pressure is on to perform. Failing to promptly reply to an important client because your Internet connection is down doesn't cut it. Reliable Internet access is even more crucial when you run your own email server, provide remote access to remote users, or host other servers that must be accessible to the outside world. Unfortunately, the business broadband Internet services that small businesses can afford often resemble consumer services, with a higher price tag but with somewhat unreliable service and unpredictable speed.
If you work for a small-to-midsized business (SMB), you might think keeping up with your larger competitors is impossible. But advances in hardware and software, plummeting prices, and the Internet let you leverage technology opportunities to compete without losing the responsiveness that comes with being smaller. The trick is that you must be aware of available services and innovations and do some out-of-the-box thinking. By using dual-WAN routers, you can get highly reliable Internet access for dollars a month—and even connect multiple locations in one WAN.
Thanks to the deregulation of the telecommunications market, most companies have several choices of Internet providers and at least two technologies—cable and DSL. Suppose you could subscribe to both cable and DSL, connect them to a small box, then connect the box to your LAN? What if the box functioned like a consumer Internet gateway—but with a few added features? This box would let you use both Internet connections for higher bandwidth when both services were functional; however, if either Internet service failed, the box would transparently route traffic over the remaining connection. This scenario might sound too good to be true, but it isn't.
Several vendors offer dual-WAN routers that provide this type of fault-tolerant Internet access, and the best part is the price: $250 to $500 per router. Figure 1 shows a dual-WAN router and two ISP connections connecting an internal LAN to the Internet. Although the figure shows the use of two-way satellite technology, if two land-based Internet providers are available, I recommend that you use them. They'll provide greater speed and reliability.
My firm is an SMB that competes with much larger firms for audits and related security services, and I could go without telephone service more easily than without my Internet connection. Over the years, I've tried both cable and DSL; both work most of the time. Before I tried a dual-WAN router, I had decided to subscribe to both cable and DSL. However, that meant manually switching between the two services, and one service is basically wasted when both are functioning. I've now used a dual-WAN router for about a year. After a few initial bumps in the road, this solution has provided smooth sailing.
I contacted several companies, explaining that I wanted to test their dual-WAN routers for this article. XiNCOM sent both its XC-DPG502 and XC-DPG603 routers. I used the XC-DPG502 because it was less expensive and had the basic features to provide highly reliable Internet access. Although I discuss the dual-WAN solution from the standpoint of the XiNCOM router, the setup and considerations apply to other vendor offerings, including routers in the XiNCOM DPG500 and DPG600 series, the Symantec Gateway Security 300 Series, Linksys RV082, and the HotBrick VPN 800/2.
Setting Up a Dual-WAN Router
The first step after choosing a router is to configure its LAN port and one of its WAN ports with the appropriate IP settings. When you first bring up the XC-DPG502, it (like most gateways) defaults to being a DHCP server and leases out addresses from the 192.168.1.0 subnet. Your dual-WAN router will replace your current firewall/router and take the place of your current default gateway in the IP configuration of systems on your network.
Configure the router. Before you connect your dual router to your internal network, log on to your current gateway and record the configuration for both its Internet connection and the internal network. You'll need to know the username and password that the gateway uses to connect to your ISP and whether the Internet address is static or provided dynamically by the ISP through DHCP. If you have a static IP address, record the subnet mask, default gateway, and DNS server addresses so that you can easily get connectivity going on one port of your new dual gateway. For the internal-network configuration, record the gateway's local network address and subnet mask. If your gateway is also your DHCP server, note the range of addresses from which the server currently leases.
Also before you connect the dual gateway to the network, connect a PC to an internal LAN port on the gateway. (The XC-DPG502 and most other models have four internal ports.) After your PC gets an address from the gateway, open a browser and log on to the gateway with that address. Configure one of the gateway's two WAN connections with the parameters of your current gateway's Internet connection. Figure 2 shows the configuration of both ISP connections on my XC-DPG502. (The IP addresses have been changed to local 10.*.*.* range addresses, but in the real world the addresses would correspond to the actual public Internet addresses that your ISP assigns.) Configure the internal LAN interface of the new router with the same IP address as the old router. Figure 3 shows the internal LAN configuration.
This approach lets clients continue to access the Internet without changing their default gateway. If your old router provided DHCP services, configure the dual router to be a DHCP server. (Doing so gives you access to other devices on your network even if your Windows server goes down.) However, you might consider leasing from a different range of addresses so that the new router doesn't inadvertently lease out addresses that other clients already use. As current leases run out, computers will automatically obtain a new address from the new range. Just make sure your DHCP range and the internal address of the router don't conflict with any servers or other devices on your network that have static addresses (e.g., printers, wireless access points—APs).
If some other device or server on your network serves as your DHCP server, you might need to adjust the options that the DHCP server configures for new clients. As long as the old and new routers share the same internal LAN IP address, you don't need to change the default gateway that the DHCP server assigned. Regarding DNS server addresses, your DHCP server probably assigned the router's internal address as the DNS server. If so, no change is required to your DHCP server. Or, if you run your own DNS server on your internal network, your DHCP server might have specified the address of a local DNS server. (If you have an Active Directory—AD—domain, you run your own DNS server.) A third possibility is that your DHCP server configures clients to use DNS servers on the Internet (usually your ISP's DNS server). In this case, you need to change the setup because you now have two ISPs. If one ISP connection goes down, your clients won't have access to Web sites because they won't be able to resolve domain names to IP addresses. To solve this problem, configure your DHCP server to instruct clients to use the router as their DNS server. The router then forwards DNS requests to either ISP's DNS server.
Install the router. When your network isn't busy, remove your old router and install the dual router. Log on to the router from a PC connected to the internal LAN and recycle your DHCP lease. (You can either run the commands
ipconfig /release
ipconfig /renew
or simply disable and re-enable your network connection.) After you have a valid IP address with the default gateway pointing to the new router, log on to the router through a Web browser. Verify that the router connects to your current ISP. You might need to reset the cable or DSL modem to help establish connectivity.
After you verify that the router is functioning on the internal network and is reporting a successful connection to your ISP, open another browser and try to access a few Web sites. If access succeeds, you've replaced your router. If it fails, review your configuration settings. If you must change settings, follow sound diagnostic techniques, making one change at a time and testing the result so that you know which change solved the problem. Record each change so that you can reverse settings that aren't required.
Connect the router. At this point, you're still dependent on one broadband Internet connection. To change to two connections, find out whether the new, second ISP assigns addresses dynamically or uses a static address. If the ISP assigns addresses dynamically, connect your new router's second WAN port to the new ISP cable or DSL modem and browse to your router's status page. In a few moments, the router should pick up an address and report that WAN 2 is also connected. If necessary, configure the WAN 2 port with its static IP address, default gateway, and DNS server as your ISP specifies. After the router reports that WAN 2 is connected to ISP 2, it's time to test your fault tolerance.
Disconnect WAN 1 and immediately try to access another Web site. The Web site should come up as usual as the dual router automatically switches to WAN 2. You should be able to switch back and forth with little if any interruption in Internet access. Figure 4 shows the status page of my XC-DPG502 with both ISP connections functioning properly.
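To put a number on "little if any interruption," the following added script (not part of the article or the router's software) probes a Web site once a second while you pull the WAN 1 cable and reports every outage window it saw; the probe URL and the default 60-second run are assumptions you can change.

```python
"""Added example: measure the client-side interruption during a WAN failover
test. Runs on any PC behind the dual-WAN router; the probe fetches one URL
(placeholder example.com) and any error or timeout counts as 'down'."""
import time
import urllib.request


def http_probe(url="http://example.com/", timeout=3.0):
    """One HTTP fetch through the router; True when the site answers."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return 200 <= resp.status < 400
    except Exception:
        return False


def outage_windows(results, interval):
    """Turn per-probe True/False results (one every `interval` seconds) into
    (start_index, end_index_exclusive, seconds) windows, one per run of
    consecutive failures."""
    windows = []
    start = None
    for i, ok in enumerate(results):
        if not ok and start is None:
            start = i
        elif ok and start is not None:
            windows.append((start, i, (i - start) * interval))
            start = None
    if start is not None:
        windows.append((start, len(results), (len(results) - start) * interval))
    return windows


def run_failover_test(probe, probes=60, interval=1.0, sleep=time.sleep):
    """Probe `probes` times, `interval` seconds apart, and summarize outages.
    `sleep` is injectable so the logic can be exercised without waiting."""
    results = []
    for _ in range(probes):
        results.append(bool(probe()))
        sleep(interval)
    windows = outage_windows(results, interval)
    longest = max((w[2] for w in windows), default=0.0)
    return {"probes": probes, "failed": results.count(False),
            "outages": windows, "longest_outage_s": longest}


if __name__ == "__main__":
    # Start this, then disconnect WAN 1 and reconnect it during the run.
    print(run_failover_test(http_probe, probes=60, interval=1.0))
```

A longest outage of a few seconds is the router's failure-detection time; a window that never closes means the second WAN port is not actually carrying traffic.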
Congratulations. You've just achieved fault-tolerant Internet access for the cost of a second broadband subscription. But this setup offers more than cost savings. Much of the time, both cable and DSL will be up, so you can make the most of them. Most dual-WAN routers support load balancing to split sessions between the two connections. This approach preserves speedy Internet access even during peak usage times. Slightly higher-priced dual routers include site-to-site VPN connections that let you create a virtual WAN between offices. Some routers even let you set up multilink VPN connections that aggregate your combined broadband connections into a single, extra-fast connection between the two sites.
Incoming Connection Failover
If you need to support incoming connections to servers on your LAN (e.g., Web servers, email servers), some routers can act as your Internet-facing DNS server and perform automatic failover from a failed ISP connection to the backup ISP connection. When the router detects that the ISP connection you usually use for incoming email or HTTP requests has failed, it updates the DNS records for those servers with the IP address of your other ISP connection and begins accepting requests on that connection instead. Neither your internal nor Internet-side clients are affected.
To make incoming-connection failover work, you need a static IP address for each connection from its ISP. Static addresses are required because your dual router is serving as the DNS server for your Internet domain name. Although you can change the IP addresses of servers in your Internet domain name and have the changes take effect almost immediately, changes to addresses on your domain name's DNS servers take effect more slowly. Because DNS server addresses are published on the Internet, updates can take up to several days. You need to know the permanent addresses of your DNS servers ahead of time so that Internet clients can still use your alternate DNS server address to resolve the DNS names of your servers.
Also, you need to update your domain's record with your DNS registrar and configure the connections' addresses as the DNS servers of record for your domain. By functioning as the DNS server for your Internet domain, your router can dynamically change the address with which it replies to DNS queries and thereby direct Internet clients to your email or HTTP servers on the ISP connection that's currently up. When a client attempts to resolve your server's DNS name on the Internet and your main ISP connection is down, the client will time out and automatically query the next DNS server listed for your domain—your dual router on the other ISP connection.
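The following added model (my own illustration, not the XiNCOM firmware or any vendor's DNS code) shows why the scheme above needs a static address per link: the router answers with the address of whichever link is up, while the NS records stay fixed so an Internet resolver can time out on the dead link and fall through to the other one. The domain, host names and addresses are constructed placeholders.

```python
"""Added example: a model of dual-WAN incoming-connection DNS failover.
Assumes the router is authoritative for the hosted names and that both
WAN links carry static addresses (placeholders from documentation ranges)."""
import ipaddress

# Constructed topology: each WAN link has a static public address and an
# up/down state that the router tracks by probing its ISP connection.
WAN_LINKS = {
    "wan1": {"address": "192.0.2.10", "up": True},
    "wan2": {"address": "198.51.100.20", "up": True},
}
# Names the router answers for; the same internal server is reachable on
# either link because the router port-forwards on both WAN ports.
HOSTED_NAMES = {"mail.example.com", "www.example.com"}


def router_answer(name, links=WAN_LINKS, prefer="wan1"):
    """The router's DNS reply for `name`: the preferred link's address if
    that link is up, otherwise the first other link that is up. None for
    names it does not host or when every link is down."""
    if name not in HOSTED_NAMES:
        return None
    for key in [prefer] + [k for k in links if k != prefer]:
        if links[key]["up"]:
            return links[key]["address"]
    return None


def client_resolve(name, ns_addresses, links=WAN_LINKS):
    """An Internet resolver tries the domain's NS records in order. An NS
    that sits on a dead link never answers, so the query times out and the
    resolver moves on; the NS addresses themselves must never change."""
    for ns in ns_addresses:
        link = next((lnk for lnk in links.values() if lnk["address"] == ns), None)
        if link is None or not link["up"]:
            continue  # timeout on this NS, try the next one
        return router_answer(name, links)
    return None


def nameservers(links=WAN_LINKS):
    """The NS records to register: one per static WAN address, validated."""
    return [str(ipaddress.ip_address(lnk["address"])) for lnk in links.values()]


if __name__ == "__main__":
    print(client_resolve("mail.example.com", nameservers()))   # via wan1
    WAN_LINKS["wan1"]["up"] = False
    print(client_resolve("mail.example.com", nameservers()))   # via wan2
```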
Keep in mind, of course, that by relying on one device to provide access to your dual pathways to the Internet, you create a single point of failure. Higher-end dual routers support failover "mates" to eliminate this potential problem. However, in my experience, because solid-state devices (e.g., routers) are more reliable than broadband Internet connections, most SMBs won't need to invest in a backup router.
When I set up dual Internet connections in my office, I encountered a couple of hitches you should be aware of in advance. One involves choosing the right mode for your modem; the other involves a potential difference in Maximum Transmission Units (MTUs) that the router and the DSL connection support. Other concerns, such as managing alerts and updating firmware, were minor.
Setting up pass-through mode. Some DSL and cable modems can operate in either Network Address Translation (NAT) or pass-through mode. In NAT mode, the broadband modem assumes the IP address the ISP supplies, then, through DHCP, assigns your router an address from a 192.168.*.* range. The modem serves as a NAT server, translating each packet's IP address and port numbers as the packet crosses from the LAN to the Internet or vice versa. NAT works fine for simple outbound access. However, to permit incoming connections to servers on your LAN, you don't want your router sitting behind a NAT server. In addition to opening up necessary ports on your router, you would need to open them on your modem as well. Packets would have to cross two NAT boundaries. Therefore, pass-through mode offers a better way to let Internet clients access servers on your LAN.
In pass-through mode, the modem essentially becomes invisible and simply passes packets back and forth, much as a switch does. Your router communicates directly with the ISP's router. Either your router is assigned an address through DHCP or you manually configure your router with the static address that your ISP supplies. If you have a static IP address from your ISP and you want to permit certain incoming connections (e.g., for your email server), make sure your modem is running in pass-through mode.
To find out whether your modem is running in pass-through mode, connect a PC to the modem before you connect your router to the modem. Configure the PC's network connection to use DHCP. If the PC fails to obtain an IP address and configures a self-assigned address instead, your modem is running in pass-through mode. Your modem is also running in pass-through mode if the PC obtains an address that matches the static address that your ISP provided.
If the modem configures the PC with a local subnet address (e.g., 192.168.*.*), it's functioning as a NAT server. To change the mode, access the modem's Web-based administration pages. Open your Web browser and browse to the address of your network connection's default gateway, which is your modem's current LAN-side address. Find the modem configuration setting that lets you enable pass-through mode (aka demilitarized zone—DMZ—server mode). Some modems let you specify a target PC as the endpoint for incoming packets (the target would be the currently connected PC) or target a manually configured device. Select the manually configured device so that the modem will cooperate with your router (configured with the static IP address) when you connect it.
Troubleshooting the DSL's MTU. The other snag I encountered was at first more difficult to pinpoint. Immediately after I set up the dual-router and ISP connections and started testing (by accessing various Web sites), I experienced intermittent connectivity problems in which Web pages would sometimes fail to fully load. The problems increased when I disconnected my cable modem and relied on DSL alone but disappeared when I disconnected DSL. This pattern pointed to a problem with the DSL connection. I discovered that I could consistently access Web pages with little text and few or small images. However, downloads of larger, more image-laden pages would fail after displaying a fraction of the page's content. Finally, I discovered through a discussion forum that BellSouth, my DSL provider, supports an MTU of 1492 bytes, whereas the router defaulted to 1500 bytes. Packets with more than 1492 bytes were usually dropped. When I modified the router's MTU for the DSL connection, the problem disappeared.
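The symptom above (small pages load, large ones stall) is the classic sign of a path MTU smaller than the router's setting, and it can be confirmed directly instead of via a forum. The following added script (not from the article) binary-searches the largest don't-fragment ping that gets through a link; it assumes a Linux iputils ping and uses a placeholder target address.

```python
"""Added example: discover the usable MTU of a link by sending DF-flagged
pings of increasing size, then derive the values a dual-WAN router asks for.
Assumes Linux `ping` (-M do sets the don't-fragment bit)."""
import subprocess

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP header


def ping_df_probe(host):
    """Build a probe(payload_size) -> bool that sends one DF-flagged ping.
    'Message too long' from the local stack or a lost reply both fail."""
    def probe(payload):
        cmd = ["ping", "-c", "1", "-W", "2", "-M", "do", "-s", str(payload), host]
        return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL).returncode == 0
    return probe


def discover_mtu(probe, low=576, high=1500):
    """Binary-search the largest MTU in [low, high] whose DF packet passes.
    `probe` takes an ICMP payload size. None if even `low` fails, which means
    the link is down or ICMP is filtered rather than an MTU problem."""
    if not probe(low - IP_ICMP_OVERHEAD):
        return None
    lo, hi = low, high  # invariant: lo is known to pass
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid - IP_ICMP_OVERHEAD):
            lo = mid
        else:
            hi = mid - 1
    return lo


def suggested_settings(mtu):
    """Router MTU to configure and the TCP MSS it implies (MTU minus the
    40 bytes of IPv4 and TCP headers); a PPPoE DSL link typically gives 1492."""
    return {"mtu": mtu, "tcp_mss": mtu - 40}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # placeholder
    found = discover_mtu(ping_df_probe(target))
    print(found, suggested_settings(found) if found else "no reply at all")
```

Run it from a PC whose only path is the DSL link (or against the ISP's gateway address on that link) so the result reflects that connection and not the cable one.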
Managing alerts. Some dual routers, including the XC-DPG502, alert you when they detect a problem (e.g., an ISP connection going down). At first, I configured my XC-DPG502 to send such alerts to my mobile phone's text-message email address. I received several disconnection alerts every day for hiccups or delays involving one or the other ISP connection. However, thanks to the XC-DPG502's automatic rerouting, none of my users ever reported a problem. Therefore, I chose to turn off the alert feature. If a connection remains down for long, I know about it because my Internet-based monitoring service checks the health of a server behind the router every few minutes.
Updating firmware. Make sure you have the vendor's current firmware installed on your device. Vendor Web sites often have a more-recent version of firmware available than the version preinstalled on the device. Installing the most-recent firmware on my router solved a connection problem I experienced in the first week of use. Having the current firmware also helps you stay patched against known router security holes. Subscribe to the vendor's update list.
Also, be aware that routers usually have a remote administration option that lets you log on to the router's administration Web pages over the Internet. Most routers disable this feature by default, and I recommend you keep it disabled.
Solid Internet Access
I usually recommend against dual DSL connections because both depend on your phone line. To avoid compromising the fault-tolerance of two separate, unrelated broadband providers, choose cable, power line, or satellite as your other provider. Also, make sure your router provides automatic switchover and includes the advanced features you need. Not all dual routers provide auto-failover DNS serving capabilities or VPN functionality.
Having rock-solid Internet access for the cost of an additional broadband account is well worth the extra $45 a month, especially because the access requires no intervention. When I travel, it's good to know that I can remotely access my network even if one Internet connection goes down. If you're interested in dual-router Internet connectivity, make sure you do your homework, then work through the setup process and enjoy the results! (And keep an eye out for upcoming articles that provide more elegant solutions for SMBs.)
PROBLEM: SMBs often have trouble keeping up with large competitors who can afford enterprise Internet services.