Tuesday, August 25, 2015

Using a mobile hotspot as a second WAN input on a Zyxel USG 60

About a week ago, our broadband connection (CenturyLink DSL) was out for more than 12 hours, including the entire business day. Outages have occurred from time to time in the past, but nothing even close to this one (except during very severe weather that knocks out electrical power regionally).

Outages are a big problem for our small software company. Virtually our entire business is dependent on that internet connection. We use it for email, Google Apps for Business, our customer-facing help desk system, customer support, sales demos, data backups, web site maintenance, and much more. That long outage really put the hurt on us.

For a while we paid for two CenturyLink DSL connections, but that did not really provide any backup because when one was down, the other was always down as well. Using another traditional broadband provider, such as Comcast, is not possible, because they won't run the cable from the street to our building, which is about 1,000 feet down a private driveway. I have even offered to pay for the cable drop, but no dice. They are not interested.

Our new Zyxel USG-60, as well as our older USG-100, both theoretically can accommodate a wireless internet dongle, but I was unable to find an up-to-date compatibility list. The list I did locate identifies devices by manufacturer and part number, so it would take some detective work to determine whether any of these devices match what is offered by AT&T and Verizon (the only LTE coverage in our area). Even if I could solve the compatibility issue, I am confident that the configuration in the USG would be a pain in the ass, and that still leaves me with a significant monthly bill for a service that would rarely be needed.

During the recent outage I enabled the hotspot feature of my Android phone so we were at least able to keep up with email from those computers in our office that have wifi. The catch-22 was that when the wifi connection was active, the local LAN connection was unavailable on those computers. Clearly what we needed was a way to get the USG to use the cell phone as an alternate WAN connection for our entire LAN.

I tried direct tethering with a USB cable, unsuccessfully. Turning to the collective experience of the internet, I found the following thread on DSLReports:

http://www.dslreports.com/forum/r29520012-USG40W-Does-cellular-interface-support-USB-tethering

The last message in the thread, offered by a user who goes by the handle "login forgot", was:

What I did to work around this was attach a wireless AP in bridge/client mode to the WAN2 port of the USG. That AP then associates to the wireless hotspot that my phone can create.

Windows phone > instant wireless hotspot > EnGenius EAP350 > Ethernet > WAN2 port of USG

Additional details would have been great, but this message was enough to give me hope. I hopped onto Amazon and ordered a TP-Link TL-WA801ND Access Point for $23 that very clearly indicated both bridge and client capabilities. When it arrived I first tried it in bridge mode, but that didn't work. I switched to client mode and BINGO, I was good to go. To save the reader the need to go through the same trial and error, I am sharing the details of the configuration on both the access point and the USG.

Access Point Configuration


Your best bet is to configure the TP-Link (or similar AP) without connecting it to your network.
  • Plug it in and power it up. 
  • Next, using any wifi capable laptop, tablet or even phone, connect to the default SSID (TP-LINK_), and log into the unit's configuration page using the IP, user ID, and password on the bottom of the unit. Alternatively, just connect a cable from your laptop to the unit's ethernet port.
  • Once connected, skip the "Quick Setup" and go right to Wireless > -Wireless Settings in the navigation bar on the left.
  • Above are the settings that I am using, with my SSID and MAC blacked out. At this point, you should have your phone near the TP-Link AP, and set so that its Wi-Fi hotspot is active. 
  • For Operation Mode select "Client". 
  • I did not bother with WDS, but TP-Link suggests that you enable it if the access point to which you are connecting (your phone or other mobile hotspot) supports it.
  • If you are not sure of the SSID and MAC address of your own phone or cellular wifi hotspot, you can use the Survey button on this page to discover that information. Enter the SSID and MAC address of your phone's hotspot or your cellular wifi hotspot (like a MiFi device) in the next two fields.
  • Make sure the Enable Wireless Radio option is checked.
  • Click SAVE.
  • Now go to -Wireless Security in the navigation bar to enter your hotspot's security settings. In my case, all I needed to do was to select WPA/WPA2 and type in my phone hotspot's password.
  • After entering your credentials, just click SAVE.
  • Although you may want to come back to change the device password (System Tools > -Password) and maybe fiddle with some of the advanced settings, for now I would suggest that you keep it simple until you have successfully tested.
  • Before rebooting the TP-Link (System Tools > -Reboot), I would suggest that you disable DHCP to avoid the possibility of anyone picking up conflicting and incorrect gateway/DNS addresses from this unit.
  • After rebooting and testing, at the very least you should come back into this configuration app to back up your configuration settings (System Tools > -Backup & Restore). It would be a good idea to do that backup before adding too many more changes.
 

Zyxel USG Configuration 

All I had to do on the USG 60 was to:
  • Go to Network > Interface, Ethernet tab to enable the WAN2 interface. I might have enabled the Connectivity Check toward the bottom of the page, but it is possible that it was enabled by default.


At this point, everything may well just work if you already have a Policy Route that is configured with "auto" as the Next-Hop for your LAN traffic. Here is the relevant default Policy Route that came pre-configured in my USG 60:

Also required is a WAN Trunk that contains your existing WAN1 and the just-enabled WAN2. My USG 60 came with a SYSTEM_DEFAULT_WAN_TRUNK that includes both WAN interfaces as well as various others, and was set as the Default WAN Trunk. Although not really necessary, I created a User Configured Trunk that contains only the WAN1 and WAN2 interfaces and set that as the Default Trunk. The only reason to do that was so that I could experiment with trunk settings without messing with the Zyxel default trunk configuration.


In case you are scratching your head about the whole Trunk thing, as I understand it, it is basically a pool of outgoing connections. In our scenario here, if you had both WANs connected and WAN1 went down for some reason, outgoing traffic would automatically use WAN2. Therefore, to test your setup, with your phone/wifi hotspot active, and the TP-Link client on, you should be able to disconnect the cable plugged into WAN1 and you should still have internet through your wifi hotspot.

In my use case, WAN2 (the cell phone connection) is off except when I need it. As a result, all internet traffic uses WAN1 (our CenturyLink DSL). If you were to leave them both on, traffic would automatically be routed to the WAN connection that is least busy (assuming you are using the default "LLF" load balancing algorithm). Unless you have unlimited data on your device and a carrier that doesn't care about high volume tethered/hotspot use, don't leave WAN2 connected or you will end up with a hell of a bill from your mobile carrier. Turning off the TP-Link plugged into the WAN2 is all that you have to do to prevent any accidental use.
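To make the trunk behaviour above concrete, here is a simplified model of it, added as an example; it is not Zyxel's firmware logic and not part of the original setup. It assumes "least busy" means the lowest ratio of assigned traffic to configured bandwidth, and the names `Wan`, `pick_llf` and `assign_sessions`, the bandwidth figures and the session rates are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Wan:
    name: str
    bandwidth_kbps: int   # configured bandwidth (constructed value)
    link_up: bool = True  # outcome of the connectivity check
    load_kbps: int = 0    # traffic currently assigned to this member

    def utilization(self) -> float:
        # Assumed load index: assigned traffic relative to capacity.
        return self.load_kbps / self.bandwidth_kbps


def pick_llf(trunk):
    """Return the trunk member that is up and least utilized, or None."""
    alive = [w for w in trunk if w.link_up]
    return min(alive, key=Wan.utilization) if alive else None


def assign_sessions(trunk, session_rates_kbps):
    """Place each new session via pick_llf; return kbps carried per member."""
    for w in trunk:
        w.load_kbps = 0
    for rate in session_rates_kbps:
        wan = pick_llf(trunk)
        if wan is None:      # every member failed its connectivity check
            break
        wan.load_kbps += rate
    return {w.name: w.load_kbps for w in trunk}


if __name__ == "__main__":
    sessions = [500] * 10    # ten constructed 500 kbps sessions
    cases = {
        "both WANs up": (True, True),
        "AP on WAN2 powered off": (True, False),
        "WAN1 cable pulled": (False, True),
    }
    for label, (up1, up2) in cases.items():
        trunk = [Wan("wan1", 10_000, up1), Wan("wan2", 20_000, up2)]
        print(f"{label}: {assign_sessions(trunk, sessions)}")
```

With both members up, the faster hotspot link ends up carrying more of the traffic than the DSL line, which is the billing risk described above.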

With regard to these network devices, I am self-taught, with most of my experience being with Zyxel components, so I am in no way an expert. Nonetheless, if you have a question about this article, leave a comment and I will do my best to help.