New Member
Posts: 9
Registered: ‎01-30-2014
Kudos: 1

Dual WAN with some hosts using only one WAN

I've been reading through the different posts and searching for this, but I can't find the answer so far. 

At the moment I have an Edgerouter Lite at home with a single WAN link, but I am looking to buy another for the office where we have dual links. I am very happy with the new simplified load balancing WAN configuration, but I can't seem to find whether there is a way to bind certain devices to go out through only one interface. 

As an alternative way to manually solve the issue, would it be possible to set up a virtual interface (switch?) in the same subnet as the physical interface, but a different IP to essentially set up dual gateways, one for each WAN link? 

As a last question, when using the failover-only option in the dual wan configuration, does the failover-only WAN connection still accept incoming connections? If so, will the established connection then continue to use the failover WAN link or will it go over the primary WAN link for the outbound?

I'm sorry if this has been covered already, but I didn't see much about it when browsing. 


Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3035
Solutions: 945
Contributions: 16

Re: Dual WAN with some hosts using only one WAN

I think all the things you're asking about are currently possible and actually there are probably a couple ways to handle it.  For the group that should only use LINK2, are they supposed to fail-over to LINK1 when their link is down?  As for incoming on a fail-over link, yes that should work (although I haven't tried it).

EdgeMAX Router Software Development
New Member
Posts: 9
Registered: ‎01-30-2014
Kudos: 1

Re: Dual WAN with some hosts using only one WAN

Thank you for the quick followup. 

A failover to Link1 when Link2 would be preferred, but I think we could live without it if it isn't possible. 


If you could point me in the right direction for the configuration for that I would appreciate it. I don't know if it would be easier to do it by IP address with a static DHCP mapping, MAC address, or some other method?

Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3035
Solutions: 945
Contributions: 16

Re: Dual WAN with some hosts using only one WAN

One approach would be to do a static-mapping for the devices that you want to restrict to WAN2 unless fail-over:

ubnt@wlb# show service dhcp-server 
 disabled false
 hostfile-update disable
 shared-network-name LAN {
     authoritative enable
     subnet 192.168.1.0/24 {
         default-router 192.168.1.1
         dns-server 192.168.1.1
         lease 86400
         start 192.168.1.100 {
             stop 192.168.1.249
         }
         static-mapping minion1 {
             ip-address 192.168.1.10
             mac-address 24:a4:3c:3d:53:b0
         }
         static-mapping minion2 {
             ip-address 192.168.1.11
             mac-address 00:18:dd:31:64:f0
         }
         static-mapping minion3 {
             ip-address 192.168.1.12
             mac-address 90:2b:34:97:e8:82
         }
     }
 }

Then for convenience create a firewall group of the same addresses:

ubnt@wlb# show firewall group 
 address-group my_minions {
     address 192.168.1.10
     address 192.168.1.11
     address 192.168.1.12
 }

Then create 2 load-balance groups.  One that load-balances both interfaces and one that is restricted to WAN2 with fail-over.

ubnt@wlb# show load-balance 
 group LB-LAN {
     interface eth1 {
     }
     interface eth2 {
     }
 }
 group LB-minions {
     interface eth1 {
         failover-only
     }
     interface eth2 {
     }
 }

Now define our firewall modify group to first handle the restricted group and let all the rest hit the other lb-group:

ubnt@wlb# show firewall modify 
 modify WLB {
     rule 10 {
         action modify
         modify {
             lb-group LB-minions
         }
         source {
             group {
                 address-group my_minions
             }
         }
     }
     rule 20 {
         action modify
         modify {
             lb-group LB-LAN
         }
     }
 }

Then last apply that modify rule to the in on the LAN interface:

ubnt@wlb# show interfaces 
 ethernet eth0 {
     address 192.168.1.1/24
     description LAN
     duplex auto
     firewall {
         in {
             modify WLB
         }
     }
     speed auto
 }

After running some traffic we look at our stats:

ubnt@wlb:~$ show load-balance status 
Group LB-LAN
  interface   : eth1
  carrier     : up
  status      : active
  gateway     : 172.16.3.242
  weight      : 50
  flows
      WAN Out : 427
      WAN In  : 0
    Local Out : 477

  interface   : eth2
  carrier     : up
  status      : active
  gateway     : 2.2.2.2
  weight      : 50
  flows
      WAN Out : 452
      WAN In  : 0
    Local Out : 504

Group LB-minions
  interface   : eth1
  carrier     : up
  status      : failover
  gateway     : 172.16.3.242
  weight      : 0
  flows
      WAN Out : 0
      WAN In  : 0
    Local Out : 137

  interface   : eth2
  carrier     : up
  status      : active
  gateway     : 2.2.2.2
  weight      : 100
  flows
      WAN Out : 92
      WAN In  : 0
    Local Out : 137

The things to notice are in bold - group LB-LAN has a 50/50 weight on the interfaces and the WAN Out counters are fairly balanced while group LB-minions has a 0/100 weight on the interfaces and all the WAN Out traffic is on eth2.

Now let's cause a failure on eth2:

ubnt@wlb:~$ show load-balance status 
Group LB-LAN
  interface   : eth1
  carrier     : up
  status      : active
  gateway     : 172.16.3.242
  weight      : 100
  flows
      WAN Out : 806
      WAN In  : 0
    Local Out : 846

  interface   : eth2
  carrier     : down
  status      : inactive
  gateway     : 2.2.2.2
  weight      : 0
  flows
      WAN Out : 469
      WAN In  : 0
    Local Out : 638

Group LB-minions
  interface   : eth1
  carrier     : up
  status      : active
  gateway     : 172.16.3.242
  weight      : 100
  flows
      WAN Out : 3
      WAN In  : 0
    Local Out : 241

  interface   : eth2
  carrier     : down
  status      : failover
  gateway     : 2.2.2.2
  weight      : 0
  flows
      WAN Out : 101
      WAN In  : 0
    Local Out : 197

 

ubnt@wlb:~$ show load-balance watchdog 
Group LB-LAN
  eth1
  status: Running 
  pings: 125
  fails: 6
  run fails: 0/3
  route drops: 0
  ping gateway: ping.ubnt.com - REACHABLE

  eth2
  status: Waiting on recovery (0/3)
  pings: 101
  fails: 10
  run fails: 3/3
  route drops: 1
  ping gateway: ping.ubnt.com - DOWN
  last route drop   : Thu Jan 30 23:21:56 2014

Group LB-minions
  eth1
  status: Running 
  failover-only mode
  pings: 125
  fails: 6
  run fails: 0/3
  route drops: 0
  ping gateway: ping.ubnt.com - REACHABLE

  eth2
  status: Waiting on recovery (0/3)
  pings: 102
  fails: 7
  run fails: 3/3
  route drops: 1
  ping gateway: ping.ubnt.com - DOWN
  last route drop   : Thu Jan 30 23:21:59 2014

 

Attached is the complete config.boot file for this example:

EdgeMAX Router Software Development
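
The configuration shown in this post, flattened into the configure-mode `set` commands you would type at the CLI (an added example, not part of the original post or of Ubiquiti's tooling). It assumes the Vyatta/EdgeOS convention that a `set` command is the path of node names down to a leaf; `to_set_commands` and the `CONFIG` excerpt are a name and sample input constructed here.

```python
# Constructed sample: rule 10 and the LB-minions group from the post above,
# wrapped in their top-level nodes as they would appear in config.boot.
CONFIG = """\
firewall {
    modify WLB {
        rule 10 {
            action modify
            modify {
                lb-group LB-minions
            }
            source {
                group {
                    address-group my_minions
                }
            }
        }
    }
}
load-balance {
    group LB-minions {
        interface eth1 {
            failover-only
        }
        interface eth2 {
        }
    }
}
"""

def to_set_commands(config):
    """Flatten a brace-style config tree into one 'set' command per leaf."""
    stack, cmds = [], []  # stack entries: [node name, has_children]
    for line in filter(None, map(str.strip, config.splitlines())):
        if line == "}":
            if not stack:
                raise ValueError("unbalanced '}'")
            name, has_children = stack.pop()
            if has_children:
                continue
            line = name  # empty node such as 'interface eth2 { }' is a leaf
        elif stack:
            stack[-1][1] = True
        if line.endswith("{"):
            stack.append([line[:-1].strip(), False])
        else:
            cmds.append(" ".join(["set"] + [n for n, _ in stack] + [line]))
    if stack:
        raise ValueError("unclosed block: " + stack[-1][0])
    return cmds
```

Enter the resulting lines after `configure`, then `commit` and `save`; the same function can be run over the rest of the blocks in the post once they are wrapped in their top-level nodes.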
New Member
Posts: 9
Registered: ‎01-30-2014
Kudos: 1

Re: Dual WAN with some hosts using only one WAN

... 

You're amazing! Thank you. 

Where would I be able to find better documentation on the different commands available in the CLI? I've been doing some reading through this manual by Brocade, but there are certainly differences in the EdgeRouter build of Vyatta that don't seem to match up. 

New Member
Posts: 1
Registered: ‎03-15-2013

Re: Dual WAN with some hosts using only one WAN

Hi, good day.

Do you have an example of how to input this via the CLI? This configuration is actually very useful for me. Thanks in advance (sorry for my bad English).

Emerging Member
Posts: 41
Registered: ‎01-10-2010
Kudos: 3

Re: Dual WAN with some hosts using only one WAN

UBNT-stig

 

I was able to follow your example here.  I modified it for my network; however, our WANs are static.  Could you possibly give an example using static WAN addresses?

From my testing thus far it appears that I have to specify the gateway IPs.

This appears to be exactly what we need.  Some of our devices (servers) do not appreciate the load balancing when I tried it on them.  None of the workstations seem to be bothered by the load balancing.  This config is perfect for us though with the failover.  This will be perfect when I get the gateway issue resolved.

 

Is this the answer?

protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 97.76.81.161 {
            }
            next-hop 108.33.72.1 {
            }
        }
    }
}

Somehow that just doesn't seem right.

EDIT:  I tried the code above and it worked.  I'm not sure if that's the correct way to do it; however, it does seem to work.  I can now ping internet addresses from the router.

EDIT2: It seems to fall over properly.  I've unplugged interfaces and it seems to behave properly.

Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3035
Solutions: 945
Contributions: 16

Re: Dual WAN with some hosts using only one WAN

This thread has been marked solved.  Please start a new thread to avoid confusion.

EdgeMAX Router Software Development