Emerging Member

Dual Wan but no failover or load balancing

TLDR: How to enable second WAN interface without failover or load balance.

 

I have searched and searched forums and the most specific similar questions go unanswered.

like https://community.ubnt.com/t5/UniFi-Routing-Switching/Dual-WAN-disable-failover/m-p/2495352#M108112

 

I have a dual WAN setup using PBR to specifically route external traffic to a specific interface based on VLAN but allow local inter-VLAN traffic. My issue is that I don't want failover or load balancing and find no way to disable it. It seems you can only enable the second WAN interface by selecting Failover or Load-Balance. I'm starting with what I can do via the GUI and then applying my PBR via command line and saving to the controller. I don't actually want either of these functions (load-balance/failover) and only wish to control WAN via PBR. I effectively just need to disable failover functionality.

 

Currently I feel that it is working immediately after applying the PBR but it quickly breaks when failover occurs. I have high latency Sat and a crappy cellular connection so failover occurs very often.

 




All Replies
Senior Member

Re: Dual Wan but no failover or load balancing

Emerging Member

Re: Dual Wan but no failover or load balancing

I've looked very hard over a span of months, actually.

"It seems you can only enable the second WAN interface by selecting Failover or Load-Balance."

Your link does not address this. I don't want failover or load-balance, which are on in order for me to enable WAN2.

New Member

Re: Dual Wan but no failover or load balancing

Hi,

 

I think this is because you selected the auto-config GUI tool for dual WAN, failover thing ...

From my point of view, you should configure both WANs manually and set up the PBR with the CLI.

The auto-config tool is not needed to configure a WAN or to enable it. Just set up your WAN by applying a fixed IP or DHCP, set up masquerading and FW rules (if needed) for each; you can also set up some static route to 0.0.0.0, but it will be bypassed by your PBR settings.

I did set up dual WAN with PBR on my EdgeRouter X and didn't touch the auto-config GUI tool.

 

Emerging Member

Re: Dual Wan but no failover or load balancing

That was the issue, I needed to enable the second WAN interface via CLI in order to avoid using either Failover or LB options in the GUI. I am still missing something though: I've added the interface and the appropriate next hops via PBR tables and source route, but I am still unable to get the traffic out the second interface.

 

S>* 0.0.0.0/0 [1/0] via 192.168.1.1, eth0
  *                 via 192.168.11.3, eth2

C>* 192.168.1.0/24 is directly connected, eth0

C>* 192.168.11.0/24 is directly connected, eth2

 

eth0         192.168.1.100/24                  u/u  WAN

eth2         192.168.11.2/24                   u/u  WAN2

 

Next hop/gateway for eth1 is 192.168.1.1

Next hop/gateway for eth2 is 192.168.11.3

 

set protocols static table 1 route 0.0.0.0/0 next-hop 192.168.1.1
set protocols static table 2 route 0.0.0.0/0 next-hop 192.168.11.3

set firewall modify SOURCE_ROUTE rule 10 description 'traffic ISP1'
set firewall modify SOURCE_ROUTE rule 10 source group address-group 5a46eec4e4b070d74d22f49f
set firewall modify SOURCE_ROUTE rule 10 modify table 1

set firewall modify SOURCE_ROUTE rule 20 description 'traffic ISP2'
set firewall modify SOURCE_ROUTE rule 20 source group address-group 5bc553d52a558b0457eaf2fd
set firewall modify SOURCE_ROUTE rule 20 modify table 2

 

group ending in 494f represents networks I wish to exit WAN

group ending in f2fd represents networks I wish to exit WAN2

 


set firewall modify SOURCE_ROUTE rule 5 description "LAN to LAN skip PBR"
set firewall modify SOURCE_ROUTE rule 5 destination group address-group 5a3db3b9e4b0e14537b98a3a
set firewall modify SOURCE_ROUTE rule 5 modify table main

 

group ending in 8a3a represents all LAN networks

Veteran Member

Re: Dual Wan but no failover or load balancing

Did you apply modify ruleset SOURCEROUTE to LAN interface?

 

btw: Descriptive group names! Did you make those up?

Emerging Member

Re: Dual Wan but no failover or load balancing

This is what I applied to LAN interface

 

set interfaces ethernet eth1 firewall in modify SOURCE_ROUTE
set interfaces ethernet eth1 vif 30 firewall in modify SOURCE_ROUTE
set interfaces ethernet eth1 vif 50 firewall in modify SOURCE_ROUTE
set interfaces ethernet eth1 vif 192 firewall in modify SOURCE_ROUTE
set interfaces ethernet eth1 vif 193 firewall in modify SOURCE_ROUTE

 

I don't have access to the device to pull the group name data from config

but this is what it looks like in the CLI after creating the group names in the GUI

 

The first group represents all of the above networks except 192

Second group is just 192

Veteran Member

Re: Dual Wan but no failover or load balancing

Config snippets look fine, this should work. Post the complete config, and specify exactly what doesn't work.

 

Emerging Member

Re: Dual Wan but no failover or load balancing

Symptom was that network needing to exit via WAN/eth0 was working fine but network needing to exit via WAN2/eth2 was not. I was not able to ping external and traceroute never got past the edgerouter interface 192.168.2.240

 

Figured it out after taking a line by line look at the config and looking specifically for anything mentioning eth0 without a similar entry for eth2

 

This fixed it, but why? I don't see folks mentioning the need for this in any similar thread to get WAN2 functional.

 

set service nat rule 6004 description "MASQ corporate_network to WAN2"
set service nat rule 6004 log disable
set service nat rule 6004 outbound-interface eth2
set service nat rule 6004 protocol all
set service nat rule 6004 source group network-group corporate_network
set service nat rule 6004 type masquerade

 

Veteran Member

Re: Dual Wan but no failover or load balancing

Both WAN links need their own masquerade rule. Without it, packets are sent out with LAN source addresses, which can't be routed over the internet.

Emerging Member

Re: Dual Wan but no failover or load balancing

Thanks for your replies. Next up for me is multiple WAN port forwarding. A quick search shows many threads on this topic for me to research. I prefer to do as much as possible via GUI, so I will be looking to see if that's possible.

Emerging Member

Re: Dual Wan but no failover or load balancing

My configuration is close but still not working exactly as I would like. I have both WAN connections working without failover or LB and using PBR. The problem is I don't ever want traffic exiting the wrong WAN interface and I am seeing traffic exiting the wrong interface periodically. I found that if I disable the internet connection for WAN2, traffic tries to go out WAN1 with high packet loss. How can I better enforce traffic to exit only the desired WAN? Thanks.

Veteran Member

Re: Dual Wan but no failover or load balancing

If you use your own route tables for WAN1 and WAN2, make sure to add a blackhole route to them, like:

set protocols static table 1 route 0.0.0.0/0 blackhole distance 255

Normally, you have another route alongside it, that "wins."

 

If that route fails, blackhole matches and dumps packet
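
An added example, not part of any post in this thread: a small Python check over EdgeOS `set` commands that covers both accepted answers, a masquerade rule for every WAN interface and a blackhole default in every PBR table. The eth0 NAT rule number 6003 and the blackhole line for table 2 are assumptions; the other commands are the ones posted above.

```python
import re

# Constructed sample: the thread's PBR commands plus an assumed eth0
# masquerade rule (number 6003 is made up), before the two fixes.
BEFORE = """\
set protocols static table 1 route 0.0.0.0/0 next-hop 192.168.1.1
set protocols static table 2 route 0.0.0.0/0 next-hop 192.168.11.3
set firewall modify SOURCE_ROUTE rule 5 modify table main
set firewall modify SOURCE_ROUTE rule 10 modify table 1
set firewall modify SOURCE_ROUTE rule 20 modify table 2
set service nat rule 6003 outbound-interface eth0
set service nat rule 6003 type masquerade
"""
# The two fixes from the thread (blackhole extended to table 2 as an assumption).
FIXES = """\
set protocols static table 1 route 0.0.0.0/0 blackhole distance 255
set protocols static table 2 route 0.0.0.0/0 blackhole distance 255
set service nat rule 6004 outbound-interface eth2
set service nat rule 6004 type masquerade
"""

PBR = re.compile(r"set firewall modify \S+ rule \d+ modify table (\S+)")
DEFAULT = re.compile(
    r"set protocols static table (\S+) route 0\.0\.0\.0/0 (next-hop|blackhole)\b")
NAT = re.compile(r"set service nat rule (\d+) (outbound-interface|type) (\S+)")

def audit(config, wan_ifaces):
    """Return findings for PBR tables and WAN interfaces that fail open."""
    tables, defaults, nat = set(), {}, {}
    for line in map(str.strip, config.splitlines()):
        if m := PBR.match(line):
            if m[1] != "main":            # 'main' is the normal routing table
                tables.add(m[1])
        elif m := DEFAULT.match(line):
            defaults.setdefault(m[1], set()).add(m[2])
        elif m := NAT.match(line):
            nat.setdefault(m[1], {})[m[2]] = m[3]
    findings = []
    for t in sorted(tables):
        kinds = defaults.get(t, set())
        if "next-hop" not in kinds:
            findings.append(f"table {t}: no default next-hop")
        if "blackhole" not in kinds:      # without it a dead WAN leaks to main
            findings.append(f"table {t}: no blackhole default, lookup falls through to main")
    masq = {r.get("outbound-interface") for r in nat.values()
            if r.get("type") == "masquerade"}
    findings += [f"{i}: no masquerade rule" for i in wan_ifaces if i not in masq]
    return findings
```

Running `audit(BEFORE, ["eth0", "eth2"])` reports the two tables without a blackhole and the missing eth2 masquerade rule; with `FIXES` appended it returns an empty list.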

Emerging Member

Re: Dual Wan but no failover or load balancing

Added, thanks again
