04-16-2014 03:17 AM
Hi, first hello to everyone since this is my first post
I have a client who's running two WatchGuard Fireboxes in cluster mode, but we hit a bottleneck and now I'm trying to find a suitable replacement for them, but I can't seem to find the information I need to know whether the EdgeRouter Pro would be a suitable replacement.
Right now the firewalls run in a master-slave cluster, and have 4 WANs with load balance + failover, and one LAN port with 6 tagged VLANs. One of those WANs has 12 public IPs in use, and there's both inbound and outbound NAT configured for them.
The problem is that now I need a fifth WAN port, and the WatchGuard products are limited to 4, so I can't install another line until I have this resolved.
What are the limits for EdgeRouters? Can I have 5 WAN ports, and multiple public IPs per WAN port, and make different inbound and outbound NAT entries per WAN port, or is it limited? If it is, what are the limitations? Do they support active-active or master-slave clustering?
Is there any documentation (besides the user manual and quick start guides) where I could get that sort of information?
04-16-2014 06:08 AM
There are no arbitrary limitations on what can be done with the ports on the ERPro or any of the ERs, with the exception of the ER-PoE switch block.
With the ERPro, you could have 7 WAN and 1 LAN if you so desired. You can add a ridiculous number of addresses to any of those interfaces and an equally ridiculous number of NAT rules. For NAT rules, the limit is arbitrarily set to 10,000, but I am pretty sure that could be increased if there were sufficient resources on the system and you needed more.
It is probably easier to determine if a specific scenario will work than to try to find the limits.
04-16-2014 07:23 AM
Thanks for your input, I'll try to be as specific as I possibly can (it's a pretty big setup and English is not my mother tongue...)
Provider 1: 12 Public IPs in a fibre channel line (54Mbps down/54Mbps up). This is the main connection to the internet
Provider 2: 1 Public IP from a SDSL line (2Mbps down/2Mbps up). Used exclusively for the email server
Provider 3: 1 Public IP from an ADSL line (6Mbps down/1Mbps up). Failover line & load balance
Provider 4: 1 Public IP from an ADSL line (8Mbps down/2Mbps up). Failover line, load balance and maintenance access
* Now we're looking at adding a new provider with more capacity to load balance parts of the main connection (if we can install it, it will be 120Mbps down/4Mbps up or so)
Provider 1 IP mapping: (obviously these aren't the real IP addresses, but you can get an idea of the setup)
22.214.171.124 --> Provider's router IP
126.96.36.199 --> Main email server ip address (used exclusively for email exchange and external web/imap access to the server)
188.8.131.52 --> Main outgoing IP address for the internal client network (Vlan #1)
184.108.40.206 --> Web+Email+FTP server for a secondary domain (used exclusively for this purpose)
220.127.116.11 --> Access IP for another FTP server from another domain, and RDP/VNC access for some internal clients
18.104.22.168-108 --> Videoconferencing systems
22.214.171.124 --> Outgoing Internet access from the free/insecure VLAN (Vlan #6)
There are some more but you get the point
Provider 2 is exclusively used for load balancing and failover of the mail server
Provider 3 and 4 are used to load balance outgoing traffic with Provider 1
Provider 5 will be used the same as Providers 3 and 4, and depending on how many public IPs we get, maybe to accommodate other services
VLAN 1: 10.0.0.0/24 <-- Main VLAN with most servers and internal clients
VLAN 2: 10.0.1.0/24 <-- Security VLAN (CCTV, etc)
VLAN 3: 10.0.5.0/24 <-- VLAN for maintenance personnel
VLAN 4: 10.0.6.0/24 <-- VLAN for some industrial components that need to be isolated from other networks
VLAN 5: 10.0.10.0/24 <-- Management VLAN with access to most of the network equipment, the firewalls are here too
VLAN 6: 10.0.11.0/24 <-- Free wireless access and 'non-secure' wired access
There's usually some more but we enable and disable them when needed.
Now comes the fun part:
The main email server gets all the incoming traffic from one of the IP addresses given by Provider 1 and from Provider 2, and all the outgoing traffic from it goes through that same IP address and fails over to Provider 2 if the first goes down. This public IP cannot be shared with anything else.
The Web+Email+FTP server for the secondary domain has the same setup as the email server but without failover. Same as above, the public IP isn't shared with anything else
And like these, there are about 20 firewall rules that are working, both for connections coming from the internet and ones that come from the internal network. Some are balanced, some with failover, and some with neither.
The firewall configuration is redundant in a master-slave configuration. If the master goes down, it cuts the network for about half a second and the slave firewall kicks in, maintaining the same addresses and services exactly the same
On the switch side of things, all the equipment is from HP. The main building structure is managed through a ProCurve 5406zl with routing from the VLANs to the firewall cluster IP (10.0.10.100), and there are two HP MSM765 mobility controllers and a lot of Access Points giving WLAN coverage
More or less that's it...
04-16-2014 05:21 PM - edited 10-28-2015 03:38 PM
As @mrjester mentioned, there really isn't any limit on the number of WAN interfaces. If they have static public IPs and static gateways then all the default routes will have equal cost and the router will use a flow hash to do ECMP (equal cost multi-path) routing. Or with policy based routing you could define a routing table for each WAN to direct certain traffic to certain interfaces LINK. We recently added a WAN load-balance w/failover feature - LINK. This feature is basically policy based routing with a simplified config and a ping watchdog to automatically failover (however that feature is currently limited to 2 WAN interfaces)
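As an added illustration (not from the thread or Ubiquiti's code), a small Python model of the two behaviours the answer contrasts: flow-hashed ECMP across whichever equal-cost default routes are up, versus policy-based pinning of the mail server to one WAN with ordered failover. Interface names, the mail server address and the guest-VLAN rule are constructed to mirror the setup described earlier in the thread.

```python
import hashlib
from ipaddress import ip_address, ip_network

# Constructed model of the thread's setup: five WANs, mail server pinned to
# wan1 (failover wan2), guest VLAN 6 kept off wan1, everything else hashed.
WANS = ["wan1", "wan2", "wan3", "wan4", "wan5"]
MAIL_SERVER = ip_address("10.0.0.25")      # constructed address in VLAN 1
GUEST_VLAN = ip_network("10.0.11.0/24")    # VLAN 6 from the thread


def flow_hash(src, dst, sport, dport, proto):
    """Stable digest of the 5-tuple: ECMP keys on the flow, not per packet."""
    key = f"{src}|{dst}|{sport}|{dport}|{proto}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:8], "big")


def ecmp_pick(flow, candidates):
    """Equal-cost multipath: the flow hash selects one of the live links."""
    if not candidates:
        raise RuntimeError("no WAN is up")
    return candidates[flow_hash(*flow) % len(candidates)]


def route(flow, up):
    """Policy-based routing first (pinned egress), then ECMP over live links.

    flow: (src, dst, sport, dport, proto); up: set of interfaces that are up.
    """
    src = ip_address(flow[0])
    live = [w for w in WANS if w in up]
    if src == MAIL_SERVER:                   # fixed source IP, ordered failover
        for w in ("wan1", "wan2"):
            if w in live:
                return w
        raise RuntimeError("mail server has no usable uplink")
    if src in GUEST_VLAN:                    # guest traffic never uses wan1
        return ecmp_pick(flow, [w for w in live if w != "wan1"])
    return ecmp_pick(flow, live)


def rehash_churn(flows, before, after):
    """Fraction of flows whose egress changes when the live-link set changes.

    With plain ECMP a WAN failure re-hashes most flows onto other links, so
    their NATed source address changes and established sessions break; the
    pinned mail-server policy above is how the thread avoids that.
    """
    moved = sum(1 for f in flows if route(f, before) != route(f, after))
    return moved / len(flows)
```

The churn figure is what the ping-watchdog failover feature is trading against: fewer WANs in a group means fewer flows disturbed when one link drops.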
10-28-2015 03:20 PM
Actually both links appear to be dead, and I am not even sure if this is the most recent information regarding a multi-WAN setup... Help is much appreciated!
10-28-2015 03:41 PM
The second link on this goes to the wrong place, any chance of getting that corrected?
Thanks for pointing out the broken links. I fixed them, so try again.
06-07-2016 01:47 PM
Sorry for reviving this somewhat old thread, but I thought it might be better than creating a new one...
Has something changed in regards to supporting more than 2 WAN load balancing/policy?
I have a use case where we have 4 connections from LTE sources and a satellite connection. Speeds vary (as one can imagine), so some sort of dynamic calculation of the route would be really great, although we usually know more or less what's the best route...
Our needs would be to be able to send traffic from a specific VLAN to either a "load balanced" WAN group (which could be 1 - 4 of the links depending on which one(s) are up), as well as fixing certain VLANs to specific WAN ports.
I wonder if this is doable, and if anyone has any pointers on a setup of this kind.
06-07-2016 02:48 PM
Thanks a lot for the pointer, stig! I'll look into that...
I will start building "brick by brick" as we have a site-to-site VPN to put on top of this (probably IPsec), and also an mDNS reflector needs to be active...
but I'll go piece by piece and let you guys know how things go and any doubts coming along the way...
In the end I hope to add some scripts to the ER webserver in order to automate some tasks (take a link up, down, etc), as well as perhaps trying to evolve into reading the throughput on different links and balancing them accordingly... If anyone has done this I'd be interested in seeing it... (The UniFi controller seems to have a "queue" feature which does something related to a speedtest on the WAN link, but it seems to be "1-time" and I'm not 100% clear on what it does yet...)
For now I'm researching everything and will let you all know how things go!
Thanks for the pointer, it's already very helpful.