lucasneumann
Visitor III
May 14, 2016
Question

Dual WAN config with health monitor triggered failover Policy Route question

Hi, I have a FGT60D (5.4) with two WAN connections and configured a health monitor for wan1 if multiple servers are not reachable. If the health monitor takes wan1 down, wan2 starts working through the second default route with the higher distance configured. So far, this works like a charm.

What I want to accomplish now is:

- at least make the firewall reachable through wan2 from the outside at all times for ping and maybe https/ssh management (trusted hosts only)
- if possible, also make various virtual IPs via wan2 accessible all the time from the outside.

I realize that this is going to be an issue because the packets won't find their right way back as long as wan1 and its default route is active. Is there a way to accomplish my goals with policy routes? Everything I have tried didn't work, unfortunately. One way would be to put wan2 in a separate VDOM, but I want to avoid going through a separate virtual firewall instance with all the traffic and creating all those firewall policies twice, if possible. Thanks for any advice! Regards


    Burhanripl
    New Member
    May 14, 2016

    Keep the same distance on both WANs.

    Your config should be like this.


    WAN1 : Distance 10   Priority 10

    WAN2 : Distance 10   Priority 20


    The lower-priority WAN with the same distance is given preference. The routing monitor will show both WANs as UP, but only wan1 will be used for outbound connections as long as it is up.

    echo
    Explorer II
    May 20, 2016

    @Burhanripl: Yes, that's how I have configured such cases too and it works.


    There has been an issue though. IP-phones, after switching over to the backup connection and later, when the primary restores, not all sessions go back to the primary and the phones don't work properly. I don't know how to force them to go back to the primary _automatically_. This can be done manually but it should be automatic.

    ecsupport
    New Member
    June 24, 2016

    Will the WAN health check work for simple WAN failover between two interfaces, without setting them up beforehand in a WAN LLB group interface (which I don't want to do)? I just want to mimic the same functionality I had in 5.2: Router - Static - Settings - Link Health Monitor.


    In the 5.4 health check, I also don't see the option for a gateway when setting up the WAN health check, so I presume it pings out from ALL routable interfaces and yanks the gateway/route of any that fail while continuing to ping for recovery??