How do I configure multi-WAN in Routing Table mode?




Fireware/Multi-WAN

This document applies to:

Appliance: Firebox X Core / Firebox X Core e-series / Firebox X Peak / Firebox X Peak e-series
Appliance Software versions: Fireware 8.3 / Fireware Pro 8.3
Management Software versions: WatchGuard System Manager 8.3

Introduction

The multi-WAN functionality of Fireware is designed to give the Firebox administrator more control and greater efficiency with a very large or high-traffic network. You can use Fireware appliance software to configure up to four Firebox interfaces as external or wide area network (WAN) interfaces. This allows you to connect the Firebox to more than one Internet service provider (ISP). When you configure multiple external interfaces, you select one of three different methods the Firebox can use to route outgoing packets through the external interfaces:

Multi-WAN with the Routing Table option

When you select Routing Table for your multi-WAN configuration, the Firebox uses the routes in its internal route table or routes it gets from dynamic routing processes to send packets through the correct external interface. To see if a specific route exists for a packet's destination, the Firebox examines its route table from the top to the bottom of the list of routes. If the Firebox does not find a specified route, it uses the first default route in its route table. To see the internal route table on the Firebox, connect to Firebox System Manager and select the Status Report tab.

Multi-WAN in round robin order

If you select the round-robin option, you can share the load of outgoing traffic among external interfaces. For more information see https://www.watchguard.com/support/fireware_howto/83/howto_setupmultiwan.pdf

Multi-WAN failover

The WAN failover option allows you to configure additional external interfaces as backup if the primary external interface is down. For more information see https://www.watchguard.com/support/fireware_howto/83/howto_setupwanfailover.pdf

Is there anything I need to know before I start?

Determine if the Routing Table method is correct for your network

You must decide if the Routing Table method is the correct multi-WAN method for your needs. You should use it as an alternative to the round-robin or the WAN failover method when:

- You enable dynamic routing (RIP, OSPF, or BGP) and the routers on the external network advertise routes to the Firebox so that the Firebox can learn the best routes to external locations.
- There is an external site or external network that you must access through a specific route on an external network. Examples include:
  - You have a private circuit that uses a frame relay router on the external network.
  - Traffic to an external location should always go through a specific Firebox external interface.

You use the Routing Table option for multi-WAN in these cases to be sure that the Firebox uses static and dynamic routes to the Internet without interference from the WAN failover and round-robin methods.

The Routing Table method is not for load balancing outbound connections

It is important to note that the Routing Table option does not load balance connections to the Internet. The Firebox reads its internal route table from top to bottom. Static and dynamic routes that specify a destination appear at the top of the route table and take precedence over default routes. (A default route is a route with destination 0.0.0.0/0.) If there is no specific dynamic or static entry in the Firebox route table for a destination, the traffic to that destination uses the first default route.

When the Firebox first starts up, the preferred default route is the one through the highest number interface, but this can change as WAN interfaces lose physical link state or gain link state again, or when the connectivity health check determines a WAN link is not available. When the Firebox determines that traffic cannot reach the Internet through an external interface, the Firebox puts the default route for that interface at the bottom of its internal route table. When the physical link to the Ethernet port is lost, the Firebox removes from its route table all routes that use that interface.

How the Routing Table method handles outgoing traffic when there is more than one default route

Traffic that comes from a trusted or optional network and goes to the external network uses a default route when the destination does not match a more specific route in the Firebox routing table. When you select the Routing Table option as the method for multi-WAN, the Firebox puts multiple default routes in its route table. It makes one default route for each external interface.

It is important to understand which of these default routes the Firebox uses when there is more than one external interface. Traffic going to the external network uses the default route listed closest to the top of the list in the Firebox route table if it does not match a more specific route. You must connect to Firebox System Manager and select the Status Report tab to see which default route comes first in the routing table. For more information about how the Firebox determines which default route comes first in its routing table, see the Frequently Asked Questions section at the end of this document.

Other Considerations

- If you have a policy configured with an individual external interface alias in its configuration, you must change the configuration to use the alias Any-External when you enable multi-WAN.
- If you have a multiple WAN configuration, you cannot use the dynamic NAT Set Source IP option on the Advanced tab of a policy in Policy Manager. Use the Set Source IP option in your policies only when your Firebox uses a single external interface.
- The multiple WAN feature is not supported in drop-in mode.
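The route-selection rules in this document (startup order, ping failure versus link loss, and the reactivation rule from the Frequently Asked Questions section) can be traced with a small model. This is an added example, not WatchGuard code: the class, its method names and the sample networks are hypothetical, and it does not restore removed static routes on recovery because the document does not say when they return.

```python
import ipaddress


class RouteTableModel:
    def __init__(self, externals):
        self.specific = []   # (network, interface) static or dynamic routes
        self.defaults = []   # interfaces owning a 0.0.0.0/0 route, top first
        # Startup activates interfaces lowest number first, so the
        # highest-numbered external interface ends up preferred.
        for iface in sorted(externals, key=lambda n: int(n[3:])):
            self.interface_up(iface)

    def add_route(self, cidr, iface):
        self.specific.append((ipaddress.ip_network(cidr), iface))

    def interface_up(self, iface):
        # A newly active interface gets its default route at the top.
        self.defaults = [iface] + [d for d in self.defaults if d != iface]

    def ping_failed(self, iface):
        # WAN ping target unresponsive: static/dynamic routes through the
        # interface are removed and its default route moves to the bottom.
        self.specific = [r for r in self.specific if r[1] != iface]
        if iface in self.defaults:
            self.defaults = [d for d in self.defaults if d != iface] + [iface]

    def link_lost(self, iface):
        # Physical link loss removes every route that uses the interface.
        self.specific = [r for r in self.specific if r[1] != iface]
        self.defaults = [d for d in self.defaults if d != iface]

    def egress(self, dest):
        addr = ipaddress.ip_address(dest)
        hits = [r for r in self.specific if addr in r[0]]
        if hits:  # assumption: the most specific matching route is listed first
            return max(hits, key=lambda r: r[0].prefixlen)[1]
        return self.defaults[0] if self.defaults else None


def walk_through():
    # Constructed scenario: eth0 and eth2 are external, with one static route.
    fw = RouteTableModel(["eth0", "eth2"])
    fw.add_route("198.51.100.0/24", "eth0")  # constructed example network
    seen = [fw.egress("203.0.113.10"), fw.egress("198.51.100.7")]
    for event, iface, dest in [
        (fw.ping_failed, "eth2", "203.0.113.10"),
        (fw.interface_up, "eth2", "203.0.113.10"),
        (fw.link_lost, "eth0", "198.51.100.7"),
        (fw.interface_up, "eth0", "203.0.113.10"),
    ]:
        event(iface)
        seen.append(fw.egress(dest))
    return seen
```

The fifth result is the case to check when reviewing policies: after eth0 loses link, traffic for the statically routed network follows the remaining default route out eth2.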

Configuring the Firebox to use the Routing Table method for Multi-WAN

1. From Policy Manager, select Network > Configuration. The Network Configuration dialog box appears.
2. Select the interface and click Configure. Select External from the Interface Type drop-down list to activate the dialog box. Type an interface name and description. You must have a minimum of two external network interfaces before the multi-WAN settings become available.
3. Type the IP address and default gateway for the interface. Click OK. When you type an IP address, type all the numbers and the periods. Do not use the TAB or arrow key. After you configure a second external interface, multiple WAN configuration options appear in the Network Configuration dialog box.
4. Select Routing table to enable the Firebox to use the routes in its internal route table to send packets through the correct external interface.
5. In the WAN Ping Address dialog box, double-click in the Ping Address column to add an IP address or domain name for each external interface. We recommend that you use a host that has a public presence on the Internet, and one that you expect will always reply to pings, such as a prominent web site or a public DNS server. We do not recommend you select this interface's default gateway. Select a host that is more distant from your network to get a more robust test of connectivity. When an external interface is active, the Firebox pings the IP address or domain name you set here every 20 seconds to see if the interface is operating correctly. If there is no response after three pings, the Firebox starts to use the subsequent configured external interface. It continues to ping the WAN ping address you set for that interface to check for connectivity.
6. Click OK. Save the configuration file to the Firebox.

Frequently Asked Questions About This Procedure

How do I see the route table on the Firebox?

From WatchGuard System Manager, open your Firebox System Manager and select the Status Report tab. Scroll down until you see Kernel IP routing table. This shows the internal route table on the Firebox.

What happens if an external interface goes down and comes back up again?

When the Firebox sees that an external interface is active and it previously was not active, it moves the default route for that interface to the top of the list of default routes. Because the Firebox reads default routes from top to bottom, this means that the last interface to become active is the interface with the preferred default route. For traffic that does not match a more specific route, the last default interface route added shows the preferred external interface.

What is the difference between physical link failure and failure because a WAN ping target is unresponsive?

The main difference is how long the Firebox takes to update its route table:

- If a WAN Ping target is no longer responsive, it can take from 40 seconds to 60 seconds for the Firebox to update its route table.
- If the same WAN Ping target becomes responsive again, it may take from 0 to 60 seconds for the Firebox to update its route table.
- If the Firebox detects a physical disconnect of the Ethernet port, it updates its route table immediately.
- When the Firebox detects the Ethernet connection is back up, it updates its route table within 20 seconds.

Does the Firebox read its route table when I use Round Robin or WAN Failover for the multi-WAN method?

The Firebox always maintains an internal route table. However, when you select Round Robin or WAN Failover as the multi-WAN method, those methods for sending traffic to the Internet take precedence and it is possible that routes to specific locations on the external network can be ignored.

Where do the routes in the Firebox route table come from?

Routes in the internal route table on the Firebox include:

- The routes the Firebox learns from dynamic routing processes running on the Firebox (RIP, OSPF, and BGP) if you enable dynamic routing.
- The permanent network routes or host routes you add to Policy Manager at Network > Routes.
- The routes the Firebox automatically makes when it reads the network configuration information from Policy Manager at Network > Configuration.

I use dynamic routing (RIP, OSPF, or BGP) but only for interior routes. Should I use the Routing Table method for multi-WAN?

It is not necessary to use the Routing Table method for multi-WAN if you do not use dynamic routing to share route information with routers on the external network. The round-robin and WAN failover methods interfere only with routes that use a gateway located on an external network. Routes that use a gateway on an internal (optional or trusted) network are not affected by the multi-WAN method you select.

How does the Firebox determine which default route to put at the top?

When an external interface becomes active, the Firebox puts a default route for that external interface at the top of the list of default routes. This means that the last external interface to become active is the interface with the preferred default route. Thus, traffic going to the external network uses the external interface that became active last if the traffic does not match a more specific route to its destination. (A more specific route can be a route that the Firebox learns from a dynamic routing process, or a static route in Policy Manager at Network > Routes.)

When the Firebox starts up, the startup process activates Ethernet interfaces starting with the lowest numbered interface eth0. Then it activates the next-highest numbered interface eth1, and then eth2, and so on. Thus, after initial startup, the default route associated with the highest numbered external interface is the preferred default route.

If an external interface whose default route is not at the top of the list of default routes becomes inactive, this event does not change the order of the preferred default route. However, when that external interface becomes active again, the default route for that interface goes to the top of the list of default routes. It becomes the preferred interface for all outgoing connections that do not match a more specific route to the external network.

What happens to a dynamic or static route to the external network when the external interface for that route is inactive?

When the Firebox detects that an external interface is down, it removes any static or dynamic routes that use that interface. This is true if the WAN Ping target becomes unresponsive and if the physical Ethernet link is down.

Was this document helpful? Please send your feedback to faq@watchguard.com.

SUPPORT: www.watchguard.com/support
U.S. and Canada +877.232.3531
All Other Countries +1.206.613.0456

COPYRIGHT 2006 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, the WatchGuard logo, Firebox, Core, and Fireware are registered trademarks or trademarks of WatchGuard Technologies, Inc. in the United States and/or other countries.