Configuring multi WAN failover on Ubiquiti devices

As I’ve been working from home for a long time, you really start to notice problems with your main internet connection. I have a Ubiquiti EdgeRouter X, which has 5 ports and can support multi-WAN load balancing or failover.

I have cable internet and I also happen to have a Huawei 4G router in my loft where it gets the best signal, and it has an unlimited data contract. The 4G router is connected to a switch that does VLANs and there’s a trunk port between that switch and the router.

To briefly summarise my network (apologies for the poor diagram skills): my cable modem (WAN1) is connected to router eth0. The 4G modem (WAN2) connects to a switch, and that switch has a VLAN trunk connected to eth2 on the router, tagged VLAN 2. My LAN is connected to eth4 on the router and is technically VLAN 1, untagged.

In this setup, anything not on eth0 or eth1 is also a member of switch0.

I’m going to assume you have an already set up and working Ubiquiti router or L3 switch, and you’ve got things like DHCP and NAT sorted out. If not, refer to your setup guide (or follow the wizard).

We’re going to do this via the CLI, because in my particular setup the second WAN link I want to use is on a VLAN, and the GUI will not let you select a VLAN as a WAN for some reason (presumably to keep it simple?).

Anyway, the same applies even if you aren’t using a VLAN; we’ll just change the name of the interface to match the one you are using. Let’s get started: SSH into your router and run the following commands:

ubnt@ubnt# configure
ubnt@ubnt# set firewall group network-group PRIVATE_IPS network 10.0.0.0/8
ubnt@ubnt# set firewall modify balance rule 10 action modify
ubnt@ubnt# set firewall modify balance rule 10 destination group network-group PRIVATE_IPS
ubnt@ubnt# set firewall modify balance rule 10 modify table main
ubnt@ubnt# set firewall modify balance rule 20 action modify
ubnt@ubnt# set firewall modify balance rule 20 destination group address-group ADDRv4_eth0
ubnt@ubnt# set firewall modify balance rule 20 modify table main
ubnt@ubnt# set firewall modify balance rule 30 action modify
ubnt@ubnt# set firewall modify balance rule 30 destination group address-group ADDRv4_switch0.2
ubnt@ubnt# set firewall modify balance rule 30 modify table main
ubnt@ubnt# set firewall modify balance rule 110 action modify
ubnt@ubnt# set firewall modify balance rule 110 modify lb-group G
ubnt@ubnt# set interfaces switch switch0 vif 1 firewall in modify balance
ubnt@ubnt# set load-balance group G interface eth0
ubnt@ubnt# set load-balance group G interface switch0.2
ubnt@ubnt# set load-balance group G interface switch0.2 failover-only
ubnt@ubnt# set load-balance group G lb-local disable
ubnt@ubnt# set load-balance group G lb-local-metric-change enable
ubnt@ubnt# set load-balance group G sticky dest-addr enable
ubnt@ubnt# commit; save

The first line, with PRIVATE_IPS, takes whatever your LAN address range is. Mine is the 10.0.0.0/8 range.

This line is my WAN1:

ubnt@ubnt# set firewall modify balance rule 20 destination group address-group ADDRv4_eth0

and this next line is my second WAN (WAN2, the 4G gateway on my VLAN):

ubnt@ubnt# set firewall modify balance rule 30 destination group address-group ADDRv4_switch0.2

Now, if you have your WAN links plugged into eth0 and eth1, then just change “ADDRv4_switch0.2” to “ADDRv4_eth1” (and “switch0.2” to “eth1” in the load-balance group lines). The ADDRv4_ address groups are created automatically for each interface.

The next important line is

ubnt@ubnt# set interfaces ethernet eth4 firewall in modify balance

I have eth4 on my EdgeRouter connected to switches around the home, so I’m telling the EdgeRouter here that I want any connection arriving via port eth4 (connected to my home LAN switches) to go via the load balancer. In the block above this is applied to switch0 vif 1 rather than to eth4 directly, because on my router eth4 is a member port of switch0 (VLAN 1, untagged); if your LAN hangs off a standalone ethernet port, use the ethernet form shown here.

I have also used the failover-only option because I want to use the 4G link as a backup only. You can change it to use both, but I find this only works well on links of equal or similar bandwidth. In my case, with load balancing I might occasionally drop from a 350 Mbit cable connection down to 20 Mbit 4G, so that’s why I use failover.

Don’t forget to set up masquerading (outbound NAT) for the second WAN link, and any firewall rules that refer to the WAN interface.

To test, unplug one of the cables, or turn off one of your WAN modems. Refresh a page like whatismyip.org and you should see it change.

This setup will swap back to the main (eth0) link when it comes back up. If you’re wondering how it checks, it pings 8.8.8.8 or ubnt.net depending on firmware version. You can change this too, along with how often it checks and how many failures count as down.
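To make the interface substitution above (eth1 instead of switch0.2, a plain ethernet LAN port instead of switch0 vif 1) less error-prone, and to include the masquerade rule and the route-test tuning the post mentions, here is an added example (not from the original post) that emits the full set of EdgeOS commands for a given set of interface names. The ping target, failure/success counts, interval and NAT rule number are constructed values; paste the output into `configure` on the router and `commit; save`.

```shell
#!/bin/sh
# Added example: generate the EdgeOS "set" commands for a two-WAN failover group.
# Arguments: <lan_cidr> <lan_if> <wan1_if> <wan2_if> [ping_target]
#   lan_if is the full interface path used by "set interfaces", e.g.
#   "switch switch0 vif 1" (switch member port) or "ethernet eth4" (standalone).
# The route-test values and NAT rule number 5011 are constructed placeholders.
gen_failover_config() {
    lan_cidr=$1; lan_if=$2; wan1=$3; wan2=$4; target=${5:-8.8.8.8}
    grp=G
    cat <<EOF
set firewall group network-group PRIVATE_IPS network $lan_cidr
set firewall modify balance rule 10 action modify
set firewall modify balance rule 10 destination group network-group PRIVATE_IPS
set firewall modify balance rule 10 modify table main
set firewall modify balance rule 20 action modify
set firewall modify balance rule 20 destination group address-group ADDRv4_$wan1
set firewall modify balance rule 20 modify table main
set firewall modify balance rule 30 action modify
set firewall modify balance rule 30 destination group address-group ADDRv4_$wan2
set firewall modify balance rule 30 modify table main
set firewall modify balance rule 110 action modify
set firewall modify balance rule 110 modify lb-group $grp
set interfaces $lan_if firewall in modify balance
set load-balance group $grp interface $wan1
set load-balance group $grp interface $wan1 route-test type ping target $target
set load-balance group $grp interface $wan1 route-test count failure 3
set load-balance group $grp interface $wan1 route-test count success 3
set load-balance group $grp interface $wan1 route-test interval 10
set load-balance group $grp interface $wan2
set load-balance group $grp interface $wan2 failover-only
set load-balance group $grp lb-local disable
set load-balance group $grp lb-local-metric-change enable
set load-balance group $grp sticky dest-addr enable
set service nat rule 5011 description "masquerade for $wan2"
set service nat rule 5011 outbound-interface $wan2
set service nat rule 5011 type masquerade
EOF
}

# Example invocation matching the post's layout: LAN on switch0 VLAN 1,
# WAN1 on eth0, WAN2 on the tagged VLAN interface switch0.2.
gen_failover_config 10.0.0.0/8 "switch switch0 vif 1" eth0 switch0.2
```

Run `show load-balance status` after committing to confirm both interfaces are listed and that the WAN2 entry is marked as failover.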

Limitations: if a failover occurs and the primary comes back while the secondary still has a working internet connection, you will notice that some connections have stayed on the secondary. This is due to the connection-state and forwarding tables in the kernel, and there isn’t really much you can do about it. You can flush the conntrack tables, but then you’re going to kill anything that was downloading, on a VPN, etc. I just left it as it is; eventually those connections die off and future sessions return to the primary.

This post was an adaptation of the official Ubiquiti documentation for WAN load balancing, which you can find here
