Flex 200 Dual WAN Configuration
Hello All,
I have a fleet of USG Flex 200 routers deployed. WAN 1 is static IP from ISP, WAN 2 is private IP (no internet access) from cellular modem.
Goal here is traffic from LAN is IPSEC through WAN 1 when possible to private network. If WAN 1 were to ever fail, Zyxel should fail over to WAN 2 and my LAN address should still be able to communicate to my private network, as WAN 2 would be in this private network as well.
I have a problem though, where sometimes the USG FLEX 200 will failover to WAN 2, but then not switch back to WAN 1 when it is available. Its keepalive address is 8.8.8.8, which is confirmed up at the time it is communicating through WAN 2. If I physically unplug WAN 2 from the Zyxel, it fails over fine.
I have my Trunk configured to be WAN 1 active, WAN 2 passive. I've dropped throughput to 1 kbps up/down on load balancer. Still Flex 200 seems to get stuck on WAN 2 for some reason?
This problem has persisted on every firmware I've tried, including newest one.
Any suggestions?
All Replies
-
Have you made a routing rule to WAN1 with Connectivity Check to 8.8.8.8? Seems you have the check on the interface.
-
I just have it on the interface.
-
I have never tested failover with a Trunk setup; I do it by routing rule.
Incoming interface
member LAN1
next hop
type interface
interface WAN1
advance
check
Disable policy route automatically while Interface link down
Enable Connectivity Check
ping setup you set to 8.8.8.8
-
With LAN1 next hop WAN1, that won't stop LAN1 traffic from going out IPSEC when WAN1 is active, would it? I'll have to set up a bench test, but I appreciate the assistance!
-
The IPSEC will go out WAN1 by the Trunk setup. You can, if needed, make a routing rule:
Incoming ZYWALL
service IPSEC group with port 500, 4500, 1701 and Protocol=50
next hop
type interface
interface WAN1
Thinking about it, if the IPSEC is set on a given interface then it will use that interface.
-
Hi @tmiller, I tested the trunk in my lab, also with Connectivity Check on the interface. The outbound traffic will switch back to the "active" one when WAN1 goes online.
Shared my trunk settings, and I didn't use any policy route to control outbound traffic.
If the issue still persists, please kindly share your configuration through private messages.
I'm very glad to check for you.
Thank you
Kevin