Routing a two subnets through a two different WAN ports with mutual redundancy

a1601
a1601 Posts: 30  Freshman Member
First Comment Friend Collector First Anniversary
in Security

Hello!

I need qualified advice how to organize the following scheme of work.

There are two Internet channels, connected to WAN1 and WAN2 (conventionally WAN1 - main channel, WAN2 - backup).
In "normal" mode subnet 192.168.1.0 (1) is routed through WAN1, subnet 192.168.4.0 (4) - through WAN2. This is solved by setting routing rules.
If link on WAN1 fails - the routing rule for WAN1 is disabled and the next rule for WAN2 starts working to switch the routing from network 1 to backup WAN2 (this is also solved by checking the availability in the rule for the WAN1). At the same time subnet 4 also continues to work through WAN2, everything is fine.
But if fails the backup channel WAN2 - need to switch subnet 4 to the main WAN1 - this is where the problem arises.
If i configure the rules to check the availability of WAN2 (to enable the next rule for routing subnet 4 to WAN1) - the check (ping 8.8.8.8 or any other) does not pass in the "normal" mode, this rule is immediately disabled (although channel 2 is working).

Is it possible somehow to make such a mutual reservation of channels for different subnets or is it impossible?

Policy routes:

policy 1
description ZYXEL-WAN1
interface ZyWALL
dscp any
service ZYXEL_SERVICE
next-hop interface wan1
auto-disable
conn-check 8.8.8.8 method icmp period 5 timeout 1 fail-tolerance 1
conn-check activate
!
policy 2
description ZYXEL-WAN2
interface ZyWALL
dscp any
service ZYXEL_SERVICE
next-hop interface wan2
!

policy 3
description LAN1-WAN1
interface lan1
dscp any
next-hop interface wan1
snat outgoing-interface
auto-disable
conn-check activate
conn-check 8.8.8.8 method icmp period 5 timeout 1 fail-tolerance 5
!
policy 4
description LAN1-WAN2
interface lan1
dscp any
next-hop interface wan2
snat outgoing-interface
!
policy 5
description LAN2-WAN2
interface lan2
dscp any
next-hop interface wan2
snat outgoing-interface
auto-disable
conn-check activate
conn-check 8.8.8.8 method icmp period 5 timeout 1 fail-tolerance 5
!
policy 6
description LAN2-WAN1
interface lan2
dscp any
next-hop interface wan1
snat outgoing-interface
!

Thanks in advance!

Accepted Solution

  • a1601
    a1601 Posts: 30  Freshman Member
    First Comment Friend Collector First Anniversary
    Answer ✓

    Sorry again, I misled you. I found my mistake in the settings, everything works as it should now. Thanks for the help!

All Replies

  • PeterUK
    PeterUK Posts: 3,387  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited September 2023

    It should work what you have done...if you unplug WAN2 LAN2 should use WAN1

    Maybe change one of the ping to 8.8.4.4

    There is this firmware saying about a fix for fail over

    https://community.zyxel.com/en/discussion/18656/zld-v5-37wk30-firmware-release#latest

  • Zyxel_James
    Zyxel_James Posts: 663  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate 100 Answers

    Yes, I think your routing configuration can work.
    When WAN1 fails, policies 1, 3, and 6 would automatically disable themselves, and both would be routed through WAN2, and vice versa.

  • a1601
    a1601 Posts: 30  Freshman Member
    First Comment Friend Collector First Anniversary
    https://community.zyxel.com/en/discussion/comment/56653#Comment_56653

    But when both WAN1 and WAN2 work and Enable Connectivity Check for policie 5 - it policie is disabled and both networks routed through WAN1.. (need routed LAN2 through WAN2). Connectivity Check disabeled - it works.
    Pinging another IP for check (8.8.4.4) - it didn't help.

  • PeterUK
    PeterUK Posts: 3,387  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    Maybe I'm missing something?

    So with ping check working the following happens

    LAN1 goes out WAN1

    LAN2 goes out WAN2

    ping check fails on WAN1

    LAN1 goes out WAN2

    LAN2 goes out WAN2

    ping check fails on WAN2

    LAN1 goes out WAN1

    LAN2 goes out WAN1

  • a1601
    a1601 Posts: 30  Freshman Member
    First Comment Friend Collector First Anniversary
    https://community.zyxel.com/en/discussion/comment/56658#Comment_56658

    Yes, everything is described correctly, that’s exactly what I want to do. But for some reason it doesn’t work and I don’t understand why.

  • PeterUK
    PeterUK Posts: 3,387  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    so if you put in a test IP where the ping will fail like 127.0.0.2 this will fail the check for testing.

    So what is it your seeing? LAN2 when ping is fine not going out WAN2?

  • a1601
    a1601 Posts: 30  Freshman Member
    First Comment Friend Collector First Anniversary
    https://community.zyxel.com/en/discussion/comment/56660#Comment_56660

    Ping check for any IP (8.8.8.8, 8.8.4.4 and other) for policies LAN2-WAN2 is fail.

    Settings:

    settings.jpg

    Result (WAN1 and WAN2 works fine, LAN2 going out WAN1):

    policies.jpg

  • a1601
    a1601 Posts: 30  Freshman Member
    First Comment Friend Collector First Anniversary

    Sorry, today my tests are incorrect, because in reality there are problems with the provider for WAN2. I'll check again later.

  • a1601
    a1601 Posts: 30  Freshman Member
    First Comment Friend Collector First Anniversary
    Answer ✓

    Sorry again, I misled you. I found my mistake in the settings, everything works as it should now. Thanks for the help!

Categories

Security Highlight


Read more

Security Help Center

EnglishTiếng ViệtРусскийไทย中文(台灣)