Flex200 - maybe routing policy limitation?

GiuseppeR
GiuseppeR Posts: 300  Master Member
edited November 12 in Nebula

Hello everyone,

I need to split my LAN, routing its traffic to WAN1 and WAN2.

Considering public IP (WAN1) and speed (WAN2).

So I want LAN_IP1 to go to the internet via WAN1, and the rest of LAN1 via WAN2.

WAN1 is only for a specific IP assigned to a server (and for emergency internet backup).

So I set the active rule to have LAN_IP1 via Next-Hop WAN1:

Telling the firewall that WAN1 is the backup interface, I have all of LAN1 going to the internet via WAN2 until WAN2 is down; when WAN2 is down, LAN1 goes on the internet with the backup interface (WAN1).

The problem is when WAN1 is down, because LAN_IP1 will go offline too: it is a server, and if WAN1 is down it would not be reachable remotely in any way.

Is there a way to tell the firewall that LAN_IP1 has to go online "preferably" with WAN1 and ONLY if WAN1 is down to go via WAN2?

I have similar issues with another Company where I have WAN1, WAN2, WAN3:

As you can see, I can tell the firewall to route specific items via WAN1 or WAN2, while WAN3 is a backup, but when WAN3 is working I have those 2 rules offline.

It could be a problem because one of those rules is related to a VLAN for VoIP phones, so having only WAN3 (poor LTE performance compared to fiber WAN2) could give zero phone availability.

All Replies

  • PeterUK
    PeterUK Posts: 3,443  Guru Member

    So with the rule LAN_IP1 via WAN1, you set an interface ping check on that rule; when the ping check fails it will go to the next rule.

  • GiuseppeR
    GiuseppeR Posts: 300  Master Member

    LAN_IP1 to WAN1 is needed because I need to open a specific port on a specific IP for an external service that has to be reachable from the internet.

  • PeterUK
    PeterUK Posts: 3,443  Guru Member

    But did you want LAN_IP1 to use WAN2 when WAN1 is down?

  • GiuseppeR
    GiuseppeR Posts: 300  Master Member

    Yes @PeterUK

    because LAN_IP1 is remotely managed, so it is useful to route it via WAN1 to let users have daily access to some open ports from the WAN side, but if WAN1 is down you cannot remotely manage that old server either.

    Making the rule for LAN_IP1 use WAN1 preferably would be better, so LAN_IP1 uses WAN1 if WAN1 is UP; otherwise LAN_IP1 goes via WAN2, at least remaining reachable for remote management.

    It seems strange to me that you cannot tell the firewall to route LAN_IP1 via Next-Hop WAN1 if WAN1 is UP and then to route it via WAN2 as a backup interface if WAN1 is DOWN. It is the same idea that lets you use another WAN if the main one is down.

  • Zyxel_Kay
    Zyxel_Kay Posts: 1,170  Zyxel Employee

    Hi @GiuseppeR

    Your scenario can be achieved by combining Policy Routes and the WAN Load Balancing feature. Here’s how you can configure it:

    Policy Route Configuration

    1. Rule 1:
      • Source IP: LAN1_IP (the specific IP you want routed via WAN1)
      • Next-Hop: WAN1
    2. Rule 2:
      • Source IP: Remaining LAN1 IPs
      • Next-Hop: WAN2

    WAN Load Balancing Configuration

    • Set WAN1 as the primary interface for LAN1_IP traffic.
    • Configure WAN2 as the backup interface.
    • Optionally, use Weighted Round Robin if you need dynamic load distribution between WAN interfaces for other traffic.

    Expected Behaviour

    • With this configuration, LAN1_IP traffic will route via WAN1 when it’s available.
    • If WAN1 goes down, traffic for LAN1_IP will automatically fail over to WAN2, ensuring continued remote accessibility.

    You may refer to the following posts for detailed instructions on configuring Policy Routes and Load Balancing:

    Kay

    See how you've made an impact in Zyxel Community this year! https://bit.ly/Your2024Moments_Community

  • GiuseppeR
    GiuseppeR Posts: 300  Master Member

    Hi @Zyxel_Kay

    I sent you a PM with details, please let me know if it is correct.

    Thanks in advance.

  • Zyxel_Kay
    Zyxel_Kay Posts: 1,170  Zyxel Employee

    Hi @GiuseppeR

    After replicating the same configuration as yours, we observed that this is a current design limitation of the policy route on the Nebula firewall. If you manage the firewall on-premises, you can enable the Health Check options to:

    1. Automatically disable the policy route when the interface link is down.
    2. Enable Connectivity Check to achieve the intended purpose.

    If you believe this feature is necessary for the Nebula firewall, feel free to submit an idea post at https://community.zyxel.com/en/categories/nebula-ideas.

    Kay

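    A small model of the ordered policy-route evaluation discussed in this thread, added here as an illustration (not Zyxel code): with no health check, a rule pinned to a WAN that is down blackholes the traffic, which is the situation GiuseppeR describes; with the on-premises health-check option the rule is skipped and the next matching rule or the default route takes over. The addresses, the rule order and the default-route interface are constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class PolicyRoute:
    source: str          # source prefix this rule matches
    next_hop: str        # egress interface, e.g. "WAN1"
    health_check: bool   # skip the rule when next_hop is down (on-prem option)


@dataclass
class Router:
    rules: list
    default_route: str                 # interface used when no rule matches
    link_up: dict = field(default_factory=dict)

    def egress_for(self, src_ip: str):
        """Interface chosen for a packet from src_ip, or None if blackholed."""
        ip = ip_address(src_ip)
        for rule in self.rules:
            if ip not in ip_network(rule.source):
                continue
            if rule.health_check and not self.link_up.get(rule.next_hop, False):
                continue  # health check disabled this rule: fall through
            # Rule is active, so traffic is pinned to it even if the link is down.
            return rule.next_hop if self.link_up.get(rule.next_hop, False) else None
        if self.link_up.get(self.default_route, False):
            return self.default_route
        return None


# Constructed addresses: LAN_IP1 is the remotely managed server from the thread.
LAN_IP1 = "192.168.1.10"
OTHER_LAN = "192.168.1.50"


def build(health_check: bool) -> Router:
    """Rule 1 pins the server to WAN1, Rule 2 sends the rest of LAN1 to WAN2."""
    rules = [
        PolicyRoute("192.168.1.10/32", "WAN1", health_check),
        PolicyRoute("192.168.1.0/24", "WAN2", health_check),
    ]
    return Router(rules, default_route="WAN1", link_up={"WAN1": True, "WAN2": True})


if __name__ == "__main__":
    r = build(health_check=False)
    r.link_up["WAN1"] = False
    print("no health check, WAN1 down:", r.egress_for(LAN_IP1))   # None: blackholed
    r = build(health_check=True)
    r.link_up["WAN1"] = False
    print("health check, WAN1 down:", r.egress_for(LAN_IP1))      # WAN2: failed over
```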

  • GiuseppeR
    GiuseppeR Posts: 300  Master Member

    Hello @Zyxel_Kay

    done as you requested:

    Please consider adding this to routing policies on Nebula; it is really important.
