Zyxel Nebula WAN Failover – WAN2 Still Active Despite Policy Route to WAN1

bhiggs Posts: 2  Freshman Member

I’m using Zyxel Nebula with WAN failover enabled - WAN1 is set as the primary, and WAN2 as backup. I’ve also configured policy routes to ensure all LAN traffic (from 10.10.0.0/24 and 172.20.5.0/24) goes out via WAN1, plus a catch-all route for any other traffic to use WAN1 as well.

Despite this, I’m still seeing WAN2 being used intermittently. Load balancing is not enabled, and the device is in failover mode - so in theory, WAN2 should remain idle unless WAN1 fails.


Does anyone know why WAN2 is still seeing traffic? Is this expected behavior for system/management traffic in Nebula? And if so, is there a way to force all traffic (including system) through WAN1 unless failover is triggered?

All Replies

  • PeterUK
    PeterUK Posts: 3,750  Guru Member
    edited 2:31AM

    Nebula may have limitations vs. on-site, so I'm not sure of the differences.

    If you route given traffic out a given WAN, when that WAN fails it will not go to WAN2; that's how I know it to be. So you need the routing rule with a ping check, so that when the ping fails you have another rule below to route to WAN2.

    Zywall may use either WAN. With on-site you can route the Zywall FQDNs *.myzyxel.com and *.zyxel.com to go out a given WAN; this works well on old models but not so well on FLEX H.

  • lora785frink
    lora785frink Posts: 3  Freshman Member

    Hello,

    In Nebula
    Log in to the Nebula Control Center.

    Navigate to Security Gateway > Configure > Routing.

    Enable the "Connectivity Check" option.

    Specify the target IP or domain for the health check (e.g., 8.8.8.8 or www.google.com).

    Configure the check interval, timeout, and fail tolerance as needed.

    Save the configuration.

    On-Site (USG FLEX)
    Access the device's web interface.

    For policy routes:

    Go to Configuration > Network > Routing.

    Add a new policy route.

    Specify the source, destination, and service criteria.

    In the "Next Hop" section, select the desired WAN interface.

    Enable the health check option and configure the target IP and parameters.

    For WAN trunking:

    Navigate to Configuration > Network > Interfaces > Trunk.

    Create a new trunk group with the desired WAN interfaces.

    Configure the load balancing and failover settings.

    Save and apply the configuration.

    Best Regards,

    Lora

  • Zyxel_James
    Zyxel_James Posts: 699  Zyxel Employee

    It could be a small amount of ARP or ping traffic to keep the connection between WAN2 and its gateway.
    You can capture packets on WAN2 to check what the traffic is about.
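
Following the suggestion above to capture packets on WAN2, this added example (not from any poster in the thread and not Zyxel code) sorts a capture into link-monitoring chatter, gateway system lookups and real TCP/UDP flows. It assumes the capture has been rendered as `tcpdump -n` text; the sample lines, addresses and the DNS/NTP port list are constructed assumptions.

```python
import re
from collections import Counter

# Constructed `tcpdump -n` style lines (documentation addresses), not taken from the thread.
SAMPLE = """\
09:46:40.100000 ARP, Request who-has 203.0.113.1 tell 203.0.113.2, length 28
09:46:45.000000 IP 203.0.113.2 > 203.0.113.1: ICMP echo request, id 7, seq 1, length 64
09:46:45.001200 IP 203.0.113.1 > 203.0.113.2: ICMP echo reply, id 7, seq 1, length 64
09:47:02.500000 IP 203.0.113.2.40112 > 198.51.100.53.53: 4242+ A? example.com. (29)
09:47:03.250000 IP 203.0.113.2.51514 > 198.51.100.7.443: Flags [S], seq 1, win 64240, length 0
09:47:03.900000 IP 203.0.113.2.51514 > 198.51.100.7.443: Flags [P.], seq 1:518, ack 1, win 502, length 517
"""

IP_RE = re.compile(r"IP (\d+(?:\.\d+){3})(?:\.(\d+))? > (\d+(?:\.\d+){3})(?:\.(\d+))?: (.*)")
SYSTEM_PORTS = {53: "dns", 123: "ntp"}  # assumption: gateway's own lookups and time sync

def classify(line):
    """Return (category, flow) for one line; flow is None unless it is a TCP/UDP packet."""
    if " ARP, " in line:
        return "arp", None
    m = IP_RE.search(line)
    if not m:
        return "unparsed", None
    src, sport, dst, dport, rest = m.groups()
    if rest.startswith("ICMP"):
        return "icmp", None
    if sport is None or dport is None:
        return "other-ip", None
    for port in (int(dport), int(sport)):
        if port in SYSTEM_PORTS:
            return SYSTEM_PORTS[port], (src, dst, int(dport))
    return "flow", (src, dst, int(dport))

def summarize(text):
    """Count packets per category and per (src, dst, dst_port) for real flows."""
    counts, flows = Counter(), Counter()
    for line in filter(None, map(str.strip, text.splitlines())):
        category, flow = classify(line)
        counts[category] += 1
        if category == "flow":
            flows[flow] += 1
    return counts, flows

def only_link_monitoring(counts):
    return set(counts) <= {"arp", "icmp"}  # nothing but ARP and ping on the link

if __name__ == "__main__":
    counts, flows = summarize(SAMPLE)
    print(dict(counts), dict(flows), only_link_monitoring(counts))
```

A capture that contains only `arp` and `icmp` matches the keepalive explanation; entries under `flow` are sessions that actually left via WAN2 and point back at the routing rules.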
