uOS - WAN Trunk Link Sticking
Zyxel Employee
Overview
The WAN Trunk Link Sticking feature is designed to maintain session consistency by ensuring that traffic from the same source IP to the same destination continues to use the same WAN interface.
This function enhances connection stability for applications or services that are sensitive to IP address changes — such as online banking, government portals, payment gateways, and online gaming.
1.Background – WAN Trunk Load Balancing
Zyxel firewalls support WAN Trunking, which allows multiple WAN interfaces to share outbound internet traffic.
The system decides which WAN link to use based on the load-balancing algorithm configured in the trunk:
Algorithm
|
Description
|
|---|---|
Weighted Round Robin
| Distributes sessions proportionally based on configured weights. |
Least Load First | Chooses the WAN with the lightest current load. |
Spillover
| Directs traffic to the next WAN once a bandwidth threshold is reached. |
While these methods effectively balance load, they may cause sessions from the same client to shift between WAN links, resulting in different source IP addresses — which can disrupt session-based services.
2. What Is Link Sticking?
Link Sticking ensures that all connections from the same source IP to the same destination are routed through the same WAN interface within a specific time window.
- Default stickiness duration: 300 seconds
- During this time, repeated sessions from the same client to the same destination continue to use the same WAN link.
- After the timer expires, new sessions follow the trunk algorithm again.
Example
Condition
|
Behavior
|
|---|---|
Client A → example.com | Always uses WAN1 for 300 seconds |
Client B → example.com | Always uses WAN2 for 300 seconds |
After 300s idle
| New sessions may be assigned to another WAN based on load balance |
This prevents session termination on services that verify continuity of the source IP address.
3.Default Behavior after Firmware Upgrade
After upgrading to the latest firmware:
Previous Load-Balance Algorithm
|
Link Sticking After Upgrade
|
Reason
|
|---|---|---|
Least Load First / Spillover | Enabled | Compatible with dynamic balancing behavior. |
Weighted Round Robin (1:1 default weight) | Disabled
| Prevents clients from being locked to a slower WAN when link speeds differ. |
Example Scenario
A customer has:
- WAN1 = 100 Mbps
- WAN2 = 1 Gbps
- Both set to weight 1:1
If Link Sticking is enabled, the firewall might repeatedly assign some clients to the slower link. Hence, to maintain fair traffic distribution, Link Sticking is disabled by default when Weighted Round Robin is used.
4. How to Check and Configure Link Sticky
CLI Commands
4.1 To verify current status:
show config vrf main system link-sticking
Output Example:
4.2 To configure Link Sticking:
vrf main system link-sticking enabled true
Output Example:
Note:
Configuration of Link Sticking is available only via CLI. It cannot be changed through the Nebula Cloud GUI or the local web interface.
5. Link Sticking Operation Example
Topology Example:
[PC1] → [Firewall] → (WAN1, WAN2)
[PC2] → [Firewall] → (WAN1, WAN2)
- Both WAN1 and WAN2 are active members of the trunk.
- Load-balancing algorithm = Weighted Round Robin (1:1)
- Link Sticking = Enabled
Step
|
Action
|
Result
|
|---|---|---|
1 | PC1 initiates first session to Internet | Session assigned to WAN1 |
2
| PC1 initiates new session within 300s | Uses same WAN1
|
3 | PC2 starts session | Assigned to WAN2 |
4
| After 300s idle | PC1 may be reassigned per algorithm |
Administrators can verify this behavior by visiting cURL such as http://ipinfo.io/ip.
Repeated tests to the same site will show the same public IP when Link Sticking is active.
6.Priority Between “Link Sticking” and “Force Reconnect on Active WAN”
If both features are enabled simultaneously, they interact as follows:
Feature
|
Function
|
|---|---|
Link Sticking
| Keeps the same WAN for the same source/destination pair. |
Force Reconnect on Active WAN
| Terminates existing sessions on secondary WANs when the primary WAN recovers. |
Priority
Force Reconnect on Active WAN takes priority over Link Sticking.
When the primary WAN link recovers, all sessions on backup links are disconnected and re-established through the primary WAN, even if Link Sticking was active.
7.Summary
Aspect
|
Description
|
|---|---|
Feature Name | WAN Trunk Link Sticking |
Function
| Maintains session consistency by using the same WAN link for identical source–destination traffic |
Default Duration | 300 seconds |
Configuration
| CLI only (vrf main system link-sticking enabled true) |
Default Status | Depends on load-balancing algorithm |
Priority
| “Force Reconnect on Active WAN” overrides Link Sticking |
Use Case
| Online banking, e-commerce, gaming, and any session-sensitive applications |
Key Takeaway
The Link Sticking function stabilizes WAN session behavior for IP-sensitive applications by ensuring consistent outbound interface usage.
Combined with intelligent trunk balancing, it provides both reliability and performance for modern multi-WAN environments.
Categories
- All Categories
- 439 Beta Program
- 2.8K Nebula
- 202 Nebula Ideas
- 127 Nebula Status and Incidents
- 6.3K Security
- 515 USG FLEX H Series
- 328 Security Ideas
- 1.7K Switch
- 84 Switch Ideas
- 1.3K Wireless
- 49 Wireless Ideas
- 6.9K Consumer Product
- 288 Service & License
- 458 News and Release
- 90 Security Advisories
- 31 Education Center
- 10 [Campaign] Zyxel Network Detective
- 4.3K FAQ
- 34 Documents
- 85 About Community
- 97 Security Highlight