In a Cascade of WAN Interfaces, Where should I do the Connectivity Check?

nwikner Posts: 3  Freshman Member
edited April 2021 in Security

I have a ZyWALL 110 at home. During Covid times I need a very reliable internet connection, and my connection via the ISP, Comcast, on wan1 was unreliable at times. I decided to add a second ISP provider, CenturyLink, and connect that to wan2. I followed the directions in https://support.zyxel.eu/hc/en-us/articles/360001390334-Setting-up-a-VLAN-on-a-WAN-PPPoE-Interface. These instructions were not specific to CenturyLink; it took many days of trial and error, but I finally got it to work. The setup on wan2 is a cascade of interfaces. CenturyLink requires an external VLAN201 and also requires PPPoE authentication. So I have a user-defined VLAN interface, called “VLAN201”, with wan2 as its base port and VLAN ID: 201. Next I have a user-defined PPP interface, called “CenturyLink”, with VLAN201 as its Base Interface. I have 4 questions:

  1. To do reliable load balancing between the 2 ISPs, I need to do a connectivity check on both wan1 and on wan2. This is trivial on wan1; I just specify the parameters in Network/Interface/Ethernet/wan1/connectivity check. But on the wan2 side, all 3 of CenturyLink (the PPP interface), VLAN201, and wan2 have the option to specify a connectivity check. Do I specify the connectivity check in a) wan2; b) VLAN201; c) CenturyLink; d) wan2 and VLAN201; e) wan2 and CenturyLink; f) VLAN201 and CenturyLink; g) wan2, VLAN201 and CenturyLink?
  2. I have set up DDNS with Primary Interface/IP of CenturyLink/from interface and Backup Interface/IP of wan1/from interface.  This is in support of a site-to-site VPN which relies on both ends on DDNS.  Is the failover to the Backup Interface sensitive to the settings on the Connectivity Check?  Should I make those settings very aggressive (such as Check Period: 5 seconds; Check Timeout: 1 second; Check Fail Tolerance: 1) instead of the default values (30,5,5)?  What are the advantages and disadvantages of aggressive vs. default settings?
  3. I am currently using the SYSTEM_DEFAULT_WAN_TRUNK. I have noticed that my new interfaces, CenturyLink and VLAN201, have been automatically added to the default list (wan1, wan2, wan1_ppp, wan2_ppp, and opt_ppp). The CenturyLink egress speed is about 8 times as fast as the Comcast egress speed. I have set the Egress Bandwidth on wan1 to its measured value. I have also measured the Egress Bandwidth on the CenturyLink side but again, there are 3 places to enter this: CenturyLink, VLAN201, and wan2. Do I enter this in all 3 places or in 2 of them or just one? If 1 or 2, which one(s)?
  4. I might want to use the Weighted Round Robin algorithm instead of the Least Load First algorithm used by the SYSTEM_DEFAULT_WAN_TRUNK.  If I create a User Configured Trunk to do this, I presume that I should list wan1 (Comcast) with a weight of 1.  Which of (wan2, VLAN201, CenturyLink) should I also include in the Member list?  If more than one of these, should I give them both (all) a weight of 8?
Thanks for your help.

Comments

  • Jeremylin Posts: 166  Master Member
    edited December 2020
    1. It depends on which interface you want to do the connectivity check on with a specific peer.
    2. If you configure the Connectivity Check of the VPN to be more aggressive, the failover function of the VPN will be sensitive. I think the default is suitable for the VPN scenario.
    3. You should set the Egress Bandwidth on each interface, if you would like to limit them.
    4. You can configure the interface which handles the main traffic with a weight of 8; the others could be set to a lower value.
