OPT interface used for primary external interface often get override by WAN interface

Options
phphil
phphil Posts: 37  Freshman Member
First Anniversary 10 Comments Friend Collector
edited April 2021 in Security
We have 3 separated internet subscription from different ISPs.

One is configured to use the WAN1 interface, the second is configured to use WAN2 interface, and the third one use the OPT interface. 

Actually we always want to use the OPT interface for all incoming and outgoing traffic, aka our external IP must be the one provided by the third ISP.
To obtain this behavior we initially applied the following configuration under Configuration > Network > Interface > Trunk : we added a "User configuration" that defined the primary interface using the Weighted round robin algorithm. 
This actually work most of the time, but at every firewall reboot the firewall start to use WAN1 as the default external interface, and lately the system started to suddenly switch from OPT to WAN1 very often and randomly. 

There is some known bug on the firewall feature "default Trunk", or we miss configured something, or maybee the reason is the fact/nature of OPT interface itself to cause the unexpected switch (it's purpose is generic and can be used either as an internal or an internal interface) ?

Many thanks for the attention and for the help eventually
Best regards

All Replies

  • PeterUK
    PeterUK Posts: 2,757  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    What happens if you make a top routeing rule with:

    incoming = interface

    member = LAN1

    next hop

    type = interface

    interface = OPT


  • phphil
    phphil Posts: 37  Freshman Member
    First Anniversary 10 Comments Friend Collector
    Options
    Thank you for the suggestion, I'm trying to understand if I'm looking at the correct configuration, 
    I go under Configuration > Network > Routing (tab) > Add (button)
    But the config parameters are different than the one you listed 


  • PeterUK
    PeterUK Posts: 2,757  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Your on the right settings

    where “incoming” is select “interface” this adds a member box select LAN1 or to have any LAN leave incoming as any.

    Under next-hop for “type” select Interface then under that their by interface select OPT

    At the bottom with show advanced check enable connectivity check and check this address to like 8.8.8.8 or your ISP WAN gateway. This allow for the rule to disable so other WAN gateways on WAN1 can be used when ping fails on OPT.


  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,073  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Hi @phphil

    You may consider Spillover of Trunk.

    First, navigate Network > Interface > Ethernet > edit WAN1, WAN2, OPT bandwidth e.q. their bandwidth is 1Gbps.

    Second, navigate Network > Interface > Trunk > Add a Spillover configuration and move your OPT port to the highest position.


  • phphil
    phphil Posts: 37  Freshman Member
    First Anniversary 10 Comments Friend Collector
    Options
    Thank you PeterUK, your suggestion worked perfectly!
  • phphil
    phphil Posts: 37  Freshman Member
    First Anniversary 10 Comments Friend Collector
    Options
    I've noticed later on, that all the VPN tunnels won't work anymore after adding the Routing rule. The rule work perfectly for fixing the main issue, but it interfere with the VPN  connections.

    The VPN connections are configured to use the OPT interface already, so I don't really see why the tunnel goes down as soon as I enable the routing rule.

    I've already tried to tweak the rule changing the incoming interface, avoiding use the "Any (Excluding Zywall)", but using specific LAN interface (we have 3 LANs i've created 3 separate routing rules). But this won't work neither, Site to site vpn tunnels goes down. 

    Any idea what could cause this?
  • PeterUK
    PeterUK Posts: 2,757  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited January 2021
    Options

    Is this with the newest firmware?

    do the tunnels nailed-up your side?

    Do you only have one WAN IP to the OPT?

    Seems like a bug I can't see why that routing rule would cause that.

    What you could try for the routing rule is set “source address” for your LAN subnet.


Security Highlight