OPT interface used as primary external interface often gets overridden by WAN interface

phphil
edited April 2021 in Security
We have 3 separate internet subscriptions from different ISPs.

One is configured to use the WAN1 interface, the second is configured to use the WAN2 interface, and the third one uses the OPT interface.

Actually, we always want to use the OPT interface for all incoming and outgoing traffic, i.e. our external IP must be the one provided by the third ISP.
To obtain this behavior we initially applied the following configuration under Configuration > Network > Interface > Trunk: we added a "User configuration" that defined the primary interface using the Weighted Round Robin algorithm.
This actually works most of the time, but at every firewall reboot the firewall starts to use WAN1 as the default external interface, and lately the system has started to suddenly switch from OPT to WAN1 very often and randomly.

Is there some known bug in the firewall feature "default Trunk", or have we misconfigured something, or maybe the reason is the nature of the OPT interface itself causing the unexpected switch (its purpose is generic and it can be used either as an internal or an external interface)?

Many thanks for the attention and for any help.
Best regards

All Replies

  • PeterUK

    What happens if you make a top routing rule with:

    incoming = interface

    member = LAN1

    next hop

    type = interface

    interface = OPT


  • phphil
    Thank you for the suggestion. I'm trying to understand whether I'm looking at the correct configuration:
    I go under Configuration > Network > Routing (tab) > Add (button),
    but the config parameters are different from the ones you listed.


  • PeterUK

    You're on the right settings.

    Where "incoming" is, select "interface"; this adds a member box, select LAN1, or to have any LAN leave incoming as any.

    Under next-hop, for "type" select Interface, then under that, by interface, select OPT.

    At the bottom, with show advanced, check enable connectivity check and set the check address to something like 8.8.8.8 or your ISP WAN gateway. This allows the rule to disable itself so other WAN gateways on WAN1 can be used when ping fails on OPT.
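To make the behaviour of the policy route described in the last few replies concrete, here is an added example (not Zyxel's code and not from anyone in this thread) that models the decision logic: a top policy route sends LAN traffic out OPT, its connectivity check disables the route when the probe host is unreachable, and traffic then falls back to the trunk, where WAN1 is first. Interface names, the LAN subnet and the reachability states are constructed for the illustration; the trunk fallback is simplified to "first member that is up".

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class PolicyRoute:
    incoming: str            # "any" or a LAN interface name, e.g. "LAN1"
    source: Optional[str]    # optional source-prefix match, e.g. "192.168.1."
    next_hop: str            # egress interface, e.g. "OPT"
    check_host: Optional[str]  # connectivity-check target, e.g. "8.8.8.8"

@dataclass
class Trunk:
    members: list            # interfaces in priority order, e.g. ["WAN1", "WAN2", "OPT"]

def select_egress(packet: dict, routes: list, trunk: Trunk, reachable: dict) -> Optional[str]:
    """Return the egress interface for a packet {'in': <iface>, 'src': <ip>}.

    Policy routes are evaluated top-down. A route with a connectivity check
    is skipped (disabled) while its probe fails; if no route matches, the
    trunk picks the first member whose link is up (simplified model).
    """
    for r in routes:
        if r.incoming != "any" and r.incoming != packet["in"]:
            continue
        if r.source and not packet["src"].startswith(r.source):
            continue
        if r.check_host and not reachable.get(r.next_hop, False):
            continue                      # probe failed: rule disabled
        return r.next_hop
    for iface in trunk.members:
        if reachable.get(iface, False):
            return iface
    return None

# Constructed sample setup mirroring the thread: LAN1 -> OPT, with check to 8.8.8.8
ROUTES = [PolicyRoute("LAN1", "192.168.1.", "OPT", "8.8.8.8")]
TRUNK = Trunk(["WAN1", "WAN2", "OPT"])
PKT = {"in": "LAN1", "src": "192.168.1.10"}

def egress_when(opt_up: bool) -> Optional[str]:
    """Egress for PKT given whether the OPT probe succeeds (WAN1/WAN2 assumed up)."""
    return select_egress(PKT, ROUTES, TRUNK, {"WAN1": True, "WAN2": True, "OPT": opt_up})
```

With OPT reachable the packet leaves via OPT; once the check fails the rule steps aside and the trunk sends it via WAN1, which is exactly the external-IP change the original poster observed.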


  • Zyxel_Jeff

    Hi @phphil

    You may consider Spillover of Trunk.

    First, navigate to Network > Interface > Ethernet > edit the WAN1, WAN2 and OPT bandwidth, e.g. their bandwidth is 1Gbps.

    Second, navigate to Network > Interface > Trunk > Add a Spillover configuration and move your OPT port to the highest position.


  • phphil
    Thank you PeterUK, your suggestion worked perfectly!
  • phphil
    I've noticed later on that all the VPN tunnels won't work anymore after adding the routing rule. The rule works perfectly for fixing the main issue, but it interferes with the VPN connections.

    The VPN connections are configured to use the OPT interface already, so I don't really see why the tunnel goes down as soon as I enable the routing rule.

    I've already tried to tweak the rule by changing the incoming interface, avoiding the use of "Any (Excluding Zywall)" and using specific LAN interfaces instead (we have 3 LANs; I've created 3 separate routing rules). But this doesn't work either; the site-to-site VPN tunnels go down.

    Any idea what could cause this?
  • PeterUK
    edited January 2021

    Is this with the newest firmware?

    Do the tunnels nail up on your side?

    Do you only have one WAN IP to the OPT?

    Seems like a bug; I can't see why that routing rule would cause that.

    What you could try for the routing rule is to set "source address" to your LAN subnet.
