USG 210 - weird behaviour during WAN failover
Options
the_maxtor
Posts: 3
in Security
Hi community, this is my first post here.
I'm playing with a Zyxel USG 210, I'm trying to configure properly the WAN failover feature.
We have 2 WAN connection, WAN1 is pure ethernet with static IP, WAN2 is a PPPoE connection over VLAN 100, which parent's interface is WAN2. Connectivity check is also enabled on both WAN1 and PPPoE interfaces and the IP address to ping is 1.1.1.1
Default Trunk is a custom spillover Trunk, with PPPoE interface set as active and WAN1 as passive.
We also configured 2 policy routes, for outbound connection for LAN clients. The first policy route said that traffic from LAN1 interface to any other destination should use PPPoE interface and the second policy route said that traffic from LAN1 interface to any other destination should use WAN1 interface.
When we completed the configuration we wanted to test the failover, in order to be sure it works properly.
Scenario1: We remove cable from WAN2 (the internet connection we use as primary), no issue whatsoever, the firewall failover to WAN1 correctly
Scenario2: We remove cable from WAN1 (the secondary internet connection) the clients are not able to reach the internet anymore. Traceroute from clients stops at 1st hop (the firewall), PPPoE connection is still up, but for some reason the firewall removes both default routes for WAN1 and WAN2/PPPoE, even if it should remove only the default route of the disconnected interface: WAN1 . If we disconnect and connect again the PPPoE interface then the firewall add the default route for WAN2/PPPoE and everything starts working again. Why is that? Did anyone have this same issue?
I'm playing with a Zyxel USG 210, I'm trying to configure properly the WAN failover feature.
We have 2 WAN connection, WAN1 is pure ethernet with static IP, WAN2 is a PPPoE connection over VLAN 100, which parent's interface is WAN2. Connectivity check is also enabled on both WAN1 and PPPoE interfaces and the IP address to ping is 1.1.1.1
Default Trunk is a custom spillover Trunk, with PPPoE interface set as active and WAN1 as passive.
We also configured 2 policy routes, for outbound connection for LAN clients. The first policy route said that traffic from LAN1 interface to any other destination should use PPPoE interface and the second policy route said that traffic from LAN1 interface to any other destination should use WAN1 interface.
When we completed the configuration we wanted to test the failover, in order to be sure it works properly.
Scenario1: We remove cable from WAN2 (the internet connection we use as primary), no issue whatsoever, the firewall failover to WAN1 correctly
Scenario2: We remove cable from WAN1 (the secondary internet connection) the clients are not able to reach the internet anymore. Traceroute from clients stops at 1st hop (the firewall), PPPoE connection is still up, but for some reason the firewall removes both default routes for WAN1 and WAN2/PPPoE, even if it should remove only the default route of the disconnected interface: WAN1 . If we disconnect and connect again the PPPoE interface then the firewall add the default route for WAN2/PPPoE and everything starts working again. Why is that? Did anyone have this same issue?
0
All Replies
-
The 1st policy route need to be set with a Connectivity check in advanced so that when that route fails the 2nd route takes over.
0 -
I can assure you that is not the problem. On the system logs you can see that whenever an interface goes down the firewall correctly disables all the related policy routes. And by the way, everything works like a charm when we disconnect the primary WAN0
-
0
-
0
-
Hi,
... the custom trunk you mentioned above... (ppoe as active, wan1 passive, spillover)0 -
Hello @the_maxtor,Currently, we have two methods to achieve WAN failover, one is by WAN trunk, another is by policy route, and it seems you set up both methods at the same time, could you choose one of them and try again? Please refer to the YouTube tutorials.WAN trunk -> failover to passive interface. https://www.youtube.com/watch?v=jogTfujoHkIPolicy route -> ignore policy route rule from table. https://www.youtube.com/watch?v=6XhyZ3KWaxcThanks,James0
Guru Member
Ally Member
Zyxel Employee
Categories
- All Categories
- 383 Beta Program
- 2.1K Nebula
- 116 Nebula Ideas
- 80 Nebula Status and Incidents
- 5.1K Security
- 75 USG FLEX H Series
- 247 Security Ideas
- 1.3K Switch
- 69 Switch Ideas
- 907 WirelessLAN
- 34 WLAN Ideas
- 5.9K Consumer Product
- 209 Service & License
- 335 News and Release
- 71 Security Advisories
- 21 Education Center
- 5 [Campaign] Zyxel Network Detective
- 1.9K FAQ
- 889 Nebula FAQ
- 415 Security FAQ
- 233 Switch FAQ
- 203 WirelessLAN FAQ
- 46 Consumer Product FAQ
- 137 Service & License FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 73 About Community
- 62 Security Highlight
