Prefer one WAN on either firewall rather than use second WAN
-
Hi everyone
I'm building a two firewall CARP pair, each with a WAN connection to two different ISPs. One ISP has a 1Gb synchronous link, the other asynchronous 1Gb down but only 100Mb up. Each firewall has its own IP on each ISP network and they share a CARP VIP on each ISP network which is used for NAT. There are two LANs and the firewalls use CARP to provide gateway HA.
I'd like to failover from the primary firewall to the secondary when the synchronous WAN connection goes down, to use the synchronous WAN link on the secondary. I only want to use the asynchronous WAN (on either firewall) if the synchronous WAN is also down on the secondary firewall.
Is that possible? I've read this, but it doesn't seem to be covered, or my eyes are missing the important part. I've looked here on the forums too but I can't find that scenario discussed.
-
@ads76
What makes you think that the up-link to ISP A will still be available at the secondary, after it went down on the primary? This wouldn't be the case at all. "Uplink going down" means that the monitoring pings to the ISP gateway or to another public IP are failing or get a very high latency. The monitoring IP is normally the same on both nodes, because it is synced from the primary to the secondary.
Hence if a gateway is detected as offline on the primary it gets the same status on the secondary as well.
-
@viragomann Thanks for helping clarify my understanding. I think I was conflating link down (e.g. to a local WAN modem) with gateway down.
If the link to the WAN1 modem goes down on one firewall, then presumably CARP kicks in and triggers a firewall failover to the secondary, unless the link to the WAN1 modem is down there too, in which case the secondary firewall would still have higher advskew.
If the gateway monitor IP (e.g. 8.8.8.8) is detected as down or has packet loss/high latency, but the link to the modem is still up, then CARP plays no role but gateway detection determines that gateway is down and begins using the other WAN link as its fallback route.
Do I understand that correctly?
-
@ads76
CARP has nothing to do with dual-WAN at all. CARP provides redundancy of the routers, dual-WAN provides redundancy of internet connections.
CARP: the secondary monitors if the primary is alive and takes over the connections if the advertisements are missing. It takes over both WANs and decides by its own gateway monitoring and settings which to use.
Dual-WAN: Each firewall monitors both upstream connections and decides which to use according to your gateway settings. The gateway settings are normally synced from the primary to the secondary.
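The tiered gateway-group decision described in this reply, as an added example that is not from the thread or from pfSense/OPNsense code. Gateway names, the loss and latency thresholds and the ping samples are constructed for illustration. It also runs the same synced settings against each node's own monitor results, to show why a CARP failover does not bring back a gateway that both nodes see as down:

```python
"""Tiered gateway-group selection, modelled on the dual-WAN behaviour
described in the thread.  Added example, not code from the forum post or
from pfSense/OPNsense.  Gateway names, thresholds and the ping samples
below are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class GatewaySettings:
    """One member of a gateway group as it would be synced to both nodes."""
    name: str
    tier: int                       # lower tier is preferred; higher tiers are fallbacks
    loss_high_pct: float = 20.0     # assumed: loss at or above this marks the gateway down
    latency_high_ms: float = 500.0  # assumed: RTT at or above this marks the gateway down


@dataclass(frozen=True)
class MonitorSample:
    """Result of one node's own ping monitoring of a gateway's monitor IP."""
    rtt_ms: float
    loss_pct: float


def gateway_is_up(gw: GatewaySettings, sample: MonitorSample) -> bool:
    """A gateway counts as online only while loss and latency both stay below the thresholds."""
    return sample.loss_pct < gw.loss_high_pct and sample.rtt_ms < gw.latency_high_ms


def choose_gateway(group: List[GatewaySettings],
                   samples: Dict[str, MonitorSample]) -> Optional[str]:
    """Pick the gateway a node routes through: the lowest tier that has an online member.

    Several online members in one tier would be load-balanced in the real
    product; here the lowest-loss, then lowest-latency member is chosen as a
    simplification.  Returns None when every member of the group is down.
    """
    online = [gw for gw in group if gateway_is_up(gw, samples[gw.name])]
    if not online:
        return None
    best_tier = min(gw.tier for gw in online)
    same_tier = [gw for gw in online if gw.tier == best_tier]
    return min(same_tier,
               key=lambda gw: (samples[gw.name].loss_pct,
                               samples[gw.name].rtt_ms,
                               gw.name)).name


def decide_on_both_nodes(group: List[GatewaySettings],
                         primary: Dict[str, MonitorSample],
                         secondary: Dict[str, MonitorSample]) -> Dict[str, Optional[str]]:
    """Apply the same synced gateway settings to each node's own monitor results.

    Both nodes ping the same monitor IP through the same ISP, so when that
    ISP's gateway is unreachable both mark it down and both pick the same
    fallback; a CARP failover to the secondary does not recover WAN1.
    """
    return {"primary": choose_gateway(group, primary),
            "secondary": choose_gateway(group, secondary)}


# Constructed gateway group: WAN1 (the 1Gb ISP A link) preferred, WAN2 as the fallback tier.
GROUP = [GatewaySettings("WAN1_GW", tier=1), GatewaySettings("WAN2_GW", tier=2)]

# Constructed monitor results for a few situations.
HEALTHY = {"WAN1_GW": MonitorSample(12.0, 0.0), "WAN2_GW": MonitorSample(21.0, 0.0)}
WAN1_UNREACHABLE = {"WAN1_GW": MonitorSample(0.0, 100.0), "WAN2_GW": MonitorSample(21.0, 0.0)}
WAN1_DEGRADED = {"WAN1_GW": MonitorSample(740.0, 3.0), "WAN2_GW": MonitorSample(21.0, 0.0)}
ALL_DOWN = {"WAN1_GW": MonitorSample(0.0, 100.0), "WAN2_GW": MonitorSample(0.0, 100.0)}

if __name__ == "__main__":
    print("healthy:", choose_gateway(GROUP, HEALTHY))
    print("ISP A unreachable, seen by both nodes:",
          decide_on_both_nodes(GROUP, WAN1_UNREACHABLE, WAN1_UNREACHABLE))
    print("WAN1 high latency:", choose_gateway(GROUP, WAN1_DEGRADED))
    print("everything down:", choose_gateway(GROUP, ALL_DOWN))
```

The thresholds are the only knobs that turn a degraded link into a "down" gateway; a latency spike just under `latency_high_ms` keeps traffic on WAN1, so the values need to match what the application traffic actually tolerates.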
-
@viragomann Got it, thanks