Netgate Discussion Forum

    Do Virtual IPs in a multi-WAN (failover) configuration make sense?

    Routing and Multi WAN
    • bgeneto

      I need some basic help in order to configure Virtual IPs in a two-WAN failover setup (one LAN only). If anyone has a tutorial to share… or please kindly follow my (standard) steps below to see what's going wrong:
      1. First I create a virtual IP (Proxy ARP): here you can define one (and only one) interface (e.g., WAN1) associated with the new virtual IP (VIP) address. This VIP must be a valid WAN1 subnet address;
      2. In the next step one usually defines a NAT 1:1 rule (also bound to only one interface, typically the same as previously configured for VIPs, i.e. WAN1) to map the VIP to a private LAN subnet address;
      3. Now the tricky part (at least to me): add a firewall rule allowing traffic (from anywhere/any port) to the corresponding private IP address (as set up in NAT 1:1). Here I can see three rational options:
        3a. creating a floating rule (for interfaces WAN1 and WAN2) with the default gateway;
        3b. creating a floating rule (for interfaces WAN1 and WAN2) selecting the failover gateway (in advanced features);
        3c. creating a static WAN1 rule selecting the failover gateway (in advanced features);

      But since the VIP and NAT were created exclusively for the WAN1 interface, which option should I use in order to allow incoming traffic from WAN1 or WAN2 (when WAN1 fails) that is destined for the configured VIP to be addressed to the private IP? Is only one rule sufficient to accomplish this? Does it make sense for two failover WANs with completely different subnets/networks?

      Any help is welcome.

      • mibovrd

        http://www.osnet.eu/sites/www.osnet.eu/files/appliances/policybased_multiwan.pdf

        Tweet: MIBovrd@cqrite http://www.cqrite.com

        • urbangear

          I have the same setup (multi WAN/single LAN), assigning two of my public IPs to two different hosts in my LAN. After adding VIPs and assigning those to my internal hosts, I then created a rule in WAN with a default gateway, as both public IPs belong to the WAN interface

          and it worked… be sure to use another ISP to check if it's accessible from the outside

          • bgeneto

            @urbangear:

            I have the same setup (multi WAN/single LAN), assigning two of my public IPs to two different hosts in my LAN. After adding VIPs and assigning those to my internal hosts, I then created a rule in WAN with a default gateway, as both public IPs belong to the WAN interface

            and it worked… be sure to use another ISP to check if it's accessible from the outside

            But in your case there is no load balancing (at least you didn't mention it), so a rule in WAN is just fine. What if your WAN is Tier 1 in a failover gateway group? Would still creating the rule in WAN and selecting the failover gateway group grant access to your VIPs from WAN (Tier 1) and WAN2 (Tier 2) also? Or would a floating rule be more appropriate in this case?

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.