Netgate Discussion Forum

Does Virtual IPs in a multiWAN (failover) configuration make sense?

Routing and Multi WAN
  • B
    bgeneto
    last edited by Mar 27, 2012, 12:59 AM

    I need some basic help in order to configure Virtual IPs in a two WAN failover setup (one LAN only). If one has a tutorial to share… or please kindly follow my (standard) steps below to see what's going wrong:
    1. First I create a virtual IP (Proxy ARP): here you can define one (and only one) interface (e.g., WAN1) associated with the new virtual IP (VIP) address. This VIP must be a valid WAN1 subnet address;
    2. In the next step one usually defines a NAT 1:1 rule (also bound to only one interface, typically the same as previously configured for VIPs, i.e. WAN1) to map the VIP to a private LAN subnet address;
    3. Now the tricky part (at least to me): Add a firewall rule allowing traffic (from anywhere/any port) to the corresponding private IP address (as setup in NAT 1:1). Here I can see three rational options:
      3a. creating a floating rule (for interfaces WAN1 and WAN2) with default gateway;
      3b. creating a floating rule (for interfaces WAN1 and WAN2) selecting the failover gateway (in advanced features); 
      3c. creating a static WAN1 rule selecting the failover gateway (in advanced features);

    But since the VIP and NAT were created exclusively for the WAN1 interface, which option should I use in order to allow incoming traffic from WAN1 or WAN2 (when WAN1 fails) that is destined to the configured VIP to be addressed to the private IP? Is only one rule sufficient to accomplish this? Does it make sense for two failover WANs with completely different subnets/networks?

    Any help is welcome.

    • M
      mibovrd
      last edited by Mar 27, 2012, 5:23 AM

      http://www.osnet.eu/sites/www.osnet.eu/files/appliances/policybased_multiwan.pdf

      Tweet: MIBovrd@cqrite http://www.cqrite.com

      • U
        urbangear
        last edited by Mar 27, 2012, 8:33 AM

        I have the same setup (multi WAN/single LAN), assigning two of my public IPs to two different hosts in my LAN. After adding VIPs and assigning those to my internal hosts, I then created a rule in WAN with a default gateway, as both public IPs belong to the WAN interface

        and it worked… be sure to use another ISP to check if it's accessible from the outside

        • B
          bgeneto
          last edited by Mar 27, 2012, 11:29 PM

          @urbangear:

          I have the same setup (multi WAN/single LAN), assigning two of my public IPs to two different hosts in my LAN. After adding VIPs and assigning those to my internal hosts, I then created a rule in WAN with a default gateway, as both public IPs belong to the WAN interface

          and it worked… be sure to use another ISP to check if it's accessible from the outside

          But in your case there is no load balancing (at least you didn't mention it), so a rule in WAN is just fine. What if your WAN is Tier 1 in a failover gateway group? Would still creating the rule in WAN and selecting the failover gateway group grant access to your VIPs from WAN (Tier 1) and WAN2 (Tier 2) also? Or would a floating rule be more appropriate in this case?
