How do I set up the Firebox for multiWAN in round-robin order?
Fireware/MultiWAN
This document applies to:
Appliance
Firebox X Core / Firebox X Core e-Series / Firebox X Peak /
Firebox X Peak e-Series
Appliance Software versions
Fireware 8.3 / Fireware Pro 8.3
Management Software versions
WatchGuard System Manager 8.3
Introduction
The multi-WAN functionality of Fireware is designed to give the Firebox® administrator more control and greater efficiency with a very large or high-traffic network. You can use Fireware® appliance software to configure up to four
Firebox interfaces as external or wide area network (WAN) interfaces. You can control the flow of traffic through multiple WAN interfaces to share the load of outgoing traffic.
Fireware gives you the option to configure multiple external interfaces. This allows you to connect the Firebox to
more than one Internet Service Provider (ISP). When you configure multiple external interfaces, you have three
options to control which interface outgoing packets use:
Multi-WAN in round robin order
This document explains how you can share the load of outgoing traffic among external interfaces through
“round robin”. It works like this:
- The first host, with IP address x.x.x.x, sends an HTTP request to the Internet. The packets in this session are
sent through the lowest-numbered external interface.
- The second host, with IP address y.y.y.y, sends an HTTP request to the Internet. The packets in this session
are sent through the external interface with the second-lowest number.
- The third host, with IP address z.z.z.z, sends an HTTP request to the Internet. The packets in this session are
sent through the lowest-numbered external interface (if there are only two external interfaces configured) or
the external interface with the third-lowest number.
As each host initiates a connection, the Firebox cycles through external interfaces using the pattern explained
above.
Multi-WAN failover
Another option is failover, which allows you to configure additional external interfaces as backup if the primary
external interface is down. For more information see
https://www.watchguard.com/support/Fireware_Howto/83/HowTo_SetupWANFailover.pdf
Multi-WAN with the routing table
If you select this option, the Firebox uses the routes set in its internal routing table to send packets through the
correct external interface. For more information see
https://www.watchguard.com/support/Fireware_Howto/83/HowTo_MultiWANroutingtable.pdf
Is there anything I need to know before I start?
As soon as you configure a second external interface, multiple WAN support is automatically enabled with MultiWAN in round robin order set as the default.
Note that:
- If you have a policy configured with an individual external interface alias in its configuration, you must change
the configuration to use the alias “Any-External”.
- If you use the multiple WAN feature, map your company’s Fully Qualified Domain Name to the external interface
IP address of the lowest order. If you add a multi-WAN Firebox to your Management Server configuration, you
must add the Firebox using its lowest-ordered external interface to identify it.
- You cannot use 1-to-1 NAT in a multiple WAN configuration. If you have a public SMTP server behind your
Firebox, you must set up a static NAT rule to allow access to your public SMTP e-mail server. Then, you can set up
multiple MX records, one for each external Firebox interface.
- If you have a multiple WAN configuration, you cannot use the policy-based, dynamic NAT Set Source IP option.
Use the Set Source IP option only when your Firebox uses a single external interface.
- Multiple WAN support does not apply to branch office or Mobile User VPN traffic. Branch office and Mobile User
VPN traffic always uses the first external interface configured for the Firebox. RUVPN with PPTP operates correctly
in a multiple WAN configuration.
- The multiple WAN feature is not supported in drop-in mode.
Configure the Firebox for Multi-WAN in Round-Robin Order
1. From Policy Manager, select Network > Configuration.
The Network Configuration dialog box appears.
2. Select the interface you want to configure as external and click Configure. Select External from the Interface
Type drop-down list to activate the dialog box. Type an interface name and description.
You must have a minimum of two external network interfaces configured before you can see and configure multi-WAN settings.
3. Type the IP address and default gateway for the interface. Click OK.
When you type an IP address, type all the numbers and the periods. Do not use the TAB or arrow key.
After you configure a second external interface, multiple WAN configuration options appear in the Network Configuration dialog
box.
4. Make sure that Multi-WAN in round robin order is selected. This will send traffic sessions through the external
interfaces in sequence.
5. In the WAN Ping Address dialog box, double-click in the Ping Address column to add an IP address or domain
name for each external interface. We recommend that you use the IP address of a computer external to your
organization.
When an external interface is active, the Firebox pings the IP address or domain name you set here every 20 seconds to see if the
interface is operating correctly. If there is no response after three pings, the Firebox starts to use the subsequent configured external
interface. It then starts to ping the WAN ping address you set for that interface to check for connectivity.
6. Click OK. Save your changes to the Firebox.
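The session assignment described under "Multi-WAN in round robin order" and the WAN ping check from step 5, modelled in Python as an added example (a simulation written for this page, not Fireware code). The interface numbers, the ping addresses and the rule that one reply clears the missed-ping count are assumptions.

```python
from dataclasses import dataclass

PING_INTERVAL_S = 20  # page: the Firebox pings every 20 seconds
MAX_MISSED = 3        # page: no response after three pings


@dataclass
class ExternalInterface:
    number: int        # interface number; lower numbers come first
    ping_address: str  # WAN ping address (constructed sample value)
    missed: int = 0    # consecutive pings without a reply

    @property
    def up(self):
        return self.missed < MAX_MISSED


class MultiWanModel:
    """Simulation of round-robin session assignment; not Fireware code."""

    def __init__(self, interfaces):
        self.interfaces = sorted(interfaces, key=lambda i: i.number)
        self._next = 0

    def record_ping(self, number, replied):
        iface = next(i for i in self.interfaces if i.number == number)
        # Assumption: one reply clears the count (the page does not say).
        iface.missed = 0 if replied else iface.missed + 1

    def assign(self):
        """Return the interface number used for the next new session."""
        for _ in self.interfaces:
            iface = self.interfaces[self._next]
            self._next = (self._next + 1) % len(self.interfaces)
            if iface.up:
                return iface.number
        raise RuntimeError("no external interface passes its ping check")


def demo():
    fw = MultiWanModel([ExternalInterface(3, "198.51.100.1"),
                        ExternalInterface(0, "192.0.2.1")])
    before = [fw.assign() for _ in range(3)]   # three hosts, healthy links
    for _ in range(MAX_MISSED):                # interface 0 stops replying
        fw.record_ping(0, replied=False)
    after = [fw.assign() for _ in range(2)]
    # Upper bound on detection time, ignoring the ping timeout itself.
    return before, after, MAX_MISSED * PING_INTERVAL_S
```

`demo()` returns the interface sequence for three sessions on healthy links, the sequence after interface 0 misses three pings, and the detection window in seconds.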
Frequently Asked Questions About This Procedure
I have a public SMTP server behind my Firebox. Because the multi-WAN feature does not work with 1-to-1
NAT, what do I do?
Because you cannot use 1-to-1 NAT with the multi-WAN feature, you will have to set up a static NAT rule to allow
access to your public SMTP e-mail server. Then, you must set up multiple MX records, one for each external
Firebox interface.
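A way to check the "one MX record for each external Firebox interface" requirement against exported DNS data, as an added example that is not part of the original document. The simplified `name TYPE data` record format, the domain and all addresses are constructed, and the check assumes each MX target has an A record pointing at one external interface address.

```python
def parse_records(zone_text):
    """Parse 'name TYPE data...' lines (simplified zone format) into tuples."""
    records = []
    for line in zone_text.splitlines():
        parts = line.split(";", 1)[0].split()  # drop comments, tokenize
        if len(parts) < 3:
            continue
        name, rtype, *data = parts
        records.append((name.lower().rstrip("."), rtype.upper(), data))
    return records


def uncovered_interfaces(zone_text, domain, external_ips):
    """Return external interface IPs that no MX record for `domain` reaches."""
    records = parse_records(zone_text)
    domain = domain.lower().rstrip(".")
    a_records = {}
    for name, rtype, data in records:
        if rtype == "A":
            a_records.setdefault(name, set()).add(data[0])
    mx_ips = set()
    for name, rtype, data in records:
        if name == domain and rtype == "MX" and len(data) >= 2:
            target = data[1].lower().rstrip(".")  # data = [preference, host]
            mx_ips |= a_records.get(target, set())
    return [ip for ip in external_ips if ip not in mx_ips]


# Constructed sample data (documentation address ranges, not from the page).
EXTERNAL_IPS = ["192.0.2.10", "198.51.100.10"]
ZONE_ONE_MX = """
example.com.      MX 10 mx1.example.com.
mx1.example.com.  A  192.0.2.10
"""
ZONE_TWO_MX = ZONE_ONE_MX + """
example.com.      MX 20 mx2.example.com.
mx2.example.com.  A  198.51.100.10
"""
```

With only one MX record the second external interface is reported as uncovered, so inbound mail has no path through it if the first ISP link fails.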
Can I use round-robin for incoming connections?
Yes. If you use multi-WAN in round-robin mode, it is possible to set up round-robin DNS with your DNS provider to
do load-balancing among more than one external interface.
Was this document helpful? Please send your feedback to faq@watchguard.com.
SUPPORT:
www.watchguard.com/support
U.S. and Canada +877.232.3531
All Other Countries +1.206.613.0456
COPYRIGHT © 2006 WatchGuard Technologies, Inc. All rights reserved.
WatchGuard, the WatchGuard logo, Firebox, Core, and Fireware are registered trademarks or trademarks of
WatchGuard Technologies, Inc. in the United States and/or other countries.