ISP Redundancy with SonicWall
If you have used the internet then you know that there will be disruptions and that many of those disruptions are caused by your ISP.
The best part is that you can minimize ISP caused internet disruptions by having multiple ISPs and configuring your router/firewall to failover properly when one link has a failure. The SonicWall firewalls have built in support to manage multiple ISPs with failover. While this article was created using a SonicWall TZ 215 running SonicOS Enhanced 5.8.1.13-1o, the steps are pretty much the exact same using other SonicWall models and SonicOS versions, such as my NSA 3500 running SonicOS Enhanced 5.9.0.3-117o. Everything is pretty much the same. Differences will be seen in the number of interfaces. This article will explain configuring multiple ISPs/WANs on SonicWall firewalls.
Configuring your router for basic failover means only the primary Internet connection will normally be used and the secondary connection will be used only if the primary fails. The advantage to failover is it ensures all traffic is going over a single path.
If the primary ISP goes down, then the tracked IP address fails, and the default route is removed from OSPF or EIGRP. Then, the core switch installs the less-preferred static route that points at the second ASA. Then, users would go out the second ISP. But to be honest, you should not do this. USE VLAN ID: Optional / Dependent on ISP Load Balancing: Failover Only / Weighted LB Load Balancing Weight (Weighted LB only): 50 or customized Report Interface Events: Checked Enable Smart Queues: Optional. Apply the settings. Failover means that when the primary connection is down, the secondary connection takes over. If two ISP links are set up so that the primary link takes 100% of the traffic, then there is no load balancing implemented. For maximum reliability you should use at least 2 ISP connections. The benefit of this is that you’re insulated from many issues. In addition, we recommend that you use physically diverse paths coming in to your building from unique providers, such as: fiber and cable, DSL and fixed-wireless, or T1 and cable, that way you’ll have the ultimate in Internet redundancy.
Inbound vs Outbound Link Balancing
The important thing to understand is the difference between inbound and outbound ISP redundancy. If you have servers on the inside of your network that need to be accessed from outside, you will want to have inbound redundancy. You may wish to read a previous article on Link Balancers that explains how this can be done. However, if what you need is just outbound link balancing, then your SonicWall should be able to do exactly what you need. Even better, this article will show you how!
Configure Your SonicWall for Multiple ISPs/WANs
Step 1 – Physical Connection
Your SonicWall will typically have multiple interfaces that can be used for ISP connections. In the image above the typical LAN(X0) and WAN(X1) interfaces are likely already being used for your first ISP/WAN and your LAN. For this example, I used interface X2 for my second ISP. If it is available, then plug your second ISP’s uplink cable there.
Step 2 – Configure Your X2 Network Interface
Configure the SonicWall X2 Network Interface
Next, we need to login to the SonicWall Firewall with your web browser. Navigate to Network / Interfaces. Find X2 in the list and click on the pencil edit button for X2.
First, you will want to set the Zone for this interface to “WAN”.
Next, you will type in the static or DHCP IP Addressing information that your ISP gave you.
If you want to be able to manage your SonicWall using this address and interface, then allow that by checking the protocols on the Management Line.
Click Ok, when done.
Step 3 – Browse to Network / Failover & LB
Enable load balancing by checking the “Enable Load Balancing” check box, then under “Groups”, find the “Default LB Group” and click the Configure / Pencil button for the Default LB Group.
At this point, you will need to choose a “Type” for this Load Balancer. There are 4 types to choose from:
* Basic Failover – Probes the internet on both interfaces, but all traffic goes through your primary. If the primary goes down, traffic goes through secondary.
* Round Robin – Traffic goes equally over both ISP interfaces. If one goes down, all traffic goes through the one that is still up.
* Spill-over – All traffic up to a specified MBPS rating goes through the primary ISP interface, traffic over the threshold goes through the secondary ISP interface.
* Ratio – When both ISP interfaces are up, traffic goes through each using a specified ratio that we configure adding up to 100% (70-30,60-40,etc…).
* Round Robin – Traffic goes equally over both ISP interfaces. If one goes down, all traffic goes through the one that is still up.
* Spill-over – All traffic up to a specified MBPS rating goes through the primary ISP interface, traffic over the threshold goes through the secondary ISP interface.
* Ratio – When both ISP interfaces are up, traffic goes through each using a specified ratio that we configure adding up to 100% (70-30,60-40,etc…).
Make your “Type” choice. I chose “round robin” which makes the options you see above. I then chose the X2 interface and added it to the Selected Interface Pool on the right using the “Add >>” button. Your options will be slightly different depending on the “type” choice you chose above. For Spill-over, you will choose how much bandwidth to use on the primary before spilling traffic over to the secondary interface. If you chose ratio, you will decide what percentage of the total traffic to send over each interface.
Configure SonicWall Failover and Load Balancing Probing
Configure Probing
Probing is what is used to detect if an ISP is up and operational or not. We tell it how frequently to check the interface, how many failures it takes to deactivate the interface, and how many successful checks to make before reactivating the interface again.
We also can check the “Probe responder.global.sonicwall.com on all interfaces in this group” to have it probe the SonicWall system through each interface for the probe. Set these the way you want and then…
Click Ok. This will bring you back to the Failover and LB page.
You should see something similar to what is shown in the image above with both interfaces in the group and statistics displaying. Be sure to click the “Accept” button.
Your SonicWall should now be configured for Failover and Load Balancing.
The following two tabs change content below.Jeff has 20 years of professional IT experience, having done nearly everything in his roles of IT consultant, Systems Integrator, Systems Engineer, CNOC Engineer, Systems Administrator, Network Systems Administrator, and IT Director. If there is one thing he knows for sure, it is that there is always a simple answer to every IT problem and that downtime begins with complexity. Seasoned IT professional by day, Jeff hopes to help other IT professionals by blogging about his experiences at night on his blog: http://uptimemadeeasy.com. You can find Jeff on Google+ or LinkedIn at: LinkedIn or Twitter at: Twitter
- Configure Your HP Procurve Switch with SNTP - May 5, 2015
- Configuring HP Procurve 2920 Switches - May 1, 2015
- Troubleshooting Sendmail - November 28, 2014
Related posts:
WAN Failover |
|
- 2Settings
- 3Reports
- 5WAN Failover FAQs
About WAN Failover
WAN Failover works in conjunction with multiple ISPs to assure that you maintain Internet connectivity if a loss of connectivity occurs on one of your WAN connections. If one of your ISP links goes down, WAN Failover will automatically route all traffic over the other WAN(s) until service is restored.
You may also consider using WAN Balancer in your network as well - it allows you to maintain an automatic distribution of traffic over multiple WAN links rather than just failing over if one goes down.
Tests are configured for each WAN which are run continuously to determine the current status of each interface. If enough test fail on a given WAN to exceed the failure threshold then the WAN is considered down and internet-bound traffic will not go out that WAN. The lowest ID active WAN is used as the current default WAN interface for internet-bound traffic.
Settings
This section reviews the different settings and configuration options available for WAN Failover.
Status
The status tab presents an overview of the WANs and the current test results.
- Interface ID: The number of the interface.
- Interface Name: The name of the interface in Untangle's GUI.
- System Name: The name of the interface as seen by Untangle's OS.
- Online Status: True or False whether the WAN is online.
- Current Tests Count: The total number of the tests ran on that interface.
- Tests Passed: The total number of the tests ran on that interface that passed.
- Tests Failed: The total number of the tests ran on that interface that failed.
Tests
WAN Failover must have tests set up for every WAN interface; these tests are set up on the Tests tab. Just click Add, select your interface and test type, then run the test - if it passes, go ahead and save it.
Tests is how WAN Failover determines if the given WAN interface is up or down so it is important to pick tests carefully that correlate with the status of that WAN connection. For example, pinging an ISP router is generally a good test because it will usually fail when the ISP is down but work when connectivity is good. Pinging a public site like google.com may work, but may sometimes have false positives or false negatives.Pinging the gateway may also work, but may sometimes provide false positives when the gateway is reachable but the ISP itself is offline.
The options are as follows:
- Interface: The interface you want to set up a test for.
- Description: A description for this test.
- Testing Interval: Determines how often (in seconds) your specified test will be executed.
- Timeout: The maximum amount of time that may pass without receiving a response to your test. This value should be less than the Testing Interval. You should make sure that you allow for enough time to pass if you have a poor connection to the internet, or a connection that often has long latency (delays) associated with it.
- Failure Threshold: How many failures are acceptable during the testing period.
- Test Type: is the specific method you will use to determine whether failover will be initiated. Test Types are explained below.
Note on DNS tests:
Warning DNS tests use all the DNS entries in the Interface WAN settings. If the DNS entries are only available on a specific WAN, for example ISP DNS only available on their network, then routes must be configured for those DNS servers. Otherwise some DNS tests will fail as the DNS is not reachable on a non-ISP WAN making Untangle falsely see the WAN as down.
Reports
The Reports tab provides a view of all reports and events for all traffic handled by WAN Failover.
Reports
This applications reports can be accessed via the Reports tab at the top or the Reports tab within the settings. All pre-defined reports will be listed along with any custom reports that have been created.
Reports can be searched and further defined using the time selectors and the Conditions window at the bottom of the page. The data used in the report can be obtained on the Current Data window on the right.
Pre-defined report queries:
Report Entry | Description |
---|---|
WAN Failover Summary | A summary of WAN Failover actions. |
WAN Disconnect Events | The number of disconnect events grouped by WAN. |
WAN Interface Outages | The fails tests of each interface over time. |
Outage Events | Events where the failure threshold was exceeded and the WAN was considered offline. |
Test Events | All test events and their outcome. |
Failed Test Events | All tests that resulted in failure. |
Success Test Events | All tests that resulted in success. |
The tables queried to render these reports:
Related Topics
WAN Failover FAQs
I installed and configured WAN Failover, but nothing is happening. What should I do?
Make sure each ISP's interface has is WAN Interface? checked at Config > Networking > Interfaces and has all of the required information properly entered. You'll also need to verify WAN Failover has tests set up for each WAN connection. If you're only using WAN Failover, you'll need to disconnect your primary WAN to get traffic to flow over the secondary. If you're using WAN Balancer, make sure your weights are set properly.
What tests should I use for Failover?
This is really up to you. Untangle provides four test methods - in each case, Untangle sends out data packets and decides if the WAN is up or down depending on your specified Testing, Timeout and Failure Threshold intervals:
- Ping Test: Untangle will ping the specified IP address.
- ARP Test: Untangle will ARP for its gateway.
- DNS Test: Untangle will make a request to the upstream DNS server.
- HTTP Test: Untangle will make a connection to the specified domain name.
Is a ping test better than the HTTP test?
Yes and no - ping tests are simpler and more straight forward than the HTTP test, but some network operators block ping requests. In both cases, you should select IP addresses that are external to your network but relatively close to you. As the number of network hops increases, the chances of encountering a bad or slow link increases. When that happens, Untangle may interpret it as a network problem and report one of your WAN connections as failing.
What Is My Isp Information
I only have one internet connection. Why would I want WAN Failover?
With a single WAN connection, its obvious that you have no alternative if your internet connection fails. You can still monitor the uptime of your ISP with WAN Failover by defining a rule that will log service interruptions. If downtime is hurting you financially, WAN Failover can help you document it rather inexpensively.
Which Internet Provider Is Best
Retrieved from 'https://wiki.untangle.com/index.php?title=WAN_Failover&oldid=24548'