
WAN failover with both local gateways

Nextgen Cloudgen firewall wan failover isp lbfailover route metric wan failover

#1 Bryan Smeets

  • Members
  • 8 posts

Posted 22 February 2019 - 05:01 AM



A client of ours has two internet connections: cable (primary) and DSL (failover). Both connections have a local device which is managed by the ISP, so the gateway of both connections is at the same site as the F18 firewall. Both connections are NAT-NAT, by the way, because there is only one WAN address assigned to each connection, but I doubt that's an issue here.


Both connections are statically configured with a source-based route to Connection 1 has a preference of 100; the second connection has 110.


As instructed in the documentation, a lbfailover connection is created in the firewall (Connections). At step 6, the manual states: "Select From Interface as the NAT Address."

I don't get this step to be honest, but I've set up the following:


NAT Settings
  Translated Source IP: Network interface
  Interface name: eth3 (wan 1)
  Weight: 1

Failover and Load Balancing
  Policy: Failover
  Alternatives, Type: Network interface
  Value: eth4 (wan 2)



What happens now: when I actually disconnect the link to eth3 or shut down the ISP's managed device, the firewall switches to the second ISP. When the first link returns, it is used again.

However, when there is a problem at ISP 1, the firewall doesn't switch to the failover connection, because the first link is still active and its configured gateway is the local managed device, which is still available.


I can't afford to change settings in a live environment, because the box needs to restart the network after each change and I can't risk losing the device because of some misconfiguration. So this is what I've found out so far, and I would like to know if this is the best practice:


In the IPv4 Routing table, under both targets, I set the first hop (after the ISP routers) of each connection. The documentation says: "In the Connection Monitoring section, add a target IP address to be used for monitoring into the Reachable IPs table. This address must be reachable only via the DHCP connection." Not minding the DHCP part here, both first hops are reachable through the other connection, so basically I can enter something like here, right?


Since the Route Metric determines the preferred connection, what is the use of the lbfailover connection?


Thanks in advance. If I need to supply more information, let me know!

#2 Manuel Huber

  • Members
  • 166 posts

Posted 25 February 2019 - 06:38 AM

I'd recommend using more than one Reachable IP address to avoid any issues in case the monitored IP address is not reachable. We just experienced such an issue with Google DNS a few weeks ago (German Telekom had some issues towards Google DNS), so you might want to add e.g. and/or (or probably something more suitable in your specific setup).


According to Barracuda support, you should enter the reachable IPs both in the routing table default route and in the corresponding source-based routing table default route. I think this route monitoring really only works reliably if you do so.


The connection object needs to be used in the firewall rule(s). You might have several such connection objects, e.g. one firewall rule that uses cable primarily with DSL as fallback, whereas for some other rule you might want to use DSL primarily with cable as fallback, etc.
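The two points raised in this thread, that a locally managed ISP device keeps answering during an upstream outage (post #1) and that a single Reachable IP target can cause a false failover (post #2), come down to one decision rule: which link carries traffic given the route metric, the local gateway state and the probe results beyond the gateway. The following Python model is an added example, not Barracuda's code and not how the CloudGen firewall is implemented internally; link names, metrics, the `min_ok` threshold and the probe target addresses (from documentation ranges) are all constructed for illustration.

```python
# Added example (not the firewall's own code): a model of the WAN failover
# decision discussed in the thread. Names, metrics and probe results are
# constructed for illustration only.
from dataclasses import dataclass, field


@dataclass
class WanLink:
    name: str
    metric: int                 # lower wins, like the 100 / 110 preferences above
    gateway_up: bool            # the ISP-managed device on the LAN side answers
    # Reachable-IP probe results for targets *beyond* the ISP device:
    # target -> True if it answered through this link (constructed values).
    probes: dict = field(default_factory=dict)


def link_usable(link: WanLink, min_ok: int = 1) -> bool:
    """Decide whether a link may carry traffic.

    With no Reachable-IP targets the only signal is the local gateway, which
    stays up during an upstream ISP outage (the situation in post #1).
    With targets, the link counts as usable when at least `min_ok` of them
    answer, so one flaky target (the Google DNS incident in post #2) does
    not trigger a failover by itself.
    """
    if not link.gateway_up:
        return False
    if not link.probes:
        return True
    return sum(1 for ok in link.probes.values() if ok) >= min_ok


def select_link(links, min_ok=1):
    """Return the name of the lowest-metric usable link, or None if none is."""
    usable = [link for link in links if link_usable(link, min_ok)]
    if not usable:
        return None
    return min(usable, key=lambda link: link.metric).name


def scenario(cable_probes, dsl_probes, min_ok=1, cable_gateway_up=True):
    """Build the two links from post #1 with constructed probe results."""
    cable = WanLink("cable-eth3", 100, cable_gateway_up, cable_probes)
    dsl = WanLink("dsl-eth4", 110, True, dsl_probes)
    return select_link([cable, dsl], min_ok)


if __name__ == "__main__":
    # 1. No Reachable IPs configured: ISP 1 is broken upstream, but the local
    #    gateway still answers, so the firewall stays on cable.
    print(scenario({}, {}))                                            # cable-eth3
    # 2. Same outage, but the cable link itself (or its gateway) is down.
    print(scenario({}, {}, cable_gateway_up=False))                    # dsl-eth4
    # 3. One probe target each, cable's upstream dead: failover works.
    print(scenario({"198.51.100.1": False}, {"198.51.100.1": True}))   # dsl-eth4
    # 4. Two targets; only one of them fails on cable: stay on cable.
    print(scenario({"198.51.100.1": False, "203.0.113.1": True},
                   {"198.51.100.1": True, "203.0.113.1": True}))       # cable-eth3
    # 5. Every target fails on both links: nothing usable.
    print(scenario({"198.51.100.1": False}, {"198.51.100.1": False}))  # None
```

Scenario 1 is the behaviour described in the first post: without targets beyond the ISP device, gateway reachability alone never detects an upstream fault. Scenario 4 is the reason for the second post's advice to list more than one Reachable IP, since with `min_ok=1` a single unreachable target does not move traffic off the primary link.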