EdgeRouter: Configure dual WAN with EdgeRouter POE

By | January 7, 2016

As more and more “smart home” devices were installed around the house, a 24/7 Internet connection became a necessity. The solution I chose was a backup mobile Internet connection for the home. To make this completely transparent to the “Internet of things” devices in the house, the backup had to be set up at the router level.

The setup:
1. EdgeRouter POE as the main router
2. Hitron cable router in bridge mode for the UPC 500/25 Mbps cable Internet
3. D-Link DWR-921/E 4G LTE Router for the Vodafone 3G/4G mobile Internet

The setup is quite straightforward:
1. Link eth0 to the Hitron router as the main link.
2. Link eth1 to the D-Link router as the backup link.
3. Go to the EdgeRouter POE GUI and choose the 2WAN 1LAN wizard. NOTE: The wizard replaces all of your existing EdgeRouter configuration, so make sure you back up your custom setup first. This includes VPN, NAT, port forwarding and custom route settings.
4. Add the second WAN, eth1, as the fail-over WAN.

As a result of the wizard we get the following:

The eth0 config:

ubnt@ubnt# show interfaces ethernet eth0
    address dhcp
    description Internet
    duplex auto
    firewall {
        in {
            name WAN_IN
        }
        local {
            name WAN_LOCAL
        }
    }
    poe {
        output off
    }
    speed auto

The eth1 config:

ubnt@ubnt# show interfaces ethernet eth1
    address dhcp
    description "Internet 2"
    duplex auto
    firewall {
        in {
            name WAN_IN
        }
        local {
            name WAN_LOCAL
        }
    }
    poe {
        output off
    }
    speed auto

The eth2, eth3 and eth4 configuration is the same as before:

ubnt@ubnt# show interfaces ethernet eth2
    description Local
    duplex auto
    poe {
        output off
    }
    speed auto
[edit]
ubnt@ubnt# show interfaces ethernet eth3
    description Local
    duplex auto
    poe {
        output 48v
    }
    speed auto
[edit]
ubnt@ubnt# show interfaces ethernet eth4
    description Local
    duplex auto
    poe {
        output 48v
    }
    speed auto

A new load-balancing configuration appears, in which eth1 is set as failover-only. Because the mobile link is much slower than the main line, I want it used only for failover:

ubnt@ubnt# show load-balance
    group G {
        interface eth0 {
        }
        interface eth1 {
            failover-only
        }
    }

The wizard also adds a new “modify balance” rule to the firewall. The new firewall rules look like the following:

    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians disable
    modify balance {
        rule 1 {
            action modify
            modify {
                lb-group G
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable

The NAT configuration is defined on both WAN interfaces:

ubnt@ubnt# show service nat
    rule 5000 {
        outbound-interface eth0
        type masquerade
    }
    rule 5002 {
        outbound-interface eth1
        type masquerade
    }

The port forwarding setup configured from the GUI supports only one WAN interface:

ubnt@ubnt# show port-forward
    auto-firewall enable
    hairpin-nat enable
    lan-interface switch0
    rule 1 {
        description https
        forward-to {
            address 192.168.2.21
            port 443
        }
        original-port 443
        protocol tcp
    }
    rule 2 {
        description ipsec1
        forward-to {
            address 192.168.2.21
            port 500
        }
        original-port 500
        protocol udp
    }
    rule 3 {
        description ipsec2
        forward-to {
            address 192.168.2.21
            port 4500
        }
        original-port 4500
        protocol udp
    }
    rule 4 {
        description ipsec3
        forward-to {
            address 192.168.2.21
            port 1701
        }
        original-port 1701
        protocol udp
    }
    wan-interface eth0

5. TODO change the port forwarding rule to support both WANs

6. Configure port forwarding also in the D-Link router.

7. To check the load-balance status, exit configuration mode and then run the status command:

ubnt@ubnt:~$ show load-balance status
Group G
interface : eth0
carrier : up
status : active
gateway : 84.117.103.1
weight : 100
flows
WAN Out : 28622
WAN In : 144
Local Out : 13126

interface : eth1
carrier : up
status : failover
gateway : 192.168.0.1
weight : 0
flows
WAN Out : 50
WAN In : 4
Local Out : 16667

Then check the connection watchdog status:

ubnt@ubnt:~$ show load-balance watchdog
Group G
eth0
status: Running
pings: 1387
fails: 2
run fails: 0/3
route drops: 1
ping gateway: ping.ubnt.com - REACHABLE
last route drop : Fri Sep 18 03:49:51 2015
last route recover: Fri Sep 18 03:50:24 2015

eth1
status: Running
failover-only mode
pings: 354
fails: 0
run fails: 0/3
route drops: 2
ping gateway: ping.ubnt.com - REACHABLE
last route drop : Fri Sep 18 06:40:46 2015
last route recover: Fri Sep 18 06:43:50 2015
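
Added example, not part of the original post: a Python parser for the `show load-balance watchdog` output above that lists the links the watchdog reports as unhealthy, for instance to alert when traffic has moved to the mobile backup. The eth0 sample lines are taken from the output above; the eth1 failure values are constructed, and the function names are hypothetical.

```python
import re

# eth0: lines from the `show load-balance watchdog` output shown in this post.
# eth1: constructed failing values (the exact failure wording is an assumption).
SAMPLE = """\
Group G
eth0
status: Running
pings: 1387
run fails: 0/3
ping gateway: ping.ubnt.com - REACHABLE
last route drop : Fri Sep 18 03:49:51 2015

eth1
status: Waiting on recovery (0/3)
failover-only mode
run fails: 3/3
ping gateway: ping.ubnt.com - DOWN
"""

def parse_watchdog(text):
    """Return {interface: {field: value}} from the watchdog output."""
    links, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if re.fullmatch(r"[a-z]+\d+(\.\d+)?", line):      # interface header, e.g. eth0
            current = links.setdefault(line, {"failover_only": False})
        elif current is None or not line:
            continue                                       # "Group G" line, blank lines
        elif line == "failover-only mode":
            current["failover_only"] = True
        elif ":" in line:
            key, value = line.split(":", 1)                # keeps the colons in timestamps
            current[key.strip()] = value.strip()
    return links

def link_problems(links):
    """Return (interface, reason) pairs for links the watchdog reports as unhealthy."""
    problems = []
    for name, f in links.items():
        if f.get("status") != "Running":
            problems.append((name, "status: " + f.get("status", "missing")))
        if f.get("ping gateway", "").split()[-1:] != ["REACHABLE"]:
            problems.append((name, "ping target not reachable"))
        failed, limit = f.get("run fails", "0/0").split("/")
        if int(failed) > 0:                                # read here as failures in a row
            problems.append((name, f"{failed}/{limit} probe failures in a row"))
    return problems

print(link_problems(parse_watchdog(SAMPLE)))
```

Anything other than a trailing `REACHABLE` on the ping gateway line is treated as a failure, so the check does not depend on the exact wording EdgeOS uses for an unreachable target.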
