While most consumers will only have one WAN (internet) connection, there are times when two WAN connections may be better than one:
- Your primary internet is not stable and needs a backup internet connection.
- Your primary internet is slow, and you need to add another line for bandwidth (and redundancy).
Firewalla's Multi-WAN feature helps you manage a maximum of two WAN connections in either primary/failover or load balancing mode. The experience inside a multi-WAN network should be no different from a single WAN, only a bit better thanks to the added availability and bandwidth.
If you have the Firewalla Gold:
You can just use one of Gold's ports as a new WAN interface, just like your primary WAN.
If you are using the Firewalla Purple:
The Purple Wi-Fi can tether to your mobile phone and create a dynamic backup internet for your whole house while the primary WAN is down.
If you have a multi-WAN configuration, Firewalla will show you the live throughput on each WAN separately when you are connected to the local networks.
How to configure Multi-WAN:
Multi-WAN configuration only becomes available when more than one WAN network is enabled. To create a new WAN connection:
- Tap on Network Manager
- Tap on Edit -> Create Network
- Select WAN Connection
- Tap the Ethernet Port you'd like to create the WAN connection on, then save your configuration.
After you have created a secondary WAN, you can configure how multiple connections handle internet traffic under "Multi-WAN Setting". There are two modes:
- Failover (Default)
- Load Balance
The multi-WAN setting is only available if you are running in "Router Mode". The number of WAN connections currently is limited to 2 on the Firewalla App.
Failover mode is intended to ensure the availability of the internet connection: a standby network takes over when the active connection fails. In this mode, only one WAN circuit is active at any time. (There may be traffic on the standby to do basic connectivity checks.)
- Active & Standby State: When both connections are enabled, the Primary WAN will be active, and the other one will be standby. If the active connection fails, the standby will become active to maintain uninterrupted internet connectivity.
- Primary WAN: The Primary WAN will be active when both connections are available at the same time.
- Auto Failback: When the primary connection fails, the standby WAN takes over. If Auto Failback is enabled, the connection will fail back to the Primary automatically when it resumes.
If you are using DDNS or VPN with failover mode:
- DDNS always points to the Active WAN.
- Traffic on the VPN Server network will always be sent to the Active WAN. If the Active WAN is down, you'll need to manually reconnect the VPN.
- VPN client traffic will be sent to the primary WAN.
- All traffic will be routed to the Active WAN unless specified.
If you want to "lock/pin" certain traffic to go to a certain WAN connection:
You can create a "route" for it, so that when this WAN is down, the traffic matching the "route" will be dropped instead of failing over to the backup WAN.
For example, suppose you are using your mobile hotspot as your backup WAN on Purple in case your ISP is down, yet you don't want video or gaming traffic to kill your mobile plan. You can create Routes to send all video and gaming traffic of all your devices to the primary WAN connection.
More details on Firewalla Policy & Content-based routing.
Load balancing distributes network traffic across multiple networks. It helps improve the responsiveness of internet access and ensures no single network gets overloaded. This mode is ideal if you live in areas that have slow and unstable internet.
Weight Ratio: Load balance allows you to set a relative weight for each WAN connection. The weight is defined as the percentage of traffic (or connections) sent through the connection.
- If one of the WAN connections fails, the other will take over all the traffic.
- Load balancing is done at layer 3, by looking at the IP address. If your flows all have the same destination IP address, they will always flow to the same interface. (This is to ensure correct behavior when dealing with banks and other services that check the source IP.)
- Load balancing may not work for sites (like banks) that check consistency on the source IP address. If this happens, you can manually route traffic using Firewalla Policy & Content-based routing.
- DDNS will be pointed to a random WAN.
- Traffic on the VPN Server network will be sent to a random WAN.
Note: There is a known issue that causes unstable VPN connections if you are using WireGuard in dual-WAN load balancing mode. If this happens to you, please contact us at email@example.com.
- VPN Client traffic will be distributed between two WANs.
- All traffic will be distributed between two WANs unless specified.
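The sketch below is an added example, not Firewalla's code: it models the weight ratio and destination-IP stickiness described above. Hashing the destination address with SHA-256 is an assumed mechanism, and the names `pick_wan`, `traffic_share`, `wan1` and `wan2` are hypothetical.

```python
import hashlib
import ipaddress

def pick_wan(dst_ip, weights, up):
    """weights: {wan: percent}, up: {wan: bool}. Returns a WAN name or None."""
    live = {w: p for w, p in weights.items() if up.get(w)}
    if not live:
        return None                    # no WAN passed its connectivity test
    if len(live) == 1:
        return next(iter(live))        # the surviving WAN takes all traffic
    # Only the destination address feeds the hash, so every flow to one
    # server leaves on the same WAN and shows that server one source IP.
    # Assumption: weights are positive percentages.
    digest = hashlib.sha256(ipaddress.ip_address(dst_ip).packed).digest()
    point = int.from_bytes(digest[:8], "big") % sum(live.values())
    for wan in sorted(live):
        if point < live[wan]:
            return wan
        point -= live[wan]

def traffic_share(weights, up, n=10000):
    """Fraction of n constructed destinations (10.0.0.0 upward) per WAN."""
    counts = dict.fromkeys(weights, 0)
    for i in range(n):
        dst = str(ipaddress.IPv4Address(0x0A000000 + i))
        counts[pick_wan(dst, weights, up)] += 1
    return {w: c / n for w, c in counts.items()}
```

A site served from several addresses can still have its connections split across both WANs, which is the case where pinning that traffic with a route is the fix.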
WAN Connectivity Test
WAN Connectivity tests are used to decide which WAN circuit is to be used and to trigger failover and failback actions. You can configure this test.
Ping test and DNS test are used for WAN Connectivity Test. If one of the tests fails, the WAN connectivity will be considered to be lost.
- Up to 3 Ping test targets are supported
- You can edit the Ping Test Count and Success Rate Threshold.
The test will ping each of the targets several times (Ping Test Count) on every test. If the success rate is lower than the Success Rate Threshold you've set, the test will be considered as failed.
You can edit which domain is used for the test.
If DNS servers fail to resolve the target domain, the DNS test will be considered as failed.
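As an added example (not Firewalla's implementation), the following models the connectivity test rule together with the failover, Auto Failback and pinned-route behavior described earlier. It assumes the ping success rate is computed across all targets together; the class and function names, the WAN names `isp` and `hotspot`, and the 192.0.2.x targets are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class ProbeResult:
    ping_replies: dict   # ping target -> replies received (out of ping_count)
    dns_resolved: bool   # True if the DNS servers resolved the test domain

def wan_is_up(result, ping_count, success_threshold):
    """Connectivity is lost if either the ping test or the DNS test fails."""
    sent = ping_count * len(result.ping_replies)
    received = sum(result.ping_replies.values())
    # Assumption: the success rate is computed over all targets together.
    ping_ok = sent > 0 and received / sent >= success_threshold
    return ping_ok and result.dns_resolved

class Failover:
    def __init__(self, primary, standby, auto_failback=True):
        self.primary, self.standby = primary, standby
        self.auto_failback = auto_failback
        self.active = primary           # primary is active when both are up

    def update(self, up):
        """up maps WAN name -> bool from wan_is_up(); returns the active WAN."""
        other = self.standby if self.active == self.primary else self.primary
        if not up[self.active] and up[other]:
            self.active = other         # failover
        elif (self.active != self.primary and self.auto_failback
              and up[self.primary]):
            self.active = self.primary  # automatic failback
        return self.active

    def egress(self, up, pinned_wan=None):
        """WAN a flow leaves on; None means the flow is dropped."""
        if pinned_wan is not None:      # a route pins this traffic to one WAN
            return pinned_wan if up[pinned_wan] else None
        return self.active

def demo():
    # Constructed probe results: 14/15 replies vs 3/15 replies, count = 5.
    good = ProbeResult({"192.0.2.1": 5, "192.0.2.2": 4, "192.0.2.3": 5}, True)
    lossy = ProbeResult({"192.0.2.1": 1, "192.0.2.2": 0, "192.0.2.3": 2}, True)
    fo = Failover("isp", "hotspot")
    up = {"isp": wan_is_up(lossy, 5, 0.6), "hotspot": wan_is_up(good, 5, 0.6)}
    active = fo.update(up)
    return active, fo.egress(up), fo.egress(up, pinned_wan="isp")
```

In `demo()`, the lossy primary fails its ping test, ordinary traffic moves to the hotspot, and traffic pinned to the primary is dropped rather than sent over the mobile plan.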
Learn more on Network Events and Connectivity Test.