While most consumers will only have one WAN (internet) connection, there are times when two WAN connections may be better than one:
- Your primary internet is not stable and needs a backup internet connection.
- Your primary internet is slow, and you need to add another line for bandwidth (and redundancy).
Firewalla's Multi-WAN feature will help you to manage a maximum of two WAN connections in either primary/failover or load balancing mode. The experience inside a multi-WAN network should be no different from a single WAN, only a bit better thanks to the added availability and bandwidth.
If you have the Firewalla Gold:
You can just use one of Gold's ports as a new WAN interface, just like your primary WAN.
If you are using the Firewalla Purple:
Firewalla Purple allows a maximum of one Wi-Fi and one ethernet WAN connection for a total of two WAN connections.
The Purple Wi-Fi can tether to your mobile phone and create a dynamic backup internet for your whole house while the primary WAN is down.
If you have a multi-WAN configuration, Firewalla will show you the live throughput on each WAN separately when you are connected to the local networks.
How to configure Multi-WAN:
Multi-WAN configuration only becomes available when more than one WAN network is enabled. To create a new WAN connection:
- Tap on Network Manager
- Tap on Edit -> Create Network
- Select WAN Connection
- Tap the Ethernet Port you'd like to create the WAN connection on, then save your configuration.
After you have created a secondary WAN, you can configure how multiple connections handle internet traffic under "Multi-WAN Setting". There are two modes:
- Failover (Default)
- Load Balance
The multi-WAN setting is only available if you are running in "Router Mode". The number of WAN connections currently is limited to 2 on the Firewalla App.
Failover:
Failover mode is intended to ensure the availability of the internet connection: a standby network takes over when the active connection fails. In this case, only one WAN circuit is active at any time. (There may be traffic on the standby for basic connectivity checks.)
- Active & Standby State: When both connections are enabled, the Primary WAN will be active, and the other one will be standby. If the active connection fails, the standby will become active to maintain uninterrupted internet connectivity.
- Primary WAN: The Primary WAN will be active when both connections are available at the same time.
- Auto Failback: When the primary connection fails, the standby WAN takes over. If Auto Failback is enabled, the connection will fail back to the Primary automatically when it resumes.
If you are using DDNS or VPN with failover mode:
- DDNS always points to the Active WAN.
- Traffic on the VPN Server network will always be sent to the Active WAN. If the Active WAN is down, you'll need to manually reconnect the VPN.
- VPN client traffic will be sent to the primary WAN.
- All traffic will be routed to the Active WAN unless specified.
Policy-based Routing:
If you want to "lock/pin" certain traffic to go to a certain WAN connection:
You can create a "route" for it, so that when this WAN is down, the traffic matching the "route" will be dropped instead of failing over to the backup WAN.
For example, if you are using your mobile hotspot as your backup WAN on Purple in case your ISP is down, yet you don't want video or gaming traffic to kill your mobile plan, you can create Routes to send all video and gaming traffic of all your devices to the primary WAN connection.
More details on Firewalla Policy & Content-based routing.
Load Balancing:
Load balancing distributes network traffic across multiple networks. It helps improve the responsiveness of internet access and ensures no single network gets overloaded. This mode is ideal if you live in areas that have slow and unstable internet.
Weight Ratio: Load balance allows you to set a relative weight for each WAN connection. The weight is defined as the percentage of traffic (or connections) sent through the connection.
- If one of the WAN connections fails, the other will take over all the traffic.
- Load balancing is done at layer 3, that is, by looking at the IP address. If your flows all have the same destination IP address, they will always flow to the same interface. (This is to ensure correct behavior when dealing with banks ... and other services that check the source IP.)
- Load balancing may not work for sites (like banks) that check consistency on the source IP address. If this happens, you can manually route traffic using Firewalla Policy & Content-based routing.
- DDNS will be pointed to a random WAN.
- Traffic on the VPN Server network will be sent to a random WAN.
Note: There is a known issue that causes unstable VPN connections if you are using WireGuard in dual-WAN load balancing mode. If this happens to you, please contact us at help@firewalla.com.
- VPN Client traffic will be distributed between two WANs.
- All traffic will be distributed between two WANs unless specified.
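To see why destination-based balancing keeps each destination on one WAN while a service spread over several addresses can still see two source IPs, here is an added example (not Firewalla's code). The hash-based selection, the 70/30 weights, the WAN names and the destination addresses are assumptions made for illustration.

```python
import hashlib
import ipaddress

def pick_wan(dst_ip, weights, up):
    """Map a destination IP to a WAN. weights: {wan: percent}, up: {wan: bool}."""
    live = {w: p for w, p in weights.items() if up.get(w) and p > 0}
    if not live:
        return None                      # no usable WAN
    # Assumption: a hash of the destination address stands in for the
    # layer-3 selection, so every flow to one address gets the same answer.
    digest = hashlib.sha256(ipaddress.ip_address(dst_ip).packed).digest()
    point = int.from_bytes(digest[:8], "big") % sum(live.values())
    for wan in sorted(live):
        if point < live[wan]:
            return wan
        point -= live[wan]

def wans_seen_by_site(dst_ips, weights, up):
    """WANs (and so source IPs) a multi-address service would see from this network."""
    return {pick_wan(ip, weights, up) for ip in dst_ips}

def share(wan, dst_ips, weights, up):
    """Fraction of destinations that leave through `wan`."""
    picks = [pick_wan(ip, weights, up) for ip in dst_ips]
    return picks.count(wan) / len(picks)

# Constructed destinations from the 198.18.0.0/15 benchmarking range.
DESTS = [str(ip) for ip in ipaddress.ip_network("198.18.0.0/20").hosts()]
WEIGHTS = {"wan1": 70, "wan2": 30}       # assumed weight ratio
BOTH_UP = {"wan1": True, "wan2": True}
WAN1_DOWN = {"wan1": False, "wan2": True}

if __name__ == "__main__":
    print("wan1 share:", round(share("wan1", DESTS, WEIGHTS, BOTH_UP), 3))
    print("one site, several addresses:", wans_seen_by_site(DESTS[:8], WEIGHTS, BOTH_UP))
    print("wan1 down:", wans_seen_by_site(DESTS, WEIGHTS, WAN1_DOWN))
```

A site that checks source-IP consistency is the case where the second line of output matters: pinning that site's traffic to one WAN with a route removes the ambiguity.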
WAN Connectivity Test
WAN Connectivity tests are used to decide which WAN circuit is to be used and to trigger failover and failback actions. This test can be configured by you.
Ping test and DNS test are used for WAN Connectivity Test. If one of the tests fails, the WAN connectivity will be considered to be lost.
Ping Test:
- Up to 3 Ping test targets are supported
- You can edit the Ping Test Count and Success Rate Threshold.
The test will ping each of the targets several times (Ping Test Count) on every test. If the success rate is lower than the Success Rate Threshold you've set, the test will be considered as failed.
DNS Test:
You can edit which domain is used for the test.
If DNS servers fail to resolve the target domain, the DNS test will be considered as failed.
Learn more on Network Events and Connectivity Test.
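The connectivity test and the failover/failback behaviour described above can be modelled together. This is an added example, not Firewalla's code: the WAN names, the `Round` record, the count of 5 and threshold of 60%, pooling the success rate across all targets, and staying on the standby when Auto Failback is off are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Round:
    """One test round for one WAN (constructed model, not Firewalla's data format)."""
    replies: list       # replies received per ping target, out of PING_COUNT each
    dns_ok: bool        # True if the test domain resolved

PING_COUNT = 5          # assumed "Ping Test Count"
THRESHOLD_PCT = 60      # assumed "Success Rate Threshold"

def wan_up(r, count=PING_COUNT, threshold_pct=THRESHOLD_PCT):
    """Connectivity is lost if either the ping test or the DNS test fails."""
    sent = count * len(r.replies)
    # Assumption: the success rate is taken over all targets together.
    ping_ok = sent > 0 and sum(r.replies) * 100 >= threshold_pct * sent
    return ping_ok and r.dns_ok

def next_active(active, primary, standby, up, auto_failback):
    """Pick the active WAN for failover mode after one test round."""
    if not up[active]:
        other = standby if active == primary else primary
        return other if up[other] else active   # no healthy WAN: keep current
    if active != primary and auto_failback and up[primary]:
        return primary                           # primary resumed: fail back
    return active

# Constructed sample rounds: (primary result, standby result)
HEALTHY = Round([5, 5], True)
ROUNDS = [
    (Round([5, 5], True), HEALTHY),    # both fine
    (Round([2, 3], True), HEALTHY),    # 50% ping success: below threshold
    (Round([5, 5], False), HEALTHY),   # ping fine, DNS fails: still down
    (Round([5, 4], True), HEALTHY),    # primary has resumed
]

def simulate(rounds, auto_failback):
    active, history = "wan1", []
    for primary_r, standby_r in rounds:
        up = {"wan1": wan_up(primary_r), "wan2": wan_up(standby_r)}
        active = next_active(active, "wan1", "wan2", up, auto_failback)
        history.append(active)
    return history

if __name__ == "__main__":
    print("failback on :", simulate(ROUNDS, True))
    print("failback off:", simulate(ROUNDS, False))
```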
Comments
13 comments
When set up in Multi-WAN mode, is it possible to route certain devices out the ISP2 connection while all other devices route out the ISP1 connection?
Maybe a dumb WAN Connectivity Test question.
Since it was on by default after setup, should I assume it should be left on at all times?
Thanks
@nozero, do you see the tests are off?
@Firewalla,
No, still on.
Advanced Options
Connectivity Test
On
>
Test Targets
To test Internet connectivity via Ping test and DNS test. If one of the test fails, the connectivity will be considered to be lost.
@nozero, Yes, we'd suggest you leave it on. The connectivity test is an important feature that can help you identify your ISP connection issues. More information here: https://help.firewalla.com/hc/en-us/articles/4405487405587
@Support Team, Great, and thanks for the info link!
I love that this exists now, but I do have a question.
I have a use case where I would like to hook up my mobile hotspot as backup(WAN2), but if the primary WAN1 goes down and uses the mobile hot spot (WAN2), I only want to allow ONE device (work laptop) to be able to utilize the internet on that backup (WAN2) vs the entire house. Would that be easy to set up, assuming I would just create a RULE that blocks all from that WAN2 then allow only the one device?
The best way is to turn off the obvious bandwidth hogs and leave the other devices on. There is absolutely no need to turn off everything, many IoT devices don't communicate that much, and if you turn them off, you may lose functionalities.
I have an issue where I have set up primary and secondary, and it all works really well. I love it, because it's actually come in handy a few times during WFH video calls. However, if my secondary gateway loses power, I lose ALL internet connectivity (my primary is still live, and if I connect directly to it, it isn't disconnected from its WAN). I found this out when I was moving my secondary to a new location a few feet away and had to power it down. I have since experimented and this is 100% replicable. I'm guessing this wouldn't be considered a feature?
Secondary WAN down should NOT impact primary WAN.
Did you set up any "routes" to force traffic going to the standby? Or use a DNS server only the secondary ISP? If not, send an email to help@firewalla.com, and we can look inside.
Is the Purple really Multi-WAN if you can only have one connection at a time?
Purple can have an ethernet based WAN and a WiFi-based WAN for the purple.
So we have no 4G/5G/LTE signal in our house due to security mesh on the doors/windows etc. I have one ethernet cable running out to our verandah currently wired into a Unifi AP. Is it possible to retain the AP and splice in a 4G failover device such as this: https://www.netgear.com/au/home/mobile-wifi/lte-modems/lb2120/
using a POE switch at the verandah, or do I need to run a 2nd ethernet cable?