While most consumers will only have one WAN (Internet) connection, there are times when two WAN connections may be better than one:
- Your primary internet is not stable and needs a backup internet connection.
- Your primary internet is slow, and needs another line for bandwidth and redundancy.
Firewalla's Multi-WAN feature will help you manage a maximum of two WAN connections in either primary/failover or load balancing mode. Experiences inside a multiple WAN network should be similar to a single WAN network, if not a bit better with the added availability and bandwidth.
If you have Firewalla Gold:
You can use one of Gold's ports as a new WAN interface, just like your primary WAN, or get a Wi-Fi SD and back up your home network with Wi-Fi.
If you have Firewalla Gold + Firewalla WiFi SD:
The Firewalla WiFi SD can be used with the Firewalla Gold (and future Gold products) to tether to your phone (or another Wi-Fi hotspot) when your main network is down. Firewalla's Multi-WAN support then automatically switches away from your primary internet connection, and automatically switches back once your primary internet is up.
If you are using Firewalla Purple:
Firewalla Purple allows a maximum of one Wi-Fi and one Ethernet WAN connection for a total of two WAN connections.
The Purple Wi-Fi can tether to your mobile phone and create a dynamic backup internet for your whole house while the primary WAN is down.
If you have a multi-WAN configuration, Firewalla will show you the live throughput on each WAN separately when you are connected to the local networks.
How to configure Multi-WAN:
Multi-WAN configuration only becomes available when more than one WAN network is enabled and your box is running in "Router Mode". Currently, Multi-WAN settings only support 2 WAN connections.
To create a new WAN connection:
- Tap on Network Manager
- Tap on Edit -> Create Network
- Select WAN Connection
- Tap the Ethernet Port or the Wi-Fi interface you'd like to create the WAN connection on, then save your configuration.
After you create a secondary WAN, you can configure how multiple connections handle Internet traffic under "Multi-WAN Setting". There are two modes:
- Failover (Default)
- Load Balance
Failover mode is intended to ensure the availability of the Internet connection, where you can use a standby network to take over when the active connection fails. In this case, only one WAN circuit is active at any time. There may be traffic on the standby to do basic connectivity checks.
- Active & Standby State: When both connections are enabled, the Primary WAN will be active, and the other one will be on standby. If the active connection fails, the standby network will become active to maintain uninterrupted internet connectivity.
- Primary WAN: The Primary WAN will be active when both connections are available at the same time.
- Auto Failback: When the primary connection fails, the standby WAN takes over. If Auto Failback is enabled, the connection will fail back to the Primary automatically when it resumes.
If you are using DDNS or VPN with failover mode:
- DDNS always points to the Active WAN.
- Traffic on the VPN Server network will always be sent to the Active WAN. If the Active WAN is down, you'll need to manually re-connect the VPN.
- VPN client traffic will be sent to the primary WAN.
- All traffic will be routed to the Active WAN unless specified.
If you want to "lock/pin" certain traffic to go to a certain WAN connection, you can create a "route" for it, so that when this WAN is down, the traffic matching the "route" will be dropped instead of going through the network on standby.
For example, if you are using your mobile hotspot as your backup WAN on Purple but you don't want video or gaming traffic to kill your mobile plan, you can create Routes to send all video and gaming traffic to the primary WAN connection and set the Route Preference to Static.
On the contrary, if you want to send your video traffic to your primary WAN only when it's available, and allow the traffic to go through to the secondary WAN when the primary is down, you can set the Route Preference to Preferred.
More details on Firewalla Policy & Content-based routing.
Another example is Wi-Fi calling. If you have trouble with Wi-Fi calling in a multi-WAN configuration in Load Balance mode, it may be because traffic is split between the WANs, so incoming packets may arrive over a different WAN than the one the corresponding outgoing traffic used. The solution is to create a Preferred Route that sends the ports and domains required for Wi-Fi calling over one WAN. For example, for Verizon you can create routes for:
- Ports: 500,4500
- Domain(s): wo.vzwwo.com
You can find a few other carrier settings here or check with your mobile carrier. With preferred routes for these in place:
- All Wi-Fi calling traffic will go over the specified WAN as long as that WAN is available; if it is not, the traffic will fail over to the alternate WAN. Wi-Fi calling traffic won't be load balanced.
- All other traffic will be load balanced according to the settings you selected.
Load balancing distributes network traffic across multiple networks. It helps improve the responsiveness of internet access and ensures no single network gets overloaded. This mode is ideal if you live in areas that have slow and unstable Internet.
Weight Ratio: Load balance allows you to set a relative weight for each WAN connection. The weight is defined as the percentage of traffic (or connections) sent through the WAN.
- If one of the WAN connections fails, the other will take over all the traffic.
- Load balancing is done at layer 3, or by looking at the IP address. If your flows all have the same destination IP address, they will always flow to the same interface. This behavior is to ensure that your network works correctly when dealing with banks and other services that check the source IP.
- Load balancing may not work for sites (like banks) that check the consistency of the source IP address. If this happens, you can manually route traffic to stay on one network using Firewalla Policy & Content-based routing.
- DDNS will be pointed to a random WAN.
- Traffic on the VPN Server network will be sent to a random WAN.
Note: There is a known issue that causes unstable VPN connections if you use WireGuard in dual-WAN load balancing mode. If you run into this issue, please contact us at firstname.lastname@example.org.
- VPN Client traffic will be distributed between the two WANs.
- All traffic will be distributed between the two WANs unless specified.
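The Static and Preferred route preferences and the destination-based balancing described above can be modelled together, which makes the fail-closed behaviour of a Static route easy to see. This Python model is an added example, not Firewalla's code: the hash-based selector, the WAN names wan_eth and wan_wifi, the 70/30 weights and the video.example and bank.example domains are assumptions, while the Wi-Fi calling ports and domain are the ones given in this article.

```python
# Added example: models route preference and destination-based load balancing.
# The hash selector, WAN names, weights and example domains are assumptions.
import hashlib
import ipaddress

def pick_by_weight(dst_ip, weights):
    """Map a destination IP to a WAN in proportion to the weights. The mapping is
    deterministic, so all flows to one destination leave through the same WAN."""
    digest = hashlib.sha256(ipaddress.ip_address(dst_ip).packed).digest()
    point = int.from_bytes(digest[:4], "big") % sum(weights.values())
    for wan, weight in weights.items():
        if point < weight:
            return wan
        point -= weight

def select_wan(flow, routes, up, weights):
    """Return the WAN a flow uses, or None when the flow is dropped."""
    for route in routes:
        if flow["port"] in route["ports"] or flow.get("domain") in route["domains"]:
            if up[route["wan"]]:
                return route["wan"]
            if route["preference"] == "static":
                return None   # pinned traffic is dropped, never sent to the other WAN
            break             # preferred: fall back to normal selection
    alive = {wan: w for wan, w in weights.items() if up[wan]}
    if len(alive) == 1:
        return next(iter(alive))   # the surviving WAN takes all the traffic
    return pick_by_weight(flow["dst"], alive) if alive else None

ROUTES = [
    # Wi-Fi calling values from the article, kept on one WAN but allowed to fail over.
    {"ports": {500, 4500}, "domains": {"wo.vzwwo.com"},
     "wan": "wan_eth", "preference": "preferred"},
    # Constructed stand-in for a video route pinned to the primary WAN.
    {"ports": set(), "domains": {"video.example"},
     "wan": "wan_eth", "preference": "static"},
]
WEIGHTS = {"wan_eth": 70, "wan_wifi": 30}
CALL = {"dst": "192.0.2.10", "port": 4500}
VIDEO = {"dst": "198.51.100.20", "port": 443, "domain": "video.example"}
WEB = {"dst": "203.0.113.30", "port": 443, "domain": "bank.example"}

if __name__ == "__main__":
    for up in ({"wan_eth": True, "wan_wifi": True}, {"wan_eth": False, "wan_wifi": True}):
        print(up, [select_wan(f, ROUTES, up, WEIGHTS) for f in (CALL, VIDEO, WEB)])
```

With wan_eth down, the Wi-Fi calling flow moves to wan_wifi, the pinned video flow is dropped, and the unpinned flow follows whichever WAN is still up.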
When running Internet Speed Test or Quality Test with load balancing mode:
- The traffic will not be balanced between the two WANs. The box will randomly pick a WAN for each test, so your test results may vary from time to time.
WAN Connectivity Test
WAN Connectivity tests are used to decide which WAN circuit can be used and to trigger failover and failback actions if necessary. There are two types of tests available for each WAN connection: Ping Tests and DNS Tests. If one of the tests fails, the WAN connection will be considered lost.
- Up to 3 Ping test targets are supported.
- You can edit the Ping Test Count and Success Rate Threshold.
The test will ping each target several times (Ping Test Count) on every test. If the success rate is lower than the Success Rate Threshold you've set, the test will be considered failed.
You can edit which domain is used for the test. If DNS servers fail to resolve the target domain, the DNS test will be considered failed.
Learn more about Network Events and Connectivity Test.
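How the connectivity tests drive failover and Auto Failback can be followed round by round in a small model. This Python code is an added example, not Firewalla's implementation: the WAN names, the 50% threshold, the count of 4 pings, the test targets and the sample rounds are constructed, and it assumes the success rate is computed over all pings in a round.

```python
# Added example: models the article's connectivity tests and failover rules.
# Thresholds, WAN names, targets and the sample rounds are constructed.

def ping_test_ok(pings, threshold):
    """pings: {target: [True/False per ping]}; up to 3 targets per the article.
    Assumption: the success rate is computed over all pings of the round."""
    if not 1 <= len(pings) <= 3:
        raise ValueError("1 to 3 ping targets expected")
    flat = [ok for replies in pings.values() for ok in replies]
    return sum(flat) / len(flat) >= threshold

def wan_up(pings, dns_resolved, threshold):
    """If either the Ping test or the DNS test fails, the WAN is considered lost."""
    return ping_test_ok(pings, threshold) and dns_resolved

def next_active(active, primary, up, auto_failback):
    """Return the WAN carrying traffic after this test round (None = no Internet)."""
    standby = next(w for w in up if w != primary)
    if active is None or not up[active]:
        # Fail over to whichever WAN still passes, preferring the primary.
        return primary if up[primary] else (standby if up[standby] else None)
    if active != primary and up[primary] and auto_failback:
        return primary            # Auto Failback: the primary has resumed
    return active                 # otherwise stay on the current WAN

def simulate(rounds, primary="wan_eth", threshold=0.5, auto_failback=True):
    active, history = primary, []
    for rnd in rounds:
        up = {w: wan_up(t["pings"], t["dns"], threshold) for w, t in rnd.items()}
        active = next_active(active, primary, up, auto_failback)
        history.append(active)
    return history

def sample(replies, dns=True):
    # Constructed test result: same replies from two documentation-range targets.
    return {"pings": {"192.0.2.1": replies, "198.51.100.1": replies}, "dns": dns}

GOOD, LOSSY, DEAD = [True] * 4, [True, False, False, False], [False] * 4
ROUNDS = [
    {"wan_eth": sample(GOOD), "wan_wifi": sample(GOOD)},    # both healthy
    {"wan_eth": sample(LOSSY), "wan_wifi": sample(GOOD)},   # 25% success, below 50%
    {"wan_eth": sample(GOOD, dns=False), "wan_wifi": sample(GOOD)},  # DNS test fails
    {"wan_eth": sample(GOOD), "wan_wifi": sample(GOOD)},    # primary resumes
    {"wan_eth": sample(DEAD), "wan_wifi": sample(DEAD)},    # both lost
]

if __name__ == "__main__":
    print(simulate(ROUNDS))                       # with Auto Failback
    print(simulate(ROUNDS, auto_failback=False))  # stays on standby until it fails
```

The third round shows why the DNS test matters: every ping succeeds, yet the WAN is still treated as lost because name resolution fails.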