How to ensure VPN Client only uses primary WAN
Answered
For context, I have a failover WAN setup. I have the Firewalla connecting to a VPN to allow me to watch content for a different country. I have a VLAN that I put all my streaming devices into, and in the VPN client setup, I apply it to the VLAN so all devices in that VLAN go over the VPN connection.
I want to force my VPN client traffic to only use the primary WAN and if the WAN goes down and fails over to WAN2, block the VPN traffic from going over WAN2.
I believe I read in Firewalla support articles that it only uses the primary WAN, but I don't think this is true. Last night my primary ISP went down and I was streaming content and it never stopped, and very quickly I burned through a ton of my backup WAN data plan. What's the best/proper way to accomplish this? I think I've found two ways but I'm not sure.
- Create a route matching all internet traffic and, for the network, select the VLAN. Make it a static route.
- Create a route matching traffic to the domain or ip address of the VPN server the client connects to. Apply to All Devices. Set to Static.
I don't think option 1 accomplishes my goal because I had that route set up before my primary went down last night and I burned a ton of data on my backup WAN. My reasoning for why it didn't work is that the route says traffic from devices on the VLAN routes via WAN1, but with the VPN client being applied to the VLAN devices, the traffic from the devices goes over the VPN tunnel before the routing rules can be applied to it. Is that true?
I'm going to try option 2, but I'm hoping that this rule will force the initial VPN connection from Firewalla to the VPN server to go over WAN1, and if the WAN goes down and the VPN client tries to reconnect to the server, the static rule will mean the connection attempt is dropped.
I'm curious if others have done this and what worked. Am I missing something?
Official comment
Currently, we don't support specifying a WAN interface for a VPN client.
The above-mentioned methods will not work, because there's no option to control which WAN should be used to establish the VPN client connection.
You can upvote this feature request in our community, such as https://help.firewalla.com/hc/en-us/community/posts/4413999034131-Enable-routing-of-the-VPN-client-over-a-selected-WAN-link. This is the best way to gain more attention from our engineering team.
I had this problem.
The easy fix is to not add your streaming devices into the VPN via the VPN Client configuration (i.e., Apply To) but rather create a route for it.
Route Matching: All Video Sites
On: Streaming Device Group
Interface: Your VPN
Make the route static so it will not failover.