About Multi-WAN
By default, multi-WAN is not enabled for modems. Multi-WAN does not impact BOVPNs or inbound traffic.
Multi-WAN Requirements and Conditions
You must have a second Internet connection and more than one external interface to use most multi-WAN configuration options.
Conditions and requirements for multi-WAN use include:
- If you have a policy configured with an individual external interface alias in its configuration, you must change the configuration to use the alias Any-External, or another alias you configure for external interfaces. If you do not do this, some connections could be denied by your firewall policies.
- Multi-WAN settings do not apply to incoming connections. When you configure a policy for inbound connections, you can ignore all multi-WAN settings.
- Map the Fully Qualified Domain Name used by your company to the external interface IP address of the lowest order. If you add a multi-WAN Firebox to your Management Server configuration, you must use the lowest-ordered external interface to identify it when you add the device.
- To use multi-WAN, you must use mixed routing mode for your network configuration. This feature does not operate in drop-in or bridge mode network configurations.
You can use one of four multi-WAN configuration options to manage your network connections. For more information on each option, go to About Multi-WAN Methods.
When you enable multi-WAN, the Firebox monitors the status of each external interface. Make sure that you define a link monitor host for each interface. We recommend that you configure two link targets for each interface.
For more information, go to About Link Monitor.
Multi-WAN is not supported on the Firebox T10. Multi-WAN is supported on T15 devices with Fireware v12.3 or higher. Modem failover is supported for the Firebox T10 and T15. This is true even after an upgrade to Fireware v12.1 or higher, which converts modems to external interfaces. For more information, see Configure Modem Failover.
Multi-WAN and Participating Interfaces
In the multi-WAN configuration you can select which external interfaces participate in multi-WAN. You must select at least two interfaces to participate in multi-WAN. If all interfaces selected in the multi-WAN configuration are down, the Firebox routes outbound connections through the non-participating external interface that has the lowest routing metric.
Multi-WAN and SD-WAN
After you configure multiple external interfaces, you can create policies that send outgoing connections to a specific external interface. The SD-WAN routing settings in a policy override the settings in the multi-WAN configuration for connections that the policy applies to.
For information about SD-WAN, go to About SD-WAN.
In Fireware v12.3 or higher, SD-WAN replaces policy-based routing. In Fireware v12.2.1 or earlier, to route traffic to a different external interface, you must use policy-based routing. When you upgrade to Fireware v12.3 or higher, policy-based routing without failover is converted to an SD-WAN action with a single interface. Policy-based routing with failover is converted to an SD-WAN action with multiple interfaces. In Policy Manager, the policy-based routing setting is still available for backwards compatibility with older Fireware OS versions. For more information about policy-based routing, go to Configure Policy-Based Routing in Fireware v12.2.1 or lower in the WatchGuard Knowledge Base.
Multi-WAN and DNS
Make sure that your DNS server can be reached through every WAN. Otherwise, you must modify your DNS policies such that:
- The From list includes Firebox.
- An SD-WAN action is selected that includes a WAN interface that can reach the DNS server.
If only one WAN can reach the DNS server
Select an SD-WAN action that includes that WAN interface.
In the Web UI, select the SD-WAN tab, and then select an SD-WAN action. In Policy Manager, select Route Outbound Traffic Using > SD-WAN Based Routing.
If more than one WAN can reach the DNS server
You can select an SD-WAN action that includes all WAN interfaces that can reach the DNS server.
In the SD-WAN action, the first interface in the list is the primary interface. The primary interface is preferred if it is up and has metrics that do not exceed the values you specified in the SD-WAN action. You can move interfaces up or down in the list to change the primary interface.
For more information about SD-WAN configuration, go to Configure SD-WAN.
Multi-WAN and FireCluster
You can use multi-WAN failover with the FireCluster feature, but they are configured separately. Multi-WAN failover caused by a failed connection to a link monitor host does not trigger FireCluster failover. FireCluster failover occurs only when the physical interface is down or does not respond. FireCluster failover takes precedence over multi-WAN failover.
Default Route Distance
If your Firebox has only one external interface (single WAN), the default route distance (metric) is 5. If your Firebox has more than one external interface (multi-WAN), the default route distance is 20 for an external interface that does not participate in multi-WAN.
For an external interface that participates in multi-WAN, the default route distance depends on the multi-WAN configuration:
| Multi-WAN Method | Default Route Distance (Metric) |
|---|---|
| Routing Table | 5 |
| Round Robin | 5 |
| Interface Overflow | 5 |
| Failover | 10 |
| Failover (secondary external interface) | 11 |
For each additional secondary external interface, increase the distance value by 1. For example, if you have three secondary external interfaces, the distances are 11, 12, and 13.
For more information about the route table, go to Read the Firebox Route Tables.