Network > WAN Failover & LB
WAN Failover and Load Balancing allows you to designate the Modem interface
for dialup backup or use the user-assigned OPT interface as
a Secondary backup WAN port. The Secondary WAN port can be used in a simple
active/passive setup, where traffic is only routed through the Secondary WAN
port if the Primary WAN port is down and/or unavailable. This feature is referred
to as basic failover. This allows the SonicWALL security appliance
to maintain a persistent connection for WAN port traffic by failing over to
the modem or a secondary WAN port. It can also be used in a more dynamic active/active
setup, where the administrator can choose a method of dividing outbound traffic
flows between the Primary fixed WAN port and the user-assigned Secondary WAN
port. This latter feature is referred to
as load balancing.
Before you begin, be sure you have configured a user-defined interface to mirror
the WAN port settings.
WAN Failover Caveats
WAN Failover and Load-Balancing applies to outbound-initiated traffic only;
it cannot be used to perform inbound load-balancing functions, such as what
a content switching or load-balancing appliance provides.
- Make sure that the SonicWALL security appliance has the proper NAT policies
for the Secondary WAN interface. An incorrect or missing NAT Policy for
the Secondary WAN port is the most common problem seen when configuring WAN
Failover & Load-Balancing.
- The Primary and Secondary WAN ports cannot be on the same IP subnet; each
WAN connection must be on unique IP subnets in order to work properly.
- You cannot use the WAN failover feature if you have configured the SonicWALL
security appliance to use Transparent Mode in the Network > Settings page.
Setting Up WAN Failover and Load Balancing
The following are the steps for configuring WAN Failover and Load Balancing
on the SonicWALL security appliance:
- Configuring an interface as a Secondary WAN port
- Creating a NAT Policy for the Secondary WAN port
- Activating WAN Failover/Load-Balancing
- Choosing a WAN Failover/Load-Balancing method
- Setting Up Probe Monitoring
Configure WAN Failover to the Modem
If you are using the Modem as a backup connection for your WAN, enable WAN
failover to the modem. If your primary WAN connection fails, the TZ 170 SP
Wireless will automatically try to connect with the modem. It will then monitor
the WAN port, and switch back when it has a reliable connection again. To
configure WAN failover to the modem:
- In the Ethernet WAN Failover & Load Balancing section, check
Load Balancing box.
- Check the Enable Dial-Up Wan Failover box.
- Click Apply.
Configuring the OPT Interface as a Secondary WAN Port
On the Network > Interfaces page, configure the OPT port
to be in the WAN zone, and enter the correct address settings provided by the
Secondary ISP. In
the example, the SonicWALL security appliance is acquiring its secondary WAN
address dynamically from ISP #2, using DHCP. Any interface added to the WAN
zone by default creates a NAT Policy allowing internal LAN subnets to NAT out
this Secondary WAN interface.
Creating a NAT Policy for the Secondary WAN Port
You need to create a NAT policy on your SonicWALL for WAN Failover. Follow
these steps to create a NAT policy on your SonicWALL using theor OPT interface:
- Select Network > NAT Policies.
- Click Add. The Add NAT Policy window is displayed.
- Select Any from the Original Source menu.
- Select OPT IP from the Translated
- Select Any from the Original Destination menu.
- Select Original from the Translated Destination menu.
- Select Any from the Original Service menu.
- Select Original from the Translated Service menu.
- Select X0 from the Inbound Interface menu.
- Select OPT interface from the
Outbound Interface menu.
- Make sure the Enable setting is checked.
- Click OK.
Activating WAN Failover and Load Balancing
To configure the SonicWALL for WAN failover and load balancing, follow the
- On the Network > WAN Failover & LB page, select
Enable Load Balancing.
- From the Secondary WAN Interface menu, select your secondary WAN interface.
- Enter a number between 5 and 300, in the Check Interface Every
_ Seconds field. You can use the default value of 5 seconds.
- In the Deactivate Interface after _ missed intervals field, enter a number
between 1 and 10. You can use the default value of 3. If the default
value is used,
then the interface is considered inactive after 3 successive attempts
at 5 seconds each.
- Enter a number between 1 and 10 in the Reactivate Interface after
_ successful intervals field. You can use the default value of
3. If the default value is
used, then the interface is considered active after 3 successive
attempts at 5
- Click Apply.
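The three monitoring fields above form a simple hysteresis state machine. The following sketch is an added example, not SonicWALL code: it models the fields with the page's ranges and defaults and shows when basic active/passive failover would switch interfaces. The class and function names are hypothetical, and it assumes the Secondary WAN stays up and that, with preempt off, traffic remains on the Secondary after the Primary recovers.

```python
class LinkMonitor:
    """Up/down state for one WAN interface, driven by periodic check results."""

    def __init__(self, check_every=5, deactivate_after=3, reactivate_after=3):
        # Ranges are the ones the page gives for each field.
        if not 5 <= check_every <= 300:
            raise ValueError("check interval must be 5-300 seconds")
        if not 1 <= deactivate_after <= 10 or not 1 <= reactivate_after <= 10:
            raise ValueError("interval counts must be 1-10")
        self.check_every = check_every
        self.deactivate_after = deactivate_after
        self.reactivate_after = reactivate_after
        self.active = True
        self.misses = 0   # successive failed checks
        self.hits = 0     # successive successful checks

    def record(self, probe_ok):
        """Apply one check result and return the resulting state."""
        if probe_ok:
            self.misses = 0
            self.hits += 1
            if not self.active and self.hits >= self.reactivate_after:
                self.active = True
        else:
            self.hits = 0
            self.misses += 1
            if self.active and self.misses >= self.deactivate_after:
                self.active = False
        return self.active


def switch_times(primary_checks, preempt=True, **settings):
    """Return [(seconds, egress)] for each change of egress interface."""
    monitor = LinkMonitor(**settings)
    egress, changes = "primary", []
    for n, ok in enumerate(primary_checks, start=1):
        up = monitor.record(ok)
        # Assumption: without preempt, traffic stays where it already is.
        wanted = "secondary" if not up else ("primary" if preempt else egress)
        if wanted != egress:
            egress = wanted
            changes.append((n * monitor.check_every, egress))
    return changes


# Constructed sample: one good check, four missed, then recovery.
OUTAGE = [True, False, False, False, False, True, True, True, True]
# Constructed sample: a flapping link that never misses three in a row.
FLAPPING = [False, False, True, False, False, True]
```

With the defaults, the switch happens at the third missed check, 15 seconds after the last good one, and a link that flaps without three successive misses never triggers failover.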
Choosing an Outbound Load Balancing Method
You need to choose a load balancing method. By default, the SonicWALL will
select Basic Active/Passive Failover as the method, but there are four load
balancing methods available:
- Basic Active/Passive Failover: When this setting is selected,
the SonicWALL security appliance only sends traffic through the Secondary
WAN interface if
the Primary WAN interface has been marked inactive. The SonicWALL security
appliance is set to use this as the default load balancing method. If the
Primary WAN fails, then the SonicWALL security appliance reverts to this
of the ones described below. This mode will automatically return back to
using the Primary WAN interface once it has been restored (preempt mode).
has an associated Preempt and fail back to Primary WAN when possible checkbox.
When this checkbox is selected, the SonicWALL security appliance switches
back to sending its traffic across the Primary WAN interface when it resumes
to the SonicWALL security appliance’s checks (the WAN’s physical
link is restored, or the logical probe targets on the WAN port resume responding).
- Per Destination Round-Robin: When this setting is selected,
the SonicWALL security appliance load-balances outgoing traffic on a per-destination
basis. This is
a simple load balancing method and, though not very granular, allows you
to utilize both links in a basic fashion (instead of the method above,
not utilize the capability of the Secondary WAN until the Primary WAN has
failed). The SonicWALL security appliance needs to examine outbound flows
in source IP and destination IP and make the determination as to which
interface to send the traffic out of and accept it back on. Please note
will be overridden by specific static route entries.
- Spillover-Based: When this setting is selected, the user
can specify when the SonicWALL security appliance starts sending traffic
through the Secondary
WAN interface. This method allows you to control when and if the Secondary
interface is used. This method is used if you do not want outbound traffic
sent across the Secondary WAN unless the Primary WAN is overloaded. The
SonicWALL security appliance has a non-Management Interface exposed hold
timer set to
20 seconds – if the sustained outbound traffic across the Primary
WAN interface exceeds the administrator defined Kbps, then the SonicWALL
appliance spills outbound traffic to the Secondary WAN interface (on a
per-destination basis). The user entry box should not have a default entry
and be left empty
for the user. Please note this feature will be overridden by specific static
- Percentage Based:
When this setting is selected, you can specify the percentages of traffic
sent through the Primary WAN and Secondary WAN interfaces. This
method allows you to actively utilize both Primary and Secondary WAN interfaces.
Only one entry box is required (percentage for Primary WAN), as the SonicWALL
will auto-populate a non-user-editable entry box with the remaining percentage
assigned to the Secondary WAN interface. Please note this feature will
be overridden by specific static route entries.
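The Spillover-Based method combines a threshold, the 20-second hold timer, per-destination assignment and the static-route override. The following simplified model is an added example, not SonicWALL's implementation, and all of its names are hypothetical. It assumes the hold timer restarts whenever Primary throughput drops back to or below the threshold, and that a destination stays on the interface it was first assigned to.

```python
import ipaddress

HOLD_SECONDS = 20  # hold timer value stated on the page

class SpilloverSelector:
    def __init__(self, threshold_kbps, static_routes=None):
        # The page gives no default threshold: the administrator must set it.
        if not threshold_kbps or threshold_kbps <= 0:
            raise ValueError("spillover threshold (Kbps) must be set")
        self.threshold_kbps = threshold_kbps
        self.static_routes = [(ipaddress.ip_network(net), iface)
                              for net, iface in (static_routes or {}).items()]
        self.over_since = None  # time the Primary first exceeded the threshold
        self.pinned = {}        # destination -> interface (assumed sticky)

    def observe(self, now, primary_kbps):
        """Feed one Primary WAN throughput sample taken at time `now`."""
        if primary_kbps <= self.threshold_kbps:
            self.over_since = None          # load is no longer sustained
        elif self.over_since is None:
            self.over_since = now

    def spilling(self, now):
        return self.over_since is not None and now - self.over_since >= HOLD_SECONDS

    def route(self, now, dst):
        """Pick the egress interface for a flow to `dst`."""
        addr = ipaddress.ip_address(dst)
        for net, iface in self.static_routes:   # static route entries win
            if addr in net:
                return iface
        if dst not in self.pinned:
            self.pinned[dst] = "secondary" if self.spilling(now) else "primary"
        return self.pinned[dst]

def replay(events, threshold_kbps, static_routes=None):
    """events: [(seconds, primary_kbps, destination)] -> [(destination, egress)]"""
    sel = SpilloverSelector(threshold_kbps, static_routes)
    out = []
    for now, kbps, dst in events:
        sel.observe(now, kbps)
        out.append((dst, sel.route(now, dst)))
    return out

# Constructed sample (documentation addresses), threshold 1000 Kbps.
EVENTS = [(0, 800, "198.51.100.10"), (5, 1200, "203.0.113.5"),
          (15, 1500, "203.0.113.6"), (25, 1400, "203.0.113.7"),
          (30, 1300, "198.51.100.10"), (35, 1300, "192.0.2.9"),
          (40, 600, "203.0.113.8"), (45, 1200, "203.0.113.7")]
```

In the sample, only the destination first seen at 25 seconds (20 seconds after the threshold was first exceeded) goes to the Secondary WAN, and a static route for 192.0.2.0/24 keeps that destination on its configured interface even while spilling.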
WAN Load Balancing Statistics
The WAN Load Balancing Statistics section displays the following status
information on the Primary and Secondary WAN interfaces:
- Link Status
- Load Balance State
- Probe Monitoring
- New Connections
- Total Connections
- Rx Unicast Packets
- Rx Bytes
- Tx Unicast Packets
- Tx Bytes
- Tx Current Percentage
- Tx Current Throughput (KB/s)
Clicking the Clear Statistics button at the top of the Network > WAN
Failover & Load Balancing page clears the WAN Load Balancing Statistics.