TZ270W - WAN Interfaces don't work outside default load-balancing group

Hello,

I'm currently testing a solution with 4 different ISPs and I need to configure the 4 physical WAN interfaces.

Everything is working when I put them all in the default load-balancing group but not when they are unassigned.


As it is in testing right now it is not a problem, but as I want to implement them later on our main FW, I prefer to understand how it works and how to have them outside of any load-balancing, as it is not needed at all.


Is this normal behaviour? If not, can you explain to me which rules to add/modify, because I can't find anything in the default rules section.

I thank you in advance for your answer,

Best regards.

Category: Entry Level Firewalls

Best Answer

  • BWC Cybersecurity Overlord ✭✭✭ (correct answer)

    @LexES you can use different VLANs or just different ranges, IMHO doesn't matter, because PBR works on the Source Address.

    Policy -> Rules and Policies -> Routing Policies.

    A routing policy would look like this:

    SRC: Range1 / DST: Any (0.0.0.0/0) / Interface: X1 / GW: X1 IPv4 Default Gateway

    SRC: Range2 / DST: Any (0.0.0.0/0) / Interface: X2 / GW: X2 IPv4 Default Gateway

    SRC: Range3 / DST: Any (0.0.0.0/0) / Interface: X3 / GW: X3 IPv4 Default Gateway

    SRC: Range4 / DST: Any (0.0.0.0/0) / Interface: X4 / GW: X4 IPv4 Default Gateway

    This will route any traffic destined to WAN depending on the Source address to one of the 4 ISPs.

    If you combine this with the Load Balancing Failover you'll always get an outbound link to route with.

    It's pretty straightforward, and you could even route specific traffic (service / application) via specific WAN interfaces.

    --Michael@BWC
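
The source-based lookup described in the answer above, modelled as an added example (not from the original posts and not SonicWall code). It assumes 192.0.2.0/24 as a stand-in for the thread's X.X.X.0/24, one /27 per WAN, and a simplified failover model in which a policy whose link is down is skipped.

```python
import ipaddress

# Constructed address plan: 192.0.2.0/24 stands in for the thread's X.X.X.0/24.
LAN = ipaddress.ip_network("192.0.2.0/24")
WAN_INTERFACES = ["X1", "X2", "X3", "X4"]  # interface names from the answer


def build_policies(lan=LAN, wans=WAN_INTERFACES):
    """Pair the first len(wans) /27 blocks of the LAN with one WAN each."""
    blocks = list(lan.subnets(new_prefix=27))
    return [(block, wan) for block, wan in zip(blocks, wans)]


def usable_range(block):
    """First and last host address of a block (network/broadcast excluded)."""
    hosts = list(block.hosts())
    return hosts[0], hosts[-1]


def egress_for(src, policies, link_up, failover_order=WAN_INTERFACES):
    """Return (interface, reason) for a source address.

    Assumed model: a matching policy is used only while its link is up;
    otherwise traffic leaves via the first live member of the failover group.
    """
    addr = ipaddress.ip_address(src)
    matched = False
    for block, wan in policies:
        if addr in block:
            matched = True
            if link_up.get(wan, False):
                return wan, "policy"
            break  # matched, but the link is down
    for wan in failover_order:
        if link_up.get(wan, False):
            return wan, "failover" if matched else "default"
    return None, "no-link"


if __name__ == "__main__":
    policies = build_policies()
    for block, wan in policies:
        first, last = usable_range(block)
        print(f"SRC {first}-{last} -> {wan}")
    up = {"X1": True, "X2": False, "X3": True, "X4": True}
    print(egress_for("192.0.2.40", policies, up))
```

Sources outside the four /27 blocks match no policy and leave by the default path, which is worth checking before handing out addresses to the test PCs.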

Answers

  • BWC Cybersecurity Overlord ✭✭✭

    @LexES if you don't wanna stick all WAN interfaces in the only available LB Group you need to configure Routing Rules, what is called Policy Based Routing. Or you could use SDWAN to spread the traffic based on performance values.

    It depends on what you try to accomplish and how to use the WAN links. If you have Basic Failover activated in the LB Group, then mainly the 1st link will be used.

    Maybe you can explain what you wanna do with 4 links on such a small appliance and then we can come up with some suggestions.

    --Michael@BWC

  • LexES Newbie ✭

    Here are more details!


    My goal is to have 10 PCs/VMs that can swap between any of the 4 ISPs at any time for video web site testing purposes.

    These 4 ISPs are not in use for our usual business network traffic; we have another one for it.


    1) I'm not sure about the LAN configuration yet, but my first idea is to create one VLAN with a /24 and apply routing rules on the FW with a /27 like:

    • X.X.X.1-30 traffic goes to ISP1 physical interface
    • X.X.X.33-62 traffic goes to ISP2 physical interface
    • ...

    2) Users will use a script on their PC to swap IP and be in the right /27.

    3) I was also thinking about creating different virtual interfaces on my LAN interface to have 4 IP addresses to reach, and apply routes/rules on each one:

    • VX.1 : X.X.X.251 route to ISP1 physical interface
    • VX.2 : X.X.X.252 route to ISP2 physical interface

    But I must use a different VLAN on each virtual interface, so I can't really use it.


    4) The 270W is just for my testing part; the final FW is an NSA 4650 (I don't have access yet).


    I'm sure there must be more optimal solutions, but I'm new to firewall solutions and have not really figured out all the parts of this project yet.

    Regards.

  • LexES Newbie ✭

    Hello again,


    Coming back from testing and it works like a charm!

    This is what I was looking for!

    I'll just have to finish the VLAN part on my side and it will be good for me.


    Thanks for your precious help and fast answer!

    Best regards.
