
Best way to configure HA with Dual WAN Failover

I have two WAN links - a primary and secondary for failover. I want appliance-HA. Best way to set this up?

Category: Mid Range Firewalls

Answers

  • BWC Cybersecurity Overlord ✭✭✭

    @DesertSweeper there is not much magic around it. Depending on how your connections are provided, it is as simple as connecting both X1 interfaces to router #1 and both X2 interfaces to router #2. If your WAN routers do not provide multiple ports you need to use a mini-switch or a bigger switch and separate each link into its own VLAN.

    This is a simplified explanation, but if your scenario differs you might need to drop in some more details.

    --Michael@BWC

  • Bbialy Newbie ✭
    edited February 2023

    @DesertSweeper

    Indeed there is no magic here. But... there is always some kind of but...

    At the beginning, sorry for using trivial/simple terms...

    You have to consider this on 2 levels:

    1. HA of WAN - in short, be prepared for the failure of one ISP
    2. HA of Sonicwall device.

    So IMHO the goal is to have the ability to utilize both WAN links on each HA device pair (easy failover/firmware upgrade etc.).

    If you have two WAN links, the question is whether the ISP can give you two cables/ports for each link.

    If yes - you are the winner so there is no problem

    If not, sorry :-( You have to: use a dummy 4-5 port switch on each WAN link (Sonicwall engineers: do read previous sentence) or you have to use a dedicated managed WAN switch where you will configure 2 VLANs with 3 untagged ports in it. (DON'T USE THE SAME SWITCH FOR LAN AND WAN!!!! I know that you can set up VLAN separation and ACLs on ports, but DON'T!!!)

    Then connect X1 to WAN 1 and X2 to WAN 2 on each FW.

    Then you have to configure L&B group with logical tests.

    Pinging the gateway on each WAN link is not a good idea - i.e. if you have error 39,99$ on one link (unpaid invoice :-)) the gateway might still be responding and all your logical tests will pass, so your Internet is going to crash. Ping Google DNS or use the Sonicwall TCP responder.

    Please also set, in HA monitoring, at least a physical check of interface state.

    Some other advice for a simple setup:

    • use HA stateful - if your license can handle that
    • preempt option for HA to operate from
    • MUST USE virtual MAC

    When connecting to LAN, a good idea is to have a stacked switch or VLT configured on the LAN switches. Then set a non-LACP LAG for the X0 ports. - I know it is not necessary, but when creating virtual interface there is only place remember to - this is from my private best-practice guide.
