Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see https://campus.barracuda.com/doc/71862301/ for further information on our EoS policy.

How to Configure Link Balancing and Failover for Multiple WAN Connections


If you are using two DHCP connections from the same carrier that is using the same remote network and gateway, see How to Configure Automatic Failover with Dual DHCP WAN Connections using the Same Remote Gateway.

If you are using two or more ISP connections, you can use outbound link and load balancing to balance the traffic between the different Internet connections. If one ISP goes down, the traffic will be routed over the remaining connection. Basic link failover functionality can be achieved by using different route metrics. A better solution is to use custom connection objects to distribute the load and/or configure failover for different links. Using custom connection objects allows you to decide on link balancing on a per-access rule basis. For this article, we assume we are using a mix of one static and one dynamic (DHCP) Internet connection.


Step 1. Configure the WAN Connections

Configure your WAN connections:

This configuration uses the following example settings for both WAN connections:

| ISP | IP Address | Gateway | Network Interface |
|---|---|---|---|
| ISP 1 | 62.99.0.69 | 62.99.0.254 | port 3 |
| ISP 2 | dynamically assigned | dynamically assigned | dhcp |

For WAN connections with dynamic address assignment (e.g., DHCP), verify that the settings Own Routing Table, Use Assigned IP, Create Default Route, and Clone Routes are enabled in the configuration.

Step 2. Add a Source Based Route

Configure the source routes for both connections to prevent IP packets from being sent via the wrong ISP line. For DHCP connections, the routes are already introduced automatically by the DHCP client. For ISP connections with static IP addresses, configure a source-based route.

  1. Open the Network page (Config > Full Config > Box).
  2. In the left menu, select Routing.
  3. Click Lock.
  4. In the Source Based Routing section, click + to add a new route.
  5. Enter a Name for the route and click OK.
  6. In the Source Networks table, add the network for which the routing table is consulted, e.g., 62.99.0.0/24
  7. In the Routing Table Contents section, click + to configure the route.
  8. In the Target Network Address field, enter 0.0.0.0/0.
  9. Select unicast as the Route Type.
  10. Enter the Gateway IP address, e.g., 62.99.0.254
  11. Click OK.
  12. Select postmain as the Table Placement option.
  13. Click OK.
  14. Click Send Changes and Activate.

Step 3. Configure Link Monitoring

For the dynamic Internet connection, configure link monitoring for both routes (default and source based) to monitor IP addresses beyond the ISP gateway.

  1. Open the Network page (Config > Full Config > Box).
  2. In the left menu, select xDSL/DHCP/ISDN.
  3. In the Configuration Mode menu, select Switch to Advanced.
  4. Click Lock.
  5. Edit the DHCP link.
  6. In the Connection Monitoring section, add a target IP address to be used for monitoring into the Reachable IPs table. This address must be reachable only via the DHCP connection.
  7. Click OK.
  8. Click Send Changes and Activate.

After you configure your routes, you must activate your new network configurations.

  1. Go to the Control > Box page.
  2. In the left menu, expand Network and click Activate new network configuration.
  3. Select Failsafe. A Network Configuration Reconfigured message will appear.

Step 4. Create a Custom Connection Object for Link Balancing with Failover (Fallback)

The Barracuda NG Firewall can perform link failover and link cycling using multiple connections. The failover and load balancing policy used in the custom connection object defines how the traffic is routed:

  • Link Balancing with Fallback – Traffic is always routed over the primary uplink as long as it is available. If the main uplink fails, the secondary uplink is used.
  • Random Link Balancing – Sessions are distributed randomly according to the weight of the connections. If one of the connections fails, traffic is routed through the other available connections as defined in the connection policy.
  • Sequential Link Balancing – The Source IPs are sequentially cycled through, factoring in the weight defined for each uplink. The Barracuda NG Firewall remembers the sources/destination of active sessions and will reuse the same connection if a similar connection is established.

Create a custom connection object for link balancing and failover:

  1. Open the Forwarding Rules page (Config > Full Config > Virtual Servers > your virtual server > Assigned Services > Firewall).
  2. Click Lock.
  3. In the left menu, click on Connections.  
  4. Right-click and select New. The Edit/Create a Connection Object window opens.
  5. Enter a Name for the connection object. E.g., LBFailover
  6. Select From Interface as the NAT Address. 

  7. In the Interface Name field, enter the port that ISP 1 is connected to, e.g., port3 or dhcp

  8. In the Failover and Load Balancing section, select one load balancing/failover Policy:
    1. FALLBACK (Fallback to alternative Source Addresses)
      • Select either Interface or source IP address for each Internet connection.  
      • Enter the interface or source IP address for the connection.
    2. SEQ (Sequentially cycle Source Addresses)
      • Select either Interface or source IP address for each Alternative connection.  
      • Enter the interface or source IP address for each connection.  
      • Enter the Weight factor. This value determines how the load is distributed between the different connections.
    3. RAND (Random Source Addresses)
      • Select either Interface or source IP address for each Alternative connection.  
      • Enter the interface or source IP address for each connection.  
      • Enter the Weight factor. This value determines how the load is distributed between the different connections.
  9. Click OK.
  10. Click Send Changes and Activate.
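
The following Python model of the three policies in this step is an added illustration, not Barracuda's implementation. The weights (2 and 1), the session tuples, the function names, and the reading of SEQ as a weighted round robin with per-session stickiness are assumptions.

```python
import random
from collections import defaultdict

# Constructed uplinks: interface names follow the article's example; weights are assumed.
UPLINKS = [("port3", 2), ("dhcp", 1)]  # (interface, weight); first entry is the primary

def pick_uplink(policy, up, session, state, rng=random):
    """Choose the uplink for a session, or None if every uplink is down.

    policy  -- "FALLBACK", "SEQ" or "RAND"
    up      -- set of interfaces that link monitoring currently reports reachable
    session -- (source IP, destination IP) tuple
    state   -- dict kept between calls (SEQ cursor and remembered sessions)
    """
    alive = [(name, w) for name, w in UPLINKS if name in up]
    if not alive:
        return None
    if policy == "FALLBACK":
        # Primary while it is reachable, otherwise the next configured uplink.
        return alive[0][0]
    if policy == "RAND":
        names, weights = zip(*alive)
        return rng.choices(names, weights=weights)[0]
    if policy == "SEQ":
        sticky = state.setdefault("sticky", {})
        if sticky.get(session) in up:
            return sticky[session]  # reuse the uplink of a known session
        # Weighted round robin: each reachable uplink appears 'weight' times.
        cycle = [name for name, w in alive for _ in range(w)]
        cursor = state.get("cursor", 0)
        choice = cycle[cursor % len(cycle)]
        state["cursor"] = cursor + 1
        sticky[session] = choice
        return choice
    raise ValueError(f"unknown policy: {policy}")

def distribution(policy, up, sessions, seed=0):
    """Count how many of the given sessions land on each uplink."""
    state, rng = {}, random.Random(seed)
    counts = defaultdict(int)
    for s in sessions:
        counts[pick_uplink(policy, up, s, state, rng)] += 1
    return dict(counts)

# Constructed sample: 30 LAN clients opening a session to one destination.
SESSIONS = [(f"10.0.0.{i}", "198.51.100.10") for i in range(1, 31)]
```

Calling `distribution("SEQ", {"port3", "dhcp"}, SESSIONS)` and then repeating it with `{"dhcp"}` shows how the 2:1 split collapses onto the remaining uplink when monitoring marks port3 unreachable.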

Step 5. Apply the Connection Object

Use the object for all access rules handling outgoing traffic.

  1. Open the Forwarding Rules page (Config > Full Config > Virtual Servers > your virtual server > Assigned Services > Firewall).
  2. Click Lock.
  3. Edit an access rule handling outgoing traffic. E.g., LAN-2-INTERNET
  4. Select the custom connection object created in Step 4 from the Connection Method list.
  5. Click OK.
  6. Click Send Changes and Activate.

Step 6. (optional) Configure Notifications

You can configure the Barracuda NG Firewall to send SNMP traps or email notifications in case one of the ISP connections fails. Depending on what kind of notification you want to send, change the notification ID for:

  • 62 (Route Changed)
  • 64 (Route Disabled)

For more information, see Events.

You are now load balancing and/or using failover for all outgoing connections, which are handled by access rules using the custom connection object. If needed, you can define multiple custom connection objects and use them to control which ISP connections are used by a specific network or IP address.
