Simple failover to backup 4G WAN

I’m looking for a simple approach to automatically switch to backup 4G (on eth1) connection when my main WAN (on eth1.300) is down. What I do now is manually change the WAN interface (see below). Is there a way to automate this?

    # set firewall zone WAN interface 'eth1.300'
    set firewall zone WAN interface 'eth1'

    # set interfaces ethernet eth1 vif 300 address 'dhcp'
    # set interfaces ethernet eth1 vif 300 description 'Landline WAN'
    set interfaces ethernet eth1 address 'dhcp'
    set interfaces ethernet eth1 description '4G LTE WAN'

    # set nat destination rule 100 inbound-interface 'eth1.300'
    set nat destination rule 100 inbound-interface 'eth1'

I found this proposal, “PBR + wan failover - #7 by n.fort”, based on load balancing; however, I don’t know how to assign an interface to my firewall zone WAN or to my nat dest rules. I also found “Wan failover with DHCP”, but that seems to have quite a few moving parts. Is there a way to make a generic interface (bridge?) to refer to in my firewall & NAT config, e.g. something like:

    # pseudo config
    set firewall zone WAN interface 'br0-wan'
    set nat destination rule 100 inbound-interface 'br0-wan'

You can have both interfaces active, just set the default-route-distance higher than the other, e.g.:

        dhcp-options {
            default-route-distance 211
        }

All the other config will be applied, and then the router will just prefer your Landline vs 4G. When you need to fail over to 4G, you go and set the default-route-distance of the Landline higher than 4G, e.g. 412. To revert, go delete the default-route-distance of the 4G.

There is probably a better “dynamic” way to do it with health checking, etc., but I haven’t played with it yet. I do what I describe above at home today in the same setup you’re talking about.

Firewall-wise you probably want an interface-group, so you can put both WAN interfaces in, then you can refer to that interface-group in your firewall rules to apply the same rules to both.
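
The manual distance swap described in the reply above can be driven by a health check; the following is an added example, not part of the thread and not VyOS project code. It shows only the decision logic (fail over after several consecutive failed probes, revert after several good ones, so a single dropped probe does not flap the route) and prints the config-mode command to apply. The thresholds, the up/down probe input, and reverting by deleting the landline override are assumptions; the interface path and the distance 412 are taken from the posts.

```sh
#!/bin/sh
# Added example, not from the thread. Interface path and the distance 412 come
# from the posts above; thresholds and the up/down probe input are assumptions.
FAIL_LIMIT=3   # consecutive failed probes before failing over (assumed)
OK_LIMIT=5     # consecutive good probes before reverting (assumed)
LANDLINE="interfaces ethernet eth1 vif 300 dhcp-options default-route-distance"

# step STATE COUNT RESULT -> prints "NEWSTATE NEWCOUNT ACTION"
# STATE is landline|lte, RESULT is up|down for one landline health probe.
step() {
    state=$1; count=$2; action=none
    case "$state:$3" in
        landline:down)
            count=$((count + 1))
            if [ "$count" -ge "$FAIL_LIMIT" ]; then
                state=lte; count=0; action=failover
            fi ;;
        lte:up)
            count=$((count + 1))
            if [ "$count" -ge "$OK_LIMIT" ]; then
                state=landline; count=0; action=revert
            fi ;;
        *)  count=0 ;;   # streak broken: restart the count
    esac
    echo "$state $count $action"
}

# commands_for ACTION -> VyOS config-mode command for the distance swap.
# Reverting by deleting the landline override is this example's assumption.
commands_for() {
    case "$1" in
        failover) echo "set $LANDLINE 412" ;;
        revert)   echo "delete $LANDLINE" ;;
    esac
}

# run_sequence RESULT... -> replays probe results, prints triggered commands.
run_sequence() {
    st=landline; n=0
    for r in "$@"; do
        out=$(step "$st" "$n" "$r")
        st=${out%% *}; rest=${out#* }; n=${rest%% *}; act=${rest#* }
        commands_for "$act"
    done
    echo "final=$st"
}

# Constructed probe history: a brief blip, an outage, then recovery.
run_sequence down up down down down up up up up up
```

The printed commands still have to be applied in configuration mode and committed; the probe that produces the up/down results is deliberately left out.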

Thanks, that helps. I wasn’t aware of interface-group, that solves my firewall problems.

Is there a way to make NAT for interface groups as well? It looks like I need to implement ‘real’ offloading which directs NAT to the right interface… Any way around that?

You can reference interface groups in NAT rules; unsure what version that was added in, though. I’m running 1.5-rolling-202409060006.

    set nat source rule 10 outbound-interface WAN_INTERFACES

Unsure about the offload thing, I’d be curious about that myself.
