Configuring an OPT interface as an additional WAN¶
Note
The default configuration of the Netgate 1100 has the OPT port already assigned.
This guide configures an OPT port as an additional WAN type interface. These interfaces connect to upstream networks providing connectivity to the Internet or other remote destinations.
See also
Configuring an additional WAN
Requirements¶
This guide assumes the underlying interface is already present (e.g. physical port, VLAN, etc).
The WAN configuration type and settings must be known before starting. For example, this might be an IP address, subnet mask, and gateway value for static addresses or credentials for PPPoE.
Assign the Interface¶
Navigate to Interfaces > Assignments
Look at list of current assignments. If the interface in question is already assigned, there is nothing to do. Skip ahead to the interface configuration.
Pick an available interface in Available network ports
If there are no available interfaces, then one may need to be setup in some other way (e.g. VLANs).
Click
Add
The firewall will assign the next available OPT interface number corresponding to the internal interface designation. For example, if there are no current OPT interfaces, the new interface will be OPT1. The next will be OPT2, and so on.
Note
As this guide does not know what that number will be on a given configuration, it will refer to the interface generically as OPTx.
The newly assigned interface will have its own entry under the Interfaces menu and elsewhere in the GUI.
Interface Configuration¶
The new interface must be enabled and configured.
Navigate to Interfaces > OPTx
Check Enable interface
Set custom name in the Description, e.g.
WAN2
Set IP address and CIDR for static, or DHCP/PPPoE/etc.
See also
Create a Gateway if this is a static IP address WAN:
Click
Add a New Gateway
Configure the gateway as follows:
- Default
Check if this new WAN should be the default gateway.
- Gateway Name
Name it the same as the interface (e.g.
WAN2
), or a variation thereof.- Gateway IPv4
The IPv4 address of the gateway inside the same subnet.
- Description
Optional text describing the purpose of the gateway.
Click
Add
Ensure the new gateway is selected as the IPv4 Upstream Gateway
Check Block private networks
This will block private network traffic on the interface, though if the firewall rules for this WAN are not permissive, this may be unnecessary.
Check Block bogon networks
This will traffic from bogus or unassigned networks on the interface, though if the firewall rules for this WAN are not permissive, this may be unnecessary.
Click Save
Click Apply Changes
The presence of a selected gateway in the interface configuration causes the firewall to treat the interface as a WAN type interface. This is manual for static configurations, as above, but is automatic for dynamic WANs (e.g. DHCP, PPPoE).
The firewall applies outbound NAT to traffic exiting WAN type interfaces but
does not use WAN type interface networks as a source for outbound NAT on other
interfaces. Firewall rules on WAN type interfaces get reply-to
added to
ensure traffic entering a WAN exits the same WAN, and traffic exiting the
interface is nudged toward its gateway. The DNS Resolver will not accept queries
from clients on WAN type interfaces without manual ACL entries.
See also
Outbound NAT¶
For clients on local interfaces to get to the Internet from private addresses to destinations through this WAN, the firewall must apply Outbound NAT on traffic leaving this new WAN.
Navigate to Firewall > NAT, Outbound tab
Check the current outbound NAT mode
If the mode is set to Automatic or Hybrid, then this may not need further configuration. Ensure there are rules for the new WAN listed as a Interface in the Automatic Rules at the bottom of the page. If so, skip ahead to the next section.
If the mode is set to Manual, create a new rule or set of rules to cover the new WAN.
If there are existing rules in the Mappings table, they can be copied and adjusted to use the new WAN. Otherwise, create them manually:
Click
to add a new rule at the top of the list.
Configure the rule as follows:
- Interface
Choose the new WAN interface (e.g. WAN2)
- Address Family
IPv4
- Protocol
Any
- Source
Network, and fill in the LAN subnet, e.g.
192.168.1.0/24
.If there is more than one LAN subnet, create rules for each or use other methods such as aliases or CIDR summarization to cover them all.
- Destination
Any
- Translation Address
Interface Address
- Description
Text describing the rule, e.g.
LAN outbound on WAN2
Click Save
Click Apply Changes
Repeat as needed for additional LANs.
Firewall Rules¶
By default there are no rules on the new interface, so the firewall will block all traffic. This is ideal for a WAN, so is safe to leave as-is. Adding services on the new WAN, such as VPNs, may require rules but those should be handled on a case-by-case basis.
Warning
Do not add any blanket “allow all” style rules on any WAN.
Gateway Groups¶
Gateway Groups do not control traffic directly, but can be used in other places, such as firewall rules and service bindings, to influence how those areas use gateways.
For most scenarios it helps to create three gateway groups to start with:
PreferWAN
, PreferWAN2
, and LoadBalance
:
Navigate to System > Routing, Gateway Groups tab
Click
Add to create a new gateway group
Configure the group as follows:
- Group Name
PreferWAN
- Gateway Priority
Gateway for WAN on Tier 1, and WAN2 on Tier 2
- Description
Prefer WAN, fail to WAN2
Click Save
Click
Add to create another gateway group
Configure the group as follows:
- Group Name
PreferWAN2
- Gateway Priority
Gateway for WAN on Tier 2, and WAN2 on Tier 1
- Description
Prefer WAN2, fail to WAN
Click Save
Click
Add to create another gateway group
Configure the group as follows:
- Group Name
LoadBalance
- Gateway Priority
Gateways for WAN and WAN2 both on Tier 1
- Description
Prefer WAN2, fail to WAN
Note
This performs connection-based load balancing, not per-packet load balancing.
Click Save
Click Apply Changes
Now set the default gateway to a failover group:
Navigate to System > Routing, Gateways tab
Set Default gateway IPv4 to PreferWAN
Click Save
Click Apply Changes
Note
This is important for failover from the firewall itself so it always has outbound access. While this also enables basic failover for client traffic, it’s better to use policy routing rules to control client traffic behavior.
DNS¶
DNS is critical for Internet access and it’s important to ensure the firewall can always resolve hostnames using DNS even when running on a secondary WAN.
The needs here depend upon the configuration of the DNS Resolver or Forwarder.
If the DNS Resolver is in its default resolver mode, then default gateway switching will be sufficient to handle failover in most cases, though it may not be as reliable as using forwarding mode.
If the DNS Resolver is in forwarding mode or the firewall is using the DNS Forwarder instead, then maintaining functional DNS requires manually configuring gateways for forwarding DNS servers.
Navigate to System > General Setup
Add at least one DNS server for each WAN, ideally two or more
These servers must be unique, the same server cannot be listed more than once.
Select a gateway for each DNS server, corresponding to the WAN through which the firewall can reach the DNS server.
For public DNS servers such as CloudFlare or Google, either WAN is OK, but if either WAN uses DNS servers from a specific ISP, ensure those exit the appropriate WAN.
Uncheck DNS Server Override
This will tell the firewall to use the DNS servers entered on this page and to ignore servers provided by dynamic WANs such as DHCP or PPPoE. Occasionally these providers may push conflicting DNS server information so the best practice is to assign the DNS servers manually.
Click Save
Note
If the DNS Resolver has specific outgoing interfaces selected in its configuration, select the new WAN there well as well.
Setup Policy Routing¶
Policy routing involves setting a gateway on firewall rules which direct matching traffic out specific WANs or failover groups.
In simple cases (one LAN, no VPNs) the only requirement to configure policy routing is to add a gateway to existing rules.
Navigate to Firewall > Rules, LAN tab
Edit the default pass rule for the LAN
Click Display Advanced
Set the Gateway to one of the gateway groups based on the desired LAN client behavior.
For example, pick PreferWAN so clients use WAN and then if WAN fails, they use WAN2.
Click Save
Click Apply Changes
If there are other local networks or VPNs which clients on LAN must reach, add rules above the default pass rules to pass local traffic without a gateway set:
Navigate to Firewall > Rules, LAN tab
Click
to add a new rule at the top of the list
Configure the rule as follows:
- Action
Pass
- Interface
LAN
- Protocol
Any
- Source
LAN net
- Destination
The other local subnet, VPN network, or an alias of such networks.
- Description
Pass to local and VPN networks
Do not set a gateway on this rule.
Click Save
Click Apply Changes
Dynamic DNS¶
Dynamic DNS provides several benefits for multiple WANs, particularly with VPNs. If the firewall does not already have one or more Dynamic DNS hostnames configured, consider signing up with a provider and creating one or more.
It’s a good practice to have a separate DNS entry for each WAN and a shared entry for failover, or one per failover group. If that is not viable, at least have one for the most common needs.
The particulars of configuring Dynamic DNS entries vary by provider and are beyond the scope of this document.
VPN Considerations¶
IPsec can use a gateway group as an as interface, but needs a dynamic DNS hostname as companion. The remote peer would need to use the Dynamic DNS hostname as the peer address of this firewall instead of an IP address. Because this relies on DNS, failover can be slow.
WireGuard does not bind to an interface, but can work with Multi-WAN. It will respond from WAN2 if client contacts WAN2, but when initiating it will always use the current default gateway. Static routes can nudge traffic for a specific peer out a specific WAN.
OpenVPN can use a gateway group as an interface for clients or servers. Client behavior is OK and should match default failover behavior configured on the group. For servers it is better to bind the server to localhost and use port forwards from each WAN to localhost. Remote clients can then have multiple remote entries and contact each WAN as needed at any time.
Testing¶
Methods for testing depend on the type of WANs and gateway groups in use.
For most WANs, a better test is to unplug the upstream connection from the CPE. This more accurately simulates a typical type of upstream connectivity failure. Do not power off the CPE or unplug the connection between the firewall and the CPE. While this may work, it’s a much less common scenario and can behave differently.
For testing load balancing, use cURL or multiple browsers/sessions when checking the IP address multiple times. Refreshing the same browser window will reuse a connection to the server and is not helpful for testing connection-based load balancing.