Configuring an OPT interface as an additional WAN

Note

The default configuration of the Netgate 1100 has the OPT port already assigned.

This guide configures an OPT port as an additional WAN type interface. These interfaces connect to upstream networks providing connectivity to the Internet or other remote destinations.

See also

Multi-WAN documentation

Requirements

  • This guide assumes the underlying interface is already present (e.g. physical port, VLAN, etc).

  • The WAN configuration type and settings must be known before starting. For example, this might be an IP address, subnet mask, and gateway value for static addresses or credentials for PPPoE.

Assign the Interface

  • Navigate to Interfaces > Assignments

    Look at list of current assignments. If the interface in question is already assigned, there is nothing to do. Skip ahead to the interface configuration.

  • Pick an available interface in Available network ports

    If there are no available interfaces, then one may need to be created first (e.g. VLANs).

  • Click fa-plus Add

The firewall will assign the next available OPT interface number corresponding to the internal interface designation. For example, if there are no current OPT interfaces, the new interface will be OPT1. The next will be OPT2, and so on.

Note

As this guide does not know what that number will be on a given configuration, it will refer to the interface generically as OPTx and the customized name WAN2.

The newly assigned interface will have its own entry under the Interfaces menu and elsewhere in the GUI.

Interface Configuration

The new interface must be enabled and configured.

  • Navigate to Interfaces > OPTx

  • Check Enable interface

  • Set custom name in the Description, e.g. WAN2

  • Set IP address and CIDR for static, or DHCP/PPPoE/etc.

    See also

    IPv4 Configuration Types

  • Create a Gateway if this is a static IP address WAN:

    • Click fa-plus Add a New Gateway

    • Configure the gateway as follows:

      Default:

      Check if this new WAN should be the default gateway.

      Gateway Name:

      Name it the same as the interface (e.g. WAN2), or a variation thereof.

      Gateway IPv4:

      The IPv4 address of the gateway inside the same subnet.

      Description:

      Optional text describing the purpose of the gateway.

    • Click fa-plus Add

    • Ensure the new gateway is selected as the IPv4 Upstream Gateway

  • Check Block private networks

    This will block private network traffic on the interface, though if the firewall rules for this WAN are not permissive, this may be unnecessary.

  • Check Block bogon networks

    This will traffic from bogus or unassigned networks on the interface, though if the firewall rules for this WAN are not permissive, this may be unnecessary.

  • Click Save

  • Click Apply Changes

The presence of a selected gateway in the interface configuration causes the firewall to treat the interface as a WAN type interface. This is manual for static configurations, as above, but is automatic for dynamic WANs (e.g. DHCP, PPPoE).

The firewall applies outbound NAT to traffic exiting WAN type interfaces but does not use WAN type interface networks as a source for outbound NAT on other interfaces. Firewall rules on WAN type interfaces get reply-to added to ensure traffic entering a WAN exits the same WAN, and traffic exiting the interface is nudged toward its gateway. The DNS Resolver will not accept queries from clients on WAN type interfaces without manual ACL entries.

See also

Interface Configuration

Outbound NAT

For clients on local interfaces to reach the Internet from private addresses to destinations through this WAN, the firewall must apply Outbound NAT on traffic leaving this new WAN.

  • Navigate to Firewall > NAT, Outbound tab

  • Check the current outbound NAT mode and follow the section below which matches the mode.

Automatic or Hybrid Outbound NAT

If the mode is set to Automatic or Hybrid, then this may not need further configuration.

Ensure there are rules for the new WAN listed as a Interface in the Automatic Rules at the bottom of the page. If so, skip ahead to the next section to configure Firewall Rules.

Manual Outbound NAT

If the mode is set to Manual, create a new rule or set of rules to cover the new WAN.

If there are existing rules in the Mappings table, they can be copied and adjusted to use the new WAN. Otherwise, create them manually:

  • Click button_add_top to add a new rule at the top of the list.

  • Configure the rule as follows:

    Interface:

    Choose the new WAN interface (e.g. WAN2)

    Address Family:

    IPv4

    Protocol:

    Any

    Source:

    Either choose LAN Subnets, which will automatically reference any networks on the LAN interface, or choose Network or Alias and manually fill in the LAN subnet, e.g. 192.168.1.0/24.

    If there are multiple local networks, create rules for each or use other methods such as aliases or CIDR summarization to cover them all.

    Destination:

    Any

    Translation Address:

    WAN2 Address (or the custom name of the new WAN interface)

    Description:

    Text describing the rule, e.g. LAN outbound on WAN2

  • Click Save

  • Click Apply Changes

Repeat as needed for additional local networks.

Firewall Rules

By default there are no rules on the new interface, so the firewall will block all traffic. This is ideal for a WAN, so is safe to leave as-is. Adding services on the new WAN, such as VPNs, may require rules but those should be handled on a case-by-case basis.

Warning

Do not add any blanket “allow all” style rules on any WAN.

Gateway Groups

Gateway Groups do not control traffic directly, but can be used in other places, such as firewall rules and service bindings, to influence how those areas use gateways.

For most scenarios it helps to create three gateway groups to start with: PreferWAN, PreferWAN2, and LoadBalance:

  • Navigate to System > Routing, Gateway Groups tab

  • Click fa-plus Add to create a new gateway group

  • Configure the group as follows:

    Group Name:

    PreferWAN

    Gateway Priority:

    Gateway for WAN on Tier 1, Gateway for WAN2 on Tier 2

    Description:

    Prefer WAN, fail to WAN2

  • Click Save

  • Click fa-plus Add to create another gateway group

  • Configure the group as follows:

    Group Name:

    PreferWAN2

    Gateway Priority:

    Gateway for WAN on Tier 2, Gateway for WAN2 on Tier 1

    Description:

    Prefer WAN2, fail to WAN

  • Click Save

  • Click fa-plus Add to create another gateway group

  • Configure the group as follows:

    Group Name:

    LoadBalance

    Gateway Priority:

    Gateways for WAN and WAN2 both on Tier 1

    Description:

    Load Balance Connections on WAN and WAN2

    Note

    Rules using this group enable connection-based load balancing, not per-packet load balancing.

    Rules using this group will also have failover style behavior as WANs which are down are removed from load balancing.

  • Click Save

  • Click Apply Changes

Now set the default gateway to a failover group:

  • Navigate to System > Routing, Gateways tab

  • Set Default gateway IPv4 to PreferWAN

  • Click Save

  • Click Apply Changes

Note

This is important for failover from the firewall itself so it always has outbound access. While this also enables basic failover for client traffic, it’s better to use policy routing rules to control client traffic behavior.

DNS

DNS is critical for Internet access and it is important to ensure the firewall can always resolve hostnames using DNS even when running on a secondary WAN.

The needs here depend upon the configuration of the DNS Resolver or Forwarder.

If the DNS Resolver is in its default resolver mode, then default gateway switching will be sufficient to handle failover in most cases, though it may not be as reliable as using forwarding mode.

If the DNS Resolver is in forwarding mode or the firewall is using the DNS Forwarder instead, then maintaining functional DNS requires manually configuring gateways for forwarding DNS servers.

  • Navigate to System > General Setup

  • Add at least one DNS server for each WAN in the DNS Server Settings section, ideally two or more. Click fa-plus Add DNS Server to create additional rows.

    Each entry should be configured as follows:

    Address:

    The IP address of a DNS server.

    Each server address must be unique, the same server cannot be listed more than once.

    DNS Hostname:

    Leave this field blank unless the server will be contacted using DNS over TLS through the DNS Resolver. In this case, enter the FQDN of the DNS server so its name can be validated against its TLS certificate.

    Gateway:

    Select a gateway for each DNS server, corresponding to the WAN through which the firewall can reach the DNS server.

    For public DNS servers such as CloudFlare or Google, either WAN is OK, but if either WAN uses DNS servers from a specific ISP, ensure those exit the appropriate WAN.

    Note

    If the gateway drop-down does not appear next to each DNS server, then the firewall does not have more than one gateway configured for any address family. Double check the gateway settings for all WAN interfaces.

  • Uncheck DNS Server Override

    This will tell the firewall to use the DNS servers entered on this page and to ignore servers provided by dynamic WANs such as DHCP or PPPoE. Occasionally these providers may push conflicting DNS server information so the best practice is to assign the DNS servers manually.

  • Click Save

Note

If the DNS Resolver has specific outgoing interfaces selected in its configuration, select the new WAN there well as well.

Setup Policy Routing

Policy routing involves setting a gateway on firewall rules which direct matching traffic out specific WANs or failover groups.

In simple cases (one LAN, no VPNs) the only requirement to configure policy routing is to add a gateway to existing rules.

  • Navigate to Firewall > Rules, LAN tab

  • Edit the default pass rule for the LAN

  • Click Display Advanced

  • Set the Gateway to one of the gateway groups based on the desired LAN client behavior.

    For example, pick PreferWAN so clients use WAN and then if WAN fails, they use WAN2.

  • Click Save

  • Click Apply Changes

If there are other local networks or VPNs which clients on LAN must reach, add rules above the default pass rules to pass local traffic without a gateway set:

  • Navigate to Firewall > Rules, LAN tab

  • Click button_add_top to add a new rule at the top of the list

  • Configure the rule as follows:

    Action:

    Pass

    Interface:

    LAN

    Protocol:

    Any

    Source:

    LAN subnets

    Destination:

    The other local subnet, VPN network, or an alias of such networks.

    Description:

    Pass to local and VPN networks

    Do not set a gateway on this rule.

  • Click Save

  • Click Apply Changes

Dynamic DNS

Dynamic DNS provides several benefits for multiple WANs, particularly with VPNs. If the firewall does not already have one or more Dynamic DNS hostnames configured, consider signing up with a provider and creating one or more.

It is a good practice to have a separate DNS entry for each WAN and a shared entry for failover, or one per failover group. If that is not viable, at least have one for the most common needs.

The particulars of configuring Dynamic DNS entries vary by provider and are beyond the scope of this document.

VPN Considerations

IPsec can use a gateway group as an as interface, but needs a dynamic DNS hostname as companion. The remote peer would need to use the Dynamic DNS hostname as the peer address of this firewall instead of an IP address. Because this relies on DNS, failover can be slow.

WireGuard does not bind to an interface, but can work with Multi-WAN. It will respond from WAN2 if client contacts WAN2, but when initiating it will always use the current default gateway. Static routes can nudge traffic for a specific peer out a specific WAN.

OpenVPN can use a gateway group as an interface for clients or servers. Client behavior is OK and should match default failover behavior configured on the group. For servers it is better to bind the server to localhost and use port forwards from each WAN to localhost. Remote clients can then have multiple remote entries and contact each WAN as needed at any time.

Testing

Methods for testing depend on the type of WANs and gateway groups in use.

  • For most WANs, a better test is to unplug the upstream connection from the ISP Customer Premise Equipment (CPE). This more accurately simulates a typical type of upstream connectivity failure. Do not power off the CPE or unplug the connection between the firewall and the CPE. While this may work, it’s a much less common scenario and can behave differently.

  • For testing load balancing, use cURL or multiple browsers/sessions when checking the IP address multiple times. Refreshing the same browser window will reuse a connection to the server and is not helpful for testing connection-based load balancing.