About Multi-WAN Methods
When you configure multiple external interfaces, you have several options to control which interface an outgoing packet uses.
If you use Dynamic Routing, you can use either the Routing Table or Round-Robin multi-WAN method. For information about how to select which method to use, go to Multi-WAN Methods and Dynamic Routing.
Modem Participation in Multi-WAN
The modem is available as an external interface with modem failover enabled. Modem interfaces can also participate in multi-WAN on supported Fireboxes. By default, modem interfaces do not participate in multi-WAN. When you add a modem interface as a multi-WAN participant, link monitor is disabled by default to avoid unwanted bandwidth consumption. For more information, go to About Modem Interfaces
Modems can also be configured for VPN failover. For more information, go toConfigure Branch Office VPN (BOVPN) Failover.
Failover
In Fireware v12.5.4 or higher, failover is the default multi-WAN option.
When you use the failover method to route traffic through the Firebox external interfaces, you select one external interface to be the primary external interface. Other external interfaces are backup interfaces, and you set the order for the Firebox to use the backup interfaces. The Firebox monitors the primary external interface. If it goes down, the Firebox sends all traffic to the next external interface in its configuration. While the Firebox sends all traffic to the backup interface, it continues to monitor the primary external interface. When the primary interface is active again, the Firebox immediately starts to send all new connections through the primary external interface again.
You control the action for the Firebox to take for existing connections; these connections can failback immediately, or continue to use the backup interface until the connection is complete. Multi-WAN failover and FireCluster are configured separately. Multi-WAN failover caused by a failed connection to a link monitor host does not trigger FireCluster failover. FireCluster failover occurs only when the physical interface is down or does not respond. FireCluster failover takes precedence over multi-WAN failover.
For more information, go to Configure the Failover Multi-WAN Method.
Routing Table
Use the Routing Table method when you want a quick and easy way to evenly distribute outgoing traffic among multiple external interfaces.
When you configure multi-WAN with the Routing Table option, the Firebox looks at its internal route table to check for specific static or dynamic routing information for each connection. The route table includes static routes that you configure on the device. If you use dynamic routing, the route table includes dynamic routes.
To see whether a specific route exists for a packet’s destination, the Firebox examines its route table from the top to the bottom of the list of routes. The list is sorted by metric, from lowest to highest cost. You can see the list of routes in the route table on the Status tab of Firebox System Manager.
If no specified route is found, the Firebox selects the route to use based on source and destination IP hash values of the packet, using the ECMP (Equal Cost Multipath Protocol) algorithm specified in RFC2992.
ECMP is an algorithm for routing packets to destinations when there are multiple next-hop paths of equal cost. The Routing Table multi-WAN method uses ECMP to evenly distribute outgoing traffic across multiple external interfaces based on source and destination IP addresses, and based on the number of connections that go through each external interface. The ECMP algorithm does not consider current traffic load.
For more information, go to Configure the Routing Table Multi-WAN Method.
In Fireware v12.5.3 or lower, Routing Table is the default multi-WAN option.
Round-Robin
The Round-robin method distributes traffic to each external interface based on the number of connections.
For light traffic loads, weighted Round-robin behaves like a connection-based Round-robin because the weights you use tend to determine the number of connections through each external interface. When the traffic load increases, weighted Round-robin behaves more like a load-based Round-robin because the weights you assign tend to determine the load through each external interface.
The Round-robin algorithm is applied only after routes, sticky connections, and SD-WAN routing fail to give a routing decision.
The weights you assign are relative weights. For example, suppose interface 0 (eth0) is an external interface and you give it a weight of 3. Interface 1 (eth1) is also an external interface and you give it a weight of 2. For every three bytes of traffic that go through eth0, two bytes will go through eth1. The byte count sent through eth0 will be one and one-half times as much as eth1.
To determine which interface to use for a new outgoing connection, weighted Round-robin calculates the connections:weight ratio (current connections as a proportion of the assigned weight) for each external interface and chooses the interface with least value for the new connection.
For example, configure Interfaces 0, 1, and 2 as external interfaces, and use Round-robin weights of 8, 2, and 1 for those interfaces respectively. Assume that new connections happen in sequence, and each new connection increases the load on an interface equally. The algorithm assigns the new connections as shown in the table:
Current ratio of {connections:weight} Interface 0 |
Current ratio of {connections:weight} Interface 1 |
Current ratio of {connections:weight} Interface 2 |
New connection uses this interface |
0:8 | 0:2 | 0:1 | 0 |
1:8 | 0:2 | 0:1 | 1 |
1:8 | 1:2 | 0:1 | 2 |
1:8 | 1:2 | 1:1 | 0 |
2:8 | 1:2 | 1:1 | 0 |
3:8 | 1:2 | 1:1 | 0 |
4:8 | 1:2 | 1:1 | 0 |
5:8 | 1:2 | 1:1 | 1 |
5:8 | 2:2 | 1:1 | 0 |
6:8 | 2:2 | 1:1 | 0 |
7:8 | 2:2 | 1:1 | 0 |
8:8 | 2:2 | 1:1 | Use ECMP when all interfaces have full traffic load |
Calculate Weights for Round-robin
You can only use whole numbers for the interface weights; no fractions or decimals are allowed.
To ensure an optimal distribution of connections, you might need to perform a calculation to know which whole-number weight to assign for each interface. Use a common multiplier so that the ratios of connections at each external interface is resolved to whole numbers.
Example
You have three Internet connections. One ISP gives you 6 Mbps, another ISP gives you 1.5 Mbps, and a third ISP gives you 768 Kbps. Convert the proportion to whole numbers:
- Convert the 768 Kbps to Mbps so that you use the same unit of measurement for all three lines. This is approximately .75 Mbps. Your three lines are rated at 6, 1.5, and .75 Mbps.
- Multiply each value by 100 to remove the decimals. Proportionally, these are equivalent: {6 : 1.5 : .75} is the same ratio as {600 : 150 : 75}.
- Find the greatest common divisor of the three numbers. In this case, 75 is the largest number that evenly divides all three numbers 600, 150, and 75.
- Divide each of the numbers by the greatest common divisor.
The results are 8, 2, and 1. This gives the whole-number weights used for the example.
For more information, go to Configure the Round-Robin Multi-WAN Method.
Interface Overflow
Use the Interface Overflow method when you want to restrict the maximum bandwidth that each external interface uses. When the bandwidth threshold is reached for an external interface, new connections use the next external interface in your list.
When you use the Interface Overflow multi-WAN configuration method, you select the order you want the Firebox to send traffic through external interfaces and configure each interface with a bandwidth threshold value. The Firebox starts to send traffic through the first external interface in its Interface Overflow configuration list. When the traffic through that interface reaches the bandwidth threshold you have set for that interface, the Firebox starts to send traffic to the next external interface you have configured in your Interface Overflow configuration list.
This multi-WAN configuration method allows the amount of traffic sent over each WAN interface to be restricted to a specified bandwidth limit. To determine bandwidth, the Firebox examines the amount of sent (TX) and received (RX) packets and uses the higher number. When you configure the interface bandwidth threshold for each interface, you must consider the needs of your network for this interface and set the threshold value based on these needs. For example, if your ISP is asymmetrical and you set your bandwidth threshold based on a large TX rate, interface overflow will not be triggered by a high RX rate.
If all WAN interfaces have reached their bandwidth limit, the Firebox uses the ECMP (Equal Cost Multi-Path Protocol) routing algorithm to find the best path.
For more information, go to Configure the Interface Overflow Multi-WAN Method.