WatchGuard Fireware Pro lets you load balance multiple WAN connections using several failover/multi-WAN settings.

The multi-WAN modes are round-robin, failover, interface overflow and routing table. Let’s dig a little into what these mean:

Round robin
The Firebox uses the average of sent (TX) and received (RX) traffic to balance the traffic load across all external interfaces you specify in your round-robin configuration. By default the weighting of each interface is 1 (equal). If you open HostWatch you should see all outbound connections nicely distributed over x interfaces.

Failover
When you use failover mode you allocate one interface as your primary and the others become backups; think active/passive. When the primary line fails, the Firebox sends all traffic to the next external interface in the configuration whilst continually monitoring the primary line. When the primary interface is back up, the Firebox automatically falls back to using it.

Interface Overflow
As the name suggests, this mode uses a single interface until traffic reaches a set threshold. When that condition is met, it starts using the next external interface in the configuration. If the first interface fails without overflowing, it will fail over to the next interface, which places this mode nicely between failover and round robin.

Routing Table
This method requires more consideration. The Firebox uses its internal routing table, or routes it gets from dynamic routing processes, to send packets through a specified external interface. If no route is found, it selects the route to use based on hash values of the packet's source and destination IP addresses, using ECMP (RFC 2992).

Link monitor
So, how does this magic happen? The Firebox uses a feature called Link Monitor to assess whether an interface is down. You can use a ping to an IP/domain name and/or a TCP test to an IP/domain name on a particular port. The settings of real interest are the probe interval, deactivate after and reactivate after.

[Screenshot: Multi-WAN settings]

The scenario
Firebox X550e running Fireware 11.3.1
3 ADSL WAN links, 1 trusted interface to the LAN
Computer sitting on the Eclipse interface

The test
Ping www.google.com, pull the network cable for Eclipse and see what happens.

The Results
I was quite surprised at just how well this performed. When physically removing the cable I didn’t drop 1 ping.

[Screenshot: Ping test]

In the real world you would expect to see a delay and some timeouts due to the settings you use in Link Monitor. When the cable is physically removed, the interface immediately changes to failed mode, which overrides the Link Monitor settings (quite rightly so).
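
The delay described above can be estimated with a small model of Link Monitor. This is an added example, not WatchGuard code: it assumes "deactivate after" and "reactivate after" count consecutive failed and successful probes, and the function names, the `carrier_lost_at` parameter and the sample values are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class LinkMonitor:
    probe_interval: int    # seconds between probes
    deactivate_after: int  # consecutive failed probes before the link is marked failed
    reactivate_after: int  # consecutive successful probes before it is marked active

def detection_window(cfg):
    """Seconds from the last good probe to the probe that marks the link failed
    (per-probe timeout is ignored in this model)."""
    return cfg.probe_interval * cfg.deactivate_after

def simulate(cfg, probes, carrier_lost_at=None):
    """Replay probe results (True = reply received) and return state changes.

    probes[i] is the result of the probe sent at t = i * probe_interval.
    carrier_lost_at models pulling the cable: the interface is marked failed
    at that moment, bypassing the probe counters (assumption from the test above).
    Returns a list of (time_in_seconds, new_state) tuples.
    """
    state, fails, oks, events = "active", 0, 0, []
    for i, ok in enumerate(probes):
        t = i * cfg.probe_interval
        if carrier_lost_at is not None and carrier_lost_at <= t:
            if state == "active":
                state = "failed"
                events.append((carrier_lost_at, state))
            carrier_lost_at = None  # handled once
            fails = oks = 0
        if ok:
            oks, fails = oks + 1, 0
        else:
            fails, oks = fails + 1, 0
        if state == "active" and fails >= cfg.deactivate_after:
            state = "failed"
            events.append((t, state))
        elif state == "failed" and oks >= cfg.reactivate_after:
            state = "active"
            events.append((t, state))
    return events

if __name__ == "__main__":
    cfg = LinkMonitor(probe_interval=15, deactivate_after=3, reactivate_after=3)  # constructed values
    upstream_outage = [True, True, False, False, False, False, True, True, True, True]
    print("upstream outage:", simulate(cfg, upstream_outage))
    print("cable pulled at t=20:", simulate(cfg, [True, True, False, False, False], carrier_lost_at=20))
```

With these sample values an upstream outage that leaves the physical link up is only acted on after three missed probes, which is where the expected timeouts come from; a pulled cable is registered at once.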