How do I configure multi-WAN in Routing Table mode?
Fireware/Multi-WAN
This document applies to:
Appliance Firebox X Core / Firebox X Core e-Series / Firebox X Peak /
Firebox X Peak e-Series
Appliance Software versions Fireware 8.3 / Fireware Pro 8.3
Management Software versions WatchGuard System Manager 8.3
Introduction
The multi-WAN functionality of Fireware is designed to give the Firebox administrator more control and greater efficiency with a very large or high-traffic network. You can use Fireware appliance software to configure up to four Firebox interfaces as external or wide area network (WAN) interfaces. This allows you to connect the Firebox to more than one Internet service provider (ISP). When you configure multiple external interfaces, you select one of three different methods the Firebox can use to route outgoing packets through the external interfaces:
Multi-WAN with the Routing Table option
When you select Routing Table for your multi-WAN configuration, the Firebox uses the routes in its internal route table, or routes it learns from dynamic routing processes, to send packets through the correct external interface. To see if a specific route exists for a packet's destination, the Firebox examines its route table from the top to the bottom of the list of routes. If the Firebox does not find a specific route, it uses the first default route in its route table. To see the internal route table on the Firebox, connect to Firebox System Manager and select the Status Report tab.
Multi-WAN in round robin order
If you select the round-robin option, you can share the load of outgoing traffic among external interfaces. For
more information see
https://www.watchguard.com/support/Fireware_Howto/83/HowTo_SetupMultiWAN.pdf
Multi-WAN failover
The WAN failover option allows you to configure additional external interfaces as backup if the primary external
interface is down. For more information see
https://www.watchguard.com/support/Fireware_Howto/83/HowTo_SetupWANFailover.pdf
Is there anything I need to know before I start?
Determine if the Routing Table method is correct for your network
You must decide if the Routing Table method is the correct multi-WAN method for your needs. Use it instead of the round-robin or WAN failover method when:
- You enable dynamic routing (RIP, OSPF, or BGP) and the routers on the external network advertise routes to the Firebox so that the Firebox can learn the best routes to external locations.
- There is an external site or external network that you must access through a specific route on an external network. Examples include:
  - You have a private circuit that uses a frame relay router on the external network.
  - Traffic to an external location should always go through a specific Firebox external interface.
You use the Routing Table option for multi-WAN in these cases to be sure that the Firebox uses static and dynamic
routes to the Internet without interference from the WAN failover and round-robin methods.
The Routing Table method is not for load balancing outbound connections
It is important to note that the Routing Table option does not load balance connections to the Internet. The Firebox
reads its internal route table from top to bottom. Static and dynamic routes that specify a destination appear at the
top of the route table and take precedence over default routes. (A default route is a route with destination 0.0.0.0/0).
If there is no specific dynamic or static entry in the Firebox route table for a destination, the traffic to that destination
uses the first default route. When the Firebox first starts up, the preferred default route is the one through the highest-numbered external interface, but this can change as WAN interfaces lose physical link state or gain link state again, or when the
connectivity health check determines a WAN link is not available. When the Firebox determines that traffic cannot
reach the Internet through an external interface, the Firebox puts the default route for that interface at the bottom of
its internal route table. When the physical link to the Ethernet port is lost, the Firebox removes from its route table all
routes that use that interface.
How the Routing Table method handles outgoing traffic when there is more than one default route
Traffic that comes from a trusted or optional network and goes to the external network uses a default route when the
destination does not match a more specific route in the Firebox routing table.
When you select the Routing Table option as the method for multi-WAN, the Firebox puts multiple default routes in
its route table. It makes one default route for each external interface. It is important to understand which of these
default routes the Firebox uses when there is more than one external interface.
Traffic going to the external network uses the default route listed closest to the top of the list in the Firebox route
table if it does not match a more specific route. You must connect to Firebox System Manager and select the Status
Report tab to see which default route comes first in the routing table. For more information about how the Firebox
determines which default route comes first in its routing table, see the Frequently Asked Questions section at the end
of this document.
Other Considerations
- If you have a policy configured with an individual external interface alias in its configuration, you must change the configuration to use the alias Any-External when you enable multi-WAN.
- If you have a multiple WAN configuration, you cannot use the dynamic NAT Set Source IP option on the Advanced tab of a policy in Policy Manager. Use the Set Source IP option in your policies only when your Firebox uses a single external interface.
- The multiple WAN feature is not supported in drop-in mode.
Configuring the Firebox to use the Routing Table method for Multi-WAN
1 From Policy Manager, select Network > Configuration.
  The Network Configuration dialog box appears.
2 Select the interface and click Configure. Select External from the Interface Type drop-down list to activate the dialog box. Type an interface name and description.
  You must have a minimum of two external network interfaces before the multi-WAN settings become available.
3 Type the IP address and default gateway for the interface. Click OK.
  When you type an IP address, type all the numbers and the periods. Do not use the TAB or arrow key.
  After you configure a second external interface, multiple WAN configuration options appear in the Network Configuration dialog box.
4 Select Routing table to enable the Firebox to use the routes in its internal route table to send packets through the correct external interface.
5 In the WAN Ping Address dialog box, double-click in the Ping Address column to add an IP address or domain name for each external interface. We recommend that you use a host that has a public presence on the Internet, and one that you expect will always reply to pings, such as a prominent web site or a public DNS server. We do not recommend that you select this interface's default gateway. Select a host that is more distant from your network to get a more robust test of connectivity.
  When an external interface is active, the Firebox pings the IP address or domain name you set here every 20 seconds to see if the interface is operating correctly. If there is no response after three pings, the Firebox starts to use the next configured external interface. It continues to ping the WAN ping address you set for that interface to check for connectivity.
6 Click OK. Save the configuration file to the Firebox.
Frequently Asked Questions About This Procedure
How do I see the route table on the Firebox?
From WatchGuard System Manager, open your Firebox System Manager and select the Status Report tab. Scroll
down until you see Kernel IP routing table. This shows the internal route table on the Firebox.
What happens if an external interface goes down and comes back up again?
When the Firebox sees that an external interface is active and it previously was not active, it moves the default
route for that interface to the top of the list of default routes. Because the Firebox reads default routes from top to
bottom, this means that the last interface to become active is the interface with the preferred default route. For
traffic that does not match a more specific route, the last default interface route added shows the preferred
external interface.
What is the difference between physical link failure and failure because a WAN ping target is unresponsive?
The main difference is how long the Firebox takes to update its route table:
- If a WAN Ping target is no longer responsive, it can take from 40 seconds to 60 seconds for the Firebox to
update its route table.
- If the same WAN Ping target becomes responsive again, it may take from 0 to 60 seconds for the Firebox to
update its route table.
- If the Firebox detects a physical disconnect of the Ethernet port, it updates its route table immediately.
- When the Firebox detects the Ethernet connection is back up, it updates its route table within 20 seconds.
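To see where the 40 to 60 second figure comes from, here is an added example (not WatchGuard code) that models the WAN ping check as step 5 of the procedure and this answer describe it: one ping every 20 seconds, and three unanswered pings mark the interface down. It assumes the interface is marked up again on the first answered ping, which the document does not state (it only gives 0 to 60 seconds for recovery); the interface name and the outage timeline are constructed.

```python
from dataclasses import dataclass, field

PING_INTERVAL = 20       # seconds between pings on an active external interface (from the text)
FAILS_TO_MARK_DOWN = 3   # "no response after three pings" (from the text)


@dataclass
class WanHealthCheck:
    """Per-interface state of the connectivity health check (constructed model)."""
    iface: str
    up: bool = True
    misses: int = 0
    events: list = field(default_factory=list)   # (time in seconds, "down" | "up")

    def on_ping_result(self, t, answered):
        if answered:
            self.misses = 0
            if not self.up:                      # assumption: one reply restores the link
                self.up = True
                self.events.append((t, "up"))
        else:
            self.misses += 1
            if self.up and self.misses >= FAILS_TO_MARK_DOWN:
                self.up = False
                self.events.append((t, "down"))


def run_check(iface, reachable, duration, first_ping_at=0):
    """Send a ping every PING_INTERVAL seconds from first_ping_at to duration.

    reachable(t) -> bool is the constructed ground truth about the ping target.
    Returns the list of state-change events the check would record."""
    hc = WanHealthCheck(iface)
    t = first_ping_at
    while t <= duration:
        hc.on_ping_result(t, reachable(t))
        t += PING_INTERVAL
    return hc.events


def detection_delay(outage_start, outage_end=float("inf")):
    """Seconds between the target going silent and the third unanswered ping."""
    events = run_check("eth2", lambda t: not (outage_start <= t < outage_end), outage_start + 200)
    downs = [t for t, kind in events if kind == "down"]
    return downs[0] - outage_start if downs else None


def detection_delay_bounds():
    """Best and worst case over every possible outage start within one ping interval.

    An outage that begins exactly when a ping is sent is seen by that ping and the
    next two (40 s); one that begins just after a ping waits almost a full extra
    interval (up to 60 s). This is the 40 to 60 second range the document quotes."""
    delays = [detection_delay(s) for s in range(PING_INTERVAL)]
    return min(delays), max(delays)


if __name__ == "__main__":
    # Constructed timeline: target unreachable from t=30 s to t=95 s.
    print(run_check("eth2", lambda t: not (30 <= t < 95), 200))
    print(detection_delay_bounds())
```

The events returned by `run_check` are what a defender would compare against the route-table changes in the Status Report: the interface is only marked down at the third miss, so a target that answers intermittently (for example one that rate-limits ICMP) can keep a degraded link in service, which is why the procedure recommends a stable, distant public host rather than the default gateway.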
Does the Firebox read its route table when I use Round Robin or WAN Failover for the multi-WAN method?
The Firebox always maintains an internal route table. However, when you select Round Robin or WAN Failover as
the multi-WAN method, those methods for sending traffic to the Internet take precedence and it is possible that
routes to specific locations on the external network can be ignored.
SUPPORT:
www.watchguard.com/support
U.S. and Canada +877.232.3531
All Other Countries +1.206.613.0456
COPYRIGHT 2006 WatchGuard Technologies, Inc. All rights reserved.
WatchGuard, the WatchGuard logo, Firebox, Core, and Fireware are registered trademarks or trademarks of
WatchGuard Technologies, Inc. in the United States and/or other countries.
Was this document helpful? Please send your feedback to faq@watchguard.com.

Where do the routes in the Firebox route table come from?
Routes in the internal route table on the Firebox include:
- The routes the Firebox learns from dynamic routing processes running on the Firebox (RIP, OSPF, and BGP) if
you enable dynamic routing.
- The permanent network routes or host routes you add to Policy Manager at Network > Routes.
- The routes the Firebox automatically makes when it reads the network configuration information from
Policy Manager at Network > Configuration.
I use dynamic routing (RIP, OSPF, or BGP) but only for interior routes. Should I use the Routing Table method for multi-WAN?
It is not necessary to use the Routing Table method for multi-WAN if you do not use dynamic routing to share
route information with routers on the external network. The round-robin and WAN failover methods interfere only
with routes that use a gateway located on an external network. Routes that use a gateway on an internal (optional
or trusted) network are not affected by the multi-WAN method you select.
How does the Firebox determine which default route to put at the top?
When an external interface becomes active, the Firebox puts a default route for that external interface at the top
of the list of default routes. This means that the last external interface to become active is the interface with the
preferred default route.
Thus, traffic going to the external network uses the external interface that became active last if the traffic does not
match a more specific route to its destination. (A more specific route can be a route that the Firebox learns from a
dynamic routing process, or a static route in Policy Manager at Network > Routes.)
When the Firebox starts up, the startup process activates Ethernet interfaces starting with the lowest numbered
interface eth0. Then it activates the next-highest numbered interface eth1, and then eth2, and so on. Thus after
initial startup, the default route associated with the highest numbered external interface is the preferred default
route.
If an external interface whose default route is not at the top of the list of default routes becomes inactive, this
event does not change the order of the preferred default route. However when that external interface becomes
active again, the default route for that interface goes to the top of the list of default routes. It becomes the
preferred interface for all outgoing connections that do not match a more specific route to the external network.
What happens to a dynamic or static route to the external network when the external interface for that route is inactive?
When the Firebox detects that an external interface is down, it removes any static or dynamic routes that use that
interface. This is true if the WAN Ping target becomes unresponsive and if the physical Ethernet link is down.
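The ordering rules in this answer, in the answer "How does the Firebox determine which default route to put at the top?", and in the earlier section "The Routing Table method is not for load balancing outbound connections" can be followed in a small model. The code below is an added example written for this page, not WatchGuard code; it does not read a real Firebox route table, and the interface names, the gateway addresses (RFC 5737 documentation ranges), the event names, and the longest-prefix ordering among specific routes are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

DEFAULT_NET = ipaddress.ip_network("0.0.0.0/0")   # a default route has destination 0.0.0.0/0


@dataclass
class Route:
    dest: ipaddress.IPv4Network
    gateway: str
    iface: str
    kind: str            # "static", "dynamic" or "default"


@dataclass
class FireboxRouteTable:
    """Constructed model of the route table behaviour the document describes."""
    # Specific (static/dynamic) routes sit above the default routes and are read
    # first; the order of the default routes decides the preferred external interface.
    specific: list = field(default_factory=list)
    defaults: list = field(default_factory=list)

    def startup(self, externals):
        # Startup activates interfaces from the lowest number upward, so the
        # highest-numbered external interface ends up with the top default route.
        for iface in sorted(externals, key=lambda n: int(n[3:])):
            self.interface_up(iface, externals[iface])

    def interface_up(self, iface, gateway):
        # A newly (re)activated external interface gets its default route placed
        # at the top of the list of default routes.
        self.defaults = [r for r in self.defaults if r.iface != iface]
        self.defaults.insert(0, Route(DEFAULT_NET, gateway, iface, "default"))

    def add_specific(self, cidr, gateway, iface, kind="static"):
        # Assumption: among specific routes the longest prefix is listed first, so
        # reading top to bottom returns the most specific match.
        self.specific.append(Route(ipaddress.ip_network(cidr), gateway, iface, kind))
        self.specific.sort(key=lambda r: r.dest.prefixlen, reverse=True)

    def ping_target_failed(self, iface):
        # WAN ping target unresponsive: the interface's default route moves to the
        # bottom and its static/dynamic routes are removed. If that interface was
        # not on top, the preferred default route does not change.
        self.specific = [r for r in self.specific if r.iface != iface]
        moved = [r for r in self.defaults if r.iface == iface]
        self.defaults = [r for r in self.defaults if r.iface != iface] + moved

    def link_lost(self, iface):
        # Physical link loss: every route that uses the interface is removed.
        self.specific = [r for r in self.specific if r.iface != iface]
        self.defaults = [r for r in self.defaults if r.iface != iface]

    def default_order(self):
        return [r.iface for r in self.defaults]

    def lookup(self, dest_ip):
        # Read top to bottom: first matching specific route, otherwise the first default.
        addr = ipaddress.ip_address(dest_ip)
        for r in self.specific:
            if addr in r.dest:
                return r
        return self.defaults[0] if self.defaults else None


def demo():
    """Walk through the events in the text; returns the egress interface after each step."""
    t = FireboxRouteTable()
    t.startup({"eth1": "203.0.113.1", "eth2": "198.51.100.1", "eth3": "192.0.2.1"})
    t.add_specific("10.50.0.0/16", "203.0.113.254", "eth1")   # private circuit reached via eth1
    distant_host = "198.18.0.10"                               # constructed public destination
    steps = {"after startup": t.lookup(distant_host).iface}
    t.ping_target_failed("eth3")
    steps["eth3 ping target fails"] = t.lookup(distant_host).iface
    t.ping_target_failed("eth1")
    steps["eth1 ping target fails, static route removed"] = t.lookup("10.50.1.7").iface
    t.interface_up("eth1", "203.0.113.1")
    steps["eth1 active again"] = t.lookup(distant_host).iface
    return steps


if __name__ == "__main__":
    for step, iface in demo().items():
        print(f"{step}: traffic leaves via {iface}")
```

Two points the walk-through makes concrete: the private-circuit traffic silently falls back to a default route once eth1's health check fails, so a route that must never use another ISP needs monitoring of its own, and an interface that recovers takes the top position regardless of which interface was preferred before.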