How do I configure multi-WAN in Routing Table mode?

How do I configure multi-WAN inRouting Table mode?Fireware/Multi-WANThis document applies to:Appliance Firebox X Core / Firebox X Core e-Series / Firebox X Peak /Firebox X Peak e-SeriesAppliance Software versions Fireware 8.3 / Fireware Pro 8.3Management Software versions WatchGuard System Manager 8.3IntroductionThe multi-WAN functionality of Fireware is designed to give the Firebox® administrator more control and greater efficiencywith a very large or high-traffic network. You can use Fireware® appliance software to configure up to fourFirebox interfaces as external or wide area network (WAN) interfaces. This allows you to connect the Firebox to morethan one Internet service provider (ISP). When you configure multiple external interfaces, you select one of three differentmethods the Firebox can use to route outgoing packets through the external interfaces:Multi-WAN with the Routing Table optionWhen you select Routing Table for your multi-WAN configuration, the Firebox uses the routes in its internal routetable or routes it gets from dynamic routing processes to send packets through the correct external interface. Tosee if a specific route exists for a packet’s destination, the Firebox examines its route table from the top to thebottom of the list of routes. If the Firebox does not find a specified route, it uses the first default route in its routetable. To see the internal route table on the Firebox, connect to Firebox System Manager and select the StatusReport tab.Multi-WAN in round robin orderIf you select the round-robin option, you can share the load of outgoing traffic among external interfaces. Formore information seehttps://www.watchguard.com/support/Fireware_Howto/83/HowTo_SetupMultiWAN.pdfMulti-WAN failoverThe WAN failover option allows you to configure additional external interfaces as backup if the primary externalinterface is down. For more information seehttps://www.watchguard.com/support/Fireware_Howto/83/HowTo_SetupWANFailover.pdfIs there anything I need to know before I start?Determine if the Routing Table method is correct for your networkYou must decide if the Routing Table method is the correct multi-WAN method for your needs. You should use it asan alternative to the round-robin or the WAN failover method because:• You enable dynamic routing (RIP, OSPF, or BGP) and the routers on the external network advertise routes to theFirebox so that the Firebox can learn the best routes to external locations.1

How do I configure multi-WAN in Routing Table mode?• There is an external site or external network that you must access through a specific route on an externalnetwork. Examples include:- You have a private circuit that uses a frame relay router on the external network.- Traffic to an external location should always go through a specific Firebox external interface.You use the Routing Table option for multi-WAN in these cases to be sure that the Firebox uses static and dynamicroutes to the Internet without interference from the WAN failover and round-robin methods.The Routing Table method is not for load balancing outbound connectionsIt is important to note that the Routing Table option does not load balance connections to the Internet. The Fireboxreads its internal route table from top to bottom. Static and dynamic routes that specify a destination appear at thetop of the route table and take precedence over default routes. (A default route is a route with destination 0.0.0.0/0).If there is no specific dynamic or static entry in the Firebox route table for a destination, the traffic to that destinationuses the first default route. When the Firebox first starts up, the preferred default route is the one through the highestnumber interface, but this can change as WAN interfaces lose physical link state or gain link state again, or when theconnectivity health check determines a WAN link is not available. When the Firebox determines that traffic cannotreach the Internet through an external interface, the Firebox puts the default route for that interface at the bottom ofits internal route table. When the physical link to the Ethernet port is lost, the Firebox removes from its route table allroutes that use that interface.How the Routing Table method handles outgoing traffic when there is more than one defaultrouteTraffic that comes from a trusted or optional network and goes to the external network uses a default route when thedestination does not match a more specific route in the Firebox routing table.When you select the Routing Table option as the method for multi-WAN, the Firebox puts multiple default routes inits route table. It makes one default route for each external interface. It is important to understand which of thesedefault routes the Firebox uses when there is more than one external interface.Traffic going to the external network uses the default route listed closest to the top of the list in the Firebox routetable if it does not match a more specific route. You must connect to Firebox System Manager and select the StatusReport tab to see which default route comes first in the routing table. For more information about how the Fireboxdetermines which default route comes first in its routing table, see the Frequently Asked Questions section at the endof this document.Other Considerations• If you have a policy configured with an individual external interface alias in its configuration, you must changethe configuration to use the alias “Any-External” when you enable multi-WAN.• If you have a multiple WAN configuration, you cannot use the dynamic NAT Set Source IP option on theAdvanced tab of a policy in Policy Manager. Use the Set Source IP option in your policies only when your Fireboxuses a single external interface.• The multiple WAN feature is not supported in drop-in mode.2

How do I configure multi-WAN in Routing Table mode?Configuring the Firebox to use the Routing Table method for Multi-WAN1 From Policy Manager, select Network > Configuration.The Network Configuration dialog box appears.2 Select the interface and click Configure. Select External from the Interface Type drop-down list to activate thedialog box. Type an interface name and description.You must have a minimum of two external network interfaces before the multi-WAN settings become available.3

How do I configure multi-WAN in Routing Table mode?Frequently Asked Questions About This ProcedureHow do I see the route table on the Firebox?From WatchGuard System Manager, open your Firebox System Manager and select the Status Report tab. Scrolldown until you see Kernel IP routing table. This shows the internal route table on the Firebox.What happens if an external interface goes down and comes back up again?When the Firebox sees that an external interface is active and it previously was not active, it moves the defaultroute for that interface to the top of the list of default routes. Because the Firebox reads default routes from top tobottom, this means that the last interface to become active is the interface with the preferred default route. Fortraffic that does not match a more specific route, the last default interface route added shows the preferredexternal interface.What is the difference between physical link failure and failure because a WAN ping target is unresponsive?The main difference is how long the Firebox takes to update its route table:- If a WAN Ping target is no longer responsive, it can take from 40 seconds to 60 seconds for the Firebox toupdate its route table.- If the same WAN Ping target becomes responsive again, it may take from 0 to 60 seconds for the Firebox toupdate its route table.- If the Firebox detects a physical disconnect of the Ethernet port, it updates its route table immediately.- When the Firebox detects the Ethernet connection is back up, it updates its route table within 20 seconds.Does the Firebox read its route table when I use Round Robin or WAN Failover for the multi-WAN method?The Firebox always maintains an internal route table. However, when you select Round Robin or WAN Failover asthe multi-WAN method, those methods for sending traffic to the Internet take precedence and it is possible thatroutes to specific locations on the external network can be ignored.5