How do I set up the Firebox for multi- WAN in round-robin order?

How do I set up the Firebox for multi-WAN in round-robin order?Fireware/MultiWANThis document applies to:Appliance Firebox X Core / Firebox X Core e-Series / Firebox X Peak /Firebox X Peak e-SeriesAppliance Software versions Fireware 8.3 / Fireware Pro 8.3Management Software versions WatchGuard System Manager 8.3IntroductionThe multi-WAN functionality of Fireware is designed to give the Firebox® administrator more control and greater efficiencywith a very large or high-traffic network. You can use Fireware® appliance software to configure up to fourFirebox interfaces as external or wide area network (WAN) interfaces. You can control the flow of traffic through multipleWAN interfaces to share the load of outgoing traffic.Fireware gives you the option to configure multiple external interfaces. This allows you to connect the Firebox tomore than one Internet Service Provider (ISP). When you configure multiple external interfaces, you have threeoptions to control which interface that outgoing packets use:Multi-WAN in round robin orderThis document explains how you can share the load of outgoing traffic among external interfaces through“round robin”. It works like this:- The first host, with IP address x.x.x.x, sends an HTTP request to the Internet. The packets in this session aresent through the lowest number external interface.- The second host, with IP address y.y.y.y, sends an HTTP request to the Internet. The packets in this sessionare sent through the external interface with the second higher number.- The third host, with IP address z.z.z.z, sends an HTTP request to the Internet. The packets in this session aresent through the lowest number external interface (if there are only two external interfaces configured) orthe third higher number external interface.As each host initiates a connection, the Firebox cycles through external interfaces using the pattern explainedabove.Multi-WAN failoverAnother option is failover, which allows you to configure additional external interfaces as backup if the primaryextrnal interface is down. For more information seehttps://www.watchguard.com/support/Fireware_Howto/83/HowTo_SetupWANFailover.pdfMulti-WAN with the routing tableIf you select this option, the Firebox uses the routes set in its internal routing table to send packets throught thecorrect external interface. For more information seehttps://www.watchguard.com/support/Fireware_Howto/83/HowTo_MultiWANroutingtable.pdfIs there anything I need to know before I start?As soon as you configure a second external interface, multiple WAN support is automatically enabled with Multi-WAN in round robin order set as the default.Note that:1

How do I set up the Firebox for multi-WAN in round-robin order?• If you have a policy configured with an individual external interface alias in its configuration, you must changethe configuration to use the alias “Any-External”.• If you use the multiple WAN feature, map your company’s Fully Qualified Domain Name to the external interfaceIP address of the lowest order. If you add a multi-WAN Firebox to your Management Server configuration, youmust add the Firebox using its lowest-ordered external interface to identify it.• You cannot use 1-to-1 NAT in a multiple WAN configuration. If you have a public SMTP server behind yourFirebox, you must set up a static NAT rule to allow access to your public SMTP e-mail server. Then, you can set upmultiple MX records, one for each external Firebox interface.• If you have a multiple WAN configuration, you cannot use the policy-based, dynamic NAT Set Source IP option.Use the Set Source IP option only when your Firebox uses a single external interface.• Multiple WAN support does not apply to branch office or Mobile User VPN traffic. Branch office and Mobile UserVPN traffic always uses the first external interface configured for the Firebox. RUVPN with PPTP operates correctlyin a multiple WAN configuration.• The multiple WAN feature is not supported in drop-in mode.Configure the Firebox for Multi-WAN in Round-Robin Order1 From Policy Manager, select Network > Configuration.The Network Configuration dialog box appears.2

How do I set up the Firebox for multi-WAN in round-robin order?2 Select the interface you want to configure as external and click Configure. Select External from the InterfaceType drop-down list to activate the dialog box. Type an interface name and description.You must have a minimum of two external network interfaces configured before you can see and configure multi-WAN settings.3 Type the IP address and default gateway for the interface. Click OK.When you type an IP address, type all the numbers and the periods. Do not use the TAB or arrow key.After you configure a second external interface, multiple WAN configuration options appear in the Network Configuration dialogbox.3

How do I set up the Firebox for multi-WAN in round-robin order?4 Make sure that Multi-WAN in round robin order is selected. This will send traffic sessions through the externalinterfaces in sequence.5 In the WAN Ping Address dialog box, double-click in the Ping Address column to add an IP address or domainname for each external interface. We recommend that you use the IP address of a computer external to yourorganization.When an external interface is active, the Firebox pings the IP address or domain name you set here each 20 seconds to see if theinterface is operating correctly. If there is no response after three pings, the Firebox starts to use the subsequent configured externalinterface. It then starts to ping the WAN ping address you set for that interface to check for connectivity.6 Click OK. Save your changes to the Firebox.Frequently Asked Questions About This ProcedureI have a public SMTP server behind my Firebox. Because the multi-WAN feature does not work with 1-to-1NAT, what do I do?Because you cannot use 1-to-1 NAT with the multi-WAN feature, you will have to set up a static NAT rule to allowaccess to your public SMTP e-mail server. Then, you must set up multiple MX records, one for each externalFirebox interface.Can I use round-robin for incoming connections?Yes. If you use multi-WAN in round-robin mode, it is possible to set up round-robin DNS with your DNS provider todo load-balancing among more than one external interface.Was this document helpful? Please send your feedback to faq@watchguard.com.SUPPORT:www.watchguard.com/supportU.S. and Canada +877.232.3531All Other Countries +1.206.613.04564COPYRIGHT © 2006 WatchGuard Technologies, Inc. All rights reserved.WatchGuard, the WatchGuard logo, Firebox, Core, and Fireware are registered trademarks or trademarks ofWatchGuard Technologies, Inc. in the United States and/or other countries.