Barracuda NG Firewall

Barracuda NG Firewall



5.4 5.2

 


How to Configure Multiple ISP Uplinks with Link Failover or Balancing

Last update: Friday, 15. Nov 2013

Nowadays, it is common to have multiple ISP uplinks and share the bandwidth between the links for redundancy and link balancing. The Barracuda NG Firewall can deliver traffic over every configured interface. Depending on the number of available lines, the Barracuda NG Firewall can perform line failover and line cycling across multiple connected ISPs.


This article describes how to configure line fallback and traffic balancing over two connected ISPs where the main ISP is connected through a static Internet connection and the backup line uses DHCP IP address assignment. To implement reliable and stable line fallback and balancing, it is essential to have a properly configured routing table. In scenarios with multiple ISP uplinks, it is highly recommended that you use source-based routing. Without source-based routing, IP packets may be sent to the Internet via the wrong ISP line.

In this article:

This article uses the following example settings.

ISPIP AddressGatewayNetwork Interface
ISP 162.99.0.6962.99.0.254port 3
ISP 2dynamically assigneddynamically assigneddhcp
ISP 1 (Static IP Assignment)

To set up an ISP with static IP address assignment, see How to Configure an ISP with Static IP.

ISP 2 (DHCP IP Assignment)

To set up an ISP with dynamic IP address assignment, see How to Configure an ISP with DHCP.

In a multiprovider setup, make sure that you enable the Own Routing Table, Use Assigned IP, Create Default Route, and Clone Routes settings. Note that some settings are only available by selecting Advanced View from the Configuration Mode menu in the left navigation pane. 

Routing Configuration

To guarantee a proper routing policy when using two ISPs that are connected to the Barracuda NG Firewall, you must have a properly configured routing table. The network routes for both providers are introduced when you configure the WAN uplinks as described in How to Configure an ISP with Static IP and How to Configure an ISP with DHCP.

In a multiprovider setup, additional source-based routes must be introduced. For additional information, see Source-Based Routing. In this scenario, you only need to add a source-based route for the ISP with static IP address assignment. During the setup for ISP 2 (DHCP), the required routes have already been introduced.

To configure a source-based route for ISP 1: 

  1. Open the Network page (Config > Full Config > Box > Network).
  2. From the Configuration menu in the left navigation pane, click Routing.
  3. Click Lock.
  4. In the Source Based Routing section, add a new source-based route with the following settings:
    • Source Networks: 62.99.0.0/24
    • Add a new route to the Routing Table Contents section:
      • Target Network Address: 62.99.0.0/24
      • Route Type: unicast
      • Gateway:62.99.0.254
      • Click OK.
    • Table Placement: postmain
    • Click OK.
  5. Click Send Changes and then click Activate.

Link Monitoring

The monitoring of WAN uplinks is typically realized by ICMP or LCP (dynamic links) probing of the provider gateway. WAN uplinks in the default configuration use this technique to determine if an uplink line is available. However, this method is not always reliable enough. Let's assume that an ISP has internal network issues and is currently not able to route customer's network traffic to the Internet. In this case, your ISP gateway may be reachable but traffic does not reach its destination in the Internet. Thus, your Barracuda NG Firewall recognizes this link as available and does not perform fallback. To prevent this case, Barracuda NG Firewalls are capable of monitoring any IP addresses beyond the ISP's gateway to verify if a connection to the Internet is available.

Configuration of link monitoring beyond the ISP gateway is done in the network routes configuration. The following steps must be completed for BOTH routes (default and source based):

  1. Open the route configuration page. Make sure that you switch to the advanced view mode.
  2. Add a target IP address to be used for monitoring into the Reachable IPs table.
  3. Click OK.
  4. Click Send Changes and then click Activate.
  5. Go to the Control > Box page and execute a network activation.

Fallback and Cycling

The configuration for fallback and line cycling is done through connection objects. Because firewall rules can use different connection objects, Barracuda NG Firewalls are capable of performing different connection policies for different types of network traffic.

The following example explains a firewall rule that allows traffic fallback for HTTP connections. HTTP and HTTPS traffic will be routed through ISP 1 by default. If the ISP 1 uplink fails, HTTP and HTTPS traffic is automatically routed through ISP 2.

Create a firewall rule for your network environment as described in How to Create a Pass Firewall Rule, and modify the Connection Method as described. 

  1. Open the Object Viewer and select the Connections tab.
  2. Right-click the table and select New Connection.
    1. Enter a Name for the new object. 
    2. From the NAT Address list, select From Interface.
    3. In the Interface Name field, enter the port that ISP 1 is connected to. In this example, ISP 1 is connected to port3.
    4. In the Failover and Load Balancing section, select FALLBACK from the Policy list.
    5. From the Alternative #1 list, select Interface and enter dhcp as the interface name.
    6. Click OK
  • Use this connection object as the Connection Method for the firewall rule.
    FallbackRuleObject.png

To perform cycling between both ISPs, select RAND or SEQ from the Policy list in the Failover and Load Balancing section of a connection object.

  • RAND (Randomize Source Address) randomly balances sessions between available uplinks. (E.g.: ISP1 - ISP2 - ISP2 - ISP1 - ISP2 - ISP2 - ...)
  • SEQ (Sequentially cycle Source Addresses) sequentially balances sessions between available uplinks. (E.g.: ISP1 - ISP1 - ISP2 - ISP1 - ISP2 - ISP1 - ...)

Configure Notification

You can use the eventing feature of the Barracuda NG Firewall to configure email notification or SNMP traps, in case of an ISP breakdown. ISP breakdowns are indicated by disabled or changed network routes in the NG Firewall's routing table. The according events are 62 (Route Changed) and 64 (Route Disabled). For a full list of available events, see Operational Events. Configure these events to send an email notification or trigger an SNMP trap. See Event Settings for details on how to configure email and SNMP notification.  


Feedback
If you have a technical issue with the product, please contact Barracuda Networks Technical Support. Did you find this article helpful: |