I have an EdgeRouter Pro that I am setting up for dual wan with failover.
PrimaryISP should be used always when it is working - DHCP (192.168.200.0/24 network in test environment)
SecondaryISP should only be used if primary ISP is down - Static IP (192.168.10.0/24 network in test environment)
Everything worked fine when DHCP was set for both of them in testing. However when I set a static Ip on SecondaryISP the internet would not work on that connection. I figured that one out by setting a static route and that works. Here is the problem:
1. PrimaryISP goes down
2. Fails over to SecondaryISP as planned
3. PrimaryISP comes back up
4. Connection does not revert back to PrimaryISP ever unless I physically disconnect the cable of secondaryISP
If I check the load-balance watchdog it says that secondaryISP is set to failover only however that's not what is actually happening. It seems to just stay at whatever the last good connection was.
firewall {
all-ping enable
broadcast-ping disable
group {
network-group PRIVATE_NETS {
network 192.168.0.0/16
network 172.16.0.0/12
network 10.0.0.0/8
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians disable
modify balance {
rule 10 {
action modify
description "do NOT load balance lan to lan"
destination {
group {
network-group PRIVATE_NETS
}
}
modify {
table main
}
}
rule 20 {
action modify
description "do NOT load balance destination public address"
destination {
group {
address-group ADDRv4_eth0
}
}
modify {
table main
}
}
rule 30 {
action modify
description "do NOT load balance destination public address"
destination {
group {
address-group ADDRv4_eth1
}
}
modify {
table main
}
}
rule 100 {
action modify
modify {
lb-group G
}
}
}
name WAN_IN {
default-action drop
description "WAN to internal"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
name WAN_LOCAL {
default-action drop
description "WAN to router"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
rule 21 {
action accept
description "Remote access to router"
destination {
port 22,80,443
}
log disable
protocol tcp
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
address dhcp
description "Primary WAN - PrimaryISP"
duplex auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
speed auto
}
ethernet eth1 {
address 192.168.10.18/24
description "Backup WAN - SecondaryISP"
duplex auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
speed auto
}
ethernet eth2 {
address 192.168.1.1/24
description "Vlan 5 - PBX Network"
duplex auto
firewall {
in {
modify balance
}
}
speed auto
}
ethernet eth3 {
address 10.1.136.2/24
description "Vlan 1 - Data"
duplex auto
speed auto
}
ethernet eth4 {
duplex auto
speed auto
}
ethernet eth5 {
duplex auto
speed auto
}
ethernet eth6 {
duplex auto
speed auto
}
ethernet eth7 {
duplex auto
speed auto
}
loopback lo {
}
}
load-balance {
group G {
interface eth0 {
}
interface eth1 {
failover-only
}
lb-local enable
}
}
protocols {
static {
route 0.0.0.0/0 {
next-hop 192.168.10.1 {
description SecondaryISP
distance 50
}
next-hop 192.168.200.1 {
description PrimaryISP
distance 2
}
}
}
}
service {
dhcp-server {
disabled false
hostfile-update disable
shared-network-name DataLAN {
authoritative disable
subnet 10.1.136.0/24 {
default-router 10.1.136.2
dns-server 8.8.8.8
dns-server 8.8.4.4
lease 86400
start 10.1.136.74 {
stop 10.1.136.98
}
}
}
shared-network-name LAN {
authoritative enable
subnet 192.168.1.0/24 {
default-router 192.168.1.1
dns-server 192.168.1.1
lease 86400
start 192.168.1.38 {
stop 192.168.1.243
}
}
}
use-dnsmasq disable
}
dns {
forwarding {
cache-size 150
listen-on eth2
}
}
gui {
http-port 80
https-port 443
older-ciphers enable
}
nat {
rule 5000 {
description "masquerade for WAN"
outbound-interface eth0
type masquerade
}
rule 5002 {
description "masquerade for WAN 2"
outbound-interface eth1
type masquerade
}
}
ssh {
port 22
protocol-version v2
}
}
system {
conntrack {
expect-table-size 4096
hash-size 4096
table-size 32768
tcp {
half-open-connections 512
loose enable
max-retrans 3
}
}
host-name ubnt
login {
user admin {
authentication {
encrypted-password ****************
}
level admin
}
}
name-server 8.8.8.8
name-server 8.8.4.4
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone UTC
traffic-analysis {
dpi enable
export enable
}
}