

Dual WAN Router

Posted on 2011-03-02
Medium Priority
Last Modified: 2012-06-27

We are putting in dual connections into a new office.  A fiber and T1 line.  We would like to use the T1 line as a fail over from the fiber connection.   There will be 15 VPN connections to other offices and we need to assure these will also fail over when the WAN connection shifts.

We were looking at a Juniper SSG 140. Will this router support this configuration correctly? Any recommendations on other routers with dual WAN functionality.

We are a Juniper office and would like to keep with Juniper unless there is a compelling reason to switch.

Thank you.

Question by:networkadmin

Expert Comment

ID: 35022392
We have had success with the Ecessa PowerLink Pro series - it supports up to 15 WANs and does a good job with load-balancing and failover.



Expert Comment

ID: 35022461
Get a SonicWALL TZ firewall with an optional port that can be configured however you want. It's the cheapest, most effective solution and if your needs change then you can set the optional to some other purpose like VLAN, LAN2, WAN2 or whatever.

LVL 24

Expert Comment

ID: 35023409
>We were looking at a Juniper SSG 140. Will this router support this configuration correctly? Any recommendations on other routers with dual WAN functionality

not with a click of a button; to properly fail over ISPs, you will need some type of SLA monitoring that can send ICMP to your ISP default gateway (This will detect RIB/Routing failures); dual default routes that one will track the primary sla monitor (Physical and VPN Tunnel). It can get really hairy if you have not completed the config before.

The link should have everything that you need for info


LVL 33

Expert Comment

ID: 35024365
to expound on Billy's comment from the sonicwall perspective, 15 site to site vpn connections is a lot of IPSEC processing. i'd certainly recommend an NSA series starting at the 2400. this is more to raise the concern of the processing needed to encrypt/decrypt 15 vpn connections worth of traffic than it is to push a sonicwall appliance.

regarding the failover, i know that the sonicwall can handle failover and it uses active probing to confirm a down connection. the sonicwall allows me to put in two destination public IP addresses. so, if i have failover at both ends and i've specified the two public IP addresses, the sonicwall is going to try one and then the other to establish the vpn. if i have only failover at one end, then i have both public IPs specified in the SA. if the failover end...well, fails over, the other end will try the first public IP and if that fails, it will try the other. OR, the failover side will try to raise the VPN and the other end will allow the failed over public IP to connect with the secondary public IP.

make sense?

@Billy :: looking at the PDF you provided, it looks like the juniper has a configuration for this as well.
LVL 11

Expert Comment

by:Pieter Jordaan
ID: 35025693

pfSense is free, and way better than anything you can buy.
I replaced all our Cisco devices with pfSense machines.
The fail-over works really well.

Install it on an old workstation with three network cards.
The web interface is really easy to configure. You can buy the book on amazon for version 1.2.3. There is no book yet for version 2 which was released two days ago.



Author Comment

ID: 35029487
We have tested NSA 240's in the past for other applications but have not used the WAN fail-over.  Do you think the NSA 240 is a better product than the Juniper SSG 140?  I have had really good luck with Juniper devices in the past.

LVL 33

Expert Comment

ID: 35029553
i'm using the NSA 240 currently for WAN failover and not having challenges with it. actually, i'm performing load balance with spillover. i'm going to be biased though as i've never used a juniper. i hear a lot of good things about them. the only appliance i'd recommend you stay away from like the plague is watchguard. i've used that hardware and can say without a doubt, that i'd rather chew my arms off than have to work on one of them.

Author Comment

ID: 35053850
Will both the WAN1 and WAN2 VPNs on the NSA 240 be connected at all times, or when WAN1 goes down will the WAN2 VPNs negotiate and start tunneling traffic?

How long will the fail-over take on the NSA 240?

Tempted to try one out as we have heard positive things about them from multiple people.

Any advice would be nice on the NSA 240.

Thank you.

LVL 33

Accepted Solution

digitap earned 2000 total points
ID: 35055994
no, only one will connect at a time. if the interface goes down or loses connectivity, then the sonicwall will failover to the secondary WAN connection. once the failover settles in, then the sonicwall will try to connect on the primary IP configured on the SA. if that fails to establish a connection, it will move to the secondary IP.

failover will depend on how the failover is configured. you can configure a probe to examine if the connection is up. it pings an external source and if the source doesn't respond, it goes into a failover state. i believe your users ARE going to see a drop in connectivity.

when setting up the SA policies on the sonicwall, i'd make sure to enable the keep alive which is on the last tab. when the failover occurs, this enabled feature will force the sonicwall to try and bring up the tunnel. normally, the tunnel will only come up if traffic tries to go across the tunnel or if the other end starts negotiating. this will ensure that the tunnel comes up as quickly as possible.

here is a KB on configuring failover:

if you wanted a look at the firmware before purchasing, here is a link to the 240 online demo:


be aware that a lot of the features are enabled due to all the licenses being available on a demo unit. this will at least let you poke around in the failover area.

hope that helps!
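
A small model of the probe-driven failover and the primary-then-secondary peer selection described in the accepted answer, added here as an illustration; it is not SonicWALL or Juniper code. The thresholds, the failback behaviour, the probe trace and the documentation-range peer addresses are all assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class FailoverMonitor:
    # Assumed thresholds: consecutive probe results needed to change state.
    fail_threshold: int = 3
    recover_threshold: int = 5
    active: str = "WAN1"
    lost: int = 0
    good: int = 0
    events: list = field(default_factory=list)

    def observe(self, tick, wan1_probe_ok):
        """Record one probe result for the primary link; return the active WAN."""
        if wan1_probe_ok:
            self.good, self.lost = self.good + 1, 0
        else:
            self.good, self.lost = 0, self.lost + 1
        if self.active == "WAN1" and self.lost >= self.fail_threshold:
            self.active = "WAN2"
            self.events.append((tick, "failover to WAN2"))
        elif self.active == "WAN2" and self.good >= self.recover_threshold:
            self.active = "WAN1"
            self.events.append((tick, "failback to WAN1"))
        return self.active

def select_peer(peers, reachable):
    """Try the tunnel's peer addresses in configured order, primary first."""
    return next((ip for ip in peers if ip in reachable), None)

def run(probes, fail_threshold=3, recover_threshold=5):
    """Replay a probe trace and return the list of (tick, transition) events."""
    mon = FailoverMonitor(fail_threshold, recover_threshold)
    for tick, ok in enumerate(probes):
        mon.observe(tick, bool(ok))
    return mon.events

# Constructed probe trace for the primary link: 1 = reply, 0 = lost.
TRACE = [1, 1, 0, 1, 0, 0, 0, 0, 0, 1, 0, 1, 1, 1, 1, 1, 1]
# Constructed peer list (documentation ranges): fiber address, then T1 address.
PEERS = ["203.0.113.10", "198.51.100.10"]

if __name__ == "__main__":
    print(run(TRACE))                             # damped: one failover, one failback
    print(len(run(TRACE, 1, 1)), "transitions")   # undamped: every blip flaps the tunnels
    print(select_peer(PEERS, {"198.51.100.10"}))  # primary dead -> secondary peer
```

With a threshold of one probe, the same trace produces six WAN transitions instead of two, and each transition forces all 15 tunnels to renegotiate.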


Question has a verified solution.
