Dual WAN Router


We are putting dual connections into a new office: a fiber line and a T1 line. We would like to use the T1 line as a fail over from the fiber connection. There will be 15 VPN connections to other offices and we need to assure these will also fail over when the WAN connection shifts.

We were looking at a Juniper SSG 140. Will this router support this configuration correctly? Any recommendations on other routers with dual WAN functionality?

We are a Juniper office and would like to keep with Juniper unless there is a compelling reason to switch.

Thank you.

1 Solution
We have had success with the Ecessa PowerLink Pro series - it supports up to 15 WANs and does a good job with load-balancing and failover.

Get a SonicWALL TZ firewall with an optional port that can be configured however you want. It's the cheapest, most effective solution and if your needs change then you can set the optional to some other purpose like VLAN, LAN2, WAN2 or whatever.
>We were looking at a Juniper SSG 140.  Will this router support this configuration correctly?  Any recommendations on other routers with dual WAN functionality

not with a click of a button; to properly fail over ISPs, you will need some type of SLA monitoring that can send ICMP to your ISP default gateway (this will detect RIB/routing failures); dual default routes, one of which will track the primary SLA monitor (physical and VPN tunnel). It can get really hairy if you have not completed the config before.

The link should have everything that you need for info

to expound on Billy's comment from the sonicwall perspective, 15 site to site vpn connections is a lot of IPSEC processing. i'd certainly recommend an NSA series starting at the 2400. this is more to raise the concern of the processing needed to encrypt/decrypt 15 vpn connections worth of traffic than it is to push a sonicwall appliance.

regarding the failover, i know that the sonicwall can handle failover and it uses active probing to confirm a down connection. the sonicwall allows me to put in two destination public IP addresses. so, if i have failover at both ends and i've specified the two public IP addresses, the sonicwall is going to try one and then the other to establish the vpn. if i have only failover at one end, then i have both public IPs specified in the SA. if the failover end...well, fails over, the other end will try the first public IP and if that fails, it will try the other. OR, the failover side will try to raise the VPN and the other end will allow the failed over public IP to connect with the secondary public IP.

make sense?

@Billy :: looking at the PDF you provided, it looks like the juniper has a configuration for this as well.
Pieter Jordaan, Senior Systems Administrator - Web hosting and Network Security. Commented:

pfSense is free, and way better than anything you can buy.
I replaced all our Cisco devices with pfSense machines.
The fail-over works really well.

Install it on an old workstation with three network cards.
The web interface is really easy to configure. You can buy the book on Amazon for version 1.2.3. There is no book yet for version 2, which was released two days ago.

networkadmin (Author) Commented:
We have tested NSA 240's in the past for other applications but have not used the WAN fail-over.  Do you think the NSA 240 is a better product than the Juniper SSG 140?  I have had really good luck with Juniper devices in the past.

i'm using the NSA 240 currently for WAN failover and not having challenges with it. actually, i'm performing load balance with spillover. i'm going to be biased though as i've never used a juniper. i hear a lot of good things about them. the only appliance i'd recommend you stay away from like the plague is watchguard. i've used that hardware and can say without a doubt, that i'd rather chew my arms off than have to work on one of them.

networkadmin (Author) Commented:
Will both the WAN1 and WAN2 VPNs on the NSA 240 be connected at all times, or when WAN1 goes down will the WAN2 VPNs negotiate and start tunneling traffic?

How long will the fail-over take on the NSA 240?

Tempted to try one out as we have heard positive things about them from multiple people.

Any advice would be nice on the NSA 240.

Thank you.

no, only one will connect at a time. if the interface goes down or loses connectivity, then the sonicwall will failover to the secondary WAN connection. once the failover settles in, then the sonicwall will try to connect on the primary IP configured on the SA. if that fails to establish a connection, it will move to the secondary IP.

failover will depend on how the failover is configured. you can configure a probe to examine if the connection is up. it pings an external source and if the source doesn't respond, it goes into a failover state. i believe your users ARE going to see a drop in connectivity.

when setting up the SA policies on the sonicwall, i'd make sure to enable the keep alive which is on the last tab. when the failover occurs, this enabled feature will force the sonicwall to try and bring up the tunnel. normally, the tunnel will only come up if traffic tries to go across the tunnel or if the other end starts negotiating. this will ensure that the tunnel comes up as quickly as possible.

here is a KB on configuring failover:

if you wanted a look at the firmware before purchasing, here is a link to the 240 online demo:

be aware that a lot of the features are enabled due to all the licenses being available on a demo unit. this will at least let you poke around in the failover area.

hope that helps!
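
The failover sequence described in the answers above (active probe, switch to the secondary WAN, peer IPs tried in order, keep-alive versus traffic-triggered tunnel setup) can be modelled in a few lines. This is an added example, not code from the thread or from any vendor; the probe threshold, the tick-based timing and the addresses are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Constructed sample addresses (RFC 5737 documentation ranges), not from the thread.
PEER_IPS = {"WAN1": "198.51.100.10", "WAN2": "203.0.113.10"}


@dataclass
class WanMonitor:
    """Active-probe monitor for the primary WAN."""
    fail_threshold: int = 3  # assumed: consecutive missed probes before failover
    active: str = "WAN1"
    misses: int = 0

    def observe(self, probe_ok: bool) -> str:
        """Feed one probe result for the primary WAN; return the active WAN."""
        self.misses = 0 if probe_ok else self.misses + 1
        if self.active == "WAN1" and self.misses >= self.fail_threshold:
            self.active = "WAN2"
        return self.active


def pick_peer(configured, reachable):
    """Try the configured public IPs in order; the first one that answers wins."""
    for ip in configured:
        if ip in reachable:
            return ip
    return None


def simulate(probes, keepalive, traffic_ticks=()):
    """Return [(tick, active_wan, tunnel_peer_or_None)] for a probe sequence."""
    mon, tunnel, timeline = WanMonitor(), PEER_IPS["WAN1"], []
    for tick, ok in enumerate(probes):
        before = mon.active
        active = mon.observe(ok)
        if active != before:
            tunnel = None  # the SA bound to the failed WAN is gone
        if tunnel is None and (keepalive or tick in traffic_ticks):
            # Only the active WAN's public IP answers; primary is tried first.
            tunnel = pick_peer([PEER_IPS["WAN1"], PEER_IPS["WAN2"]],
                               {PEER_IPS[active]})
        timeline.append((tick, active, tunnel))
    return timeline


if __name__ == "__main__":
    probes = [True, True, False, False, False, False, False]  # constructed input
    for row in simulate(probes, keepalive=False, traffic_ticks=(6,)):
        print(row)
```

In the sample run the link is already down at ticks 2 and 3 while the monitor is still counting missed probes, which is the connectivity drop users see; without keep-alive the tunnel then stays down until traffic arrives at tick 6.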