Configure gateway load balancing and failover

Configure XG Firewall for load balancing and failover for multiple ISP uplinks based on the number of WAN ports available on the appliance.

Introduction

You can terminate multiple ISP uplinks on available physical interfaces in the form of gateways.

You can configure a gateway as active or backup.

  • Active-active: All gateways are in active state, and traffic is balanced between all of them. By default, XG Firewall adds a new gateway as an active gateway, so load balancing is automatically enabled between existing and newly added uplinks. XG Firewall uses a weighted round-robin algorithm for load balancing, which maximizes the utilization of capacities across the various uplinks.
  • Active-backup: You configure one or more gateways as backup. This setup allows you to configure gateway failover for when an active gateway goes down.

Load balancing and failover are supported for both IPv4 and IPv6 traffic. You can use two IPv4 gateways or two IPv6 gateways.

The network diagram shows that one ISP link is terminated on Port B, and Port D is an unbound port. The following instructions show how to terminate another ISP uplink on Port D.


Example network diagram showing gateway load balancing

Add a new gateway

You need to configure an unbound physical port. This example uses PortD throughout.

To add a new gateway, do as follows:

  1. Go to Network > Interface.
  2. Select an unbound port and click it to edit its settings.

    Screenshot showing a new interface being created for an unbound physical port.
  3. Enter the following information for your new interface:
    • Network zone: Select WAN.
    • IPv4 configuration: Turn on if appropriate.
    • IP assignment
    • IPv4/Network mask
    • Gateway name
    • Gateway ID
  4. Click Save.

    Example settings for PortD:


    Screenshot showing example settings for a gateway.
    The gateway is added to the list of gateways.

Configure load balancing

You need to configure the load balancing for your new gateway.

XG Firewall adds a new gateway as an active gateway. Load balancing is automatically enabled between existing and new links.

XG Firewall uses a weighted round-robin algorithm for load balancing. This assigns a weight to a link. XG Firewall distributes traffic among the links in proportion to the weight assigned to them.

To assign a weight to a link:

  1. Go to Network > WAN link manager.
  2. Edit the gateway.

    Edit PortD gateway:


    Screenshot showing how to edit a gateway.
  3. Enter a weight.

    Example weight for PortD:


    Screenshot showing how to add a weight for the example gateway.

Configure gateway failover

You can deploy gateway failover in both active-active and active-backup configurations.

In active-active setup, if any of the active gateways fail, the traffic is redirected to the other active gateway. You can specify failover conditions to indicate how the failed gateway should be detected. When you add a gateway, XG Firewall adds a default failover rule: If XG Firewall can't ping the recently added gateway IP address, the gateway is considered down.


Screenshot showing the default failover rule.

During a link failure incident, XG Firewall regularly checks the health of the connection so that it can restore the connection faster when the internet service is restored. When the connection is restored and the gateway is up again, the traffic is rerouted through the active gateway automatically.

XG Firewall notifies administrators by email about all changes in gateway status. You can also see this in the log viewer.

In active-backup setup, if an active gateway fails, you should redirect the traffic to a backup gateway.

To deploy gateway failover, choose whether to configure failover conditions or redirect to a backup gateway.

  • To configure failover conditions, do as follows:
    1. Click Add to add a new failover rule. You can also edit an existing rule.
    2. Enter the details for the rule.

      This screenshot shows an example rule. The rule states that if XG Firewall can't ping the gateway IP, 172.16.16.15, or establish a TCP connection on port 80 to 4.2.2.2, then the gateway is considered down.


      Screenshot showing example failover rule settings.
  • To redirect the traffic to a backup gateway, do as follows:
    1. Go to Network > WAN link manager.
    2. Edit the gateway.

      Edit the Port D gateway:


      Screenshot showing how to edit a gateway.
    3. Select Backup as the type.
    4. Set the gateway to activate if any active gateway fails.
    5. Set it to inherit the weight from the failed gateway.

      Example backup settings for Port D:


      Screenshot showing backup gateway settings for Port D.
    6. Click Save.
      If an active gateway fails, the backup gateway is activated and inherits the weight of the failed gateway.
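
The following added example (a model written for this page, not XG Firewall's own code) shows how weighted round-robin shares connections in proportion to gateway weights, and how a backup gateway that inherits the failed gateway's weight takes over exactly that share. The weights, the third gateway PortE, and the smooth round-robin variant used here are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class Gateway:
    name: str
    weight: int               # constructed sample values, not from the page
    kind: str = "active"      # "active" or "backup"
    healthy: bool = True      # outcome of the gateway's failover rule

def effective_weights(gateways):
    """Weights of the gateways that carry traffic right now."""
    live = {g.name: g.weight for g in gateways
            if g.kind == "active" and g.healthy}
    failed = [g for g in gateways if g.kind == "active" and not g.healthy]
    backups = [g for g in gateways if g.kind == "backup" and g.healthy]
    # Assumed backup settings: activate if any active gateway fails,
    # inherit the weight of the failed gateway.
    for down, backup in zip(failed, backups):
        live[backup.name] = down.weight
    return live

def distribute(gateways, connections):
    """Smooth weighted round-robin over the live gateways."""
    weights = effective_weights(gateways)
    if not weights:
        raise RuntimeError("all gateways are down")
    total = sum(weights.values())
    credit = dict.fromkeys(weights, 0)
    counts = dict.fromkeys(weights, 0)
    for _ in range(connections):
        # Every link earns credit equal to its weight; the richest link
        # takes the connection and pays back the total.
        for name, weight in weights.items():
            credit[name] += weight
        pick = max(credit, key=credit.get)
        credit[pick] -= total
        counts[pick] += 1
    return counts

if __name__ == "__main__":
    links = [Gateway("PortB", 3), Gateway("PortE", 1),   # PortE is hypothetical
             Gateway("PortD", 0, kind="backup")]
    print(distribute(links, 400))          # both active links share the load
    links[1].healthy = False               # PortE's failover rule trips
    print(distribute(links, 400))          # PortD takes over PortE's share
```

Because the backup inherits the failed link's weight, the surviving active gateway keeps the same proportion of traffic before and after the failover.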