The Ubiquiti EdgeRouter requires additional configuration if you wish to route between subnets on your LAN when the dual-WAN option is configured.
LAN to LAN routing will not work with the default load-balancing configuration. To enable it, the default load-balancing rule must be removed and added again. This is because the default rule is number 1, and the rule that excludes LAN to LAN traffic has to be processed before the load-balancing rule, so the load-balancing rule must be moved to a higher number. (Please note that if you have already configured your load balancing rule with a number higher than 1, you can skip the following step and proceed to adding a new firewall rule.)
Add static route(s) for your other LAN subnets
If you haven’t already, add static routes for your other LAN subnets. Please note that this is only necessary if these routes are accessible via a different router. If your EdgeRouter is directly connected to these networks, do NOT add static routes, and skip to the next section.
How to add a static route, accessible via a different router:
In the following example, our EdgeRouter has the address 10.0.1.1. The networks 10.0.2.0/24, 192.168.1.0/24, and 192.168.2.0/24, are accessible by a different router with the address 10.0.1.254.
configure
set protocols static route 10.0.2.0/24 next-hop 10.0.1.254
set protocols static route 192.168.1.0/24 next-hop 10.0.1.254
set protocols static route 192.168.2.0/24 next-hop 10.0.1.254
commit
Add a firewall network group for the LAN subnets
The LAN subnets need to be added to a firewall network group. In the example below, the networks 10.0.2.0/24, 192.168.1.0/24, and 192.168.2.0/24 are added to a network group named LAN_NETWORKS:
configure
set firewall group network-group LAN_NETWORKS network 10.0.2.0/24
set firewall group network-group LAN_NETWORKS network 192.168.1.0/24
set firewall group network-group LAN_NETWORKS network 192.168.2.0/24
commit
Modify the dual-WAN firewall rules
First, display your current dual-WAN firewall rules with the following commands:
configure
show firewall modify
It will look something like this (make note of the variables and change them as needed for your environment):
modify balance {
    rule 1 {
        modify {
            lb-group G
        }
    }
}
If your load balancing rule is rule 1, you must delete it and recreate it because we need to make a rule before the load balance rule.
To delete rule 1 (or whatever rule the default load balancing rule is on your router):
delete firewall modify balance rule 1
Next, add a rule for the LAN to LAN networks so that they are handled by the main routing table, and not the load balancing table:
set firewall modify balance rule 10 destination group network-group LAN_NETWORKS
set firewall modify balance rule 10 action modify
set firewall modify balance rule 10 modify table main
Now recreate the original load balance firewall rule, but this time assign it to rule 20 so that it will be processed after the LAN to LAN routing rule:
set firewall modify balance rule 20 action modify
set firewall modify balance rule 20 modify lb-group G
commit
Make sure your LAN to LAN routing now works! If you have any trouble, you may need to reboot your router after applying this configuration.
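One way to check the resulting rule order offline, as an added example that is not part of the original post: the Python sketch below parses saved "show firewall modify" output and reports whether a "table main" rule for LAN_NETWORKS is numbered below the first lb-group rule. The function names are hypothetical, and the AFTER sample is constructed from the set commands above as an assumption about how the router displays them.

```python
def parse_config(text):
    """Parse EdgeOS brace-style config text into nested dicts."""
    root = {}
    stack = [root]
    # Break at every brace so a dump flattened onto one line parses too.
    flat = text.replace("{", "{\n").replace("}", "\n}\n")
    for line in map(str.strip, flat.splitlines()):
        if line.endswith("{"):
            node = stack[-1][line[:-1].strip()] = {}
            stack.append(node)
        elif line == "}":
            stack.pop()
        elif line:
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip()
    return root


def lan_exclusion_precedes_lb(text, ruleset="balance", group="LAN_NETWORKS"):
    """True if a 'table main' rule for `group` comes before the first lb-group rule."""
    rules = parse_config(text).get(f"modify {ruleset}", {})
    numbered = {int(k.split()[1]): v for k, v in rules.items() if k.startswith("rule ")}
    excluded = False
    for num in sorted(numbered):  # rules are evaluated in ascending number order
        modify = numbered[num].get("modify", {})
        dest = numbered[num].get("destination", {}).get("group", {})
        if modify.get("table") == "main" and dest.get("network-group") == group:
            excluded = True
        elif "lb-group" in modify:
            return excluded  # the first load-balancing rule decides the outcome
    return False  # no load-balancing rule found in this ruleset


# The layout shown on the page: load balancing at rule 1, no exclusion rule.
BEFORE = "modify balance { rule 1 { modify { lb-group G } } }"
# Constructed sample: assumed display of rules 10 and 20 after the steps above.
AFTER = """modify balance {
    rule 10 {
        action modify
        destination { group { network-group LAN_NETWORKS } }
        modify { table main }
    }
    rule 20 {
        action modify
        modify { lb-group G }
    }
}"""

print(lan_exclusion_precedes_lb(BEFORE), lan_exclusion_precedes_lb(AFTER))
```

A False result means traffic to the LAN subnets still reaches the load-balancing rule first and will be sent out a WAN interface.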
Links and more reading
WAN Load balancing: https://community.ubnt.com/t5/EdgeMAX/WAN-load-balancing-except-for-some-traffic/td-p/703541
LAN to LAN exclusion section: http://community.ubnt.com/t5/EdgeMAX-Configuration-Examples/EdgeMAX-Dual-WAN-load-balance-feature-v1-4-0/ta-p/699501
Thank you so much for this post!
There seems to be another problem with multiwan.
All VLAN interface bandwidth statistics are false when using multiwan.
What should I do to get them back?