Multi-WAN link balancing

Multi-WAN (MWAN) provides outbound traffic balancing and failover across multiple WAN links. It comes as a default feature for HSG, CMG and HSA, without special licensing requirement.

Added onto mbox powerful performance and multiple GE ports, MWAN offers a simple and cost-effective choice for enterprises to efficiently aggregate the total bandwidth available from multiple upstream ISP links with highest resiliency. If you have multiple internet connections, and want to fully utilize the total available bandwidth with failover, or even control which traffic goes through which WAN link, mbox CMG is the ideal choice for this type of requirement.

You can do load-balancing based on weights between links (weights are relative to each WAN link capacity), or just do failover with multiple levels of primary and backup interfaces. For example, Different sources can have different primary or backup WANs, eg. group 1 use WAN1 as primary and WAN2 as backup; group2 use WAN1 as backup and WAN2 as primary etc etc.

In summary, MWAN does below

  1. provides outbound WAN traffic load balancing over multiple WAN links based on weight assignment. It also supports specific outbound traffic rules to customize which outbound connections should use which WAN link, based on source IP, destination IP,destination port(s), protocols etc (is like PBR with failover support).
  2. monitors each WAN connection using repeated ping tests (to each interface default gateway only) and can automatically failover outbound traffic to other alive interfaces if one interface loses connectivity.
  3. supports unlimited WAN links (the limit is the available hardware GE interfaces!)

Special NOTES:

  • MWAN load-balancing is performed on a per-IP connection basis. So if you do a speed test or ftp test to a single server, you won't see significant improvement. The balancing benefits will show up when the same hosts are accessing multiple destinations or when multiple hosts start to access the Internet, where the user traffic are spread across different links.
  • if you're doing load balancing, you set same metric for each interface; if you want interfaces just to backup each other (active/standby), you set lower metric for the active interface and higher for the standby interface.
  • MWAN also supports "persistent" balancing, where the same source ip address within the timeout limit will use the same WAN link as prior session. This supports some "cookie" based type of applications, where the remote servers expect unchanged source IP addresses for the same cookie session. Especially some https sites with HIPS in-line detection will require "persistent" rule otherwise the HIPS will produce false alarms or even drop the requests. Note: it's recommend to keep "persistent" rules as minimum as possible because each persistent rule can consume a lot of system resources in a large network.
  • you need to restart MWAN service (mwan stop and mwan start) after each configuration change. Note: it's recommended to restart the whole box because for large networks with hundreds of thousands of connections the mwan stop/start may not be able to clean up all legacy connections.
  • some ISPs don't allow other DNS servers to pass through their networks, so sometimes you may not be able to browse Internet when you swing/balance to those ISP links while using incorrect/unaccepted DNS server IP. This is due to DNS resolution issue. In this case, you'd need to use an internal DNS server for name resolutions.

In this configuration example, we are simulating 3 ISP links (ISP1 - 10Mbps, ISP2 - 20Mbps, ISP3 - 30Mbps).


  • Before start any MWAN configuration, test each link by pinging it's default gateway.
  • Plan mwan-group and assign each WAN interface to the target mwan-group. You can potentially put each interface into different mwan-group for different balance/active-standby purposes (applied into mwan-rules).
  • Configure default route for each link
  • Configure firewall-access rules to permit outbound access to through each WAN link
  • Configure firewall-snat rules to hide/PAT all source address to the WAN interface public IP
  • Define mwan-rule to specify which interesting traffic to use which target mwan-group
  • start MWAN (mwan start)


In this example, we are configuring 3 x ISP links, connected to eth0, eth1, eth2 respectively.

  • eth0 and eth1 to do load balancing. Both of them are having the same metric value of 1, with balancing policy, eth0: 33%, eth1: 66% (as in ration of 1:2).
  • eth2 has higher metric value of 2, so it will always be standby/back, unless both eth0 and eth1 fail.

Note: the weight for eth2 is not relevant to eth0 & eth1 (only effective if there's another interface in the same mwan-group and having the same metric value of 2)


!hostname CMG-MWAN!interface eth0 description "to ISP1 Internet" enable ip address !configure mwan-group and assign interface to the group mwan-group 0 track metric 1 weight 1!interface eth1 description "to ISP2 Internet" enable ip address mwan-group 0 track metric 1 weight 2!interface eth2 description "to ISP3 Internet" ip address mwan-group 0 track metric 2 weight 3!interface eth3 description "to LAN - HSG" enable ip address!!configure default-gateway for each WAN interfaceip route nexthop route nexthop route nexthop!ip dhcp-server description "DHCP for LAN users" dns router domain range static epson-printer 64:EB:8C:F9:30:C4 start!
firewall-input 10 permit all tcp dport 22!!configure firewall rules to permit outbound access through each WAN interfacefirewall-access 10 permit outbound eth0firewall-access 11 permit outbound eth1firewall-access 12 permit outbound eth2!!hide all internal source addresses to WAN IP addressfirewall-snat 10 overload outbound eth0firewall-snat 11 overload outbound eth1firewall-snat 12 overload outbound eth2!mwan-rule 10 tcp dport 443 group 0 persistent remark "https traffic"mwan-rule 14 dst group 0 remark "default rule"!mwan start!

Config below is example snip when both WAN interfaces are getting dynamic/dhcp addresses from ISP. The mbox will auto learn default gateway via DHCP from each ISP, so there's no need to add any default routes. Example below:

!!hostname MWAN!interface eth0 description "to ISP1/PE01" enable ip address dhcp mwan-group 0 track timer 3 3 metric 1 weight 10!interface eth1 description "to ISP2/PE02" enable ip address dhcp mwan-group 0 track timer 3 3 metric 1 weight 20!interface eth2 description "to LAN/HSG" enable ip address!mwan-rule 11 tcp dport 443 group 0 persistent remark "https traffic"mwan-rule 14 dst group 0 remark "default rule"mwan start!firewall-access 10 permit outbound eth0firewall-access 11 permit outbound eth1!firewall-snat 10 overload outbound eth0firewall-snat 11 overload outbound eth1

However if one of the link is static (need to add default route), another link is DHCP (auto learn gateway from upstream ISP), you will need to manually add default route for both link (despite you may already auto learn default route from upstream ISP). For example, you may use a static fiber connection and a LTE connection, then you need to add default route as below:

ip route nexthop (static route for fiber connection)ip route nexthop 3g-lte0 (manual add route again for LTE connection)

Attached a similar senario when the other DHCP using dhcp is a PPPoE connection. Please download attached config example, for configuring MWAN with PPPoE interfaces.