ISP Load Balancing with Ubiquiti EdgeRouter X

In this post we describe how to implement ISP load balancing with the Ubiquiti EdgeRouter X. If you don’t know this device, I strongly recommend checking it out: it is a low-cost but powerful router from Ubiquiti, ideal for small offices or as a home router. The operating system (EdgeOS) is a fork of Vyatta. It includes several features such as routing, firewall, NAT, VPN and ISP load balancing. The best thing is the cost of this device: it can be purchased on Amazon for around 95 dollars.

ISP Load Balancing Ubiquiti EdgeRouter

EdgeRouter – WAN Load-Balancing

There are two ways of implementing WAN load balancing on the router: one uses the GUI and the other uses the CLI. I would say the only disadvantage I see with the EdgeRouter from Ubiquiti is the GUI: there are several bugs, and some things simply cannot be done with it. It also seems to be a common issue that the GUI and the actual configuration go out of sync. So, although there is a WAN load-balancing wizard accessible through the GUI, we strongly recommend performing this configuration using the CLI.

ISP Load Balancing Configuration using the CLI

In order to proceed with the configuration, you need to gain CLI access to the device. You can do this using the CLI button in the GUI or by using a program such as PuTTY.

After accessing the device through the CLI, you can proceed with the configuration. We strongly recommend taking a backup of the current configuration first, should you need to roll back the changes. To take a backup, go to the “System” menu in the GUI, open the “Configuration Management & Device Maintenance” section and click the Download button under the Back-up Config section.

EdgeRouter configuration backup

After taking a backup, you can proceed with the configuration following the steps below:

Enter configuration mode

configure

Create a firewall network group specifying the private IP address ranges

set firewall group network-group PRIVATE_NETS network 192.168.0.0/16
set firewall group network-group PRIVATE_NETS network 172.16.0.0/12
set firewall group network-group PRIVATE_NETS network 10.0.0.0/8

In the step above, you can add all the RFC 1918 private IP ranges or just the network segment corresponding to your internal network.

Create a firewall modify policy with exclusion rules for the WAN interface addresses and the network group created earlier.

set firewall modify balance rule 10 action modify
set firewall modify balance rule 10 destination group network-group PRIVATE_NETS
set firewall modify balance rule 10 modify table main
set firewall modify balance rule 20 action modify
set firewall modify balance rule 20 destination group address-group ADDRv4_eth0
set firewall modify balance rule 20 modify table main
set firewall modify balance rule 30 action modify
set firewall modify balance rule 30 destination group address-group ADDRv4_eth1
set firewall modify balance rule 30 modify table main

This step adds firewall rules that exclude from balancing the private networks defined in step 2 and the IP addresses belonging to the WAN interfaces (eth0 and eth1 in our example): matching traffic is looked up in the main routing table. The router automatically resolves ADDRv4_eth0 and ADDRv4_eth1 to the IP addresses of the WAN interfaces.

Add a firewall rule entry that sends all other traffic to a load balancing group.

set firewall modify balance rule 110 action modify
set firewall modify balance rule 110 modify lb-group ISPLOADBALANCING

In this step, we create the entry that tells the router which load-balancing group (lb-group) the remaining traffic should be sent to.

Apply the firewall to the LAN interface in the ingress/in direction.

set interfaces ethernet eth2 firewall in modify balance

In this step, we configure the ingress interface on which the router will listen for traffic to be balanced outbound. The ingress interface is your LAN interface, the one whose IP address is configured as the default router for your clients; in our example, eth2.

Create a Load-Balance group that includes the two WAN interfaces.

set load-balance group ISPLOADBALANCING interface eth0
set load-balance group ISPLOADBALANCING interface eth1

Here we tell the router to use eth0 and eth1, our WAN interfaces, for outbound load balancing.

Define the weight for each WAN Link

set load-balance group ISPLOADBALANCING interface eth0 route-test initial-delay 15
set load-balance group ISPLOADBALANCING interface eth0 route-test interval 5
set load-balance group ISPLOADBALANCING interface eth0 route-test type ping target 8.8.8.8
set load-balance group ISPLOADBALANCING interface eth0 weight 80
set load-balance group ISPLOADBALANCING interface eth1 route-test initial-delay 15
set load-balance group ISPLOADBALANCING interface eth1 route-test interval 5
set load-balance group ISPLOADBALANCING interface eth1 route-test type ping target 8.8.8.8
set load-balance group ISPLOADBALANCING interface eth1 weight 20

In this step, we define the weight for each link. We set a weight of 80 for interface eth0 and 20 for interface eth1, meaning that 80% of the traffic will go through eth0 and 20% through eth1. We also set a probing interval of 5 seconds and ping Google DNS (8.8.8.8) to check whether the link is up.

Commit the changes and save the configuration.

commit; save
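A quick check of the layout built in the steps above, as an added example that is not part of the original post or of EdgeOS: it reads `set ...` lines in the form used on this page and reports when the `table main` exclusions do not precede the lb-group rule, when the policy is not bound to an interface, or when the group has fewer than two links. It assumes rules are evaluated in ascending rule-number order; `lint_balance` and the `BROKEN` sample are hypothetical names constructed for the illustration.

```python
def lint_balance(commands, policy="balance"):
    """Return problems found in EdgeOS 'set ...' lines for a modify policy."""
    main_rules, lb_rules, bound, members = set(), {}, [], {}
    for line in commands.splitlines():
        t = line.split()
        if t[:5] == ["set", "firewall", "modify", policy, "rule"] and len(t) == 9:
            if t[6:] == ["modify", "table", "main"]:
                main_rules.add(int(t[5]))          # exclusion: stay in main table
            elif t[6:8] == ["modify", "lb-group"]:
                lb_rules[int(t[5])] = t[8]         # hand-off to a load-balance group
        elif t[:2] == ["set", "interfaces"] and t[-4:] == ["firewall", "in", "modify", policy]:
            bound.append(" ".join(t[3:-4]))        # interface the policy is applied to
        elif t[:3] == ["set", "load-balance", "group"] and t[4:5] == ["interface"] and len(t) >= 6:
            members.setdefault(t[3], set()).add(t[5])
    problems = []
    if not lb_rules:
        problems.append(f"{policy}: no rule hands traffic to an lb-group")
    for num, group in sorted(lb_rules.items()):
        if not any(r < num for r in main_rules):
            problems.append(f"rule {num}: no 'table main' exclusion is evaluated before it")
        late = sorted(r for r in main_rules if r > num)
        if late:
            problems.append(f"rule {num}: 'table main' rules {late} are evaluated after it")
        if len(members.get(group, ())) < 2:
            problems.append(f"lb-group {group}: fewer than two interfaces defined")
    if not bound:
        problems.append(f"{policy}: not applied 'in' on any interface")
    return problems

# Constructed sample: the page's layout, but with the PRIVATE_NETS exclusion
# numbered after the lb-group rule and the LAN interface binding left out.
BROKEN = """\
set firewall modify balance rule 120 action modify
set firewall modify balance rule 120 destination group network-group PRIVATE_NETS
set firewall modify balance rule 120 modify table main
set firewall modify balance rule 110 action modify
set firewall modify balance rule 110 modify lb-group ISPLOADBALANCING
set load-balance group ISPLOADBALANCING interface eth0
set load-balance group ISPLOADBALANCING interface eth1
"""

if __name__ == "__main__":
    print("\n".join(lint_balance(BROKEN)))
```

Run against the commands exactly as listed in the steps above, the function returns an empty list.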

Troubleshooting

This section shows the commands you can use to troubleshoot the load-balancing setup.

You can verify the current Load-Balancing status with:

show load-balance status
 Group ISPLOADBALANCING
  interface : eth0
  carrier : up
  status : active
  gateway : 203.0.113.1
  route table : 201
  weight : 50%
  flows
  WAN Out : 55
  WAN In : 0
  Local Out : 986
  interface : eth1
  carrier : up
  status : active
  gateway : 192.0.2.1
  route table : 202
  weight : 50%
  flows
  WAN Out : 49
  WAN In : 0
  Local Out : 416

The watchdog is used to verify the reachability status of each interface:

show load-balance watchdog
 Group ISPLOADBALANCING
 eth0
  status: Running
  pings: 29
  fails: 3
  run fails: 1/2
  route drops: 2
  ping gateway: ping.ubnt.com - REACHABLE
  last route drop : Mon Dec 10 11:48:02 2018
  last route recover: Mon Dec 10 11:58:52 2018
 eth1
  status: Running
  pings: 29
  fails: 0
  run fails: 0/2
  route drops: 1
  ping gateway: ping.ubnt.com - REACHABLE
  last route drop : Thur Dec 13 17:04:13 2018
  last route recover: Thur Dec 13 17:06:18 2018
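The two outputs above can be checked automatically. The following added example (not from the original post) parses either `show load-balance status` or `show load-balance watchdog` text and lists links that are not active, whose displayed weight differs from the expected one, or that currently have failed probes. It assumes `run fails: 1/2` means consecutive failures out of the threshold that triggers a route drop; `parse_load_balance` and `findings` are hypothetical names.

```python
def parse_load_balance(text):
    """Parse 'show load-balance status' or 'watchdog' output into nested dicts."""
    groups, group, link = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Group "):
            group, link = groups.setdefault(line.split(None, 1)[1], {}), None
        elif group is None or not line or line == "flows":
            continue                          # command echo, blank, section label
        elif ":" not in line:                 # watchdog: bare interface name
            link = group.setdefault(line, {})
        else:
            key, value = (part.strip() for part in line.split(":", 1))
            if key == "interface":            # status: interface named in a field
                link = group.setdefault(value, {})
            elif link is not None:
                link[key] = value
    return groups

def findings(parsed, expected_weights=None):
    """List problems; each check runs only when its field is present."""
    out = []
    for group, links in parsed.items():
        for name, f in links.items():
            where = f"{group}/{name}"
            if "carrier" in f and (f["carrier"], f.get("status")) != ("up", "active"):
                out.append(f"{where}: not active ({f['carrier']}/{f.get('status')})")
            want = (expected_weights or {}).get(name)
            if want is not None and "weight" in f and int(f["weight"].rstrip("%")) != want:
                out.append(f"{where}: weight {f['weight']}, expected {want}%")
            if "run fails" in f:              # assumed: consecutive failures / threshold
                failed, limit = map(int, f["run fails"].split("/"))
                if failed:
                    out.append(f"{where}: {failed}/{limit} consecutive probe failures")
    return out

# Abbreviated from the watchdog sample output on this page.
WATCHDOG = """Group ISPLOADBALANCING
 eth0
  run fails: 1/2
  route drops: 2
 eth1
  run fails: 0/2
  route drops: 1
"""

if __name__ == "__main__":
    print("\n".join(findings(parse_load_balance(WATCHDOG))))
```

Passing the weights configured earlier, for example `{"eth0": 80, "eth1": 20}`, as `expected_weights` makes the status check report any link whose displayed weight differs from them.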

View the main and Load-Balancing routing tables:

show ip route
 S *> 0.0.0.0/0 [1/0] via 203.0.113.1, eth0
 S *> 0.0.0.0/0 [1/0] via 192.0.2.1, eth1
 C *> 203.0.113.0/24 is directly connected, eth0
 C *> 192.0.2.0/24 is directly connected, eth1
 C *> 192.168.1.0/24 is directly connected, eth3
show ip route table 201
 S *> 0.0.0.0/0 [1/0] via 203.0.113.1, eth0
 C *> 203.0.113.0/24 is directly connected, eth0
 C *> 192.168.1.0/24 is directly connected, eth3
show ip route table 202
 S *> 0.0.0.0/0 [1/0] via 192.0.2.1, eth1
 C *> 192.0.2.0/24 is directly connected, eth1
 C *> 192.168.1.0/24 is directly connected, eth3

We hope this post helps you configure ISP/WAN load balancing using the Ubiquiti EdgeRouter. If you have any questions or issues, don’t hesitate to get in touch!