Ubiquiti EdgeRouter dual wan setup

Started by pipedoi, March 22, 2023, 01:36:42 AM


pipedoi

Hello

I have a question for those who use Ubiquiti EdgeRouter products. We need to do a dual WAN auto-failover setup. We have two internet suppliers and we want to have one mail connection, and only when this is not available, auto-route all the traffic to the backup connection; what is very important, when the main connection is back online, move again to that. Now the question is whether we can achieve this with the EdgeRouter 6P. We wanted to buy the EdgeRouter Pro 8, but it seems that it is out of stock everywhere. Also, we need to create a VPN server on the router that allows Android 12 / iOS 16 to connect. Thank you very much for helping.

Dieselboy

I don't know about that product specifically, but you should be able to validate the capabilities by checking the configuration documents and the product information, as well as confirming with your supplier. If you cannot validate the capabilities, then I would suggest procuring a different product for your needs.

Regarding your requirement, inbound mail delivery from the internet to an internal server is (usually) separate and unique, and unrelated to internet access failover of multiple WAN connections. As long as the firewall device can accept traffic on either WAN1 or WAN2 and forward it internally to the mail server, it is supposed to track the session in a basic database table and allow the return traffic to respond to the initiating client via the same WAN interface. The traffic must not enter WAN1, reach the server and then exit WAN2, because this will break TCP and the initiator will deny the return traffic from WAN2. As long as you have set up mail delivery to two destinations correctly, you do not need to implement any failover for inbound mail, in my experience.

All a failover usually does is change the default gateway of the firewall from the WAN1 ISP to the WAN2 ISP. There's no default gateway involved for inbound connections from the internet, as the state table tells the firewall how to route the traffic back to the internet. At least with proper business-grade equipment, in my experience.

As for the VPN server, there are many options out there these days if you want to have a separate server that is not your main router/firewall. The benefit of doing this is that an all-in-one firewall device may increase cost, whereas if you separate the requirement for VPN server functionality, it could increase your options for a firewall, as you no longer have a requirement to involve VPN server functionality. Though, I would suggest querying whether you actually really need a VPN anyway. Usually, applications are served over HTTPS these days, which is encrypted anyway. You can easily generate and install certificates on the Android device to have a level of client authentication, though HTTPS with multi-factor authentication is usually enough, except in cases where you want to physically hide the application server away from the reach of everyone else on the internet, as MFA auth is really only as good as the application server's implementation of security in the first place.

Hope it helps.
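For readers who do go the EdgeRouter route, here is what the failover described above (default gateway swapped to WAN2 only while WAN1's reachability test fails, and swapped back once it passes again) looks like in EdgeOS. This is an added example, not configuration posted by anyone in this thread, and it assumes an EdgeRouter 6P layout of eth0 = ISP1 (primary, DHCP), eth1 = ISP2 (backup, DHCP) and eth2 = LAN on 192.168.1.0/24; the ping targets 1.1.1.1 and 9.9.9.9 and the group name G are likewise assumptions you should replace with addresses your ISPs reliably reach. The script uses the EdgeOS script wrapper so it can be run from an SSH session on the router; the same `set` lines can instead be typed one by one in `configure` mode.

```vbash
#!/bin/vbash
# Added example: EdgeOS dual WAN, failover-only (assumed interfaces eth0/eth1/eth2).
source /opt/vyatta/etc/functions/script-template
configure

# WAN interfaces: both get a default route from their ISP via DHCP (assumption).
set interfaces ethernet eth0 description "WAN1 - primary ISP"
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth1 description "WAN2 - backup ISP"
set interfaces ethernet eth1 address dhcp
set interfaces ethernet eth2 description "LAN"
set interfaces ethernet eth2 address 192.168.1.1/24

# Load-balance group G: eth0 is used normally; eth1 is marked failover-only, so it
# carries new flows only while eth0's route-test is failing.
set load-balance group G interface eth0
set load-balance group G interface eth1 failover-only

# Reachability tests: a WAN is declared down after 3 consecutive failed pings and
# healthy again after 3 consecutive successes, which is what moves traffic back to
# eth0 automatically once ISP1 recovers. Targets are assumed; pick ones that answer.
set load-balance group G interface eth0 route-test type ping target 1.1.1.1
set load-balance group G interface eth0 route-test interval 5
set load-balance group G interface eth0 route-test count failure 3
set load-balance group G interface eth0 route-test count success 3
set load-balance group G interface eth1 route-test type ping target 9.9.9.9
set load-balance group G interface eth1 route-test interval 5
set load-balance group G interface eth1 route-test count failure 3
set load-balance group G interface eth1 route-test count success 3

# Let traffic originated by the router itself (DNS, NTP, updates) follow the same
# decision, by adjusting the metric of the default routes when a WAN goes down.
set load-balance group G lb-local enable
set load-balance group G lb-local-metric-change enable

# Policy: only LAN-originated traffic headed for the internet is steered by group G.
# Rule 10 leaves LAN-to-LAN traffic alone so it is never pushed out a WAN.
set firewall modify balance rule 10 description "Do not steer LAN-to-LAN traffic"
set firewall modify balance rule 10 action accept
set firewall modify balance rule 10 destination address 192.168.1.0/24
set firewall modify balance rule 20 description "Steer everything else via group G"
set firewall modify balance rule 20 action modify
set firewall modify balance rule 20 modify lb-group G
set interfaces ethernet eth2 firewall in modify balance

# Source NAT on both WANs so flows leaving either interface use that ISP's address.
set service nat rule 5000 description "Masquerade out WAN1"
set service nat rule 5000 outbound-interface eth0
set service nat rule 5000 type masquerade
set service nat rule 5001 description "Masquerade out WAN2"
set service nat rule 5001 outbound-interface eth1
set service nat rule 5001 type masquerade

commit
save
exit
```

After committing, `show load-balance status` and `show load-balance watchdog` show which interface is active and the pass/fail counters of each route-test; pull the cable on eth0 and watch the status flip to eth1, then reconnect and confirm it returns to eth0 after the configured number of successful pings. Test any inbound service (the mail server from the post, or a port forward) from the internet on each WAN address in turn while the other WAN is active, since a reply that leaves by the wrong WAN is exactly the asymmetric path the reply above warns breaks TCP; if that happens, the fix is policy routing keyed on the connection's ingress interface, not a change to the failover group.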

deanwebb

If you don't yet have a VPN, consider a CASB like Netskope or Zscaler.

For managing multiple links, look for products with SD-WAN capability. Good news is that a CASB like Netskope or Zscaler may just have that capability, as well. :)
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
"Any questions? No questions!" | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.