WAN Failover Scenarios
Using Digi Wireless WAN Routers
February 2008 rev 1.1 Digi International 1 of 8
This document discusses several methods for using a Digi wireless WAN gateway to
provide WAN failover for IP connections in conjunction with another router designated
as the primary route, for example one connected to an MPLS network (see note 3 below).
Other options are available, but the ones discussed here are the most common. In these
examples the remote sites could be stores, restaurants, bank branches, substations, or any
remote office or branch location.
There are two ways to connect the Digi gateway to the primary router:
via a WAN Ethernet port (i.e., a port on a subnet separate from the LAN), or
via a LAN Ethernet port
An Ethernet WAN port provides the simplest option since failover on the router is usually
easier to configure. This mode also supports IP Pass-through where the mobile IP address
is passed through to the router.
Failover via a LAN port is usually more difficult since a floating static route or similar
must be configured with a higher metric to redirect traffic to the Digi’s Ethernet address.
VRRP, however, is not overly complex and is designed specifically for failover.
It is important to note that, in cases other than VRRP, the Digi device itself normally does
not do anything to initiate or terminate the failover connection. It is up to the primary
router to redirect traffic in the event of primary WAN failure.
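The floating static route described above, modeled in Python as an added example (not part of the original Digi document or any router's own code). The addresses, the metrics 1 and 250, and the `installed` flag standing in for the primary router's link-state or reachability tracking are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values: documentation/private addresses and illustrative metrics.
PRIMARY_WAN_GW = "198.51.100.1"   # next hop on the primary WAN
DIGI_LAN_ADDR = "192.168.1.254"   # Digi gateway's Ethernet address on the LAN

@dataclass
class Route:
    prefix: str
    next_hop: str
    metric: int             # lower value wins for the same prefix
    installed: bool = True  # False once the router withdraws the route

def best_route(routes, dst):
    """Longest-prefix match first, then lowest metric, over installed routes."""
    addr = ipaddress.ip_address(dst)
    usable = [r for r in routes
              if r.installed and addr in ipaddress.ip_network(r.prefix)]
    if not usable:
        return None
    return min(usable, key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen,
                                      r.metric))

def next_hop_for(dst, wan_ok, tracking=True):
    """Next hop the primary router picks for dst.

    tracking=True models a router that withdraws the primary route when the
    WAN fails (link-down or a reachability probe). With tracking=False the
    static route stays installed, so the floating route never takes over.
    """
    primary = Route("0.0.0.0/0", PRIMARY_WAN_GW, metric=1)
    floating = Route("0.0.0.0/0", DIGI_LAN_ADDR, metric=250)
    primary.installed = wan_ok if tracking else True
    route = best_route([primary, floating], dst)
    return route.next_hop if route else None

if __name__ == "__main__":
    dst = "203.0.113.10"  # constructed destination
    for wan_ok, tracking in [(True, True), (False, True), (False, False)]:
        hop = next_hop_for(dst, wan_ok, tracking)
        print(f"wan_ok={wan_ok} tracking={tracking} -> next hop {hop}")
```

The third case is the one to check for on the primary router: if the WAN fails upstream while the interface stays up and nothing withdraws the primary route, traffic keeps going to the dead path and the Digi gateway is never used.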
Also note that Digi wireless WAN gateways are designed to maintain an always-on
connection, which helps facilitate quicker failover.
The configuration of the Digi gateway depends on the network design and the mode
dictated by the network. There are five main modes of operation:
1. NAT mode (the default) without IPsec VPN: in this mode either security is not
required, or the devices or workstations provide the security, or a private wireless
plan is used.
2. NAT mode plus IPsec VPN and/or GRE: this is likely the required mode for retail
stores, banks, etc. where end-to-end encryption and/or tunneling are required.
3. Pass-through mode is where the Digi gateway connects to a designated WAN
Ethernet port on the router and some or all data is passed.
4. NAT Disabled: rarely used; static or dynamic routes are applied to the Digi
gateway. This is usually only possible where the carrier provides a private plan –
i.e., the traffic does not route via the Internet. IPsec VPN may be used if security
requirements, such as PCI compliance, require it. The examples below show the
more common VPN tunnel modes.
5. VRRP. Here the Digi device helps not only with “last-mile” failover, but can also
back up the primary router itself.