The USG100 uses WAN Trunks for WAN failover and for managing multiple ISP connections. WAN interfaces 1 and 2 are members of the first WAN Trunk by default. Instead of keeping one WAN interface active and the other in standby, the USG100 keeps both interfaces active and balances traffic across them.
“Link Sticking” is enabled by default on WAN Trunks. This feature ensures that traffic from an internal device to a given external server always leaves through the same WAN interface rather than being load balanced across both. Because each WAN interface has its own public IP address, this prevents connection problems with servers that track the client's source IP address and would otherwise see it change mid-session.
Options for balancing traffic across the WAN interfaces include Least Load First, Weighted Round Robin (WRR), and Spillover. All three rely on the egress and ingress bandwidth configured on each WAN interface, so setting those values to match what each ISP actually delivers is necessary for the algorithms to balance accurately.
With Least Load First, the USG100 sends each new session over the WAN interface with the lower utilization, calculated from the configured bandwidth and the measured traffic on each interface, so both WAN links stay in use in proportion to their capacity.
WRR uses a weight configured on each WAN interface. If WAN2 has a weight of 2 and WAN1 a weight of 1, WAN2 is chosen for twice as many sessions as WAN1, so roughly twice as much traffic is sent out WAN2.
With Spillover, the USG100 sends all traffic over the first interface until its measured utilization reaches the configured bandwidth, then spills the excess over to the next interface.
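To make the three algorithms and Link Sticking concrete, here is a small Python model of the selection logic as described above. It is an added illustration, not ZyXEL's code: the interface bandwidths, the WRR weights and the flow list are constructed sample data, and the model treats "measured utilization" as the sum of the flows already assigned to an interface.

```python
from dataclasses import dataclass
from itertools import cycle


@dataclass
class Wan:
    name: str
    egress_kbps: int      # configured egress bandwidth for the interface (constructed values)
    weight: int = 1       # WRR weight
    used_kbps: int = 0    # measured utilization; here, the sum of flows assigned so far

    @property
    def load(self) -> float:
        return self.used_kbps / self.egress_kbps


class Trunk:
    """Picks the WAN interface for each new flow the way the three algorithms
    are described above. Flows are (src_ip, dst_ip, kbps) tuples."""

    def __init__(self, wans, algorithm, link_sticking=True):
        self.wans = list(wans)
        self.algorithm = algorithm
        self.link_sticking = link_sticking
        self.sticky = {}   # (src_ip, dst_ip) -> Wan already carrying that host/server pair
        # WRR: an interface with weight N appears N times in the rotation
        self._rotation = cycle([w for w in self.wans for _ in range(w.weight)])

    def pick(self, src_ip, dst_ip, kbps):
        key = (src_ip, dst_ip)
        if self.link_sticking and key in self.sticky:
            wan = self.sticky[key]                       # Link Sticking: same pair, same WAN
        elif self.algorithm == "least_load_first":
            wan = min(self.wans, key=lambda w: w.load)   # lowest utilization relative to bandwidth
        elif self.algorithm == "wrr":
            wan = next(self._rotation)
        elif self.algorithm == "spillover":
            # stay on the first interface until its utilization reaches configured bandwidth
            wan = next((w for w in self.wans if w.used_kbps < w.egress_kbps), self.wans[-1])
        else:
            raise ValueError(f"unknown algorithm {self.algorithm!r}")
        wan.used_kbps += kbps
        self.sticky[key] = wan
        return wan.name


def make_wans():
    # Constructed sample configuration: WAN2 is the bigger, higher-weighted link.
    return [Wan("WAN1", egress_kbps=1000, weight=1), Wan("WAN2", egress_kbps=2000, weight=2)]


# Constructed sample flows; the third repeats the first host/server pair.
FLOWS = [
    ("192.168.1.10", "203.0.113.5", 400),
    ("192.168.1.11", "198.51.100.7", 400),
    ("192.168.1.10", "203.0.113.5", 400),
    ("192.168.1.12", "192.0.2.9", 400),
]


def assign(algorithm, link_sticking=True, flows=FLOWS):
    """Return the WAN chosen for each flow, in order."""
    trunk = Trunk(make_wans(), algorithm, link_sticking)
    return [trunk.pick(*flow) for flow in flows]


if __name__ == "__main__":
    for alg in ("least_load_first", "wrr", "spillover"):
        print(f"{alg:17} sticking on : {assign(alg)}")
        print(f"{alg:17} sticking off: {assign(alg, link_sticking=False)}")
```

Running it shows the effect of Link Sticking directly: with it on, the third flow (same internal host, same server as the first) goes out the same WAN as the first flow under every algorithm, even though Least Load First and WRR would otherwise have sent it to WAN2. Over a run of distinct flows, WRR lands two of every three on the weight-2 interface, and Spillover leaves WAN2 idle until WAN1 has reached its configured 1000 kbps.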
Enabling the Traffic Statistics option provides graphical reports of WAN or LAN interface utilization, as shown in Figure 9. The reports show traffic levels per interface and also break traffic down by port and protocol.
Figure 9: Traffic Statistics
Configuring the USG100's firewall is very similar to configuring routing. The firewall is managed with rules built from interfaces and objects that define which traffic is permitted and which is denied. As with most firewalls, the USG100 by default blocks most incoming traffic and allows outgoing traffic.
For example, even though there is a DMZ port, I found I had to add a rule to the firewall to allow external traffic to reach devices connected to the DMZ port. In line 1 of Figure 10 below, you can see that I added a simple rule to allow all traffic from any source to the DMZ interface. Prior to adding that rule, I couldn't receive calls on my VoIP phone even though it was in the USG's DMZ.
Figure 10: Firewall configuration
Port forwarding, common to most firewalls, directs external traffic arriving on a specific port and protocol to an internal server or device. On the USG100, port forwarding is configured by creating Virtual Servers.
To forward Remote Desktop Connections (RDC) to my Windows PC, I first created a Host object identifying the IP address of my Windows PC, which I called “WindowsMachine”, as shown in Figure 11 below. Second, I created a Virtual Server rule to forward the traffic from the WAN1 interface to that Host object with the specific port used by RDC, 3389. This did the trick, enabling me to access my Windows machine over the Internet.
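The interface-and-object rule model and the Virtual Server step are easy to reason about in code. The following Python is an added example, not the USG100's own logic: the LAN and DMZ networks, the WAN address and the Host objects are constructed; the VoIP rule assumes the phone signals on UDP 5060 (the standard SIP port, which the review does not specify); and the model assumes Virtual Server translation happens before the firewall rules are evaluated and pairs the RDP Virtual Server with an explicit firewall rule rather than assuming the device adds one. It contrasts the review's any-to-DMZ rule with a narrower one limited to the phone's Host object and port, so you can see what else the broad rule admits.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample addressing; the review does not give the real values.
NETWORKS = {"lan1": ip_network("192.168.1.0/24"), "dmz": ip_network("192.168.2.0/24")}
WAN1_IP = "203.0.113.10"
HOSTS = {"WindowsMachine": "192.168.1.50", "VoipPhone": "192.168.2.20"}  # Host objects


def iface_for(ip):
    """Route lookup: the interface a destination address lives behind."""
    addr = ip_address(ip)
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    return "wan1"


@dataclass(frozen=True)
class Packet:
    in_iface: str
    proto: str       # "tcp" or "udp"
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    from_iface: str          # "any" or an interface name
    to_iface: str
    action: str              # "allow" or "deny"
    proto: str = "any"
    dst_host: str = "any"    # "any" or a Host object name
    dst_port: int = 0        # 0 = any port

    def matches(self, p):
        return (self.from_iface in ("any", p.in_iface)
                and self.to_iface in ("any", iface_for(p.dst_ip))
                and self.proto in ("any", p.proto)
                and (self.dst_host == "any" or HOSTS[self.dst_host] == p.dst_ip)
                and self.dst_port in (0, p.dst_port))


# Virtual Servers: (WAN interface, proto, WAN port) -> (Host object, inside port)
VIRTUAL_SERVERS = {("wan1", "tcp", 3389): ("WindowsMachine", 3389)}


def apply_virtual_servers(p):
    """Rewrite the destination when a Virtual Server covers the packet."""
    target = VIRTUAL_SERVERS.get((p.in_iface, p.proto, p.dst_port))
    if target and p.dst_ip == WAN1_IP:
        host, port = target
        return Packet(p.in_iface, p.proto, HOSTS[host], port)
    return p


def firewall(p, rules):
    """First-match lookup; default: deny anything entering from wan1, allow the rest."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny" if p.in_iface == "wan1" else "allow"


def process(p, rules):
    """Returns (action, destination the packet is finally sent to)."""
    p = apply_virtual_servers(p)   # model assumption: NAT before the firewall check
    return firewall(p, rules), (p.dst_ip, p.dst_port)


# Rule set A: the review's line-1 rule, any source to the DMZ interface.
BROAD_DMZ = [Rule("any", "dmz", "allow")]
# Rule set B: the same call path, restricted to the phone and its signalling port
# (UDP 5060 is assumed; the review does not say which ports the phone uses).
NARROW_DMZ = [Rule("any", "dmz", "allow", proto="udp", dst_host="VoipPhone", dst_port=5060)]
# Firewall side of the RDP Virtual Server.
RDP_RULE = [Rule("wan1", "lan1", "allow", proto="tcp", dst_host="WindowsMachine", dst_port=3389)]

if __name__ == "__main__":
    call = Packet("wan1", "udp", HOSTS["VoipPhone"], 5060)
    stray = Packet("wan1", "tcp", HOSTS["VoipPhone"], 22)
    rdp = Packet("wan1", "tcp", WAN1_IP, 3389)
    for label, rules in (("broad DMZ", BROAD_DMZ), ("narrow DMZ", NARROW_DMZ)):
        print(label, "call:", process(call, rules), "ssh to phone:", process(stray, rules))
    print("RDP via Virtual Server:", process(rdp, RDP_RULE), "without rule:", process(rdp, []))
```

Both DMZ rule sets let the SIP packet through, but only the broad one also admits a TCP connection to port 22 on the phone; that is the cost of an any-to-interface allow. For the RDP case, the Virtual Server rewrites the WAN address to the WindowsMachine Host object, after which the rule from wan1 to lan1 on TCP 3389 matches; the same packet aimed at port 22 on the WAN address has no Virtual Server, so it stays destined for wan1 and falls through to the default deny.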