How to Utilize Link Backup and Policy Routing to Keep Critical Devices Online and Conserve Data
Content
Configuration for Controller Mode to Allow Certain Networks Through the Backup WAN
Configuration in Controller Mode to Allow Specific IP Addresses Through the Backup WAN
Configuration in Standalone Mode to Allow Specific Networks and IP Addresses Through the Backup WAN
Introduction
In dual-WAN environments where one WAN connection is designated as a backup link, it is often necessary to control which devices and networks are permitted to use the backup connection during a failover event. This guide demonstrates how to use Policy Routing to allow only specific devices, networks, or IP addresses to route traffic through the backup WAN.
For example, in a coffee shop environment, critical systems such as POS terminals can be prioritized to maintain payment processing and business operations, while non-essential traffic such as guest Wi-Fi remains restricted from using the backup WAN. This approach helps preserve bandwidth usage on the secondary connection while ensuring essential services remain operational during an outage.
Requirements
- Omada Gateway
Configuration

This guide demonstrates two common methods for allowing only certain networks and devices to utilize the backup WAN through Policy Routing.
The first scenario applies to environments where devices are separated into different VLANs or subnets, allowing specific networks to be routed through the backup WAN during a failover event.
The second scenario applies to environments where devices reside within the same subnet, requiring the use of IP Groups to selectively allow specific hosts or devices through the backup WAN.
Both methods provide greater control over WAN utilization while ensuring critical devices maintain connectivity during an outage.
Note: In this guide, 2.5G WAN1 is the Primary WAN, and WAN/LAN3 is the Backup WAN.
Configuration for Controller Mode to Allow Certain Networks Through the Backup WAN
Step 1. Log into your controller and navigate to your Site > Network Config > Transmission > Routing.

Step 2. Navigate to Policy Routing and click Create New Routing.

Step 3. Create the Allow Rule.
Fill in the parameters for the network allowed to pass through the backup WAN when the primary WAN goes down.
Make sure that for the allow rule, you enable Use the other WAN port if the current one is down.
Click Create when complete.

Name: Enter a name to identify the policy routing entry.
Status: Click the checkbox to enable the policy routing entry.
Protocols: Select the protocols, and the policy routing entry will apply to the traffic when it conforms to the selected protocols. The policy routing entry takes effect only when the traffic matches the criteria of the entry including the protocols.
WAN: Select the Primary WAN port, and the traffic will be forwarded through the selected port. Select multiple WAN ports for load balancing as needed. The available VPN client options are PPTP and L2TP.
Use the other WAN port if the current one is down: With this feature enabled, the traffic will be forwarded through another WAN port when the current WAN port is down.
Routing Legend: Specify the source and destination of the traffic which the policy routing entry applies to. The policy routing entry takes effect only when the traffic matches the criteria of the entry including the source and destination.
Network: Select the network interfaces for the traffic source.
IP Group: Select the IP Group for the traffic source or destination. You can create a new IP Group in this page, or go to Network Config > Profile > Groups to create one.
IP Port Group: Select the IP Port Group for the traffic source or destination. You can create a new IP Port Group in this page, or go to Network Config > Profile > Groups to create one.
Location Group: Select the Location Group for the traffic destination. You can create a new Location Group in this page, or go to Network Config > Profile > Groups to create one.
Domain Group: Select the Domain Group for the traffic destination. You can create a new Domain Group in this page, or go to Network Config > Profile > Groups to create one.
Step 4. Click Create New Routing to create the deny rule.

Step 5. Fill in the proper parameters for the non-critical networks that will not be utilizing the backup WAN port when the primary goes down.
Do not enable Use the other WAN port if the current one is down.
Click Create when complete.

Configuration in Controller Mode to Allow Specific IP Addresses Through the Backup WAN
Step 1. To allow only certain hosts to utilize the backup WAN, you need to enable Link Backup and create an IP Group.
Please follow this article to create a Link Backup on your Omada Controller:
How to Configure Link Backup on Omada Gateway via Omada Controller | Omada Network Support
Step 2. Next we need to create an IP Group to specify the IP address that is allowed to go through the backup WAN.
Navigate to Network Config > Profile > Groups.

Next click Create New Group.

Fill in the parameters.
Under IP Subnet, we specified 2 different IP addresses with a 32-bit subnet mask to allow only those specific devices.
After filling out the parameters, click Apply.

Name: Enter a name to identify the created group profile.
Type: Select the type of group for the profile and specify corresponding parameters.
IP Subnets: Specify the IP addresses and subnets for the group.
Step 3. Next, create the allow rule. Navigate to Network Config > Transmission > Routing.

Go to Policy Routing > Create New Routing.

Fill in the parameters.
Here are the parameters for the devices allowed to go through the backup WAN.
We enable both WAN ports, and for the Source Type, we select IP Group.
Click Create when finished.

Step 4. Click on Create New Routing to create the route for the denied routing policy.

Create the routing for the denied route.
Fill in the parameters for the denied networks or IP groups.
In this deny config only the primary WAN is specified and the Source Type is Network with the networks selected.
Click Create once complete.

Configuration in Standalone Mode to Allow Specific Networks and IP Addresses Through the Backup WAN
Step 1. Create the IP group for the subnet or specific address.
After logging into the router's local UI, navigate to Preferences > IP Group > IP Address and click Add.

Step 2. Here, specify the IP addresses that will participate in the policy.
In this example, the allowed and denied IP addresses are on the same subnet.
If the rule routes different networks, choose the IP Address/Mask option for each LAN.
Click OK when complete.

Name: Enter the name of the IP address entry.
IP Address Type:
IP Address Range: Specify a starting IP address and an ending IP address. A rule that references the IP address entry will be applied to the IP addresses within the range in the entry.
IP Address/Mask: Specify a network address and a subnet mask. A rule that references the IP address entry will be applied to the IP addresses within the range in the entry.
Description: Enter a brief description for the IP address entry to facilitate your management. It can be 50 characters at most.
Step 3. Go to IP Group and click Add and fill in the parameters.
The example below shows a group for the Allowed_backup. After completing this group, create another group for the denied IP addresses specified in the previous step.
In total, there should be two IP groups.

Group Name: Enter the name of the IP group.
Address Name: Select the IP address entry, and you can select more than one entry for one IP group. A rule that references the IP group will be applied to all the IP addresses in the group.
Description: Enter a brief description for the address group to facilitate your management. It can be 50 characters at most.
Step 4. Next, navigate to Transmission > Routing > Policy Routing and click Add.

Step 5. Fill in the parameters for the IP group allowed to pass through the backup WAN.
For the Mode, make sure to choose Priority so that when the specified WAN fails, it will turn over to the next available WAN.
Click OK once complete.

Name: Enter a name to identify the policy routing rule.
Service Type: Specify the service type for the rule.
Source Type: Only IP Group can be selected. Then specify the IP group rule for source.
Source: Specify the source IP range for the rule. Select IP groups you have created from the drop-down list. With Any selected, the rule will apply to all clients. If no desired IP groups have been created, go to Preferences > IP Group page to create one.
Destination Type: You can select IP Group, Location Group, or Domain Group. Then specify the rule for destination.
Destination:
Select IP Group: From the drop-down list, select an IP Group to specify the destination address range for the rule. The IP Group referenced here can be created at Preferences > IP Group.
Select Location Group: From the drop-down list, select one or multiple Location Groups to which the destination IP addresses belong. The Location Group referenced here can be created at Preferences > Location Group.
Select Domain Group: From the drop-down list, select one or multiple Domain Groups to which the destination IP addresses belong. The Domain Group referenced here can be created at Preferences > Domain Group.
WAN: Select the WAN port, and the traffic will be forwarded through the selected port.
Select multiple WAN ports for load balancing as needed. The available VPN client options are PPTP and L2TP.
Effective Time: Specify the effective time for the rule. If no desired time ranges have been configured, go to Preferences > Time Range page to create one.
Mode: Specify the policy routing mode for the rule.
Priority: In Priority Mode, the rule depends on the online detection result. If any WAN port that you specify is online, the rule will take effect. If all the WAN ports that you specify are offline, the rule will not take effect.
Only: In Only Mode, the rule always takes effect regardless of the WAN port status or online detection result.
Description: Enter a brief description for the rule.
ID: Assign a number to the rule to reorder the list. A smaller number means a higher priority for the rule to take effect.
Status: Check the box to enable the policy routing entry.
Step 6. Next, create a new policy route for the denied IP group.
Click Add and fill in the parameters.
When creating the route for the IP group that is denied, make sure that Mode is set to Only.
Click OK once complete.
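The following added example (not TP-Link code and not part of the original guide) models how the Priority and Only rules from Steps 5 and 6 decide the egress WAN before and after the primary link fails. It assumes rules are checked in ID order, that a Priority rule with all of its WANs offline is skipped, and that unmatched traffic follows Link Backup; the addresses and the Denied_backup group name are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PRIMARY, BACKUP = "WAN1", "WAN/LAN3"   # port roles used in this guide

@dataclass
class PolicyRoute:
    rule_id: int        # smaller ID = higher priority
    name: str
    source_group: list  # IP Group entries in address/mask form (constructed)
    wans: list          # WAN ports selected in the rule
    mode: str           # "Priority" or "Only"

def egress_wan(src, rules, wan_online):
    """Return the WAN a packet from src leaves on, or None if it has no path."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if not any(ip_address(src) in ip_network(n) for n in rule.source_group):
            continue
        online = [w for w in rule.wans if wan_online[w]]
        if rule.mode == "Only":
            # Only: the rule applies whatever the WAN status, so traffic
            # stays pinned to the rule's WAN even while that WAN is down.
            return online[0] if online else None
        if online:
            # Priority: the rule is in effect while any of its WANs is online.
            # (First online WAN is used; load balancing is not modelled.)
            return online[0]
        # Priority with every listed WAN offline: rule not in effect (assumed skip).
    # No rule in effect: Link Backup sends traffic to whichever WAN is up.
    for wan in (PRIMARY, BACKUP):
        if wan_online[wan]:
            return wan
    return None

RULES = [  # constructed sample policy mirroring Steps 5 and 6
    PolicyRoute(1, "Allowed_backup", ["192.168.0.10/32", "192.168.0.11/32"],
                [PRIMARY], "Priority"),
    PolicyRoute(2, "Denied_backup", ["192.168.0.128/25"], [PRIMARY], "Only"),
]

def failover_table(hosts):
    """Map each host to its egress WAN with the primary up, then down."""
    up = {PRIMARY: True, BACKUP: True}
    down = {PRIMARY: False, BACKUP: True}
    return {h: (egress_wan(h, RULES, up), egress_wan(h, RULES, down)) for h in hosts}

if __name__ == "__main__":
    for host, (normal, failed) in failover_table(["192.168.0.10", "192.168.0.200"]).items():
        print(f"{host}: primary up -> {normal}, primary down -> {failed}")
```

In this model, a host that belongs to neither group also fails over to the backup WAN, so every non-critical address must be covered by the denied group.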

Verification
Verification is performed using two devices: one that is permitted to utilize the backup WAN and another that is denied access.
During the ping test, the “Request timed out” message indicates the device temporarily loses connectivity while the WAN failover process occurs. The permitted device will begin receiving replies again once the backup WAN becomes active, while the denied IP group will remain in a timed-out state.
For the denied IP group, it is possible to briefly receive 3–4 successful replies during the transition period. However, once the Policy Routing rule is fully applied and initialized, the device will return to a timed-out state.
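To make the check above repeatable, the following added example (not part of the original guide) classifies a saved ping log from a failover test while tolerating the short burst of replies a denied device can see. It assumes Windows-style ping output; the log lines, the target address 203.0.113.1 and the settle threshold of 5 probes are constructed for illustration.

```python
import re

# Windows ping output: a real reply carries "bytes=", error lines do not.
REPLY = re.compile(r"^Reply from \S+: bytes=\d+")
LOSS = ("Request timed out", "Destination host unreachable", "General failure")

def parse_probes(lines):
    """Turn ping output lines into booleans: True = reply, False = loss."""
    probes = []
    for line in lines:
        line = line.strip()
        if REPLY.match(line):
            probes.append(True)
        elif any(marker in line for marker in LOSS):
            probes.append(False)
    return probes

def classify_failover(lines, settle=5):
    """Classify a ping log captured while the primary WAN is taken down.

    settle is how many trailing probes must agree before a verdict is given,
    so the brief replies a denied host can see are not misread as success.
    """
    probes = parse_probes(lines)
    if False not in probes:
        return {"verdict": "no-outage-seen", "lost": 0, "transient_replies": 0}
    after = probes[probes.index(False):]      # everything from the first loss
    tail = after[-settle:]
    if len(tail) < settle or len(set(tail)) > 1:
        verdict = "inconclusive"
    elif tail[0]:
        verdict = "on-backup-wan"
    else:
        verdict = "blocked"
    # Replies seen after the outage began by a host that ends up blocked.
    transient = sum(after) if verdict == "blocked" else 0
    return {"verdict": verdict, "lost": after.count(False),
            "transient_replies": transient}

def _log(pattern, target="203.0.113.1"):
    """Build a constructed ping log: 'R' = reply, 'T' = timeout."""
    reply = f"Reply from {target}: bytes=32 time=12ms TTL=56"
    return [reply if c == "R" else "Request timed out." for c in pattern]

ALLOWED_LOG = _log("RRRTTTTRRRRRR")    # constructed sample
DENIED_LOG = _log("RRRTTRRRTTTTTT")    # constructed sample, 3 transient replies

if __name__ == "__main__":
    print("allowed:", classify_failover(ALLOWED_LOG))
    print("denied: ", classify_failover(DENIED_LOG))
```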
Allowed IP Group:

Denied IP Group:

Conclusion
This guide demonstrated how to configure selective WAN failover using Link Backup and Policy Routing. By allowing only critical networks or devices to utilize the backup WAN, administrators can maintain essential connectivity while conserving bandwidth usage on the secondary connection.
To learn more about each function and configuration, please go to the Download Center to download the manual of your product.
QA
Q1: What should I do if my policy route is not working?
A1: Make sure the device you are testing is in the subnet covered by the policy routing rule.