Doing Dual ISP Load Balancing with Ubiquiti EdgeRouter

Ever since I moved to a new house, I’ve been stuck with a pretty bad ISP. With no fiber, and a few kilometers away from the DSL termination pop (so a max of 10Mbit on ADSL), that just leaves cable. Speeds aren’t terrible: I get a 400Mbit line for €60 per month. Latency spikes and jitter are horrible, but that can be expected on a cable network. Especially fun when doing internet calls. 😉

All in all, I haven’t been enjoying my internet connection for a while and I wanted to do something about it.

Dual Connection

After dismissing the thought of moving house again, I decided to get an extra low-speed but quality connection. ADSL with a trusted provider turned out to be the best option. I planned on using VeloCloud to balance between the connections, but the new connection was actually delivered a few weeks early. I didn’t have the VeloCloud design ready yet, but did want to hook up the new connection and test it out.

Enter the Ubiquiti EdgeRouter I already had in place, which, as it turns out, is able to load balance between multiple connections.

Ubiquiti EdgeRouter

The EdgeRouter is a really good router for the network enthusiast, as it is packed with features that you can geek out with. One of those is the ability to create load balancing groups between connections, for outgoing network traffic. I linked to an article from Ubiquiti themselves but found it lacking commentary and it missed a couple of extra things I wanted to do, so I decided to do a write-up of my setup.

Wanted Topology

This is the topology I was going for:

This was already in place for the cable provider, so all I did here was bring in the ADSL provider to a VLAN and transport that up to my EdgeRouter.

EdgeRouter Configuration

Let’s get into the weeds and begin with the interface configuration. All configuration is going to be done via the CLI, by the way; most of this cannot be done via the UI.


As pictured earlier, I’m using VLANs to transport the internet connections to the EdgeRouter. This means the interface configuration looks like this:

A couple things to note:

  • Both connections have a DHCP IP address attached, but you can do this with a static IP as well.
  • The default-route-distance determines how to install the default route in the global routing table. In this case I opted to use the cable provider as the primary connection by giving it a lower distance than the ADSL connection.
  • I didn’t want the DHCP client to update my DNS servers for the EdgeRouter (because I have my own) and specified dhcp-options name-server no-update.

Extra Configuration

Just to make sure I paint a full picture, below is an overview of some extra configuration (firewall & NAT) which is needed to get this working:
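An added sketch of that baseline for both uplinks, in EdgeOS CLI (not the author's original listing). The interface names eth0.98 (ADSL) and eth0.99 (cable) and the DHCP options come from this page; the ruleset names WAN_IN and WAN_LOCAL, the distance values and the NAT rule numbers are assumptions. Note that the second uplink gets the same inbound firewall and its own masquerade rule, since a newly added WAN VLAN is not covered by the policy attached to the first.

```edgeos
configure

# eth0.99 = cable (primary: the lower distance wins), eth0.98 = ADSL
# Distances 210 and 220 are assumed values.
set interfaces ethernet eth0 vif 99 description "WAN cable"
set interfaces ethernet eth0 vif 99 address dhcp
set interfaces ethernet eth0 vif 99 dhcp-options default-route-distance 210
set interfaces ethernet eth0 vif 99 dhcp-options name-server no-update
set interfaces ethernet eth0 vif 98 description "WAN ADSL"
set interfaces ethernet eth0 vif 98 address dhcp
set interfaces ethernet eth0 vif 98 dhcp-options default-route-distance 220
set interfaces ethernet eth0 vif 98 dhcp-options name-server no-update

# Stateful inbound policy (assumed ruleset names): only replies to
# connections opened from the inside are let through.
set firewall name WAN_IN default-action drop
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 state invalid enable
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 state invalid enable

# Attach the same policy to BOTH uplinks (forwarded and router-bound traffic)
set interfaces ethernet eth0 vif 99 firewall in name WAN_IN
set interfaces ethernet eth0 vif 99 firewall local name WAN_LOCAL
set interfaces ethernet eth0 vif 98 firewall in name WAN_IN
set interfaces ethernet eth0 vif 98 firewall local name WAN_LOCAL

# One source NAT (masquerade) rule per uplink
set service nat rule 5000 type masquerade
set service nat rule 5000 outbound-interface eth0.99
set service nat rule 5001 type masquerade
set service nat rule 5001 outbound-interface eth0.98

commit
save
```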

WAN Load Balancing Configuration

So far we’ve only hooked up two connections, with the cable connection as the primary and a failover to the ADSL connection when the cable fails. That failover is also slow, because the DHCP lease needs to expire before the routing switches over. This is one of the issues that WAN load balancing on the EdgeRouter fixes, by actively monitoring the connections.

First, let’s configure a load balancing group:

Here, I’ve divided up the connections with weights so the cable connection gets used for 90% of the load and the ADSL connection gets 10% of the load. This is due to the difference in speeds. Furthermore, both connections will be monitored by doing a ping to every 5 seconds (by default it marks it as failed when 3 pings are missed).

Once you have this config in place, you can verify the monitor is working by executing this:

Now that you have the load balancing in place, it needs to take effect. You do this by defining a firewall modify ruleset which points to the load balancing group:

A couple things to note:

  • Rule 10, 20 & 30 make sure it doesn’t load balance between internal ranges (LAN to LAN) and not load balance towards the actual IPs of the external interfaces. (I specified a /24 there because those can change). It’s weird that the EdgeRouter doesn’t exclude these by default, yes.
  • Rule 70 is the one that actually redirects traffic to the load balancing group.
  • Interface eth1.10 is one of my internal networks. You need this line on any internal network you’d like to load balance.

Once the load balancing group is applied to an internal interface, you can verify that it is balancing traffic by executing this:

The WAN Out/In counters go up as the connections route more traffic, and tables 201 and 202 are filled with the routes for the different connections.
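The group, the modify ruleset and the two checks described above, as an added EdgeOS CLI example (not the author's original listing). ISP_BALANCE, rules 10/20/30/70, eth1.10, the 90/10 weights and the 5 second interval come from this page; the group names WAN_BALANCE and LAN_NETS, the LAN range, the two /24 documentation ranges standing in for the WAN subnets, and PING_TARGET are placeholders.

```edgeos
configure

# Weighted group: 90% cable (eth0.99), 10% ADSL (eth0.98).
# PING_TARGET is a placeholder; the page does not name the probed host.
set load-balance group WAN_BALANCE interface eth0.99 weight 90
set load-balance group WAN_BALANCE interface eth0.99 route-test type ping target PING_TARGET
set load-balance group WAN_BALANCE interface eth0.99 route-test interval 5
set load-balance group WAN_BALANCE interface eth0.98 weight 10
set load-balance group WAN_BALANCE interface eth0.98 route-test type ping target PING_TARGET
set load-balance group WAN_BALANCE interface eth0.98 route-test interval 5

# Rules 10-30: LAN-to-LAN traffic and traffic to the WAN-side subnets
# stay on the main routing table and are never load balanced.
set firewall group network-group LAN_NETS network 192.168.0.0/16
set firewall modify ISP_BALANCE rule 10 action modify
set firewall modify ISP_BALANCE rule 10 destination group network-group LAN_NETS
set firewall modify ISP_BALANCE rule 10 modify table main
set firewall modify ISP_BALANCE rule 20 action modify
set firewall modify ISP_BALANCE rule 20 destination address 198.51.100.0/24
set firewall modify ISP_BALANCE rule 20 modify table main
set firewall modify ISP_BALANCE rule 30 action modify
set firewall modify ISP_BALANCE rule 30 destination address 203.0.113.0/24
set firewall modify ISP_BALANCE rule 30 modify table main

# Rule 70: everything that was not excluded goes to the group
set firewall modify ISP_BALANCE rule 70 action modify
set firewall modify ISP_BALANCE rule 70 modify lb-group WAN_BALANCE

# Apply to traffic entering from each internal network to be balanced
set interfaces ethernet eth1 vif 10 firewall in modify ISP_BALANCE

commit

# Probe state per uplink (is the route test passing?)
run show load-balance watchdog
# Per-uplink status, weights and flow counters
run show load-balance status

save
```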


Of course, I wanted to make some exceptions to the general load balancing and failover. One example was that my download server should always use the cable connection (with its 400Mbit) instead of bothering the ADSL line; another was that my own computer should use the ADSL line as primary, only failing over to cable if the ADSL line goes down. The latter was important because the ADSL line is much better when it comes to voice calls, webinars, etc.

To facilitate a configuration where something used the ADSL connection as primary and the cable connection as secondary, I had to create a new load balancing group:

You’ll only notice 2 differences: I removed the weights and added failover-only to eth0.99 (which is the cable connection). This gives the result that eth0.98 will always be used unless the ping test fails, which will make it failover to eth0.99.

To effect this new load balancing group for a specific client, I’ve used this snippet:

This inserts a rule in the existing ISP_BALANCE ruleset where the load balancing is being called, takes a source address-group (in this case named Martijn-iMac-Macbook) and uses that to decide to redirect the traffic to the new load balancing group. The address group simply contains the IP addresses that my iMac and Macbook have.

Another variation on this is doing this on a destination basis:

Here I make sure that a VPN tunnel endpoint on the internet (IP included in the address group LD-VPN-GW-EXT) always goes via the ADSL connection and fails back to the cable connection if needed.
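The failover-only group with the source and destination exceptions, as an added EdgeOS CLI example (not the author's original listing). The ruleset and address-group names come from this page; the group name ADSL_FIRST, rule numbers 50 and 60, the member addresses and PING_TARGET are placeholders. The exceptions are numbered after the LAN exclusions (10 to 30) and before the catch-all rule 70, so the first matching rule decides the path.

```edgeos
configure

# ADSL (eth0.98) is always used; cable (eth0.99) only when the ADSL probe fails.
# No weights here, and PING_TARGET is a placeholder for the probed host.
set load-balance group ADSL_FIRST interface eth0.98 route-test type ping target PING_TARGET
set load-balance group ADSL_FIRST interface eth0.98 route-test interval 5
set load-balance group ADSL_FIRST interface eth0.99 failover-only
set load-balance group ADSL_FIRST interface eth0.99 route-test type ping target PING_TARGET
set load-balance group ADSL_FIRST interface eth0.99 route-test interval 5

# Address groups referenced by the rules (member addresses are constructed)
set firewall group address-group Martijn-iMac-Macbook address 192.168.10.50
set firewall group address-group Martijn-iMac-Macbook address 192.168.10.51
set firewall group address-group LD-VPN-GW-EXT address 203.0.113.10

# Source-based exception: these clients prefer ADSL
set firewall modify ISP_BALANCE rule 50 action modify
set firewall modify ISP_BALANCE rule 50 source group address-group Martijn-iMac-Macbook
set firewall modify ISP_BALANCE rule 50 modify lb-group ADSL_FIRST

# Destination-based exception: traffic to the VPN endpoint prefers ADSL
set firewall modify ISP_BALANCE rule 60 action modify
set firewall modify ISP_BALANCE rule 60 destination group address-group LD-VPN-GW-EXT
set firewall modify ISP_BALANCE rule 60 modify lb-group ADSL_FIRST

commit

# Confirm the new group is present and its probes are passing
run show load-balance watchdog

save
```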


While this is a temporary situation for me (while I figure out a network overhaul and include VeloCloud for this functionality), the EdgeRouter really does a good job with load balancing between multiple links and the possibilities to make exceptions based on source or destination are awesome.



  1. Dimitris Xalatsis

    October 25, 2018 at 11:19

    Very good article and to the point instructions! Wish the actual router’s manual was more like that!

  2. Thanks for that article! Before this I thought – that’s too much for my mind – I’m not smart enough – but with your help I’ve now configured a few exceptions to my multi WAN routing and use important clients only on the reliable (but slow) ADSL connection (so I’m in a similar situation as you – only in my case the speedy 2nd WAN is LTE – but the quality for sure ain’t better 🙂)
    thanks, greets from Austria, Mario

  3. Very useful article! Thanks for such a good job!

  4. This is very good information. Is it possible to do this using a public IP address on the internal network? Like an FTP server or an email server? That is something I’m trying to figure out how to do.

    • Martijn

      September 6, 2019 at 12:54

      Sure, I’d suggest doing destination NAT for that. If you want to make it redundant, just put the DNAT on both ISP uplinks.

  5. Hi! Thanks for the Article. It’s very informative. But I’m trying to achieve something which I’m unable to.

    I use ER-X with Dual WAN (w/ Failover and Failback Scripts by BranoB) which facilitates that as soon as Main WAN comes back online, this script would stop using backup WAN and start using Main WAN.

    Now, the thing is. I myself have Two PC Setup.

    I want to use Main ISP on the PC #2 but I want to use Backup ISP on PC #1.

    EdgeRouter-X handles all the DHCP. So there is no NAT in-between.

    But, I don’t want to lose LAN between PC #1 and PC #2.

    How can I do so?


  6. John McCartan

    May 4, 2020 at 14:47

    Thanks much for the thorough explanation and the scripts.

    My situation is very similar. I am not doing vlan on inbound connections – Cable will be on eth0 and ADSL on eth1. I am going to try to adapt your script to meet my needs. If you have any tips – much appreciated as I am just learning… is it possible to accomplish the same scenario using 2 ports (eth0, eth1)? I am assuming so but as I stated, just learning so want to confirm.

    Another question I have that you might be able to help with:

    I will have the two connections (separate) inbound. I have a Synology that I am considering attempting link aggregation with… that might be down the line. The other port will feed my double nat’d EERO network. Using it for all my main functionality (wireless, DHCP, etc).

    1. Is this a good idea?
    2. I am trying to figure out – how I get to (ERX) from 192.168.4.x (EERO’s scope)?


  7. This was a real treasure trove. I had virtually the same routing needs, even though my topology is slightly different. I look forward to trying these config tricks. Thanks for the post!

  8. My need was to route all requests to a specific IP to a specific interface (ISP), and before finding this page, I had posted to the Ubiquiti forums trying to get answers. Though I got responses, they still left me high/dry.

    Once I read your sentence “Another variation on this is doing this on a destination basis:” … that is what clicked. I was able to use the dashboard’s Config Tree and work backwards from what you did. The only thing missing on your article above is creating an address group:

    firewall/group/address-group and give the name and ips for that group.

    Thank you for this post.

    Link to my forum post:

  9. Awesome!!!
    This post helped me clearly understand and configure the concept of load balance / failover, source & destination PBR. Was able to achieve what I wanted. Used your post as a reference along with unifi help pages. My setup is for Starling – DSL LB-failover and DSL for devices that I do the MS teams and zoom calls. Did it all with the Edgerouter-x GUI, and just used CLI to check the watchdog & status.

    Thank you very much.


© 2022 Lostdomain
