This tutorial will show you how to configure WAN failover on Zyxel USG Series using "Spillover" on the trunk.
After completing these steps, your device should be able to swap to the passive interface whenever an interruption of the connectivity is detected.
1. Configuring the WAN trunk
1. Access your device by entering its IP address in the browser address line and login by using the device’s credential
2. Make sure you have a second WAN connection available.
3. Navigate to
Configuration > Network > Interface > Trunk
4. Add a new User Configured Trunk.
5. Choose "Spillover" as Algorithm and "Outbound" as Index. Set your main WAN Connection as "Active" and the Backup as "Passive". Change the Spillover value on your main connection to a value higher than the default so it can change the WAN connection when the USG can't reach it.
8. After setting up the new Trunk, you now need to change the Default Trunk Selection to the newly created Spillover Trunk.
2. Enable Connectivity check on the active WAN trunk
1. Navigate to
Configuration > Network > Interface > Ethernet
2. Select the WAN interface that is set to be your main connection. In this example, wan1 interface is used. as the active interface. Click edit on the button to open the interface settings and scroll to Connectivity check section.
3. Configure the settings:
- Check Period: 5 seconds (How many seconds pass between connection check attempts.)
- Check Timeout: 1 second (How many seconds to wait for a response before the attempt is considered a failure)
- Check Fail Tolerance:1 time (How many failures need occur before the USG stops routing through the gateway)
- Check this address: It's recommended to use this option to check the connectivity, as this will use an IP address in the internet (such Google DNS server 18.104.22.168).
Note: If the Default gateway is used, the local connection to the ISP device might work while the issue could be located in other part of the ISP network, leaving the USG without access and not detecting this as an issue
There is also a second way to achieve a failover on your firewall by policy routes:
This should be enough to make your WAN failover work.