Dual WAN load balancing vs failover: which one you actually need
Most businesses who ask me for dual WAN load balancing actually want failover. They're not chasing speed; they want the EFTPOS, the phones and the cloud apps to stay up when the NBN drops. Failover does exactly that: the second connection sits idle until the first one dies, then carries the load until it comes back. Load balancing runs both links live and splits your traffic between them, which sounds strictly better and usually disappoints. I've built both, on MikroTik and on pfSense, and about nine jobs in ten end up as failover. Here's what each one really does, when balancing genuinely earns its keep, and the traps on both paths.
What each one actually does
Failover is a spare tyre. You have a primary link and a backup, and the backup does nothing while the primary is healthy. The router watches the primary, and the moment it decides that link is dead, everything moves to the backup. When the primary recovers, everything moves home again. At any given moment your traffic leaves through one connection, from one public IP.
Load balancing keeps both links live all the time and deals new connections out across them. The key word is connections. Balancing splits sessions, not packets: each download, video call or browser tab picks a link when it starts and stays on it. Your traffic leaves from two public IPs at once, which matters more than most people expect.
Why load balancing disappoints people
The expectation is simple maths: a 100Mbps link plus a 50Mbps link should feel like 150Mbps. It doesn't, because a single session rides a single link. Your big file download tops out at whichever link it landed on. A speed test does the same, which is usually the moment the phone rings.
Then there's the two-IP problem. Plenty of services tie your session to your public IP. Internet banking is the classic: half your connections arrive from one address and half from the other, the bank decides something is off, and you're logged out or flagged. VoIP is worse. A call is set up through one IP, and if the audio flaps to the other link mid-call, the call goes one-way or drops. The fix is policy rules pinning banking and voice to one link, and once you've pinned everything sensitive, you've mostly rebuilt failover with extra steps.
When load balancing is the right call
Balancing shines when the load is lots of people doing lots of small things. An office of twenty or thirty staff has hundreds of parallel sessions open: mail, browser tabs, cloud sync, a guest WiFi full of phones. Spread across two links, that aggregate load really does get 150Mbps of headroom, and the 2pm slowdown disappears. The test I use: if the complaint is "the internet crawls for everyone in the afternoon", balancing can fix it. If the complaint is "my upload is too slow", it can't. Buy a faster link for that.
When failover is right: almost everyone else
A small business doesn't lose money because the internet is 40 percent slower. It loses money because the internet is down, the terminal is offline and the phones are dead. If that describes your risk, you want failover: a boring, cheap second link that does nothing 364 days a year and saves the day on day 365. Pair your main business NBN service with a mobile backup, test it properly, and you've removed your single most expensive outage.
The detection problem: how the router knows a link is dead
This is where most DIY dual WAN setups quietly fail. Failover only works if the router can tell the link is down, and the obvious method, pinging the gateway, is wrong. The gateway is usually the NBN connection box or modem on your wall, and that box answers ping happily while the carrier behind it is completely dead. Gateway up, internet down, and the router keeps shovelling traffic into a black hole. The failover never fires and you find out from an angry phone call.
The right way is to check something out on the actual internet through each specific link: a couple of well-known public addresses, tested independently per WAN. Use more than one target, because one site being down is not an outage. And require several consecutive misses before declaring the link dead, because a single lost ping is just Tuesday. The opposite failure is flapping: a marginal link bouncing up and down every minute drags every session back and forth with it, which is worse than staying on the backup. A good setup fails over quickly and fails back cautiously.
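The detection rules above as a small state machine, added here as an illustration and not taken from any router's firmware or the author's configurations. A probe round counts as good if any target answers through that WAN; the thresholds (3 missed rounds to fail over, 10 good rounds to fail back), the link names and the documentation-range target addresses are assumptions.

```python
from dataclasses import dataclass

@dataclass
class LinkMonitor:
    """Per-WAN health state with asymmetric thresholds (hysteresis)."""
    name: str
    down_after: int = 3   # consecutive failed rounds before declaring the link dead
    up_after: int = 10    # consecutive good rounds before trusting it again
    up: bool = True
    _fails: int = 0
    _oks: int = 0

    def record_round(self, replies: dict) -> bool:
        """replies maps each internet target to True/False for one probe round
        sent through this WAN. One answering target is enough to count as good."""
        if any(replies.values()):
            self._oks += 1
            self._fails = 0
            if not self.up and self._oks >= self.up_after:
                self.up = True       # fail back cautiously
        else:
            self._fails += 1
            self._oks = 0
            if self.up and self._fails >= self.down_after:
                self.up = False      # fail over quickly
        return self.up

def active_link(primary: LinkMonitor, backup: LinkMonitor) -> str:
    """Failover policy: use the primary whenever it is considered up."""
    if primary.up:
        return primary.name
    return backup.name if backup.up else "none"

def replay(rounds, down_after=3, up_after=10):
    """Feed constructed primary-WAN probe rounds through the monitor and
    return the active link after each round (backup assumed healthy)."""
    primary = LinkMonitor("nbn", down_after, up_after)
    backup = LinkMonitor("mobile")
    history = []
    for replies in rounds:
        primary.record_round(replies)
        history.append(active_link(primary, backup))
    return history

# Constructed sample rounds; documentation addresses stand in for real targets.
OK = {"192.0.2.10": True, "198.51.100.10": True}
ONE_TARGET_DOWN = {"192.0.2.10": False, "198.51.100.10": True}
DEAD = {"192.0.2.10": False, "198.51.100.10": False}
```

Replaying `[DEAD] * 3 + [OK, DEAD] * 5` shows the flapping case: the link alternates every round, never strings together ten good rounds, and traffic stays on the backup instead of bouncing.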
Mixing NBN with 4G or 5G
A mobile service is the natural second link, and for failover it's excellent, because it only carries traffic during an outage and a modest data allowance covers you. Two gotchas though. First, data caps and balancing don't mix: balance across NBN and 5G and the mobile link carries real traffic all month, so the bill arrives before the benefit does. Second, CGNAT. Mobile carriers almost never hand you a public IP, so while you're running on the backup, anything inbound stops working: the VPN into the office, remote access to cameras, anything you host on-site. Outbound keeps flowing and staff barely notice, but if inbound services matter, plan around it or pay for a fixed-IP mobile service.
MikroTik vs pfSense in practice
Both do this properly. I've run dual WAN on MikroTik routerboards and on pfSense boxes for years, and the difference is philosophy, not capability.
MikroTik ties link health to the routing table. Check-gateway marks a route dead when its gateway stops responding, and recursive routing takes it further: a route can depend on reaching a far-off internet target through that specific link, which sidesteps the gateway-up-internet-down trap neatly. It's powerful and it's terse, and six months later the config reads like it. RouterOS rewards people who use it weekly.
pfSense wraps the same job in gateway groups. Each WAN gets a monitor IP out on the internet, gateways are grouped into tiers, and traffic follows the group: same tier means balance, different tiers means failover. Same logic, friendlier handles, and much easier to hand to the next person.
On sizing, the honest answer: at NBN speeds this is not a hardware problem. An RB4011-class MikroTik or a small pfSense box runs dual WAN for a whole office with headroom to spare. Spend the savings on the second link and an hour of proper failure testing.
FAQ
What is the difference between dual WAN load balancing and failover?
Failover keeps the second connection idle until the primary fails, then moves all traffic across until it recovers. Load balancing keeps both connections live and spreads sessions across them. Failover buys uptime; balancing buys aggregate capacity for many simultaneous users. Most small businesses want failover.
Will dual WAN load balancing double my internet speed?
No. Balancing splits connections across links, not packets, so a single download or video call rides one link at that link's speed. Links of 100Mbps and 50Mbps give 150Mbps of combined headroom across many sessions, but one transfer never sees more than 100Mbps. For one fast task, buy a faster primary link.
Can I use 4G or 5G as a backup for the NBN?
Yes, and as a failover link it works well because it only carries traffic during an outage. Two catches: data caps make balancing over mobile expensive, and CGNAT means no public IP, so inbound services like a VPN into the office or remote camera access stop working while you are on the backup.
How does the router know the internet connection is down?
Not by pinging the gateway. The gateway is usually the NBN box on your wall, and it answers ping even when the carrier behind it is dead. A proper setup tests targets out on the internet through each specific link, uses more than one target, and only fails over after several consecutive misses.
Is MikroTik or pfSense better for dual WAN?
Both handle failover and balancing properly. MikroTik ties link health to routes with check-gateway and recursive routing, which is powerful but assumes RouterOS experience. pfSense wraps the same logic in gateway groups with tiers and monitor IPs, which is easier to hand over. Pick the one your support person actually knows.
Do I need expensive hardware for a dual WAN setup?
No. An RB4011-class MikroTik or a small pfSense box handles dual WAN at NBN speeds with plenty of headroom. The hardware is the cheap part. The configuration and the failure testing are where the effort belongs, so spend it there.
The bottom line
Failover keeps you trading through an outage; load balancing adds headroom for a busy office. If you're not sure which one you need, you need failover. Set the detection up properly so the router checks the real internet and not just the box on the wall, keep the mobile backup for emergencies rather than daily traffic, and test it by actually pulling the plug. Do that once, properly, and the next NBN outage in your street is someone else's bad day.
Running a business on one internet connection is a bet that it never fails. If you'd rather not make that bet, we design and build business networks with failover that has actually been tested, on gear sized for the job rather than the invoice. Tell us what an hour offline costs you and we'll spec the second link to match.