
RE: [FW1] Multiple WAN Links.





Actually, there is a way to do this (at least for outbound access and
mail) without BGP, but it requires two firewalls in a RainWall cluster.
You connect one firewall to ISP A and the other firewall to ISP B, and
both to the same internal subnet.  Firewall A does NAT using a range
from ISP A, and firewall B does NAT using a range from ISP B.  Then you set
up the RainWall Ping Monitor to watch the ISP links.  If the link to ISP A
goes down, RainWall can automatically disable firewall A, and move its
internal IP address to firewall B, thereby redirecting users out to ISP
B.  This also allows load sharing of outbound traffic between the two
links.  It does not help in the case of inbound access to an internally
hosted webserver, but mail will still work if you use multiple MX
records.  Failover is automatic, but not transparent (because the src/dest
pair changes).  Not a perfect solution, but then neither is BGP.
 
Mark L. Decker
Rainfinity
mdecker@rainfinity.com
(408) 382-4870

-----Original Message-----
From: owner-fw-1-mailinglist@lists.us.checkpoint.com
[mailto:owner-fw-1-mailinglist@lists.us.checkpoint.com] On Behalf Of CryptoTech
Sent: Thursday, November 02, 2000 6:12 AM
To: Gunjan Mathur at 9netave
Cc: fw-1-mailinglist@lists.us.checkpoint.com
Subject: Re: [FW1] Multiple WAN Links.

      This can only be handled by BGP and cooperation between the
      ISPs.  FireWall-1 will not change its security policy/NAT
      policy when a WAN link drops.

      Gunjan Mathur at 9netave wrote:
            I have two WAN links using PPP with static routes
            from different ISPs.
            Now I want that if one link goes down, then the
            second link automatically handles all
            the things, and if both are up then load balancing
            will happen.

            And I'm using NATting of my LAN traffic on the
            firewall with one ISP's IP range.
            If the link of this ISP goes down then all my LAN
            users are unable to access
            the net, because of this NATting.
            How do I configure my structure in such a way that if
            the link of the NATting ISP
            is down then the second link handles the traffic?

            GM