
RE: [FW1] Multiple WAN Links.





Agreed.  If transparent failover is your top priority, BGP is the better
solution.  If you host web servers internally that need to be reached
from the outside world, BGP also prevents you from having to play games
with DNS to provide access to those servers in the event of link
failure.  BGP has plenty of negatives (uneven load sharing, complex
configuration, requires AS number and cooperation from both ISPs, giant
routing tables that eat gobs of router CPU and RAM, etc.), but it is
still the only solution that provides transparent failover for both
inbound and outbound sessions in the event of link failure.
 
RainWall as a multi-homing solution is really most effective as cheap
protection and link load balancing for outbound Internet access and email
(with multiple MX records).  If you don't care so much that connections
have to be re-established after failover, it's a viable option. 
Otherwise, BGP is the way to go.

-----Original Message-----
From: CryptoTech [mailto:cryptotech@gmx.de]
Sent: Thursday, November 02, 2000 7:40 PM
To: mdecker@rainfinity.com
Cc: 'Gunjan Mathur at 9netave';
fw-1-mailinglist@lists.us.checkpoint.com
Subject: Re: [FW1] Multiple WAN Links.

      If this will be a cluster configuration -- that is, allowing
      session failover, and if necessary, vpn-failover, then the
      two boxes will be defined as a cluster, therefore each
      internal subnet must be hidden behind one ip.  If you decide
      to break the state synchronization by configuring the two
      boxes as totally separate entities, and allowing yourself to
      enforce different hide addresses for the same subnet on two
      boxes, you will run into problems with dynamically generated
      web pages when failover occurs, because the source address
      for a session will change and the remote server will be
      unable to swap the remote association.

      Don't get me wrong, Rainfinity is a great product, but to do
      this solution flawlessly, you should still listen to the
      first response.

      "Mark L. Decker" wrote:
            Actually, there is a way to do this (at least
            for outbound access and mail) without BGP, but it
            requires two firewalls in a RainWall cluster. 
            You connect one firewall to ISP A and the other
            firewall to ISP B, and both to the same internal
            subnet.  The firewall A does NAT using range from
            ISP A, and firewall B does NAT using range from
            ISP B.  Then you set up the RainWall Ping Monitor
            to watch the ISP links.  If link to ISP A goes
            down, RainWall can automatically disable firewall
            A, and move its internal IP address to firewall
            B, thereby redirecting users out to ISP B.  This
            also allows load sharing of outbound traffic
            between the two links.  It does not help in the
            case of inbound access to an internally hosted
            webserver, but mail will still work if you use
            multiple MX records.  Failover is automatic, but
            not transparent (because src/dest pair changes). 
            Not a perfect solution, but then neither is
            BGP.

            Mark L. Decker
            Rainfinity
            mdecker@rainfinity.com
            (408) 382-4870
                  -----Original Message-----
                  From: owner-fw-1-mailinglist@lists.us.checkpoint.com
                  [mailto:owner-fw-1-mailinglist@lists.us.checkpoint.com] On Behalf Of CryptoTech
                  Sent: Thursday, November 02, 2000 6:12 AM
                  To: Gunjan Mathur at 9netave
                  Cc: fw-1-mailinglist@lists.us.checkpoint.com
                  Subject: Re: [FW1] Multiple WAN Links.

This can only be handled by BGP and cooperation between
the ISPs.  FireWall-1 will not change its security
policy/NAT policy when a WAN link drops.

Gunjan Mathur at 9netave wrote:
      I have two WAN links using PPP with static
      routes from diff. ISPs.
      Now I want that if one of my links goes down then the
      second link automatically handles all
      the things, and if both are up then load
      balancing will happen.

      And I'm using NATting of my LAN traffic on the
      firewall with one ISP's IP range.
      If the link of this ISP goes down then all
      my LAN users are unable to access
      the net, because of this NATting.
      How do I configure my structure in such a way that
      if one of the NATting ISP's links
      is down then the second link handles the
      traffic?

      GM
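The following is an added illustration, not code from this thread or from Rainfinity or Check Point. It models the two-firewall, two-NAT-range setup Mark Decker describes and the objection CryptoTech raises: once the ping monitor moves the client to the other firewall, the remote server sees a different source address and the existing session is no longer recognized, so failover is automatic but connections must be re-established. A second scenario models the BGP case from the top of the thread, where the public address does not change when a link drops. The firewall names, hide addresses (taken from the RFC 5737 documentation ranges), the hash-based load sharing and the web server's address-bound session handling are all constructed for the example.

```python
# Added illustration, not code from the thread or from Rainfinity: a small
# model of the two-firewall, two-NAT-range setup Mark Decker describes,
# showing why its failover is automatic but not transparent. Firewall names,
# hide addresses (RFC 5737 documentation ranges) and the web server's
# session handling are all constructed for the example.
from dataclasses import dataclass, field
import hashlib


@dataclass
class Firewall:
    name: str
    isp: str
    hide_addr: str            # NAT hide address taken from this ISP's range
    link_up: bool = True


class TwoFirewallCluster:
    """Two independent firewalls, one per ISP. A ping monitor marks each
    ISP link up or down; outbound flows are steered to a firewall whose
    link is up, with load sharing while both are healthy."""

    def __init__(self, *fws: Firewall) -> None:
        self.fws = list(fws)

    def ping_monitor(self, probes: dict) -> None:
        # probes maps ISP name -> bool (constructed ping result per link)
        for fw in self.fws:
            fw.link_up = probes.get(fw.isp, False)

    def egress_for(self, internal_src: str) -> Firewall:
        up = [fw for fw in self.fws if fw.link_up]
        if not up:
            raise RuntimeError("all ISP links are down")
        digest = hashlib.sha256(internal_src.encode()).hexdigest()
        return up[int(digest, 16) % len(up)]


@dataclass
class RemoteWebServer:
    """A remote server that ties each session to the client's public
    (post-NAT) source address, as the dynamically generated pages in the
    thread do."""
    sessions: dict = field(default_factory=dict)
    counter: int = 0

    def login(self, public_src: str) -> str:
        self.counter += 1
        sid = f"sess{self.counter}"
        self.sessions[sid] = public_src
        return sid

    def request(self, sid: str, public_src: str) -> bool:
        # Accepted only if the session exists and the source address matches
        return self.sessions.get(sid) == public_src


def run_nat_failover_scenario() -> dict:
    """One internal client logs in, then the ISP link it was using drops."""
    fw_a = Firewall("fw-A", "ISP-A", "198.51.100.10")
    fw_b = Firewall("fw-B", "ISP-B", "203.0.113.10")
    cluster = TwoFirewallCluster(fw_a, fw_b)
    server = RemoteWebServer()
    client = "10.0.0.25"

    cluster.ping_monitor({"ISP-A": True, "ISP-B": True})
    first = cluster.egress_for(client)
    sid = server.login(first.hide_addr)
    before = server.request(sid, first.hide_addr)

    # The link behind the firewall the client was using fails; the monitor
    # disables that firewall and the client is steered to the other one.
    cluster.ping_monitor({fw.isp: fw is not first for fw in cluster.fws})
    second = cluster.egress_for(client)
    after = server.request(sid, second.hide_addr)     # old session rejected

    new_sid = server.login(second.hide_addr)          # user logs in again
    reestablished = server.request(new_sid, second.hide_addr)
    return {
        "egress_before": first.name,
        "egress_after": second.name,
        "before": before,
        "after": after,
        "reestablished": reestablished,
    }


def run_bgp_scenario() -> dict:
    """With BGP the site announces one address block over both links, so a
    link failure changes the path but not the address the server sees."""
    public_src = "192.0.2.10"          # same address regardless of link
    server = RemoteWebServer()
    sid = server.login(public_src)
    link_a_up = False                  # ISP-A link drops; routing reconverges
    return {"link_a_up": link_a_up, "after": server.request(sid, public_src)}


if __name__ == "__main__":
    print(run_nat_failover_scenario())
    print(run_bgp_scenario())
```

Running the module prints both scenario results: in the NAT case the request made on the old session after failover is rejected and only a fresh login succeeds, while in the BGP case the original session survives. The model deliberately ignores the monitor's polling interval and the time routing takes to reconverge; what it isolates is the one property the thread turns on, whether the source address the remote end sees stays the same across a link failure.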