Actually, there is a way to do this (at least for outbound access and
mail) without BGP, but it requires two firewalls in a RainWall cluster.
You connect one firewall to ISP A and the other firewall to ISP B, and
both to the same internal subnet. Firewall A does NAT using a range from
ISP A, and firewall B does NAT using a range from ISP B. Then you set up
the RainWall Ping Monitor to watch the ISP links. If the link to ISP A
goes down, RainWall can automatically disable firewall A and move its
internal IP address to firewall B, thereby redirecting users out to ISP B.
This also allows load sharing of outbound traffic between the two links.
It does not help in the case of inbound access to an internally hosted
webserver, but mail will still work if you use multiple MX records.
Failover is automatic, but not transparent (because the src/dest pair
changes). Not a perfect solution, but then neither is BGP.
Mark L. Decker
Rainfinity
This can only be handled by BGP and cooperation between the ISPs.
FireWall-1 will not change its security policy/NAT policy when a WAN
link drops.
Gunjan Mathur at 9netave wrote:
I have two WAN links using PPP with static routes from different ISPs.
Now I want that if one of my links goes down, the second link
automatically handles everything, and if both are up, load balancing
happens. I'm using NATting of my LAN traffic on the firewall with one
ISP's IP range. If the link of this ISP goes down then all my LAN users
are unable to access the net, because of this NATting. How do I configure
my structure in such a way that if the link of the NATting ISP is down
then the second link handles the traffic?
GM