Agreed. If transparent failover is your top
priority, BGP is the better solution. If you host web servers internally
that need to be reached from the outside world, BGP also prevents you from
having to play games with DNS to provide access to those servers in the event of
link failure. BGP has plenty of negatives (uneven load sharing,
complex configuration, requires AS number and cooperation from both ISPs, giant
routing tables that eat gobs of router CPU and RAM, etc.), but it is still the
only solution that provides transparent failover for both inbound and outbound
sessions in the event of link failure.
RainWall as a multi-homing solution is really most
effective as cheap protection and link load balancing for outbound Internet
access and email (with multiple MX records). If you don't care so much
that connections have to be re-established after failover, it's a viable
option. Otherwise, BGP is the way to go.
If this will be a cluster
configuration -- that is, allowing session failover and, if necessary,
VPN failover -- then the two boxes will be defined as a cluster; therefore each
internal subnet must be hidden behind one IP. If you decide to break the
state synchronization by configuring the two boxes as totally separate
entities, and allowing yourself to enforce different hide addresses for the
same subnet on two boxes, you will run into problems with dynamically
generated web pages when failover occurs, because the source address for a
session will change and the remote server will be unable to swap the remote
association.
Don't get me wrong, Rainfinity is a great product, but to do this solution
flawlessly, you should still listen to the first response.

"Mark L. Decker" wrote:
Actually, there is a way to do
this (at least for outbound access and mail) without BGP, but it requires
two firewalls in a RainWall cluster. You connect one firewall to ISP A
and the other firewall to ISP B, and both to the same internal subnet.
The firewall A does NAT using range from ISP A, and firewall B does NAT
using range from ISP B. Then you set up the RainWall Ping Monitor to
watch the ISP links. If link to ISP A goes down, RainWall can
automatically disable firewall A, and move its internal IP address to
firewall B, thereby redirecting users out to ISP B. This also allows
load sharing of outbound traffic between the two links. It does not
help in the case of inbound access to an internally hosted webserver, but
mail will still work if you use multiple MX records. Failover is
automatic, but not transparent (because src/dest pair changes). Not a
perfect solution, but then neither is BGP.

Mark L. Decker
Rainfinity
[email protected]
(408) 382-4870
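A model of the mechanism Mark describes, added here as an illustration (it is not code from the thread, nor from RainWall or FireWall-1): a ping-monitor state machine with separate failure and recovery thresholds, and a per-flow egress chooser that shows why the translated source address changes when a link fails over. The link names, NAT addresses (RFC 5737 documentation ranges), flow tuple and thresholds are assumptions.

```python
"""Added example, not from the original thread: RainWall-style link
monitoring and per-flow egress/NAT selection across two ISP uplinks.
All names, addresses and thresholds are assumed values."""
import hashlib
from dataclasses import dataclass


@dataclass
class Link:
    """One ISP uplink and the hide-NAT address that fronts it."""
    name: str
    nat_ip: str                  # public source address for hide-NAT on this link (assumed)
    fail_threshold: int = 3      # consecutive lost probes before the link is declared down
    recover_threshold: int = 5   # consecutive good probes before it is trusted again (flap damping)
    up: bool = True
    fails: int = 0
    oks: int = 0

    def probe(self, reply_received: bool) -> bool:
        """Feed one ping-monitor result; return True if the up/down state changed."""
        if reply_received:
            self.fails, self.oks = 0, self.oks + 1
            if not self.up and self.oks >= self.recover_threshold:
                self.up = True
                return True
        else:
            self.oks, self.fails = 0, self.fails + 1
            if self.up and self.fails >= self.fail_threshold:
                self.up = False
                return True
        return False


def choose_egress(links, src, dst, dport):
    """Pick the link (and therefore the NAT source) for one outbound flow.

    While both links are up, a hash of the flow tuple pins a session to one ISP
    so its translated source address stays stable for the life of the
    connection (per-flow load sharing). A link that is down drops out of the
    candidate list, so every flow leaves via the surviving ISP and is NATed to
    that ISP's address instead; that address change is what breaks existing
    sessions and makes the failover automatic but not transparent.
    """
    alive = [link for link in links if link.up]
    if not alive:
        return None
    digest = hashlib.sha256(f"{src}|{dst}|{dport}".encode()).digest()
    return alive[int.from_bytes(digest[:4], "big") % len(alive)]


def simulate_failover(links, flow, probe_results_for_first_link):
    """Apply a probe history to links[0] and return the flow's translated
    source address before and after it: (nat_before, nat_after)."""
    before = choose_egress(links, *flow).nat_ip
    for ok in probe_results_for_first_link:
        links[0].probe(ok)
    after = choose_egress(links, *flow)
    return before, (after.nat_ip if after else None)


if __name__ == "__main__":
    # Constructed sample: firewall A fronts ISP A, firewall B fronts ISP B.
    uplinks = [Link("ISP-A", "198.51.100.1"), Link("ISP-B", "203.0.113.1")]
    sample_flow = ("10.0.0.5", "192.0.2.10", 443)  # internal host -> remote web server
    print(simulate_failover(uplinks, sample_flow, [False, False, False]))
```

Run it as-is to watch a flow's NAT address move to ISP B after three lost probes on ISP A; the recover threshold being higher than the fail threshold is what stops a flapping link from bouncing sessions back and forth.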
This can only be handled by BGP and
cooperation between the ISPs. FireWall-1 will not change its
security policy/NAT policy when a WAN link drops.
Gunjan Mathur at 9netave wrote:
I have two WAN links using PPP with
static routes from different ISPs. Now I want that if one of my links goes down, the
second link automatically handles everything, and if both are up, load
balancing happens.
And I'm using NAT of my LAN
traffic on the firewall with one ISP's IP range. If the link of this ISP goes down, then all my
LAN users are unable to access the net because of this NAT. How do I configure my setup in such a way that if
the link of the NAT ISP is down, the second link handles the traffic?
GM