
RE: [FW1] Multiple WAN Links.



Another option is Radware's Linkproof appliance which handles multiple ISP connections without requiring BGP.

Pat Scopelliti

> ----------
> From: 	Mark L. Decker[SMTP:[email protected]]
> Reply To: 	[email protected]
> Sent: 	Thursday, November 02, 2000 11:17 PM
> To: 	'CryptoTech'
> Cc: 	'Gunjan Mathur at 9netave'; [email protected]
> Subject: 	RE: [FW1] Multiple WAN Links.
> 
> Agreed.  If transparent failover is your top priority, BGP is the better solution.  If you host web servers internally that need to be reached from the outside world, BGP also prevents you from having to play games with DNS to provide access to those servers in the event of link failure.  BGP has plenty of negatives (uneven load sharing, complex configuration, requires AS number and cooperation from both ISPs, giant routing tables that eat gobs of router CPU and RAM, etc.), but it is still the only solution that provides transparent failover for both inbound and outbound sessions in the event of link failure.
>  
> RainWall as a multi-homing solution is really most effective as cheap protection and link load balancing for outbound Internet access and email (with multiple MX records).  If you don't care so much that connections have to be re-established after failover, it's a viable option.  Otherwise, BGP is the way to go.
> 
> 	-----Original Message-----
> 	From: CryptoTech [mailto:[email protected]]
> 	Sent: Thursday, November 02, 2000 7:40 PM
> 	To: [email protected]
> 	Cc: 'Gunjan Mathur at 9netave'; [email protected]
> 	Subject: Re: [FW1] Multiple WAN Links.
> 
> 
> 	If this will be a cluster configuration -- that is, allowing session failover, and if necessary, vpn-failover, then the two boxes will be defined as a cluster, therefore each internal subnet must be hidden behind one ip.  If you decide to break the state synchronization by configuring the two boxes as totally separate entities, and allowing yourself to enforce different hide addresses for the same subnet on two boxes, you will run into problems with dynamically generated web pages when failover occurs, because the source address for a session will change and the remote server will be unable to swap the remote association. 
> 
> 	Don't get me wrong, Rainfinity is a great product, but to do this solution flawlessly, you should still listen to the first response.
> 
> 	"Mark L. Decker" wrote: 
> 
> 		 Actually, there is a way to do this (at least for outbound access and mail) without BGP, but it requires two firewalls in a RainWall cluster.  You connect one firewall to ISP A and the other firewall to ISP B, and both to the same internal subnet.  Firewall A does NAT using a range from ISP A, and firewall B does NAT using a range from ISP B.  Then you set up the RainWall Ping Monitor to watch the ISP links.  If the link to ISP A goes down, RainWall can automatically disable firewall A, and move its internal IP address to firewall B, thereby redirecting users out to ISP B.  This also allows load sharing of outbound traffic between the two links.  It does not help in the case of inbound access to an internally hosted webserver, but mail will still work if you use multiple MX records.  Failover is automatic, but not transparent (because src/dest pair changes).  Not a perfect solution, but then neither is BGP.
> 		 Mark L. Decker
> 		 Rainfinity
> 		 [email protected]
> 			-----Original Message----- 
> 			From: [email protected] [ mailto:[email protected]]On Behalf Of CryptoTech 
> 			Sent: Thursday, November 02, 2000 6:12 AM 
> 			To: Gunjan Mathur at 9netave 
> 			Cc: [email protected] 
> 			Subject: Re: [FW1] Multiple WAN Links. 
> 			 
> 			This can only be handled by BGP and cooperation between the ISPs.  FireWall-1 will not change its security policy/NAT policy when a WAN link drops.
> 
> 			Gunjan Mathur at 9netave wrote:
> 
> 				I have two WAN links using PPP with static routes from different ISPs.
> 				Now I want that if one link goes down, the second link automatically handles
> 				everything, and if both are up, load balancing happens.
> 
> 				I'm also NATting my LAN traffic on the firewall with one ISP's IP range.
> 				If the link to this ISP goes down, all my LAN users are unable to access
> 				the net because of this NATting.
> 				How do I configure my setup so that if the link to the NATting ISP
> 				is down, the second link handles the traffic?
> 				  
> 				  
> 
> 				GM 
> 				  
> 				 
> 
> 


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
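
An added sketch, not part of the original thread and not RainWall or FireWall-1 code: a small Python model of the two-firewall design discussed above. It shows why failover is automatic but not transparent (the hide-NAT source address changes, so the remote server no longer recognizes the session) and why inbound mail still arrives through multiple MX records. All addresses, hostnames and class names are constructed for illustration, and the source port is kept unchanged through NAT as a simplification.

```python
from dataclasses import dataclass

@dataclass
class Firewall:
    name: str
    hide_addr: str        # hide-NAT address from this firewall's ISP range
    link_up: bool = True  # result of the ping monitor for the ISP link

class Cluster:
    def __init__(self, owner):
        self.owner = dict(owner)          # internal gateway IP -> firewall holding it
        self.fws = list(owner.values())

    def monitor(self):
        """Move gateway IPs away from any firewall whose ISP link is down."""
        alive = [f for f in self.fws if f.link_up]
        if not alive:
            raise RuntimeError("both ISP links are down")
        for gw, fw in self.owner.items():
            if not fw.link_up:
                self.owner[gw] = alive[0]

    def egress(self, gw, sport, dst, dport):
        """4-tuple the remote server sees after hide NAT."""
        return (self.owner[gw].hide_addr, sport, dst, dport)

class RemoteServer:
    def __init__(self):
        self.established = set()
    def syn(self, tup):
        self.established.add(tup)
    def data(self, tup):
        return tup in self.established    # unknown tuple: segment is rejected

def pick_mx(mx_records, reachable):
    """Senders try MX hosts in ascending preference; first reachable wins."""
    return next((h for _, h in sorted(mx_records) if h in reachable), None)

def failover_demo():
    a = Firewall("A", "198.51.100.10")    # constructed ISP A address
    b = Firewall("B", "203.0.113.10")     # constructed ISP B address
    cluster = Cluster({"10.0.0.1": a, "10.0.0.2": b})
    server = RemoteServer()
    before = cluster.egress("10.0.0.1", 40000, "192.0.2.80", 80)
    server.syn(before)
    a.link_up = False                     # ISP A link fails
    cluster.monitor()
    after = cluster.egress("10.0.0.1", 40000, "192.0.2.80", 80)
    survived = server.data(after)         # existing session after failover
    server.syn(after)                     # client reconnects via ISP B
    return before[0], after[0], survived, server.data(after)
```
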



 