Multiple gateways??? Redundant connection suggestions.
Patrick
pert at tas-kc.com
Fri Mar 5 03:35:05 CST 2004
My PIX is a 506(?), not the low end but the next one up. It only has
internal and external. Rather than try and get it to route and
stuff--and possibly expose my internal net, I have my DMZ outside of it.
I only have one internal net. The two nets come into play because ISP one
gave me 5 IPs and ISP two gave me a whole class C. Ideally I would like
to load balance a little, and of course fail over. I am guessing
something to do with adding a matrix on my gateway entries.
I can force it to go to one gateway or another. If I put both entries as
standard 0.0.0.0 it does not recognise requests from both. In other
words it's not pulling up web pages, etc. I thought the internet was
designed to be able to return data down a second path if needed. I guess
with the spoofing there are probably safeguards in place so it is not
replying down the default gateway for requests that came from the
non-default. And the boxes are obviously not returning requests to the
gateway they came from.
I could add two NICs to my Linux box, but this is not regular routing
where you can say net1 here and net2 here. It would have 2 default
routes 0.0.0.0 ... But since each NIC would reply to its own traffic it
would not have to guess about gateways. Which is why I am thinking of
running 2 nets on the physical DMZ segment. It gets "messy". Having two
different IP nets on the same physical segment is supposed to work; you
just need a router if you want them to talk to each other, which would
not be a big deal if all the machines have an address in each.
>
>
>  +--------+          +-------+
>  | ISP 1  |          | ISP 2 |
>  +--------+          +-------+
>       |                   |
>       ---------------------
>                |
>           +----+-----+
>           | Firewall |
>           +----+-----+
>             |  |  |
>  +-----------+  |  +---------------+
>  |    DMZ    |  |  | Internal Net 2|
>  +-----------+  |  +---------------+
>                |
>       +--------+--------+
>       | Internal Net 1  |
>       +-----------------+
>
> The above shows the firewall protecting all nets from the bad ol'
> internet. The firewall (especially if a Linux box w/ multiple NICs)
> can also route between the 2 internal nets and the DMZ. The Linux
> box can act as a bridge between the 2 internal nets to segment
> traffic. You could setup pinholes to allow access as necessary
> between nets or into the DMZ(to get to servers). These are going to
> be IPtables rules.
> Internal Net 1 (192.168.1.x 192.168.1.1 Gateway)
> Internal Net 2 (192.168.2.x 192.168.2.1 Gateway)
> DMZ Net (192.168.3.x 192.168.3.1 Gateway)
> 3 NICs for internal and DMZ nets and 2 more somethings to connect the
> ISPs. You may want to add your PIX in to the mix between the firewall
> and the 2 ISPs and let it do the load balance (requires 3 ports). If
> it had 4, it could have the DMZ dangling off it too, but that would
> make it more complicated.
>
> ----------------------------------------------
> Somewhere there is a village missing an idiot.
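Patrick's "two default routes on one Linux box" problem above is the classic multihoming case: with a single default route, replies to traffic that arrived via ISP 2 leave via ISP 1's gateway, so the far end either never sees them or an upstream filter drops them as spoofed. The usual fix on Linux is policy routing (iproute2): one routing table per ISP, each with its own default gateway, and a rule that sends packets *sourced from* an ISP's address through that ISP's table. The script below is an added example, not code from the original thread; the interface name (eth0), the addresses and the gateways are hypothetical placeholders standing in for the "5 IPs" and the "class C". It prints the commands by default (DRY_RUN=1) so it can be read and checked before being run as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the original post): iproute2 policy routing for a
# Linux host with one address from each of two ISPs on the same segment, so
# replies leave via the gateway that matches their source address rather than
# the single default route. Interfaces, addresses and gateways are placeholders.

# Print the command (DRY_RUN=1, the default) or execute it (DRY_RUN=0).
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# policy_route IFACE LOCAL_ADDR PREFIX GATEWAY TABLE_ID
# Per-ISP routing table with its own connected route and default gateway, plus
# a rule that steers traffic sourced from that ISP's address into the table.
policy_route() {
  iface=$1 addr=$2 prefix=$3 gw=$4 table=$5
  run ip route add "$prefix" dev "$iface" src "$addr" table "$table"
  run ip route add default via "$gw" dev "$iface" table "$table"
  run ip rule add from "$addr" table "$table" pref "$((100 + table))"
}

# Emit the whole configuration on stdout (or apply it when DRY_RUN=0).
multihome_config() {
  # Hypothetical ISP 1: a /29 of statics, our address .10, gateway .9
  policy_route eth0 203.0.113.10 203.0.113.8/29 203.0.113.9 101
  # Hypothetical ISP 2: a /24, our address .10, gateway .1
  policy_route eth0 198.51.100.10 198.51.100.0/24 198.51.100.1 102
  # Main table: a multipath default for locally originated connections whose
  # source address is not yet fixed. The kernel picks a nexthop per destination
  # (crude load balancing) and skips a nexthop whose link is down (failover).
  run ip route add default scope global \
    nexthop via 203.0.113.9 dev eth0 weight 1 \
    nexthop via 198.51.100.1 dev eth0 weight 1
  # Reverse-path filtering is the "spoofing safeguard" that bites here:
  # strict mode (1) drops a packet if the reply would leave another interface,
  # loose mode (2) only requires the source to be reachable at all, which is
  # what a multihomed host with both ISPs on one segment needs.
  run sysctl -w net.ipv4.conf.all.rp_filter=2
  run ip route flush cache
}

# When run directly, show (or apply) the configuration.
multihome_config
```

Once a connection has been answered from 198.51.100.10, every reply carries that source address and so matches the `from 198.51.100.10` rule and leaves through ISP 2's gateway, which is exactly the "each NIC replies to its own traffic" behaviour described above, without needing a second NIC. Two caveats: the multipath default route balances per destination and is not a substitute for real link monitoring, and if the box is also NATing internal clients, outbound connections need a connection mark (iptables CONNMARK plus an `ip rule fwmark` entry) so that a flow stays on the ISP it started on; that part is not shown here.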
More information about the Kclug mailing list