Re: two ISP's with two Firewalls.
From: Sean Hafeez (sah.list at gmail.com)
Date: Mon Nov 01 2004 - 16:08:07 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hum. I think a question like this has been asked 100 or so times.
Look, there are a bunch of hacks to do stuff like this but none are
clean and 100%. At the end of the day I only have one answer - BGP,
and I have been building large networks for over 15 years now. At the
end of the day do something, anything to get this setup with BGP. Your
life will be much easier.
Sorry if that is unhelpful.
On Sat, 30 Oct 2004 14:19:52 +0100, Warren J. Beckett
<warren at a-generic.com> wrote:
> I have been racking my brain to solve a mess that the management have
> started.
>
> We have an existing ISP and a /27 routable address space that we NAT on
> a Cisco PIX. The network exists over 4 locations linked by leased
> line and wireless using Cisco routers running OSPF. Each location has a
> primary and backup connection, all handled via OSPF.
>
> My plan was, and still very much is, to replace the ageing PIX with an
> OBSD firewall, as I have had great success in the past, along with some
> of the Cisco routers. I would like to use an OBSD firewall for the new ISP
> as well. I was thinking of using Soekris systems for both the
> firewalls and the routers.
>
> What has happened is management have signed a contract for another ISP
> for additional bandwidth and would like to use both ISP's.
>
> Here are the details:
>
> * Office A has the PIX and connection A ( mentioned above )
> * Office B will have connection B. ( Location B is the only
> place we can get the second connection )
> * Each ISP has allocated us a separate /27 address block
> * There is no relationship between the ISPs
> * We cannot use BGP to run one IP address block for both connections.
> * We have the IP addresses from connection A mapped to internal servers
> that our clients connect to.
> * ISP B can provide a "default route" by OSPF.
>
> What we would like to be able to do is:
> Use both to create a more resilient connection for our external
> clients to our internal systems so they are able to connect via either
> connection.
>
> What would be nice:
> To be able to balance the data across both ISPs.
>
> Making this work as a redundant connection from the perspective of
> internal users is easily done, but doing the same for external clients
> connecting to internal systems has got me stumped.
>
> To expand on the above.
>
> OpenBSD Firewall_A maps address External Address EA_1 to Internal_1
> OpenBSD Firewall_B maps address External Address EB_1 to Internal_1
>
> Obviously, when a connection occurs to server Internal_1 via
> Firewall_A (EA_1) but returns via Firewall_B, the natting at Firewall_B
> would binat to the wrong address of EB_1, breaking the
> session.
>
> I was thinking there was some way to TAG incoming packets, and use PFSYNC
> between the firewalls, then decide the binat to use based on the TAG.
> But reading the documentation I don't think this is possible.
>
> Perhaps a solution is staring me in the face; just a matter of looking
> outside the box I have built around myself.
>
> I know there are DNS vendors that can provide semi intelligent incoming
> load balancing, but unless I deal with the internal issues this will not
> work.
>
> As a gripe, I will say this is a perfect example of what happens when
> management rush off and do something without consulting the people that
> have to make it work :-( This is almost a typical Dilbert theme.
>
> Any advice would be well received.
>
> Thanks in Advance,
>
> Warren.
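The asymmetric-return problem Warren describes (a connection enters through one firewall, Internal_1's reply follows the OSPF default route to the other, and the second firewall's binat rewrites it to the wrong public address) cannot be fixed by tagging alone, because the reply never reaches the firewall that holds the state. One standard pf approach is to source-translate forwarded connections on the way in, so the server's replies are routed back to whichever firewall they came through. The fragment below is an added illustration for Firewall_B and is not from the thread or from either poster; it uses the OpenBSD 3.x-era `nat`/`rdr` syntax current in 2004 (on pf 4.7 and later these are written as `match ... rdr-to` / `nat-to`), and every interface name and address in it is a hypothetical stand-in (203.0.113.0/24 for ISP B's /27, 10.0.0.0/8 for the internal network).

```pf
# Firewall_B pf.conf fragment (added example, not the original poster's config).
# Interface names and addresses are hypothetical placeholders.
ext_if     = "sis0"           # link to ISP B
int_if     = "sis1"           # link into the internal OSPF network
isp_b_gw   = "203.0.113.1"    # ISP B's gateway
eb_1       = "203.0.113.10"   # EB_1, the public address from ISP B's /27
internal_1 = "10.0.0.10"      # Internal_1, the server both firewalls expose
srv_ports  = "{ 80, 443 }"

# 1. Inbound port forward: clients reach Internal_1 via EB_1. A one-to-one
#    binat is deliberately NOT used here, so Internal_1's outbound traffic
#    is never rewritten to EB_1 unless it belongs to a state created below.
rdr on $ext_if proto tcp from any to $eb_1 port $srv_ports -> $internal_1

# 2. Source-translate the forwarded connection to Firewall_B's inside address.
#    Internal_1 now sees the client as Firewall_B, so its replies are routed
#    back to Firewall_B regardless of where the OSPF default route points.
#    Cost: Internal_1's logs show Firewall_B's address, not the real client.
nat on $int_if proto tcp from any to $internal_1 port $srv_ports -> ($int_if)

# 3. Create state on the inbound rule. reply-to pins the reverse direction
#    of that state to ISP B, so the untranslated reply (EB_1 -> client)
#    leaves via ISP B even if Firewall_B itself learns a different default
#    route from OSPF.
pass in  on $ext_if reply-to ($ext_if $isp_b_gw) proto tcp \
    from any to $internal_1 port $srv_ports flags S/SA keep state
pass out on $int_if proto tcp from any to $internal_1 port $srv_ports \
    keep state
```

The same three rules, with EA_1 and ISP A's gateway substituted, go on Firewall_A; the state for each connection then lives only on the firewall it entered through, which is why no pfsync-shared tagging is needed. Traffic Internal_1 originates itself still follows the OSPF default and is translated by whichever firewall it exits, as before.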