Re: two ISP's with two Firewalls.
From: Warren J. Beckett (warren a-generic.com)
Date: Mon Nov 01 2004 - 18:45:53 CST
On Mon, 2004-11-01 at 14:08 -0800, Sean Hafeez wrote:
> Hum. I think a question like this has been asked 100 or so times.
>
> Look, there are a bunch of hacks to do stuff like this but none are
> clean and 100%. At the end of the day I only have one answer - BGP,
> and I have been building large networks for over 15 years now. At the
> end of the day do something, anything to get this setup with BGP. Your
> life will be much easier.
>
> Sorry if that is unhelpful.
Hi there,
I agree completely with your points except about the number of times the
question has been asked :-P
BGP would be the best solution but it was not available to use for no
other reason than Politics.
That aside I have managed to get it all working using PFSYNC. The
missing ingredient was "synproxy state" on the inbound TCP connections.
And for what it is worth I completely threw my toys out of the cot over
this. Communication is such a wonderful thing, but so rarely used.
Cheers,
Warren.
>
>
>
> On Sat, 30 Oct 2004 14:19:52 +0100, Warren J. Beckett
> <warren a-generic.com> wrote:
> > I have been racking my brain to solve a mess that the management have
> > started.
> >
> > We have an existing ISP and a /27 routable address space that we NAT on
> > a Cisco PIX. The network exists over 4 locations linked by leased
> > line and wireless using Cisco routers running OSPF. Each location has a
> > primary and backup connection all handled via OSPF.
> >
> > My plan was and still very much is to replace the ageing PIX with an
> > OBSD firewall as I have had great success in the past along with some
> > of the Cisco routers. I would like to use an OBSD firewall for the new ISP
> > as well. I was thinking of using Soekris systems for both the
> > firewalls and the routers.
> >
> > What has happened is management have signed a contract for another ISP
> > for additional bandwidth and would like to use both ISP's.
> >
> > Here are the details:
> >
> > * Office A has the PIX and connection A ( mentioned above )
> > * Office B will have connection B. ( Location B is the only
> > place we can get the second connection )
> > * Each ISP has allocated us a separate /27 address block
> > * There is no relationship between the ISPs
> > * We cannot use BGP to run one IP address block for both connections.
> > * We have the IP addresses from connection A mapped to internal servers
> > that our clients connect to.
> > * ISP B can provide a "default route" by OSPF.
> >
> > What we would like to be able to do is:
> > Use both to create a more resilient connection for our external
> > clients to our internal systems so they are able to connect via either
> > connection.
> >
> > What would be nice:
> > To be able to balance the data across both ISPs.
> >
> > Making this work as a redundant connection from the perspective of
> > internal users is easily done, but to do the same for external clients
> > connecting to internal systems has got me stumped.
> >
> > To expand on the above.
> >
> > OpenBSD Firewall_A maps address External Address EA_1 to Internal_1
> > OpenBSD Firewall_B maps address External Address EB_1 to Internal_1
> >
> > Obviously when a connection occurs to a server Internal_1 via
> > Firewall_A, but returns via Firewall_B from EA_1, the natting at Firewall_B
> > would binat to the wrong address of EB_1, breaking the
> > session.
> >
> > I was thinking there was some way to TAG incoming packets, and use PFSYNC
> > between the firewalls, then decide the binat to use based on the TAG.
> > But reading the documentation I don't think this is possible.
> >
> > Perhaps a solution is staring me in the face, just a matter of looking
> > outside the BOX I have built around myself.
> >
> > I know there are DNS vendors that can provide semi intelligent incoming
> > load balancing, but unless I deal with the internal issues this will not
> > work.
> >
> > As a gripe I will say this is a perfect example of what happens when
> > management rush off and do something without consulting the people that
> > have to make it work :-( This is almost a typical Dilbert theme.
> >
> > Any advice would be well received.
> >
> > Thanks in Advance,
> >
> > Warren.
>
>
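The reply above names "synproxy state" and PFSYNC as the fix but shows no configuration. The pf.conf sketch below is an added reconstruction for Firewall_A, not the poster's own file: interface names and the addresses standing in for EA_1 and Internal_1 are assumed placeholders, and Firewall_B would carry the mirror image with its ISP B address.

```conf
# Added illustration of the setup discussed in this thread; not the
# original poster's pf.conf. Interface names and addresses are assumed.
ext_if  = "sis0"          # link to ISP A (assumed)
int_if  = "sis1"          # internal network (assumed)
sync_if = "sis2"          # dedicated crossover link to Firewall_B (assumed)
EA_1       = "192.0.2.10" # placeholder for the ISP A public address
Internal_1 = "10.0.0.10"  # placeholder for the internal server

# Firewall_B has the same structure with its own EB_1 -> Internal_1 binat.
binat on $ext_if from $Internal_1 to any -> $EA_1

# pfsync carries no authentication, so keep it on the dedicated link only.
pass quick on $sync_if proto pfsync

block in on $ext_if all

# synproxy: pf completes the client's TCP handshake itself and only then
# opens the connection to the server, so the server never sees a half-open
# session and the state entry exists (and is synced) before server traffic
# can leave by either firewall. pf filters on the post-binat address.
pass in on $ext_if proto tcp from any to $Internal_1 port { 80, 443 } \
    flags S/SA synproxy state

pass out on $ext_if proto tcp all flags S/SA keep state
```

Check with `pfctl -nf /etc/pf.conf` before loading, and confirm the replicated entries with `pfctl -ss` on the peer firewall.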