On 12/23/10 10:06 AM, Jamie Begin wrote:
> Hello --
>
> Our existing firewall is provided and managed by a telco company that
> also provides a T1 circuit and MPLS. The firewall has a small subnet on
> the public side and a 10.0.0.0/24 address on the private side. All
> clients on the LAN use the firewall as their default gateway.
> Additionally, some of the public addresses are static NATed back to a
> few servers within the LAN.
>
> Since 1.54 Mb/s is getting pretty tight for Internet access, we'd like
> to supplement our connectivity with an inexpensive broadband connection.
> A cable modem won't come with the SLA of bringing in an additional
> circuit, but considering the difference in cost, it's something we can
> live with. The problem is that (obviously) the telco won't allow us to
> connect another provider into their managed firewall. What I'd like to
> do is put a secondary firewall (a Linux box with Shorewall) behind the
> existing firewall. Using three interfaces, I could interconnect the
> LAN, broadband, and existing firewall. I've read through the multi-ISP
> docs, but I don't know if the additional layer of NATing (performed by
> the existing firewall) is going to cause me problems.
>
> What would be the best way to make a "drop in" solution that would not
> require changes to the existing firewall? Would it make sense to bridge
> the LAN and existing firewall interfaces?
Don't know if your physical network will allow this solution, but what I
would consider is to:

a) Leave the NATed servers in the 10.0.0.0/24 network and in the same LAN
   connected to your existing firewall.

b) Add a Shorewall box to that LAN and place all of the rest of your
   systems in a LAN behind the Shorewall box.

c) Connect your broadband to a second NIC on the Shorewall box.

d) Connect the rest of your local systems to a third NIC on the Shorewall
   box.

You will now have a setup that is quite similar to what is described at
http://www.shorewall.net/MultiISP.html#Complete. You can then configure
Shorewall to use the broadband connection for outgoing connections from
your LAN and to only do double NAT if the broadband connection is down.

Hope that helps.

-Tom
--
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________
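The following is an added illustration of the layout Tom describes, written for this page; it is not part of his reply and not taken from the Shorewall project's documentation. It assumes Shorewall 4.4-era file formats (the version current at the time of the thread), that the Shorewall box's eth0 sits on the existing 10.0.0.0/24 segment with the telco firewall at 10.0.0.1, that eth1 faces the cable modem and gets its address by DHCP, and that the internal LAN behind eth2 is renumbered to 192.168.1.0/24. All of those addresses, interface names and provider names are assumptions chosen for the example.

```text
# /etc/shorewall/zones
# The 10.0.0.0/24 segment (eth0) is deliberately placed in the same "net"
# zone as the cable modem: the statically-NATed servers that stay there are
# Internet-exposed, so the inner LAN should not trust them by default.
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      # towards the telco-managed firewall (10.0.0.1)
net     eth1        detect      dhcp     # cable modem
loc     eth2        detect      # internal LAN, 192.168.1.0/24 (assumed)

# /etc/shorewall/providers
# "balance" puts the cable link's default route into the default routing
# table; "fallback" adds a second default route via the telco firewall with
# a higher metric, so it is used only while the cable route is absent.
#NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY    OPTIONS          COPY
Cable   1       1     main       eth1       detect     track,balance    -
Telco   2       2     main       eth0       10.0.0.1   track,fallback   -

# /etc/shorewall/masq
# Traffic leaving via eth0 is SNATed to the box's 10.0.0.x address and then
# NATed a second time by the telco firewall (the "double NAT" case).
#INTERFACE   SOURCE
eth0         192.168.1.0/24
eth1         192.168.1.0/24

# /etc/shorewall/policy
#SOURCE   DEST   POLICY   LOG LEVEL
loc       net    ACCEPT
loc       fw     ACCEPT
fw        all    ACCEPT
net       all    DROP     info
all       all    REJECT   info
```

Two caveats for anyone reproducing this. First, the fallback route only takes over once the cable provider's default route is withdrawn; Shorewall does not itself watch a link that stays "up" at the Ethernet level while the cable service is dead, so a link monitor such as lsm (which the Shorewall multi-ISP documentation discusses) is needed to re-run Shorewall when the broadband path fails. Second, because the NATed servers remain on the 10.0.0.0/24 segment, the telco firewall's existing static NAT rules are untouched, and the inner LAN hosts only need their default gateway changed to the Shorewall box's eth2 address.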
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
