On Thu, 2010-12-23 at 13:06 -0500, Jamie Begin wrote:
> Hello --

Hi,

> Our existing firewall is provided and managed by a telco company that also
> provides a T1 circuit and MPLS. The firewall has a small subnet on the
> public side and a 10.0.0.0/24 address on the private side. All clients on
> the LAN use the firewall as their default gateway. Additionally, some of
> the public addresses are static NATed back to a few servers within the LAN.

OK.

> Since 1.54 Mb/s is getting pretty tight for Internet access, we'd like to
> supplement our connectivity with an inexpensive broadband connection. A
> cable modem won't come with the SLA of bringing in an additional circuit,
> but considering the difference in cost, it's something we can live with.

Fair enough, and you have the T1 in case the cable connection goes down.

> The problem is that (obviously) the telco won't allow us to connect another
> provider into their managed firewall. What I'd like to do is put a
> secondary firewall (a Linux box with Shorewall) behind the existing
> firewall. Using three interfaces, I could interconnect the LAN, broadband,
> and existing firewall.

Right. Treat the existing connection as just a regular ISP.

> I've read through the multi-ISP docs, but I don't
> know if the additional layer of NATing (performed by the existing firewall)
> is going to cause me problems.

Hrm. I wouldn't think you will have any more problems than you already have. That is, if the NAT on your existing firewall works 100% for you, then a second NAT should not introduce any more issues than you would have had without the existing NAT you have.

> What would be the best way to make a "drop in" solution that would not
> require changes to the existing firewall?

You should not need to change the existing firewall if you just drop your shorewall in behind it and treat the existing firewall/connection as just another Internet provider.

> Would it make sense to bridge the
> LAN and existing firewall interfaces?

I wouldn't.

The only thing I might try to do is to get a real IP/subnet on the LAN side of your existing connection rather than an unroutable address -- so that your existing connection is fully routed and not NATted. Now, if you wanted a LAN's worth of addresses from your provider I could imagine they'd squawk at that, but you really only need 1, although a few more (so 3-4) might end up coming in handy for you if you can get them. For a managed service such as you have, it should not be a problem for your provider to put a small routed network on the LAN side of their router. I think I'd also ask them to turn off the filtering on their router, since you are going to do that with Shorewall anyway.

b.
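As an added example (not from this thread or the Shorewall project), here is the set of Shorewall configuration files for the layout b. recommends: a three-interface Shorewall box with the telco firewall treated as one provider and the cable modem as the other, and the Shorewall box doing its own NAT behind the telco NAT. Interface names, the 192.168.1.0/24 LAN subnet (the LAN is assumed to be renumbered so that 10.0.0.0/24 stays on the telco link), the 10.0.0.1/10.0.0.2 addresses on that link, the 10.0.0.10 and 192.168.1.10 server addresses and the Shorewall 4.4-style column layout are all assumptions.

```text
# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4        # both uplinks: the telco firewall and the cable modem
loc     ipv4        # the office LAN

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs       # 10.0.0.2/24, toward the telco firewall (10.0.0.1)
net     eth1        detect      dhcp,tcpflags,nosmurfs  # cable modem, address assigned by DHCP
loc     eth2        detect      tcpflags,nosmurfs       # 192.168.1.1/24, the LAN
# routefilter is deliberately left off: with two uplinks, reply packets can
# legitimately arrive on an interface other than the one routing would pick.

# /etc/shorewall/providers
#NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY    OPTIONS         COPY
cable   1       1     main       eth1       detect     track,balance   eth2
telco   2       2     main       eth0       10.0.0.1   track,fallback  eth2
# track: connections are marked so replies leave through the uplink they
# arrived on, which keeps the telco firewall's static NATs working through
# this box. fallback: the T1 carries default-route traffic only while the
# cable default route is absent (i.e. eth1 is down); Shorewall alone does not
# detect a dead upstream behind a live interface.

# /etc/shorewall/masq
#INTERFACE  SOURCE            ADDRESS
eth0        192.168.1.0/24    # second NAT layer; the telco firewall NATs again
eth1        192.168.1.0/24

# /etc/shorewall/policy
#SOURCE  DEST   POLICY   LOG LEVEL
loc      net    ACCEPT
$FW      net    ACCEPT
net      all    DROP     info
all      all    REJECT   info

# /etc/shorewall/rules
# The telco firewall still forwards a public address to 10.0.0.10, so this box
# holds 10.0.0.10 as a secondary address on eth0 and passes the traffic on to
# the server, which now lives at 192.168.1.10 (assumed addresses).
#ACTION  SOURCE  DEST               PROTO  DEST PORT  SOURCE PORT  ORIGINAL DEST
DNAT     net     loc:192.168.1.10   tcp    80,443     -            10.0.0.10
```

Run `shorewall check` before `shorewall restart` to validate the files; the `track` option on both providers is what makes double-NATed inbound connections return via the telco link instead of the cable link.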
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
