I'm trying to plan out a new configuration for our new multi-isp setup.  Part 
of what is confusing me is the asymmetry between the two setups.  Our current 
ISP provides us with a router and our first public IP is used by its LAN port.
Our new provider is not providing a router and I want to use our shorewall 
box as the router.  I have 4 ports on it (currently configured for local, dmz, 
and net) and was planning on using the 4th for the new provider.  It will be 
part of a /30 subnet connecting to our ISP.  We also have a /27 subnet for 
public IPs.


So my thought is something like:


        ISP1/27       ISP2/30
           |p2p1          |p2p2
      +-----------------------+
      |     firewall/router   |---em2 dmz 192.168.201.1/29
      |                       |           ISP2/27
      +-----------------------+
                 |em1
         loc 10.10.0.1/16

We use nat for some servers on the local network and will want to have similar 
entries for the new ISP.  Does this work?  For outgoing packets, what external 
address is used?

#EXTERNAL       INTERFACE       INTERNAL        ALL             LOCAL
#                                               INTERFACES
ISP1/27 addr    p2p1            10.10.X.X       No              No
ISP2/27 addr    em2             10.10.X.X       No              No

The current dmz addresses for ISP1 are handled through proxyarp, but I figure 
the new ISP2 addresses could be used directly there.

I'll want the vast majority of traffic to go through ISP2, but some targeted 
services to use ISP1 and to have ISP1 as a fail-over.  Haven't started looking 
at that yet in detail.

Thanks for any thoughts/suggestions.

-- 
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA/CoRA Division                    FAX: 303-415-9702
3380 Mitchell Lane                  [email protected]
Boulder, CO 80301              http://www.cora.nwra.com
