Regarding NAT between two ISPs

Unanswered Question
May 26th, 2010

Hi All,

I have two internet routers connected to two different ISPs, and both have different public IP pools. These routers are connected to one L2 switch, and then the firewall is attached to this switch. I have NATed the firewall's IP on both routers. Now I want to load balance the traffic for this. Actually, both routers have a 5 Mb link each, so I want to provide 10 Mbps to my LAN. If I use HSRP or another L2 protocol, then it will provide only redundancy, not load balancing. Please help me sort this out. It's urgent.



Thanks and regards,

Taran

Ganesh Hariharan Wed, 05/26/2010 - 04:17

Hi Taran,


I need some information. As you said, the firewall is connected to the L2 switch where your routers are connected. How is the firewall routing to both ISPs in the current situation? Does the firewall have two separate ports to the two routers, and what type of firewall are you using?



Ganesh.H

tarnhundal Wed, 05/26/2010 - 04:49

Hi Ganesh,


Both routers are connected to the L2 switch directly, and there is also a firewall, i.e. a Check Point, connected to this switch. In the present scenario a static route has been defined on the Check Point towards a router, pointing the default gateway to the router's IP address, but now I have got a second router and attached it to this switch. I have to mention one gateway on the firewall. I can't run GLBP because my host is only one, i.e. the firewall, so it can't load balance, and with HSRP I need two gateways to do it, but I have one switch and one firewall. My firewall has two ports connected to the same switch, but it's running in active/standby mode, so traffic flows on one port.


Thanks

Taran

Latchum Naidu Wed, 05/26/2010 - 09:20

Hi,


This may help you or give you some inputs.


Your scenario:

1. Two ISPs connected to one unmanaged switch.

2. Your two routers connected to the same switch.

3. Your Check Point connected to the same switch.


Now you can create HSRP between the two routers and use the VIP as the default gateway in the Check Point. If not...


Why are two ports from the firewall connected to the same switch?



Regards,

Naidu.

tarnhundal Wed, 05/26/2010 - 21:34

Hi Naidu,


Thanks for the reply. Actually, I have used this scenario, but the thing is it will not load balance; it will only create redundancy, because only one default gateway is assigned to the Check Point. We need two VIPs for this. Please suggest another solution.



Thanks

Taran

rajatsetia Wed, 05/26/2010 - 23:37

Hi Tarun,


I am not sure about Check Point. Can you confirm a few points about Check Point, such as whether it will load balance traffic if it has multiple routes of the same metric for a destination?


If yes, you can try this option:


- No HSRP between the routers

- On the firewall, define two static default routes (no default gateway) pointing towards the two LAN-interface IP addresses of the two routers

     ** The firewall is supposed to load balance traffic between two equal-metric static routes and damp the route if the next hop is not reachable


Two important things, if your firewall supports this arrangement:


- Implement WAN tracking so that if the WAN interface goes down, it brings down the LAN interface; otherwise the firewall will end up forwarding traffic to both routers, and in case of a WAN failure half of the traffic will be black-holed

- You may have to check PBR in case any of your LAN traffic has to be bound to a specific public IP address pool, i.e. you have to route particular LAN traffic towards a specific ISP router.


Hope this helps


Kind Regards,
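As an added example that is not from any post in this thread, here is what the WAN-tracking and NAT pieces of the arrangement above look like on one of the two Cisco IOS routers (the second router is configured the same way with its own ISP pool). The interface names, the firewall outside address 10.0.0.10 standing in for x.x.x.10, and the ISP1 addresses (RFC 5737 documentation space 203.0.113.0/24) are assumptions, not values from the thread.

```cisco
! Added example, not from the thread. RTR-ISP1, Cisco IOS.
! Assumed: GigabitEthernet0/0 faces ISP1, GigabitEthernet0/1 faces the LAN
! switch and the firewall; firewall outside address 10.0.0.10 stands in for
! x.x.x.10; ISP1 next hop 203.0.113.1 and public pool 203.0.113.16-.23 are
! documentation addresses, not real ISP values.
interface GigabitEthernet0/0
 description ISP1 uplink
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/1
 description LAN segment shared with RTR-ISP2 and the firewall
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
! Probe the ISP1 next hop every 5 s; track object 10 follows reachability
ip sla 10
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/0
 frequency 5
ip sla schedule 10 life forever start-time now
track 10 ip sla 10 reachability
 delay down 10 up 20
!
! Default route to ISP1, withdrawn from the RIB when the probe fails
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 10
!
! Translate only the firewall's outside address into ISP1's pool (PAT),
! so nothing else on the shared L2 segment is NATed out by accident
ip access-list standard FW-OUTSIDE
 permit host 10.0.0.10
ip nat pool ISP1-POOL 203.0.113.16 203.0.113.23 netmask 255.255.255.248
ip nat inside source list FW-OUTSIDE pool ISP1-POOL overload
!
! WAN tracking made visible on the LAN side: shut the LAN interface when
! ISP1 is unreachable so the firewall's equal-cost route via this router
! disappears instead of black-holing half of the traffic
event manager applet ISP1-DOWN
 event track 10 state down
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "interface GigabitEthernet0/1"
 action 4.0 cli command "shutdown"
!
event manager applet ISP1-UP
 event track 10 state up
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "interface GigabitEthernet0/1"
 action 4.0 cli command "no shutdown"
```

The EEM applets are what turn the SLA-based WAN tracking into a LAN-side signal the firewall can act on: with `ip route ... track 10` alone the router stops forwarding, but the firewall's static route to 10.0.0.1 stays up and half of its sessions are still sent into a dead router. Two caveats to check before relying on this. First, verify with `show ip sla statistics 10` and `show track 10` that the probe is actually answered by the next hop; some ISPs filter ICMP on the point-to-point link, in which case probe a host further out. Second, because each router translates to a different public pool, the firewall must balance per flow (hashing source/destination address and port), not per packet: a session that moves between the two routers mid-connection changes its public source address and is reset by the far end, which is the "shuffling" behaviour described later in the thread.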

tarnhundal Thu, 05/27/2010 - 02:47

HI Rajat,


What you mention here is right. I am not running HSRP now, but in Check Point I can't put two static routes because it's running in active/standby mode, and I don't think that two routes will work in it.

For the tracking system I have implemented SLA.


Thanks

Taran

rajatsetia Thu, 05/27/2010 - 05:36

Hi,


Kindly pardon my limited knowledge of Check Point, but I don't think configuring two default routes in a firewall is a problem even if it has a standby partner.



Let me tell you what I have understood from the problem statement.


You have two routers, and both are connected to different ISPs,


e.g. RTR-ISP1 and RTR-ISP2,


and they are connected to a Layer 2 switch on the LAN side.


Say their LAN IPs are:


RTR-ISP1 - x.x.x.1/24

RTR-ISP2 - x.x.x.2/24


Also, you have two firewalls working in Active/Standby mode, also connected to the same Layer 2 switch, and all routers and firewalls are in the same VLAN:


Firewall-A

Firewall-B


IP addresses of the firewall outside interfaces (the ones connected to the Layer 2 switch):


Firewall-A - x.x.x.3/24

Firewall-B - x.x.x.4/24

Virtual IP - x.x.x.10/24


As far as NAT is concerned, I guess you have x.x.x.10 being NATed at both routers.


Now what I am trying to say is that you can configure two default routes on both firewalls pointing towards the routers as next hops for load balancing,


i.e. one default route will have x.x.x.1 and the other default route will have x.x.x.2 as next hop.


So the firewall should be able to load balance the uplink traffic towards both routers, and both routers will do NAT for the firewall IP with their public address pools.


Kindly let me know if I got something wrong here about the setup.


Kind Regards,

tarnhundal Mon, 05/31/2010 - 01:10

HI

Thanks for the reply. Actually, what you suggest is correct, but the thing is I can't create a VIP on the firewall because I am using Ndurant hardware with Check Point, so it doesn't support VIP. Otherwise your design is fine, so what do you say?


Thanks

Taran

rajatsetia Mon, 05/31/2010 - 03:44

Hi Taran,


When you say the firewall does not support VIP, that is fine. Can you please tell me how HA works in your firewall?


What IP addresses are configured on your firewall, and what will happen when the primary fails? And what is the routers' next-hop IP address towards the LAN segment?


Kind Regards,

tarnhundal Mon, 05/31/2010 - 04:48

Hi


The standby firewall will become active after the primary fails. Actually, I am not managing the firewall. I have done one thing as R&D: I am running GLBP on both routers, and the switch has the default gateway of that VIP. Now I have done NAT on both routers with the firewall's IP. Now I have seen that there is load balancing, but there is a different thing which I noted: the internet is shuffling between the routers, so there is no continuous flow. I have seen one thing: GLBP can't load balance because it's learning only one MAC, i.e. the firewall's. To perform load balancing it should have at least two MAC addresses. Can you help me with this?



Thanks

Taran

Ganesh Hariharan Wed, 05/26/2010 - 22:53

Hi Taran,


With the above architecture you have only one option: policy-based routing on the Check Point, as the Check Point will be the single point of interface that is connected to both ISPs via direct connection.


What version of Check Point are you using, and on which platform?


Hope this helps!


Ganesh.H

Latchum Naidu Thu, 05/27/2010 - 02:23

Hi,


Add a default route to both ISPs like below. I hope that will work out here...


ip route 0.0.0.0 0.0.0.0 ISP1

ip route 0.0.0.0 0.0.0.0 ISP2



Regards,

Naidu.

tarnhundal Thu, 05/27/2010 - 03:00

Naidu


I have done this already on both routers, but the main requirement is to do NAT with both ISPs' IPs so that I can get the total bandwidth.


regards,

Taran

tarnhundal Thu, 05/27/2010 - 02:49

Hi Ganesh


Even though two ports of the Check Point have been connected to the switch, it acts in active/standby, so only one port will be used at a time.


thanks

Taran
