Regarding NAT between two ISPs

May 26th, 2010

Hi All

I have two internet routers connected to two different ISPs, and both have different public IP pools. These routers are connected to one L2 switch, and the firewall is attached to this switch. I have NATted the firewall's IP on both routers. Now I want to load-balance the traffic for this. Actually, both routers have a 5 Mb link each, so I want to provide 10 Mbps to my LAN. If I use HSRP or another L2 protocol, it will provide only redundancy, not load-balancing. Please help me sort this out. It's urgent.

Thanks and regards,

Taran

Ganesh Hariharan Wed, 05/26/2010 - 04:17

Hi Taran,

I need some information. As you said, the firewall is connected to the L2 switch where your routers are connected. How is the firewall routing to both ISPs in the current situation? Does the firewall have two separate ports to both routers, and what type of firewall are you using?

Ganesh.H

tarnhundal Wed, 05/26/2010 - 04:49

Hi Ganesh,

Both routers are connected to the L2 switch directly, and there is also a firewall, i.e. a Check Point, connected to this switch. In the present scenario a static route has been defined on the Check Point towards one router, pointing at a default gateway, i.e. the router's IP address, but now I have got a second router and attached it to this switch. I have to mention one gateway on the firewall. I can't run GLBP because my host is only one, i.e. the firewall, so it can't load-balance, and with HSRP I need two gateways to do it, but I have one switch and one firewall. My firewall has two ports connected to the same switch, but it's running in active/standby mode, so traffic flows on one port.

Thanks

Taran

Latchum Naidu Wed, 05/26/2010 - 09:20

Hi,

This may help you or give some input.

Your scenario:

1. Two ISPs connected to one unmanaged switch.

2. Your two routers connected to the same switch.

3. Your Check Point connected to the same switch.

Now you can create HSRP between the two routers and use the VIP as the default gateway on the Check Point. If not..

Why are two ports from the firewall connected to the same switch?

Regards,

Naidu.

tarnhundal Wed, 05/26/2010 - 21:34

Hi Naidu,

Thanks for the reply. Actually I have used this scenario, but the thing is it will not load-balance; it will only create redundancy, because only one default gateway is assigned to the Check Point. We need two VIPs for this. Please suggest another solution.

Thanks

Taran

rajatsetia Wed, 05/26/2010 - 23:37

Hi Taran,

I'm not sure about Check Point. Could you confirm a few points about Check Point, like whether it will load-balance traffic if it has multiple routes of the same metric for a destination?

If yes, you can try this option:

- No HSRP between routers

- On the firewall define two static default routes (no default gateway) pointing towards the two IP addresses of the LAN interfaces of both routers

     ** the firewall is supposed to load-balance traffic between two equal-metric static routes and damp the route if the next hop is not reachable

Two important things if your firewall supports this arrangement:

- Implement WAN tracking so that if the WAN interface goes down, it brings down the LAN interface; otherwise the firewall will keep forwarding traffic to both routers, and in case of a WAN failure half of the traffic will be black-holed

- You may have to check for PBR in case any of your LAN traffic has to be bound to a specific public IP address pool, i.e. you have to route particular LAN traffic towards a specific ISP router.

Hope this helps

Kind Regards,
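
The router-side half of the arrangement above, as an added example that is not from any poster in this thread: one of the two IOS routers does NAT for the firewall's outside address, probes its ISP gateway with IP SLA, withdraws its default route when the probe fails, and shuts its LAN interface so the firewall's equal-cost route via this router loses its next hop instead of black-holing half the traffic. All addresses (RFC 5737 ranges), interface names, and the ISP1/ISP2 naming are assumptions; the second router gets the same configuration with its own addresses. Only the WAN-tracking and NAT points are covered here; the PBR point belongs on the firewall and depends on the Check Point platform, which the thread does not settle.

```cisco
! RTR-ISP1 (example configuration; RTR-ISP2 is identical with its own addresses)
hostname RTR-ISP1
!
interface GigabitEthernet0/0
 description WAN to ISP1 (assumed addressing)
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/1
 description LAN segment shared with RTR-ISP2 and the firewall (assumed addressing)
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
! Only the firewall's outside address is translated; nothing else sits on
! this segment, so a single-host ACL is enough and nothing else can ride
! the translation by plugging into the switch.
ip access-list standard FW-OUTSIDE
 permit host 10.10.10.10
!
! PAT the firewall behind the WAN interface address. Use a static
! translation instead on the router that must receive inbound connections.
ip nat inside source list FW-OUTSIDE interface GigabitEthernet0/0 overload
!
! Probe the directly connected ISP gateway every 10 s. It is on-link, so
! the probe does not itself depend on the default route being tracked.
ip sla 1
 icmp-echo 198.51.100.1 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
 delay down 30 up 60
!
! The default route is withdrawn while the probe fails, so this router
! stops forwarding traffic it cannot deliver...
ip route 0.0.0.0 0.0.0.0 198.51.100.1 track 1
!
! ...but the firewall would still ARP-resolve 10.10.10.1 and keep sending.
! Shutting the LAN interface on failure makes that next hop unreachable so
! the firewall's other equal-cost default route carries everything.
event manager applet WAN1-DOWN
 event track 1 state down
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "interface GigabitEthernet0/1"
 action 4.0 cli command "shutdown"
 action 5.0 syslog msg "ISP1 unreachable: LAN interface shut to avoid black-holing"
!
event manager applet WAN1-UP
 event track 1 state up
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "interface GigabitEthernet0/1"
 action 4.0 cli command "no shutdown"
 action 5.0 syslog msg "ISP1 reachable: LAN interface restored"
```

Two caveats a practitioner should check before relying on this. First, because each router translates to a different public pool, the firewall must balance per flow (by source/destination hash), not per packet: a session whose packets alternate between the two routers leaves with two different source addresses and its return traffic breaks, which is the same symptom of flows "shuffling" between routers that a per-host mechanism such as GLBP cannot avoid with a single firewall MAC behind it. Second, probing the on-link ISP gateway only detects a first-hop failure; to catch an upstream outage, probe a host deeper in the ISP network and give it a static host route via the ISP gateway so the probe does not depend on the very default route it controls.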

tarnhundal Thu, 05/27/2010 - 02:47

HI Rajat,

What you mention here is right. I am not running HSRP now, but on the Check Point I can't put two static routes, because it's running in active/standby mode, and I don't think two routes will work on it.

For the tracking system I have implemented SLA.

Thanks

Taran

rajatsetia Thu, 05/27/2010 - 05:36

Hi,

Kindly pardon my limited knowledge of Check Point, but I don't think configuring two default routes on a firewall is a problem even if it has a standby partner.

Let me tell you what I have understood from the problem statement

You have two routers, and both are connected to different ISPs,

e.g. RTR-ISP1 and RTR-ISP2,

and they are connected to a layer 2 switch towards the LAN side.

Say their LAN IPs are

RTR-ISP1 - x.x.x.1/24

RTR-ISP2 - x.x.x.2/24

Also you have two firewalls working in Active/Standby mode, also connected to the same Layer 2 switch, and all routers and firewalls are in the same VLAN:

Firewall-A

Firewall-B

IP address of the firewall outside interface (the one connected to the Layer 2 switch):

Firewall-A - x.x.x.3/24

Firewall-B - x.x.x.4/24

Virtual IP - x.x.x.10/24

As far as NAT is concerned, I guess you have x.x.x.10 being NATted at both routers.

Now what I am trying to say is that you can configure two default routes on both firewalls pointing towards the routers as next hops for load balancing,

i.e. one default route will have x.x.x.1 and the other default route will have x.x.x.2 as next hop.

So the firewall should be able to load-balance the uplink traffic towards both routers, and both routers will do NAT for the firewall IP with their public address pools.

Kindly let me know if I got something wrong here about the setup.

Kind Regards,

tarnhundal Mon, 05/31/2010 - 01:10

HI

Thanks for the reply. Actually what you suggest is correct, but the thing is I can't create a VIP on the firewall because I am using Ndurant hardware with Check Point, so it doesn't support VIP. Otherwise your design is fine, so what do you say?

Thanks

Taran

rajatsetia Mon, 05/31/2010 - 03:44

Hi Taran,

When you say the firewall does not support VIP, that is fine. Can you please tell me how HA works in your firewall?

What IP addresses are configured on your firewall, what will happen when the primary fails, and what is the routers' next-hop IP address towards the LAN segment?

Kind Regards,

tarnhundal Mon, 05/31/2010 - 04:48

Hi

The standby firewall will become active after the primary fails. Actually, I am not managing the firewall. I have done one thing as R&D: I am running GLBP on both routers, and the switch has the default gateway of that VIP. Now I have done NAT on both routers with the firewall's IP. Now I have seen that there is load-balancing, but there is a different thing which I noted: the internet is shuffling between the routers, so a continuous flow is not there. I have seen one thing, that GLBP can't load-balance because it's learning only one MAC, i.e. the firewall's. To perform load-balancing it should have at least two MAC addresses. Can you help me with this?

Thanks

Taran

Ganesh Hariharan Wed, 05/26/2010 - 22:53

Hi Taran,

With the above architecture you have only one option, which is policy-based routing using the Check Point, as the Check Point will be the single point of interface connected to both ISPs via direct connection.

What version of Check Point are you using, and on which platform?

Hope this helps!

Ganesh.H

Latchum Naidu Thu, 05/27/2010 - 02:23

Hi,

Do a default route to both ISPs like below. I hope that will work out here....

ip route 0.0.0.0 0.0.0.0 ISP1

ip route 0.0.0.0 0.0.0.0 ISP2

Regards,

Naidu.

tarnhundal Thu, 05/27/2010 - 03:00

Naidu

I have done this already on both routers, but the main requirement is to NAT both ISPs' IPs so that I can get the total bandwidth.

regards,

Taran

tarnhundal Thu, 05/27/2010 - 02:49

Hi Ganesh

Even though two ports of the Check Point have been connected to the switch, it acts in active/standby, so only one port will be used at a time.

thanks

Taran
