05-26-2010 03:05 AM - edited 03-04-2019 08:36 AM
Hi All
I have two internet routers connected to two different ISPs, and both have different public IP pools. These routers are connected to one L2 switch, and then a firewall is attached to this switch. I have NAT for the firewall's IP on both routers. Now I want to load balance the traffic for this. Actually both routers have a 5 Mb link each, so I want to provide 10 Mbps to my LAN. If I use HSRP or another L2 protocol then it will provide only redundancy, not load balancing. Please help me to sort this out. It's urgent.
Thanks and regards,
Taran
05-26-2010 04:17 AM
Hi Taran,
Need some information. As you said, the firewall is connected to the L2 switch where your routers are connected; how is the firewall routing to both ISPs in the current situation? Does the firewall have two separate ports to both the routers, and what type of firewall are you using?
Ganesh.H
05-26-2010 04:49 AM
Hi Ganesh,
Both the routers are connected to the L2 switch directly, and there is also a firewall, i.e. Check Point, connected to this switch. In the present scenario a static route has been defined on the Check Point towards a router, pointing at a default gateway, i.e. the router's IP address, but now I got a second router and attached it to this switch. I have to mention one gateway on the firewall. I can't run GLBP because my host is one, i.e. the firewall, so it can't load balance, and with HSRP I need two gateways to do it, but I have one switch and one firewall. My firewall has two ports connected to the same switch, but it's running in active/standby mode so traffic flow is on one port.
Thanks
Taran
05-26-2010 09:20 AM
Hi,
This may help you or give some inputs..
Your scenario:
1. 2 ISPs connected to one unmanaged switch.
2. Your two routers connected to the same switch.
3. Your Check Point connected to the same switch.
Now you can create HSRP between the two routers and use the VIP as the default gateway in the Check Point. If not...
Why are two ports from the firewall connected to the same switch?
Regards,
Naidu.
05-26-2010 09:34 PM
Hi Naidu,
Thanks for the reply. Actually I have used this scenario, but the thing is it will not load balance; it will only create redundancy, because only one default gateway is assigned to the Check Point, and we need two VIPs for this. Please suggest another solution.
Thanks
Taran
05-26-2010 11:37 PM
Hi Taran,
Not sure about Check Point, but if you can confirm a few points about the Check Point, like whether it will load balance traffic if it has multiple routes of the same metric for a destination:
If yes, you can try this option
- No HSRP between routers
- On the firewall define two static default routes (no default gateway) pointing towards the two IP addresses of the LAN interfaces of both routers
** the firewall is supposed to load balance traffic between two equal-metric static routes and damp the route if the next hop is not reachable
Two important things if your firewall supports this arrangement
- Implement WAN tracking so that if the WAN interface goes down, it brings down the LAN interface; otherwise the firewall will end up forwarding traffic to both routers, and in case of a WAN failure half of the traffic will be black-holed
- You may have to check for PBR in case any of your LAN traffic has to be bound to a specific public IP address pool, i.e. you have to route particular LAN traffic towards a specific ISP router.
Hope this helps
Kind Regards,
05-27-2010 02:47 AM
HI Rajat,
What you mention here is right. I am not running HSRP now, but in the Check Point I can't put two static routes because it's running in active/standby mode, and I don't think that two routes will work in it.
For the tracking system I have implemented SLA.
Thanks
Taran
05-27-2010 05:36 AM
Hi,
Kindly pardon my limited knowledge of Check Point, but I don't think configuring two default routes in a firewall is a problem even if it has a standby partner.
Let me tell you what I have understood from the problem statement.
You have two routers and both are connected to different ISPs,
e.g. RTR-ISP1 and RTR-ISP2
and they are connected to a layer 2 switch towards the LAN side
say their LAN IPs are
RTR-ISP1 - x.x.x.1/24
RTR-ISP2 - x.x.x.2/24
Also you have two firewalls working in Active-Standby mode, also connected to the same Layer 2 switch, and all routers & firewalls are in the same VLAN
Firewall-A
Firewall-B
IP Address of firewall Outside Interface (one connected to Layer switch)
Firewall-A - x.x.x.3/24
Firewall-B - x.x.x.4/24
Virtual IP - x.x.x.10/24
As far as NAT is concerned, I guess you have x.x.x.10 being NATed at both the routers.
Now what I am trying to say is that you can configure two default routes on both firewalls pointing towards the routers as next hops for load balancing,
i.e. one default route will have x.x.x.1 and the other default route will have x.x.x.2 as next hop.
So the firewall should be able to load balance the uplink traffic towards both the routers, and both routers will do NAT for the firewall IP with their public address pool.
Kindly let me know if I got something wrong here about the setup.
Kind Regards,
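As an added illustration of the design above (equal-cost default routes on the firewall, WAN tracking on each router so a dead uplink is taken out of the path), here is a Cisco IOS configuration for one of the two routers. It is not from the thread: the LAN segment 192.0.2.0/24 stands in for the x.x.x.0/24 used above (router .1, firewall .10), 203.0.113.0/30 and 203.0.113.10 are placeholders for ISP1's link and public pool, and the probe target is assumed.

```text
! RTR-ISP1 (added example; all addresses are placeholders, not from the thread)
! LAN side faces the L2 switch shared with RTR-ISP2 and the Check Point firewall
interface GigabitEthernet0/1
 description LAN towards switch / firewall (x.x.x.1 in the thread)
 ip address 192.0.2.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0
 description WAN towards ISP1
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
! Static NAT of the firewall's outside IP (x.x.x.10 in the thread) into ISP1's pool
ip nat inside source static 192.0.2.10 203.0.113.10
!
! Probe the ISP1 gateway so a dead upstream, not just a dead cable, is detected
ip sla 1
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
 delay down 15 up 30
!
! Default route stays installed only while the probe succeeds
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
!
! When ISP1 is unreachable, shut the LAN interface so the firewall's route via
! 192.0.2.1 fails instead of half the traffic being black-holed; restore it when
! the probe recovers. The probe runs on the WAN side, so it keeps working while
! the LAN interface is down.
event manager applet ISP1-DOWN
 event track 1 state down
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "interface GigabitEthernet0/1"
 action 4.0 cli command "shutdown"
 action 5.0 syslog msg "ISP1 unreachable, LAN interface shut to avoid black-holing"
event manager applet ISP1-UP
 event track 1 state up
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "interface GigabitEthernet0/1"
 action 4.0 cli command "no shutdown"
 action 5.0 syslog msg "ISP1 reachable again, LAN interface restored"
```

RTR-ISP2 mirrors this with its own WAN addressing and 192.0.2.2 on the LAN side; the firewall still needs to do per-flow (not per-packet) balancing across its two default routes, or sessions NATed by one router will break when packets leave via the other.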
05-31-2010 01:10 AM
HI
Thanks for the reply. Actually what you suggest is correct, but the thing is I can't create a VIP on the firewall because I am using Ndurant hardware with Check Point, so it doesn't support VIP. Otherwise your design is fine, so what do you say?
Thanks
Taran
05-31-2010 03:44 AM
Hi Taran,
When you say the firewall does not support VIP, it is fine. Can you please tell me how HA works in your firewall?
What IP addresses are configured on your firewall, and what will happen when the primary fails? And what is the router's next-hop IP address towards the LAN segment?
Kind Regards,
05-31-2010 04:48 AM
Hi
The standby firewall will become active after the primary fails. Actually, I am not managing the firewall. I have done one thing as R&D: I am running GLBP on both routers, and the switch has the default gateway of that VIP. Now I have done NAT on both routers with the firewall's IP. I have seen that there is load balancing, but there is a different thing which I noted: the internet is shuffling between the routers, so there is no continuous flow. I have seen one thing, that GLBP can't load balance because it's learning only one MAC, i.e. the firewall's. To perform load balancing it should have at least two MAC addresses. Can you help me with this?
Thanks
Taran
05-26-2010 10:53 PM
Hi Taran,
With the above architecture you have only one option: policy-based routing on the Check Point, as the Check Point will be the single point of interface which is connected with both ISPs via direct connection.
What version of Check Point are you using, and on which platform?
Hope to Help !!
Ganesh.H
05-27-2010 02:23 AM
Hi,
Add default routes to both ISPs like below. I hope that will work out here....
ip route 0.0.0.0 0.0.0.0 ISP1
ip route 0.0.0.0 0.0.0.0 ISP2
Regards,
Naidu.
05-27-2010 03:00 AM
Naidu
I have done this already on both routers, but the main requirement is to do NAT with both ISP IPs so that I can get the total bandwidth.
regards,
Taran
05-27-2010 02:49 AM
Hi Ganesh
Even though two ports of the Check Point are connected to the switch, it acts in active/standby, so only one port is used at a time.
thanks
Taran