Solved

Dual WAN or Failover Broadband thoughts.

Posted on 2006-11-16
Last Modified: 2013-12-29
I am looking at setting up a redundant broadband connection and I need some help in my thought processes. We are trying to do this with very minimal expenditure. Here is my configuration idea and I would like to know if anyone sees a problem with this.


Incoming Connections -  T1 and Cable

Existing Config already uses a block of switch ports to allow dual firewalls to run on the backside of the switch accessing the single T1. The existing primary firewall is already configured with an address from our block of internet addresses. It is set to allow traffic from the existing T1 router. I would like to add the cable connection to this scheme. To do so I would attach the cable modem to a NAT router to get the cable IP changed over to one of our available existing internet IP addresses. This would create a dual route out of the switch to the internet. Would this create a routing loop or would it allow me to access both connections and just have them as a shared connection? I can set the firewall to allow communications from the secondary IP address I believe.
0
Question by:blackfox_01
20 Comments
 
LVL 3

Expert Comment

by:KVR_Solutions
ID: 17960194
Here is a link to a question similar to yours: http://www.experts-exchange.com/Networking/Q_22061722.html

As I've mentioned in that article, the best bang for the buck is the SonicWall TZ170. You can let the router/firewall handle the load balancing and wan failover. Total price would be 713 dollars from www.sonicguard.com.

Ira @ KVR
0
 
LVL 1

Author Comment

by:blackfox_01
ID: 17960446
Well I looked at the TZ170 and I do like the options it gives me and it gets great reviews, but I was charged with trying to do this with the existing hardware we have first, then to offer options if it cannot be done. With your prior experience do you think this will work?
0
 
LVL 12

Expert Comment

by:pjtemplin
ID: 17960521
Seriously, SEARCH the solutions here. This question gets asked perhaps twice a day, every day. The questions are the same, the answers are the same.
0
 
LVL 3

Expert Comment

by:KVR_Solutions
ID: 17960587
It's not likely that you'll be able to get your cable modem changed over to one of your existing IPs. ISPs are typically limited in what IP addresses they can use (unless they are requesting something like a /24). Anyway, the only way that I can see this working for you is if your current firewall/router supports WAN failover or WAN Load Balancing.
0
 
LVL 3

Expert Comment

by:KVR_Solutions
ID: 17960590
You could always get the TZ170, then sell your existing hardware on ebay.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 17960970
I agree with pjtemplin, this question is asked a lot. There are solutions that will work if all traffic is initiated from you to the Internet.

However if you host your own servers and have people coming in to you, you will have problems. Cable and DSL ("broadband") are NOT meant to be a backup for leased line connections if you are hosting servers.
0
 
LVL 1

Author Comment

by:blackfox_01
ID: 17964649
Thank you for all the comments. I don't think my existing hardware will net much on ebay. As far as implications to servers I am hosting go, that introduces a couple of items I was not looking at. We are about to install an ebill server. This will be accessed by people on the internet and sits in the DMZ. If I understand giltjr correctly, if a person is trying to get to that server then we cannot have duplicate paths from the internet to get there, correct? So that would mean that we would have to have a router like the TZ120 to give me that failover. If the system should fail over, that would mean that we would lose connection to the ebill server until routes on the internet updated with the new route to the server, correct?
0
 
LVL 57

Expert Comment

by:giltjr
ID: 17964843
In regards to the e-bill server, no, you are incorrect. Your "T1" IP address will not be able to be routed over your cable connection at all. At least I have never heard of any Internet provider allowing a broadband connection to be used to route IP addresses that are part of a non-broadband connection.

That is your problem.  On the broadband connection you will have a whole different block of IP addresses.
0
 
LVL 1

Author Comment

by:blackfox_01
ID: 17965613
Ok so here is a thought but I am not sure this would work. What if I plug the cable modem into a router that has the cable modem IP on its external interface and then set up the other interface on my block of T1 IPs. Essentially NAT the Cable Address to the T1 block? Would this create a routing loop?
0
 

Expert Comment

by:agreatround
ID: 17966254
You could use round robin DNS on the public IPs. Set 2 DNS entries with whoever hosts your DNS:

ebill1.yourdomain.com = 11.12.12.12 for the t1
ebill2.yourdomain.com = 13.13.13.13 for the cable

0
 
LVL 57

Accepted Solution

by:giltjr (earned 175 total points)
ID: 17968146
Round robin DNS is not for availability. If one of the IP addresses is down, then 1/2 of all connections will fail.

There are some boxes that claim they will do this by using dynamic round robin DNS and removing the entry for the IP address that is "out of service." The problem is they assume that all DNS servers honor the TTL value for caching entries, and they set the TTL very low, a few seconds. This way the DNS servers don't cache the results of the queries for a long time. The problem with that assumption is a lot of DNS servers have started ignoring the TTL and cache entries for anywhere from 24 to 72 hours. This is why most ISPs tell you that any DNS updates to existing entries may take 24-72 hours to propagate through the Internet.

You can't NAT the cable IP address on the T1 either. The problem is the ISP providing the T1 must route your cable IP address through, and I doubt if they are going to do this.


                       /------- T1  (1.1.1.1) <---------> ISP1 (3.3.3.3) <------\
WEB1 (5.5.5.5)                                                                    <--- "Internet" ----> "ME"
                       \------- CAB (2.2.2.2) <---------> ISP2 (9.9.9.9) <------/
   
Using the above diagram, say your public IP address is 5.5.5.5 and is owned by ISP1, which provides your T1. When I want to get to 5.5.5.5 I go through a few routers within the Internet, but in the end the Internet says "to get to 5.5.5.5 I must forward to 3.3.3.3", because the Internet says that 5.5.5.5 is "owned" by 3.3.3.3. Now 3.3.3.3 will pass to the router at your site (1.1.1.1) and it passes to you.

If the T1 is down I can't get to you. In order to allow the cable to be used as a backup, ISP1 and ISP2 would have to agree that ISP1 would notify the "Internet" and ISP2 that it no longer has a path to 5.5.5.5, and ISP2 would have to notify the "Internet" that it has a path to 5.5.5.5.

The inverse is true also. That is, if ISP2 owned 5.5.5.5 and the cable connection went down, the same notifications would need to take place.

This is technically possible, it happens all of the time, except that it happens for customers that have dedicated circuits (T1/E1 and above). I have not heard of an agreement like this occurring when any of the connections is a "broadband" connection.

The above is an oversimplification of what needs to be done in order for two independent Internet connections to be backups for each other. But the theory is what I am attempting to get across. You can't control this; the "Internet" and your ISPs do.
0
 
LVL 1

Author Comment

by:blackfox_01
ID: 17968359
Thank you for the explanation. Makes perfect sense to me now. I appreciate the time it took to put this together so I understand. So does this mean that I will not be able to use the Cable as a backup to the T1 at all? Ok maybe what I need to do is route all outbound traffic through the cable connection and allow only incoming traffic on the T1. This kind of defeats the redundant option though. To make this work I would really need to have 2 T1's from my ISP, correct? And then set up some sort of redundant setup with the ISP to move traffic to the other T1 in the event of a failure.

It sounds like I really need to purchase a new firewall that will allow me to have 2 high speed connections coming in so that in the event of a failure all outbound traffic can be moved to the other connection, and in the event of a lengthy failure I could go out and have the MX record changed to route through the backup connection. It would still leave me down as far as inbound traffic goes until the changes took effect, but at least my outbound traffic would stay active, correct?
0
 
LVL 3

Assisted Solution

by:KVR_Solutions (earned 75 total points)
ID: 17968371
Correct, as I said before you'll need to purchase a firewall/router that supports Load Balancing and/or WAN-Failover. How many nodes are on your network?
0
 
LVL 1

Author Comment

by:blackfox_01
ID: 17968408
About 80 with 2 subnets, and the new ebill server that is being brought up now. I work for an electric utility that uses the firewall for communications with a remote monitoring site as well as our substations, so this thing has to stay up and active all the time.
0
 
LVL 3

Expert Comment

by:KVR_Solutions
ID: 17968465
Ok, because if you want to plan for future expansion I would suggest the Watchguard x550-e with the Fireware Pro OS upgrade. Total cost should be about $2000.00.

Check it out on: www.guardsite.com
0
 
LVL 1

Author Comment

by:blackfox_01
ID: 17968524
Well my current firewall is a Watchguard and I have been very happy with it. It does a great job and is easy to manage. Thank you for all the suggestions and the training. I really appreciate the help.
0
 
LVL 3

Expert Comment

by:KVR_Solutions
ID: 17968531
No problem. If you have any further questions on the configuration of the x550e (should you choose to buy it), open a question on EE and email me the link at ira.bell@kvrsolutions.com.

Good luck!
0
 
LVL 3

Expert Comment

by:KVR_Solutions
ID: 17968536
BTW what model do you currently have?
0
 
LVL 57

Expert Comment

by:giltjr
ID: 17968679
Actually for the MX records you could set up two MX entries with different preferences, one entry for the "T1" IP and one for the "cable" IP. When the sending e-mail server gets two MX records it is supposed to try the higher preference one first and if that fails it tries the next highest preference one. The lower the number, the higher the preference.

So you put T1 highest (mailt1.yourdomain.com preference 5) and Cable lower (mailcable.yourdomain.com preference 10). The sending e-mail server SHOULD (if written properly) try "mailt1" first and if it can't connect to it, it will then try "mailcable".
0
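Worked illustration of the two DNS mechanisms compared in this thread: plain round-robin A records (which giltjr's accepted solution says fail for half of all clients when one address is down) versus MX preference failover (the preceding comment). This is an example added by the editor, not code from the thread or from any of the products mentioned. The hostnames, the two sample MX/A records and the addresses (RFC 5737 documentation ranges) are constructed for the example, and the `reachable` set stands in for an actual TCP connect to port 25.

```python
"""Round-robin A records vs. MX preference failover (constructed example)."""
import random
from collections import defaultdict

# Constructed DNS data mirroring the thread: T1 side preferred (5), cable side fallback (10).
MX_RECORDS = [
    ("mailcable.yourdomain.com", 10),  # deliberately listed out of order
    ("mailt1.yourdomain.com", 5),
]
A_RECORDS = {
    "mailt1.yourdomain.com": "192.0.2.10",     # "T1" address (RFC 5737 TEST-NET-1)
    "mailcable.yourdomain.com": "198.51.100.10",  # "cable" address (RFC 5737 TEST-NET-2)
}
# A single name with two A records, handed out round-robin by the resolver.
ROUND_ROBIN_A = ["192.0.2.10", "198.51.100.10"]


def order_mx(records):
    """Order MX hosts the way RFC 5321 section 5.1 tells a sending MTA to:
    ascending preference value; hosts sharing a preference are tried in random order."""
    by_pref = defaultdict(list)
    for host, pref in records:
        by_pref[pref].append(host)
    ordered = []
    for pref in sorted(by_pref):
        hosts = list(by_pref[pref])
        random.shuffle(hosts)  # load-spreads among equal-preference hosts
        ordered.extend(hosts)
    return ordered


def deliver_via_mx(records, reachable):
    """Simulate a sending MTA: walk the MX list in preference order and return the
    host that accepted the connection, or None if every MX host is unreachable.
    `reachable` is the set of IPs a TCP connect to port 25 would succeed against."""
    for host in order_mx(records):
        if A_RECORDS[host] in reachable:
            return host
    return None


def round_robin_failure_rate(addresses, reachable, clients=10_000):
    """Simulate `clients` independent clients, each handed the next A record in
    rotation and connecting to that one address only (no retry on the other record).
    Returns the fraction of clients that fail: with one of two addresses down, 0.5."""
    failures = sum(
        1 for i in range(clients) if addresses[i % len(addresses)] not in reachable
    )
    return failures / clients


if __name__ == "__main__":
    both_up = {"192.0.2.10", "198.51.100.10"}
    t1_down = {"198.51.100.10"}
    print("MX, both up:   ", deliver_via_mx(MX_RECORDS, both_up))
    print("MX, T1 down:   ", deliver_via_mx(MX_RECORDS, t1_down))
    print("MX, both down: ", deliver_via_mx(MX_RECORDS, set()))
    print("Round robin, T1 down, failure rate:",
          round_robin_failure_rate(ROUND_ROBIN_A, t1_down))
```

The contrast is the point: the MX client retries the next preference itself, so losing the T1 costs nothing but a connection timeout, whereas a web or ebill client that resolves a round-robin name gets one address and gives up, so half the visitors see an outage until the record is changed and every intermediate cache has expired.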
 
LVL 1

Author Comment

by:blackfox_01
ID: 17968705
That makes it much easier to set this up. That would allow for a much more dynamic solution. It would also allow me to place a preference on my end that would give us a higher connection speed and would dedicate the T as priority inbound.
0