blackfox_01 asked:
Dual WAN or Failover Broadband thoughts.

I am looking at setting up a redundant broadband connection and I need some help in my thought processes. We are trying to do this with very minimal expenditure. Here is my configuration idea and I would like to know if anyone sees a problem with this.


Incoming connections - T1 and Cable

Existing config already uses a block of switch ports to allow dual firewalls to run on the backside of the switch accessing the single T1. The existing primary firewall is already configured with an address from our block of internet addresses. It is set to allow traffic from the existing T1 router. I would like to add the cable connection to this scheme. To do so I would attach the cable modem to a NAT router to get the cable IP changed over to one of our available existing internet IP addresses. This would create a dual route out of the switch to the internet. Would this create a routing loop, or would it allow me to access both connections and just have them as a shared connection? I can set the firewall to allow communications from the secondary IP address, I believe.
KVR_Solutions replied:

Here is a link to a question similar to yours: https://www.experts-exchange.com/questions/22061722/Multiple-ISP's-and-failover.html

As I've mentioned in that article, the best bang for the buck is the SonicWall TZ170. You can let the router/firewall handle the load balancing and wan failover. Total price would be 713 dollars from www.sonicguard.com.

Ira @ KVR
blackfox_01 (asker) replied:

Well, I looked at the TZ170 and I do like the options it gives me and it gets great reviews, but I was charged with trying to do this with the existing hardware we have first, then to offer options if it cannot be done. With your prior experience, do you think this will work?
pjtemplin replied:

Seriously, SEARCH the solutions here.  This question gets asked perhaps twice a day, every day.  The questions are the same, the answers are the same.
It's not likely that you'll be able to get your cable modem changed over to one of your existing IPs. ISPs are typically limited in what IP addresses they can use (unless they are requesting something like a /24). Anyway, the only way that I can see this working for you is if your current firewall/router supports WAN failover or WAN Load Balancing.
You could always get the TZ170, then sell your existing hardware on ebay.
giltjr replied:

I agree with pjtemplin, this question is asked a lot. There are solutions that will work if all traffic is initiated from you to the Internet.

However, if you host your own servers and have people coming in to you, you will have problems. Cable and DSL ("broadband") are NOT meant to be a backup for leased line connections if you are hosting servers.
Thank you for all the comments. I don't think my existing hardware will net much on ebay. As far as implications to servers I am hosting go, that introduces a couple of items I was not looking at. We are about to install an ebill server. This will be accessed by people on the internet and sits in the DMZ. If I understand giltjr correctly, if a person is trying to get to that server then we cannot have duplicate paths from the internet to get there, correct? So that would mean that we would have to have a router like the TZ120 to give me that failover. If the system should fail over, that would mean that we would lose connection to the ebill server until routes on the internet updated with the new route to the server, correct?
In regards to the e-bill server, no, you are incorrect. Your "T1" IP address will not be able to be routed over your cable connection at all. At least I have never heard of any Internet provider allowing a broadband connection to be used to route IP addresses that are part of a non-broadband connection.

That is your problem.  On the broadband connection you will have a whole different block of IP addresses.
Ok, so here is a thought, but I am not sure this would work. What if I plug the cable modem into a router that has the cable modem IP on its external interface and then set up the other interface on my block of T1 IPs? Essentially NAT the cable address to the T1 block? Would this create a routing loop?
You could use round robin DNS on the public IPs. Set 2 DNS entries with whoever hosts your DNS:

ebill1.yourdomain.com = 11.12.12.12 for the t1
ebill2.yourdomain.com = 13.13.13.13 for the cable

ASKER CERTIFIED SOLUTION (posted by giltjr; the body is not shown on this page)
Thank you for the explanation. Makes perfect sense to me now. I appreciate the time it took to put this together so I understand. So does this mean that I will not be able to use the cable as a backup to the T1 at all? Ok, maybe what I need to do is route all outbound traffic through the cable connection and allow only incoming traffic on the T1. This kind of defeats the redundant option though. To make this work I would really need to have 2 T1s from my ISP, correct? And then set up some sort of redundant setup with the ISP to move traffic to the other T1 in the event of a failure.

It sounds like I really need to purchase a new firewall that will allow me to have 2 high speed connections coming in so that in the event of a failure all outbound traffic can be moved to the other connection, and in the event of a lengthy failure I could go out and have the MX record changed to route through the backup connection. It would still leave me down as far as inbound traffic goes until the changes took effect, but at least my outbound traffic would stay active, correct?
About 80, with 2 subnets, and the new ebill server that is being brought up now. I work for an electric utility that uses the firewall for communications with a remote monitoring site as well as our substations, so this thing has to stay up and active all the time.
Ok, because if you want to plan for future expansion I would suggest the Watchguard x550-e with the Fireware Pro OS upgrade. Total cost should be about $2000.00.

Check it out on: www.guardsite.com
Well, my current firewall is a Watchguard and I have been very happy with it. It does a great job and is easy to manage. Thank you for all the suggestions and the training. I really appreciate the help.
No problem. If you have any further questions on the configuration of the x550e (should you choose to buy it), open a question on EE and email me the link at ira.bell@kvrsolutions.com.

Good luck!
BTW what model do you currently have?
Actually, for the MX records you could set up two MX entries with different preferences, one entry for the "T1" IP and one for the "cable" IP. When the sending e-mail server gets two MX records it is supposed to try the higher preference one first, and if that fails it tries the next highest preference one. The lower the number, the higher the preference.

So you put T1 highest (mailt1.yourdomain.com preference 5) and cable lower (mailcable.yourdomain.com preference 10). The sending e-mail server SHOULD (if written properly) try "mailt1" first, and if it can't connect to it, it will then try "mailcable".
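Added illustration (not posted by anyone in this thread): a small simulation of the MX preference walk described above, using the two constructed hostnames from the post. It also covers the case the post does not mention, two MX records with the same preference, which a sending server spreads load across rather than treating as a fallback.

```python
# Added example, not code from any poster here. Models how a sending mail server
# is expected to pick among MX records: lowest preference number first, equal
# preferences shuffled, next preference only after the earlier ones fail.
import random

# Constructed MX set for the scenario in the thread: T1 path preferred (5),
# cable path as fallback (10).
MX_RECORDS = [
    (10, "mailcable.yourdomain.com"),
    (5, "mailt1.yourdomain.com"),
]


def order_mx(records):
    """Return MX hosts in the order a sender should try them.

    Groups hosts by preference, sorts groups ascending (lower number wins),
    and shuffles hosts inside a group so equal-preference servers share load.
    """
    by_pref = {}
    for pref, host in records:
        by_pref.setdefault(pref, []).append(host)
    ordered = []
    for pref in sorted(by_pref):
        group = list(by_pref[pref])
        random.shuffle(group)
        ordered.extend(group)
    return ordered


def deliver(records, reachable):
    """Simulate one delivery attempt across the MX list.

    `reachable` is a constructed map host -> bool standing in for "could we
    open a connection to port 25".  Returns the host that accepted the mail,
    or None when every MX host was unreachable (mail stays queued).
    """
    for host in order_mx(records):
        if reachable.get(host, False):
            return host
    return None


if __name__ == "__main__":
    # T1 up: mail lands on the T1 host.  T1 down: sender falls back to cable.
    print(deliver(MX_RECORDS, {"mailt1.yourdomain.com": True}))
    print(deliver(MX_RECORDS, {"mailcable.yourdomain.com": True}))
```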
That makes it much easier to set this up. That would allow for a much more dynamic solution. It would also allow me to place a preference on my end that would give us a higher connection speed and would dedicate the T1 as priority inbound.