Multi ISP with multiple routers.
Posted on 2008-10-02
I am being asked to setup 2 cisco 2811 routers to create a redundent connection to the internet and from the internet to hosted servers inside the dmz. I have the outboud traffic handled with HSRP no problems it works.
For inbound traffic to hosted services I have 2 ISP circuits with statis public IPs. Currently I am running HSRP on the WAN interfaces for both these circuits on each of 2 2811s. So each router is connected to the 2 ISPs (as you can imagine I am having to waste some of my public ips in this config) if the primary router fails the secondary router will take over for both isp circuits.... yes it actually works right now. and inbound connections heal pretty quickly(RDP). Yes ARP is a problem sometimes because of the timeout on the downstream ISP routers but it works so far.
The problem is as I stated before this wastes IPs and it is a complex setup and can be a bear to troubleshoot if there is a problem. What I would like to do is hook one isp up to one router and one isp up to the other router.
Here is where I get stuck... I know that if a packet comes in on ISP 1 it needs to go back out the ISP 1 and the same for ISP 2 traffic. But the watchguard I have sitting behind the 2811s allows for only one gateway per interface to be configured as best as I can tell and it currently points to the HSRP virtual ip as the gateway.
I realise to some of you reading this that this is a problem with my current config and you are rght... I fixed by using a route map and configuring multiple IPs on the watchguard, so when a packet comes in on ISP 1 it goes to .5 and .6 for ISP 2 and on the way out the packet's next hop is set by this ip as well to make sure they go back out the correct circuit.
I could use this method to solve this problem with the new setup so that the packet's next hop would be out the ISP 1 circuit or set it to the router that is connected to ISP 2 so that is can send it on... but I would like to not have to do that because that means the Primary router will be looking at every outbound packet and either forwarding it or passing back over to the other router to forward.
How would this affect performace for ISP 2 traffic?
Is there a better way to do this?
I dont have to have specific config commands but concepts or ideas on how to accomplish this with 2 cisco 2811 dual wan routers and a Watchguard 550e firewall.
Any suggestions from cisco or watchguard folks would be great!
NOTE: Cant use BGP we are a small company and probably could get approval for an ASN or IP block.