Dual ISP Network Routing
I have a network design issue.  I have two firewalls, with two different ISP Providers.  Outbound traffic is no problem.  I have default routes "RIP'd" to use Firewall A first, and if it goes down, then Firewall B.  This works, I've tested.

My problem is that I have hosts on the internal network that need to be accessed from the Internet.  I've configured a 1:1 NAT on each firewall, and tested these and they work.  The problem is that only one works at a time.  If the default route of the central router is pointed to Firewall A, then I can access the hosts (like Syslog) using the ip addresses that pertain to ISP A.  I cannot access that host from ISP B.  However, if I fail over from ISP A to ISP B, the default route in the central router will now point to Firewall B, thanks to the RIP protocol.  I can now access the same host (no changes to anything needed) using ISP B's ip address, and cannot access the host via ISP A.  

Also, if I set the host's gateway to be one or the other firewall, then I can access that host from the Internet via the same ISP, but not the other.  (e.g. I can access Mario via ISP B's ip address, but not ISP A's address).  I know there must be some route that needs to be added, but I can't seem to stumble upon it. Any help on this would be most appreciated.

[Attachment: simpledualisp.jpg]

Istvan Kalmar:

Hi,

What kind of firewall do you have?

dritzz721 (Asker):

One is a Cisco ASA 5510, the other in pfSense.  I've also tried using vyatta and ClarkConnect instead of the pfSense, same results.  It doesn't seem to me to be a firewall issue, but a routing issue.  The inbound route matches with the default outgoing route, then I can get in via that ISP.  I've tried different static routes in then central router without any luck, also.

A better way is if you use the same firewall .... and use the Active/failover feature of Cisco.


Yes, I know.  But I don't have any spare ports on the Cisco, and it really is our primary ISP.  I would still like to get this way working.  Invested too much time to quit on it now.  Do you have any ideas?

ASKER CERTIFIED SOLUTION
diepes:

Log in or create a free account to see answer.

So you're implying that if Firewall A is online, the packets coming in through Firewall B are hitting the internal server, but since the default route in the central router is for Firewall A, they are being returned via Firewall A.  Thus the no connectivity.  Makes sense. Also accounts for the fact that as the default route is changed (via RIP) in the central router to Firewall B, that connection now becomes "magically" active with no other modifications.

Since I can't set up policy routing on the central router, I wouldn't be able to have both connections "live" at the same time. However, inbound fail over could still work (remember I'm not looking for load-balancing, just failover).  ISP A would be our primary ISP for everything, and ISP B would only be active if ISP A was offline.  All that would need to be changed is the default route in the central router from ISP A to ISP B (assuming that similar configurations existed in both firewalls).  Since the default route is learned from RIP, RIP would be the mechanism to change the default route.  Cool!

Thanks for clearing things up for me.

SOLUTION
apd32123:

Log in or create a free account to see answer.

diepes:

One last comment.

It is possible to do the required routing with a Linux FW.
This is done by adding IDs to the connection tracking at connection start, and then selecting different routing tables based on the ID of an existing connection.
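The approach diepes describes, written out as an added example that is not from the thread: a single Linux firewall holding both uplinks marks each new inbound connection with the uplink it arrived on (CONNMARK), restores that mark onto the server's reply packets, and an `ip rule` sends marked packets out through a per-uplink routing table, so replies to an ISP B connection no longer follow the main default route out ISP A. Interface names, gateway addresses, table ids and mark values are assumptions.

```shell
#!/bin/sh
# Per-connection return-path routing on a Linux firewall with two ISP
# uplinks (added example; interface/gateway names are placeholders).
# Connections arriving on ISP A get mark 1, on ISP B mark 2; the mark is
# restored onto every later packet of the connection, including the LAN
# server's replies, and a fwmark rule picks the matching uplink table.

# In dry-run mode (DRY_RUN=1) commands are printed instead of executed.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# apply_policy_routing IF_A GW_A IF_B GW_B
apply_policy_routing() {
    if_a=$1; gw_a=$2; if_b=$3; gw_b=$4
    # Numeric table ids avoid editing /etc/iproute2/rt_tables.
    run ip route replace default via "$gw_a" dev "$if_a" table 100
    run ip route replace default via "$gw_b" dev "$if_b" table 200

    # Loose reverse-path filtering: with strict rp_filter the kernel drops
    # packets arriving on ISP B while the main default route points at ISP A.
    run sysctl -w "net.ipv4.conf.$if_a.rp_filter=2"
    run sysctl -w "net.ipv4.conf.$if_b.rp_filter=2"

    # Tag each NEW inbound connection with the uplink it arrived on.
    run iptables -t mangle -A PREROUTING -i "$if_a" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark 1
    run iptables -t mangle -A PREROUTING -i "$if_b" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark 2
    # Copy the connection mark onto every later packet of that connection,
    # so the server's replies entering from the LAN side carry it too.
    run iptables -t mangle -A PREROUTING -m conntrack --ctstate ESTABLISHED,RELATED \
        -j CONNMARK --restore-mark

    # Marked packets use the uplink-specific table; everything else keeps
    # following the main table (ISP A primary, failover handled as before).
    run ip rule add fwmark 1 table 100
    run ip rule add fwmark 2 table 200
    run ip route flush cache
}

if [ $# -ge 4 ]; then
    apply_policy_routing "$@"
fi
```

Run it as root as `./dualisp.sh wanA 203.0.113.1 wanB 198.51.100.1` (placeholder values); with `DRY_RUN=1` it only prints the commands for review.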
