Avatar of hypercube
hypercube
Flag for United States of America asked on

Switching internet gateway devices

I have an installation that I access remotely.  So, not killing remote access is important here.  Well, brief interruptions are OK but permanent ones would be very inconvenient.

I need to run some rather comprehensive tests on the SSG-5 which has been introducing some issues and has been temporarily replaced with an RV042.  I need to switch the SSG-5 back into the production role in order to test it.
(This is NOT about failover.  I want this to be manual.)

I have:
A block of public internet addresses.  They are accessed through a managed "internet switch'
A managed LAN switch.
A workstation on the LAN that is accessed via 3rd party VPN.
An RV042 in use as temporary internet gateway with it's own public IP and an internal LAN address of 10.0.0.1
An SSG-5 which had been in use as the internet gateway with it's own public IP and an internal LAN address of 10.0.0.2
10.0.0.1 is the gateway for all the site workstations, etc. and I want to leave this alone.  There is no DHCP enabled; all IP addresses are static.
I have other LAN addresses available if needed. Let's just say 10.0.0.3 and 10.0.0.4.

My preference is to manage the gateway devices from inside the LAN.

Here is the notion:
Start with both devices plugged into the internet switch and into the LAN switch.
Somehow switch between them re: being in the gateway role.
Either this means using some interim router as the gateway or changing their LAN IP addresses.

1) I'm not too sure about doing this but:
 What if I install another RV042 on the LAN and give *it* the gateway address and give the actual gateways other LAN addresses?
Then, add a route to this added router that will point 0.0.0.0 to one of the devices  mentioned above?
And change that route whenever a switchover is needed.
Would this all be on the LAN side? That's all I can imagine.

2)  Assign 10.0.0.1 to both devices and switch their access on the managed LAN switch by turning their respective ports on and off?
If I turn one port on before turning the other off then there will be an IP conflict BUT that will last only as long as the other port is on.  But, it could affect my remote connection in the interim even at that.
If I turn one port off befor turning the other on, then I'll lose the connection for sure.  So that seems not an option.

3) Enter multiple default gateways for my workstation IP.
Change the active gateway to a have new LAN IP; one that's listed as a gateway on my workstation.  Then I won't lose the remote connection (?).
Change the dormant gateway to have the gateway IP.
Change the old active gateway IP to a 4th IP that is not listed as a gateway anywhere - to avoid confusion on my workstation.

I don't like #1 as it inserts an "extra" device that's not really needed and would be involved in the testing.

I'm sure someone has had to deal with this situation.  What are things that work?
NetworkingRoutersNetworking Hardware-Other

Avatar of undefined
Last Comment
hypercube

8/22/2022 - Mon
pergr

When you want to make the switch, to test the SSG, should only your test work station be using it, or all devices on the LAN?
hypercube

ASKER
In this case, for testing, I need to subject the SSG-5 to the full traffic.  Otherwise I could simply enter the SSG-5 as the gateway for my workstation.
pergr

You could consider using VRRP between the RV042 and the SSG, so

10.0.0.1 Virtual IP
10.0.0.2 SSG
10.0.0.3 RV042

Then when making changes, you can either change the priority between the two, and have preempt, so that the 10.0.0.1 falls over to the other.

Alternatively, if your switch is managed, you can shut down the switch port to the RV042 and it would make the SSG take over, etc.
I started with Experts Exchange in 2004 and it's been a mainstay of my professional computing life since. It helped me launch a career as a programmer / Oracle data analyst
William Peck
hypercube

ASKER
I'm a little unclear as to how, on what?, would one implement VRRP.  
It sounds almost too good to be true without adding a device.
pergr

It is true that one often can do the job with protocols, instead of buying appliances - there's just no one selling protocols...

VRRP (Virtual Router Redundancy Protocol) is the open standard version very similar to the old Cisco HSRP protocol.

You configure your routers with addresses as above, and make a VRRP Group 1, which a virtual IP 10.0.0.1, and higher VRRP Priority on the Cisco for that VRRP Group. The Cisco will then start sending VRRP multicast packets, telling the other VRRP routers that for Group 1, it is taking the Virtual IP 10.0.0.1 and its priority.

The SSG is configured with the same group and virtual IP. When the SSG sees the VRRP messages from the Cisco, the SSG will just keep quiet since it sees the Cisco has a higher priority. However, if the VRRP messages stop coming, then the SSG will assume the Cisco is dead, so the SSG will start appearing as 10.0.0.1 on the LAN, and start sending the multicast signalling.

If you configure VRRP with 'preempt', then a router can take over from the old master when priorities change, otherwise without preempt the change-over will only happen when the master disappear.

Another feature of VRRP is that you can make also a Group 2, with Virtual IP 10.0.0.100, and configure the SSG with higher priority for that Group. Now you can configure half of your LAN devices with 10.0.0.1 as default gateway, and the other half with 10.0.0.100 (using DHCP perhaps), and you will get your traffic load balanced over the two routers - and if one router dies the other one will become master for both IPs and take all teh traffic.
pergr

One thing to remember is that with VRRP, according to the standard the master router should not respond to ping (ICMP) to the virtual IP address.

However, since that is very confusing for users , most vendors are responding to ping anyway.

On Junos based Juniper devices you have to specifically configure "accept data" for it to respond to ping. Not sure about the SSG, which is ScreenOS based.
⚡ FREE TRIAL OFFER
Try out a week of full access for free.
Find out why thousands trust the EE community with their toughest problems.
hypercube

ASKER
So far I've not found VRRP on an RV042 ... ?
hypercube

ASKER
But it does appear to be available on ScreenOS 6.2 and beyond.  But without it on the RV042 I don't see yet how this is supposed to work.
pergr

You are probably right. I thought I saw VRRP also for that cisco on some site but that was probably wrong.

The only protocol it supports seems to be RIP, so you would need to use that. If you have layer 3 switch you can put 10.0.0.1 on the switch, and run RIP between the firewalls and the switch. You would then advertise the default route in RIP from the firewall, with a lower metric from your prefered firewall. Then as you change that metric advertised from them, traffic will fall over.
Your help has saved me hundreds of hours of internet surfing.
fblack61
ASKER CERTIFIED SOLUTION
hypercube

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
GET A PERSONALIZED SOLUTION
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.
pergr

My commend about RIP, is very similar to your option 2, but it is using RIP instead of a manual change of default gateway.

Apart from that, you'll just have to chose one of your options, or buy some RIP or VRRP hardware.
hypercube

ASKER
This is what was done and worked....