Multiple gateways??? Redundant connection suggestions.

Brian Kelsay bkelsay at comcast.net
Fri Mar 5 02:26:27 CST 2004


Patrick wrote:

> Ok I guess that was confusing. I do not have my own ASN and thus I do 
> not have my own Public network. Instead I have 2 public network address 
> spaces owned by 2 different ISPs.
> 
> +--------+    +-------+
> | ISP 1  |    | ISP 2 |
> +--------+    +-------+
>   |             |
>   |             |
> +--+-------------+---+
> |My DMZ Network 5 PCs|
> +---------+----------+
>          |
>   +------+---+
>   |PIX       |
>   +-----+----+
>         |
>      Internal Net
> 
> Do I put 2 gateways on my DMZ PCs and the PIX?
> Do I put a linux box with a nic for each gateway and the DMZ?
> Do I put 2 IP nets on the same physical net (DMZ both 192.168.1.0 and 
> 192.168.2.0)?
> Do I just set 1/2 the systems to ISP 1 and the other to ISP 2?
> 

I'll give it a shot.
Do you already have the dialup or any of this working and you just want 
to add to it?  Can't the PIX do more or is it a 2-3 port unit?  How are 
you attaching to the internet?  Pardon my ASCII art.

+--------+    +-------+
| ISP 1  |    | ISP 2 |
+--------+    +-------+
      |            |
       ------------
             |
       +-----+----+
       |Firewall  |
       +-----+----+
       |       |   |
+------+---+  |  +------+--------+
|    DMZ   |  |  |Internal Net 2 |
+-----+----+  |  +------+--------+
               |
           +-----+----------+
           | Internal Net 1 |
           +-----+----------+

The above shows the firewall protecting all nets from the bad ol' 
internet.  The firewall (especially if a Linux box w/ multiple NICs) can 
also route between the 2 internal nets and the DMZ.  The Linux box can 
act as a bridge between the 2 internal nets to segment traffic.  You 
could set up pinholes to allow access as necessary between nets or into 
the DMZ (to get to servers).  These are going to be IPtables rules.
Internal Net 1 (192.168.1.x  192.168.1.1 Gateway)
Internal Net 2 (192.168.2.x  192.168.2.1 Gateway)
DMZ Net        (192.168.3.x  192.168.3.1 Gateway)
3 NICs for internal and DMZ nets and 2 more somethings to connect the 
ISPs.  You may want to add your PIX in to the mix between the firewall 
and the 2 ISPs and let it do the load balance (requires 3 ports).  If it 
had 4, it could have the DMZ dangling off it too, but that would make it 
more complicated.
You are going to need DNS on each internal net if you have a lot of 
machines or running on the firewall box.  I think you could have one for 
both, but then if you allow that traffic you are defeating the purpose 
of segmenting.  Definitely DHCP server on each net.  Same box on Net 1 
could run DHCP and DNS.  For just 5 boxes in the DMZ, if they need to 
talk to each other you can just build a hosts file.
I would assume the two ISPs are T1 or something.

A lot of this depends on the number of machines on each net, the reason 
for the segment, existing equipment.  I have a headache now.

----------------------------------------------
Somewhere there is a village missing an idiot.
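Added example, not part of Brian's post: a small script that generates the iptables FORWARD rules for the layout he sketches (three inside nets on their own NICs, default deny between them, explicit pinholes into the DMZ, both ISP links usable for outbound). The interface names, the DMZ server address 192.168.3.10 and the ports are assumptions for illustration; the subnets are the ones listed in the post. It prints the commands rather than applying them, so you can review the output before piping it to a root shell.

```shell
#!/bin/sh
# Generate (not apply) the forwarding policy for the firewall box in the
# diagram above. Interface names and the DMZ host are assumed values.
# Apply with:  sh fw.sh | sh     (as root, after reviewing the output)

WAN1=eth0             # assumed: link toward ISP 1
WAN2=eth1             # assumed: link toward ISP 2
NET1_IF=eth2          # Internal Net 1, 192.168.1.0/24
NET2_IF=eth3          # Internal Net 2, 192.168.2.0/24
DMZ_IF=eth4           # DMZ,            192.168.3.0/24
DMZ_WEB=192.168.3.10  # assumed DMZ server that Internal Net 1 may reach

# Print one pinhole: new connections from a source net to one DMZ host/port.
pinhole() {  # $1 src iface, $2 src net, $3 dst host, $4 proto, $5 dst port
    echo "iptables -A FORWARD -i $1 -s $2 -o $DMZ_IF -d $3 -p $4 --dport $5 -m state --state NEW -j ACCEPT"
}

gen_rules() {
    echo "iptables -P FORWARD DROP"     # nothing crosses the box unless listed below
    echo "iptables -F FORWARD"
    # replies belonging to an already-accepted connection, any direction
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # every inside net may open connections to the internet over either ISP link
    for inside in $NET1_IF $NET2_IF $DMZ_IF; do
        for wan in $WAN1 $WAN2; do
            echo "iptables -A FORWARD -i $inside -o $wan -m state --state NEW -j ACCEPT"
        done
    done
    # pinholes: only Internal Net 1 reaches the DMZ web server; Net 2 stays segmented
    # and nothing from the DMZ may initiate connections toward the internal nets
    pinhole $NET1_IF 192.168.1.0/24 $DMZ_WEB tcp 80
    pinhole $NET1_IF 192.168.1.0/24 $DMZ_WEB tcp 443
    # log (rate limited) what the DROP policy is about to discard, for troubleshooting
    echo "iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix \"FWD-DROP: \""
    # outbound traffic leaves with the address of whichever ISP link it uses
    for wan in $WAN1 $WAN2; do
        echo "iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE"
    done
}

gen_rules
```

Which ISP link a given connection actually uses is decided by the routing table, not by these rules; the filter rules only say that either link is acceptable.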
