Multiple gateways??? Redundant connection suggestions.

Patrick pert at tas-kc.com
Fri Mar 5 03:35:05 CST 2004


My PIX is a 506(?) not the low end, but next one up. It only has 
internal and external. Rather than try and get it to route and 
stuff--and possibly expose my internal net, I have my DMZ outside of it. 
I only have one internal net. The two nets come to play because ISP one 
gave me 5 IPs and ISP two gave me a whole class-C. Ideally I would like 
to load balance a little, and of course fail over. I am guessing 
something to do with adding a matrix on my gateway entries.

I can force it to go to one gateway or another. If I put both entries as 
standard 0.0.0.0 it does not recognise requests from both. In other 
words it's not pulling up web pages, etc. I thought the internet was 
designed to be able to return data down a second path if needed. I guess 
with the spoofing there are probably safeguards in place so it is not 
replying down the default gateway for requests that came from the 
non-default. And the boxes are obviously not returning requests to the 
gateway they came from.

I could add two NICs to my linux box, but this is not regular routing 
where you can say net1 here and net2 here. It would have 2 default 
routes 0.0.0.0 ... But since each NIC would reply to its own traffic it 
would not have to guess about gateways. Which is why I am thinking of 
running 2 nets on the physical DMZ segment. It gets "messy". Having two 
different IP nets on the same physical segment is supposed to work; you 
just need a router if you want them to talk to each other, which would 
not be a big deal if all the machines have an address in each.

>
>
> +--------+    +-------+
> | ISP 1  |    | ISP 2 |
> +--------+    +-------+
>      |            |
>       ------------
>             |
>       +-----+----+
>       |Firewall  |
>       +-----+----+
>       |       |   |
> +------+---+  |  +------+--------+
> |    DMZ   |  |  |Internal Net 2 |
> +-----+----+  |  +------+--------+
>               |
>           +-----+----------+
>           | Internal Net 1 |
>           +-----+----------+
>
> The above shows the firewall protecting all nets from the bad ol' 
> internet.  The firewall (especially if a Linux box w/ multiple NICs) 
> can also route between the 2 internal nets and the DMZ.  The Linux 
> box can act as a bridge between the 2 internal nets to segment 
> traffic.  You could set up pinholes to allow access as necessary 
> between nets or into the DMZ (to get to servers).  These are going to 
> be iptables rules.
> Internal Net 1 (192.168.1.x  192.168.1.1 Gateway)
> Internal Net 2 (192.168.2.x  192.168.2.1 Gateway)
> DMZ Net        (192.168.3.x  192.168.3.1 Gateway)
> 3 NICs for internal and DMZ nets and 2 more somethings to connect the 
> ISPs.  You may want to add your PIX in to the mix between the firewall 
> and the 2 ISPs and let it do the load balance (requires 3 ports).  If 
> it had 4, it could have the DMZ dangling off it too, but that would 
> make it more complicated.
>  
>
>
>
> ----------------------------------------------
> Somewhere there is a village missing an idiot.
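Added example (not from Patrick's post or the quoted reply): the "replies go out the wrong gateway" problem described above is what Linux policy routing (iproute2, multiple routing tables plus `ip rule`) solves. A host holding an address from each ISP gets one routing table per ISP, and a rule that sends anything *sourced* from ISP N's block through ISP N's gateway, whatever the main table's single default route says. Interface names (eth0, eth1), table numbers (101, 102), and the addresses are assumptions; RFC 5737 documentation ranges stand in for the real /29 and class C. The script prints the commands by default (DRY_RUN=1) and only runs them, as root, with DRY_RUN=0. On the layout in the post (DMZ outside the PIX, each DMZ box with an address from both ISPs) this goes on each DMZ host; on the quoted reply's layout it goes on the Linux firewall.

```shell
#!/bin/sh
# Source-based ("policy") routing for a Linux host with addresses from two
# ISPs: a reply leaves through the gateway that serves its source address.
# All addresses, interfaces and table numbers are assumptions for the example.
set -eu

DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = execute them (root, iproute2)

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# policy_route_cmds TABLE IFACE NET LOCALADDR GATEWAY
# Prints the iproute2 commands that make every packet sourced from NET use
# GATEWAY, regardless of the main table's default route.
policy_route_cmds() {
    table=$1 iface=$2 net=$3 addr=$4 gw=$5
    # Connected route first, so same-subnet traffic does not bounce off the gateway.
    printf 'ip route add %s dev %s src %s table %s\n' "$net" "$iface" "$addr" "$table"
    printf 'ip route add default via %s dev %s table %s\n' "$gw" "$iface" "$table"
    # Rule preference: lower numbers are consulted first; 1101/1102 sit well
    # before the main table's own rule at 32766.
    printf 'ip rule add from %s table %s pref %s\n' "$net" "$table" "$((1000 + $table))"
}

apply_policy_routes() {
    policy_route_cmds "$@" | while IFS= read -r cmd; do
        # Word-splitting of $cmd into "ip route add ..." arguments is intended.
        run $cmd
    done
}

# Reverse-path filtering is the "safeguard" that bites a multi-homed box:
# strict mode (1) drops a packet arriving on ISP 2's link when the main table
# would route its source back via ISP 1. Loose mode (2, kernel 2.6.31+) only
# requires that some route to the source exists; on older kernels set 0 here.
rp_filter_cmds() {
    for iface in "$@"; do
        printf 'sysctl -w net.ipv4.conf.%s.rp_filter=2\n' "$iface"
    done
}

main() {
    # ISP 1: the small block (a /29 here). ISP 2: the whole "class C".
    #                  table iface net               local addr     gateway
    apply_policy_routes 101  eth0  192.0.2.16/29     192.0.2.18     192.0.2.17
    apply_policy_routes 102  eth1  198.51.100.0/24   198.51.100.10  198.51.100.1
    rp_filter_cmds eth0 eth1 | while IFS= read -r cmd; do run $cmd; done
    # Locally originated connections still follow the main table, i.e. the one
    # default gateway you pick here; only source-tagged traffic is steered.
    run ip route add default via 198.51.100.1 dev eth1
}

main
```

`ip rule add` appends and is not idempotent, so flush the rules (`ip rule flush`, then re-add the `main`/`local`/`default` rules, or reboot) before re-running with DRY_RUN=0. This gives fail-over of *inbound* service per ISP and correct replies; it does not by itself balance outbound traffic, which still follows the single main-table default (the `equalize`/multipath route option exists for that, but is a separate exercise).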




More information about the Kclug mailing list