09-16-2010 02:39 AM
I'm setting up a dual ISP setup at a customer site on an SRX100HM. First of all I will explain a bit about the set-up of our 2 ISPs, because it is a bit of a strange setup:
ISP 1 - Belgacom
This ISP installs a modem at the customer site and behind that modem they install a router with a private network on it; on our site this is the network 192.168.254.0/24. This means that I have to use this private network as the WAN IP on the SRX interface. The router of the ISP has the address 192.168.254.1 and the SRX has the address 192.168.254.2.
ISP 2 - Telenet
This ISP assigns the STATIC IP that we have via a DHCP server; we need to give them the MAC address of the device that is attached to the modem of this ISP, and they always assign the same IP address. This means that we never know exactly what the next hop is. Because this is a problem when we use Filter Based Forwarding on the SRX, we've also installed an additional router behind the ISP with a private network 192.168.253.0/24, so the setup is now the same as at ISP 1. We did this because when you configure FBF you need to give a next-hop and a qualified next-hop to get it to work, and because we don't know them (they assign them statically) we implemented this setup.
Yesterday I did the necessary configuration for the filter based forwarding, and as tested in the test lab the setup works smoothly: when we disconnect the cable at the SRX - the next hop becomes unavailable - all the traffic goes over to the other ISP, nice!
When do you take benefit of a dual ISP setup? Yes, of course, when one of the 2 ISPs fails you can fail over to the other one, and that is not working. In the filter based forwarding we check that the next hop is available; if true the traffic is routed to that ISP, if false the traffic is routed to the other ISP. But because those next hops are private networks they are always available, also when the connection to the internet is DOWN, so this setup will only work when one of the 2 private routers fails.
So the biggest problem is that we can't use Internet IPs for our next hops; this means that the SRX can't 'check' that the internet is available.
Does anybody know how we can change the configuration on the firewall so that it will not only check the next hop (in our case this is a private network) to take the decision to fail over, but uses an internet IP that is expected to be always online? In ScreenOS you had something called "Track IP"; is that still available, and how do I implement that in our setup?
Below you find a picture of the network overview:
Thanks in advance!
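One way to get Track-IP-like behaviour on an SRX, as an added example that is not part of the original post: a Junos RPM ICMP probe forced out the Telenet link to a public target, plus an ip-monitoring policy that installs a default route via the Belgacom router into the Telenet FBF instance while the probe fails. The interface name fe-0/0/1.0, the probe target 203.0.113.1, the routing-instance name telenet, and a Junos release that supports services ip-monitoring are all assumptions.

```junos
## Added example, not from the original post. Assumed placeholders:
##   fe-0/0/1.0   = SRX interface towards the Telenet router (192.168.253.1)
##   203.0.113.1  = a public address that is expected to be always reachable
##   telenet      = the FBF forwarding instance whose default route uses 192.168.253.1

## RPM probe: ping the public target, but force the probe out the Telenet link
## (destination-interface + next-hop), so it tests that ISP and not the FBF decision.
set services rpm probe isp2-monitor test ping-internet probe-type icmp-ping
set services rpm probe isp2-monitor test ping-internet target address 203.0.113.1
set services rpm probe isp2-monitor test ping-internet probe-count 3
set services rpm probe isp2-monitor test ping-internet probe-interval 5
set services rpm probe isp2-monitor test ping-internet test-interval 10
set services rpm probe isp2-monitor test ping-internet thresholds successive-loss 3
set services rpm probe isp2-monitor test ping-internet destination-interface fe-0/0/1.0
set services rpm probe isp2-monitor test ping-internet next-hop 192.168.253.1

## IP monitoring: while the probe is failing, inject a preferred default route into
## the Telenet instance that points at the Belgacom router; the route is removed
## again once the probe succeeds. Assumes the FBF instance imports the interface
## routes from inet.0 via a rib-group, so 192.168.254.1 resolves inside it.
set services ip-monitoring policy isp2-failover match rpm-probe isp2-monitor
set services ip-monitoring policy isp2-failover then preferred-route routing-instances telenet route 0.0.0.0/0 next-hop 192.168.254.1
```

Check the result with `show services rpm probe-results` and `show services ip-monitoring status`; the probe target should be one that only answers when the ISP's internet path really works, not the private router.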