ScreenOS Firewalls (NOT SRX)
Contributor
JulioCassettez
Posts: 77
Registered: 12-08-2010
Accepted Solution

Dual ISP Question

I'm trying to figure out the best way to use 2 ISPs at the same time for redundancy.

I believe ECMP will cause problems for me because I'm using NAT. Source routing will be problematic because I have multiple inside interfaces (internal subnets wouldn't be able to see each other). I could use PBR. But I think simple static routes could work.

Instead of using default routes, I'll do this:

0.0.0.0/2 to ISP a pref 1
0.0.0.0/2 to ISP b pref 2

64.0.0.0/2 to ISP b pref 1
64.0.0.0/2 to ISP a pref 2

128.0.0.0/2 to ISP a pref 1
128.0.0.0/2 to ISP b pref 2

192.0.0.0/2 to ISP b pref 1
192.0.0.0/2 to ISP a pref 2

(use IP tracking to fall back to the secondary route in case an ISP fails)

That leaves me with a few questions.

1. If I also host inbound services (a web server I give people access to from the internet), will asymmetric traffic give me problems? I.e., if somebody *from* ISP a connects to my web server, and my return route is to ISP b, will traffic break? Both ISPs will be in the same zone. Or do the interfaces actually have to be the same as well?

2. Or, when the return traffic flows through the NetScreen (2nd packet of the TCP session), will the NetScreen ignore the routing table and see that it had an existing session and send it back out the same interface the first packet came in on?
Super Contributor
nikolay.semov
Posts: 171
Registered: 03-15-2012

Re: Dual ISP Question

The existing session should determine where the return traffic will go. I'm just wondering if the reverse route lookup during session setup will be satisfied with an inactive route...
Super Contributor
lanman
Posts: 70
Registered: 11-27-2010

Re: Dual ISP Question

Inbound services will probably work fine. You can check how the firewall handles reverse routing by issuing the command:

get flow | include clear-text

The default setting is "prefer reverse route", which means that the firewall will first try to find a route back to the originating host. If there is no active route, then packets are sent back through the incoming interface to the MAC address where the packets came from (upstream router).

You can change the default behavior as follows:

set flow reverse-route clear-text always (always do a reverse route lookup)

unset flow reverse-route clear-text (no route lookup, always use the cached MAC address)

Steve
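To make the /2 route plan from the question and the reverse-route behaviour Steve describes concrete, here is an added Python model. It is not ScreenOS code and not from any poster: it builds the four /2 prefix pairs with primary and backup preferences, simulates IP tracking deactivating an ISP's routes, and records the return path at session setup according to the three reverse-route settings listed above. The interface names isp_a, isp_b and trust, the sample addresses, and the "lower preference value wins" tie-break are assumptions made for the illustration.

```python
"""Model of a dual-ISP static-route plan plus reverse-route handling.

Constructed illustration only: interface names, addresses and the
preference tie-break are assumptions, not ScreenOS behaviour verified here.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    isp: str            # egress interface, e.g. "isp_a" (assumed name)
    pref: int           # 1 = primary, 2 = backup, as in the question
    active: bool = True  # IP tracking clears this when the ISP fails


@dataclass
class Session:
    ingress: str      # interface the first packet arrived on
    egress: str       # interface the first packet was forwarded to
    return_via: str   # interface cached for reply traffic


def build_routes():
    """The four /2 pairs from the post; each primary gets the other ISP as backup."""
    plan = [("0.0.0.0/2", "isp_a"), ("64.0.0.0/2", "isp_b"),
            ("128.0.0.0/2", "isp_a"), ("192.0.0.0/2", "isp_b")]
    routes = []
    for prefix, primary in plan:
        backup = "isp_b" if primary == "isp_a" else "isp_a"
        net = ipaddress.IPv4Network(prefix)
        routes.append(Route(net, primary, 1))
        routes.append(Route(net, backup, 2))
    return routes


class Firewall:
    def __init__(self, routes, reverse_route="prefer"):
        # reverse_route: "prefer" (default), "always", or "never" (the unset case)
        self.routes = routes
        self.reverse_route = reverse_route
        self.sessions = {}

    def set_isp(self, isp, up):
        """Model IP tracking: deactivate or reactivate every route via an ISP."""
        for r in self.routes:
            if r.isp == isp:
                r.active = up

    def lookup(self, dst):
        """Longest active prefix wins; ties broken by lower preference value (assumed)."""
        dst = ipaddress.IPv4Address(dst)
        cands = [r for r in self.routes if r.active and dst in r.prefix]
        if not cands:
            return None
        best = min(cands, key=lambda r: (-r.prefix.prefixlen, r.pref))
        return best.isp

    def first_packet(self, src, dst, ingress):
        """Session setup for an inbound connection arriving on `ingress`.

        The reply path is decided once here and cached in the session, so
        later packets of the session do not consult the routing table.
        """
        egress = "trust"          # assumption: the web server sits behind "trust"
        rev = self.lookup(src)    # reverse route lookup toward the originator
        if self.reverse_route == "always":
            if rev is None:
                return None       # no route back at all: no session is created
            return_via = rev
        elif self.reverse_route == "never":
            return_via = ingress  # always the cached ingress interface / MAC
        else:                     # "prefer": route if one is active, else ingress
            return_via = rev if rev is not None else ingress
        sess = Session(ingress, egress, return_via)
        self.sessions[(src, dst)] = sess
        return sess

    def reply_packet(self, src, dst):
        """Reply from dst to src follows the cached session, not a fresh lookup."""
        sess = self.sessions.get((src, dst))
        return sess.return_via if sess else None


if __name__ == "__main__":
    fw = Firewall(build_routes())
    # Inbound client in the 64.0.0.0/2 range arrives via ISP a (constructed addresses)
    s = fw.first_packet("100.1.1.1", "10.0.0.80", "isp_a")
    print("prefer, ISP b up:", s.return_via)       # asymmetric: replies leave via isp_b
    fw.set_isp("isp_b", False)                      # IP tracking marks ISP b down
    s = fw.first_packet("100.1.1.2", "10.0.0.80", "isp_a")
    print("prefer, ISP b down:", s.return_via)     # falls back to the backup route
```

With the default "prefer" setting the model returns replies over the ISP the route table points to, which is exactly the asymmetric case the question worries about; with tracking marking that ISP down, or with reverse routing unset, the reply follows the ingress interface instead.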


Contributor
JulioCassettez
Posts: 77
Registered: 12-08-2010

Re: Dual ISP Question

Excellent.  Thanks for the response!

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.