ScreenOS Firewalls (NOT SRX)
Blogs
Discussion Forums
Programs & Events
turn on suggestions Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Reply
Topic Options
JulioCassettez
Contributor
JulioCassettez
Posts: 51
Registered: ‎12-08-2010
0
Accepted Solution

Dual ISP Question

Options

‎04-29-2012 11:34 PM

I'm trying to figure out the best way to use 2 ISP's at the same time for redundancy.

 

I believe ECMP will cause problems for me because I'm using NAT.  Source routing will be problematic because I have multiple inside interfaces (internal subnets wouldn't be able to see each other).  I could use PBR.  But I think simple static routes could work.

 

Instead of using default routes, I'll do this:

 

0.0.0.0/2 to ISP a pref 1
0.0.0.0/2 to ISP b pref 2

64.0.0.0/2 to ISP b pref 1
64.0.0.0/2 to ISP a pref 2

128.0.0.0/2 to ISP a pref 1
128.0.0.0/2 to ISP b pref 2

192.0.0.0/2 to ISP b pref 1
192.0.0.0/2 to ISP a pref 2
 
(use IP tracking to fallback to secondary route in case ISP fails)
That leaves me with a few questions. 
1.  If I also host inbound services (a web server I give people access to from the internet), will asymmetric traffic give me problems?  Ie, if somebody *from* ISP a connects to my web server, and my return route is to ISP b, will traffic break?  Both ISP's will be in the same zone.  Or do the interfaces actually have to be the same as well?
2.  Or, when the return traffic flows through the netscreen (2nd packet of the tcp session) will the netscreen ignore the routing table and see that it had an existing session and send it back out the same interface the first packet came in on?
Message 1 of 4 (657 Views)
 
Reply
Trusted Contributor
nikolay.semov
Posts: 160
Registered: ‎03-15-2012
0

Re: Dual ISP Question

Options

‎04-30-2012 04:45 AM

The existing session should determine where the return traffic will go. I'm just wondering if the reverse route lookup during session setup will be satisfied with an inactive route...
Message 2 of 4 (653 Views)
 
Posted from Palm Pre2
Reply
Trusted Contributor
lanman
Posts: 62
Registered: ‎11-27-2010

Re: Dual ISP Question

Options

‎04-30-2012 01:53 PM

Inbound services will probably work fine. You can check how the firewall handles reverse routing by issuing the command:

 

get flow | include clear-text

 

The default setting is "prefer reverse route", which means that the firewall will first try to find a route back to the originating host. If there is no active route, then packets are sent back through the incoming interface to the MAC-address where packets came from (upstream router).

You can change the default behavior as follows:

 

set flow reverse-route clear-text always (always do a reverse route lookup)

unset flow reverse-route clear-text (no route lookup, always use the cached MAC-address)

 

Steve


Message 3 of 4 (640 Views)
 
Reply
JulioCassettez
Contributor
JulioCassettez
Posts: 51
Registered: ‎12-08-2010
0

Re: Dual ISP Question

Options

‎05-03-2012 09:55 AM

Excellent.  Thanks for the response!

Message 4 of 4 (602 Views)
 
Reply
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.