Screen OS

  • 1.  MIP selection on outbound connections

    Posted 09-19-2012 07:36

    Given a ScreenOS 6.3.0 firewall with this configuration:

    unset flow reverse-route clear-text
    set interface "ethernet0/0" zone "Trust"
    set interface ethernet0/0 ip 192.168.1.1/24
    set interface ethernet0/0 nat
    set interface ethernet0/0 ip manageable
    set interface ethernet0/2 ip 10.0.0.1/24
    set interface ethernet0/2 mip 10.9.9.10 host 192.168.1.10 netmask 255.255.255.255 vr trust-vr
    set interface ethernet0/2 mip 10.8.8.10 host 192.168.1.10 netmask 255.255.255.255 vr trust-vr
    set route 0.0.0.0/0 interface ethernet0/2 gateway 10.0.0.254

    (and assuming appropriate policies) is there a way to control which MIP the firewall selects for outbound connections initiated by 192.168.1.10?  (presumably because I want the upstream 10.0.0.254 to do different things with the packet depending on what its source IP is).



  • 2.  RE: MIP selection on outbound connections

    Posted 09-19-2012 19:45

    Hi,

    I can't think of a way to control the MIP selection.

    Thanks.

    Hardeep



  • 3.  RE: MIP selection on outbound connections

    Posted 09-19-2012 23:55

    Hi,

    I do not know whether ScreenOS will use the first configured MIP or the MIP with the lower IP for this, but in any case you will not be able to control this selection, as Hardeep explained.

    If you need more flexibility and control over the NAT you should use policy-based src- and dst-NAT.

    I also never recommend using NAT mode on interfaces. It is absolutely inflexible.



  • 4.  RE: MIP selection on outbound connections

    Posted 09-20-2012 06:53

    OK, my scenario is this: I have two ISP uplinks, each giving me a different IP space.  Each ISP will only route the IP space they have assigned me.

    So in order for the server to be reachable by both ISPs, I need two MIPs for the same server, one on each interface.  Inbound traffic will work fine with the 'unset flow reverse-route clear-text' option in use.

    But for outbound (think an email server sending a message) I need a way to select an appropriate MIP depending on which outbound link I want the system to use, and I want this to be resilient so that if the link the firewall prefers goes down overnight I don't have to manually flip something to keep the mail flowing.

    Basically I'm trying to avoid having to buy a link-balancer appliance (or two, since I'll need a cluster).

    Is there a way to do this?



  • 5.  RE: MIP selection on outbound connections
    Best Answer

    Posted 09-20-2012 07:55

    Hi,

    If MIPs are configured on different interfaces the correct MIP is always selected automatically. This is the MIP configured on the egress interface. Everything depends on routing. The preferred ISP link is the one which has a lower metric on the default route, and the MIP configured on its interface is used. To initiate a routing failover to the secondary ISP and switch to the other MIP if the primary ISP has failed, you should configure IP tracking on the first interface. It's better to ping a remote but reliably reachable IP for this. Sure, you can also monitor the CPE router IP, but it is not always a good solution. The ISP may have routing problems in the backbone while the CPE router IP stays pingable.

    IP tracking puts the interface in the status Down and deactivates its routes if tracking has failed. The default route with the higher metric takes over the traffic and uses the second MIP.

    You can also use a primary-backup interface method. The difference is that the backup interface is always down under normal conditions.

    You will not be able to implement a good load balancing solution without an additional device (because of NAT). Theoretically it's possible to configure load balancing on a per-session basis with Equal Cost Multipath routing (ECMP, up to 4 routes with the same metric), but any application that establishes multiple sessions will fail.

    What is possible is load sharing. Source-based and/or policy-based routing can be used to statically distribute traffic over both links.
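    As an added illustration of the answer above (not configuration from this thread or from Juniper), here is the two-uplink layout the original poster described: one MIP per egress interface, two default routes with different metrics, and IP tracking on the primary uplink. The second uplink on ethernet0/3 with 10.1.1.0/24 and gateway 10.1.1.254, the "Untrust" zone assignments, and the tracked address 203.0.113.1 are assumed placeholders, and the exact track-ip option syntax should be checked against the ScreenOS 6.3 CLI reference before use; lines beginning with # are annotations, not ScreenOS commands.

```text
# Trust side: the server 192.168.1.10 sits behind ethernet0/0 (from the thread)
unset flow reverse-route clear-text
set interface "ethernet0/0" zone "Trust"
set interface ethernet0/0 ip 192.168.1.1/24
set interface ethernet0/0 ip manageable

# Uplink A on ethernet0/2: ISP A routes 10.9.9.0/24 to us (MIP from the thread)
set interface ethernet0/2 zone "Untrust"
set interface ethernet0/2 ip 10.0.0.1/24
set interface ethernet0/2 mip 10.9.9.10 host 192.168.1.10 netmask 255.255.255.255 vr trust-vr

# Uplink B on ethernet0/3 (assumed interface/addressing): ISP B routes 10.8.8.0/24 to us.
# The second MIP moves here so that each MIP lives on its own egress interface.
set interface ethernet0/3 zone "Untrust"
set interface ethernet0/3 ip 10.1.1.1/24
set interface ethernet0/3 mip 10.8.8.10 host 192.168.1.10 netmask 255.255.255.255 vr trust-vr

# Two default routes: the lower metric wins, so outbound sessions egress
# ethernet0/2 and the server's source address is translated to 10.9.9.10.
set route 0.0.0.0/0 interface ethernet0/2 gateway 10.0.0.254 metric 10
set route 0.0.0.0/0 interface ethernet0/3 gateway 10.1.1.254 metric 20

# IP tracking on the primary uplink, pinging an address beyond the CPE router
# (203.0.113.1 is a placeholder). When it becomes unreachable ethernet0/2 is
# marked down and its default route is withdrawn; the metric-20 route takes
# over and new outbound sessions egress ethernet0/3 with source 10.8.8.10.
set interface ethernet0/2 track-ip ip 203.0.113.1
set interface ethernet0/2 track-ip
```

    Confirm the active path with `get route` and the tracking state with `get interface ethernet0/2 track-ip`; existing sessions pinned to the old MIP do not move, only new ones.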



  • 6.  RE: MIP selection on outbound connections

    Posted 09-20-2012 10:06

    This is a pretty good summary of what I discovered on my own, just wanted to check that I had not missed anything.

    Thanks.