03-14-2015 05:22 AM - edited 03-07-2019 11:05 PM
Hello,
I have the setup below.
I have a server in the DMZ whose private IP address is NAT'd to 98.x.x.5. In the router there are two links coming from different ISPs, and two default routes pointing towards the respective ISPs. If somebody accesses the server from the internet, through which ISP would the traffic come into the router?
Also I need LAN traffic to go through ISP1 and DMZ traffic through ISP2. How can the default route be modified in the router to get this to work?
03-14-2015 05:27 AM
From the internet, traffic will come in via ISP2 because they own that IP address and are advertising it as part of their block.
The path the traffic takes back to the internet, though, could be either, depending on which default route your router chooses.
If you want to send certain traffic down one link and certain traffic down another then you need to look into PBR on the router.
You will probably also need to use IP SLA tracking with your PBR for failover.
Jon
03-14-2015 06:43 AM
Thanks for the clarification.
Suppose I have a policy in the firewall to allow internet traffic from the DMZ server through a third ISP (ISP3), not through ISP2.
If the traffic is initiated from the internet cloud towards the DMZ server through ISP2, would the return traffic take the same path (according to the stateful inspection table) or go through ISP3?
If I use PBR, will it affect the performance of bandwidth-intensive traffic?
03-14-2015 06:48 AM
If the traffic is initiated from the internet cloud towards the DMZ server through ISP2, would the return traffic take the same path (according to the stateful inspection table) or go through ISP3?
What path the traffic takes back to the internet is determined by your router.
It has nothing to do with the state table on the firewall.
If it has equal-cost paths then it could choose any of the ISPs. That doesn't mean the connection won't work; it just means you are not necessarily using the same link in both directions.
In terms of PBR, yes, there is an overhead with anything you add to a router, but it should be minimal in terms of its effects.
All you can do is apply it and then monitor the resources of the router, especially the CPU, which is the one most likely to be affected.
Jon
03-14-2015 07:03 AM
That sounds good.
So return traffic has nothing to do with the firewall policy, right?
03-14-2015 07:12 AM
It doesn't, in the sense of the state table, no.
In terms of which link to use for return traffic, the destination IP would be the public IP, and you could match on that and make sure it is sent down the right link.
For traffic initiated from inside the firewall, e.g. general internet access, you could NAT the source IPs to a specific ISP IP and then use PBR to match that IP and send it down the correct link to the internet.
So you can use the firewall to change IPs to make your PBR more effective if you need to, although you may not need to.
Jon
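A worked IOS configuration for the split described in Jon's two replies above (PBR on the router, IP SLA tracking for failover, and classification on the post-NAT addresses the firewall presents). This is an added example for illustration, not configuration posted in the thread or published by Cisco. The interface names, ISP next hops, and the RFC 5737 documentation addresses standing in for 98.x.x.5 and the two ISP blocks are assumptions; substitute the real ones.

```cisco
! Assumed addressing (RFC 5737 ranges, stand-ins for the real blocks):
!   Gi0/0  inside, towards the firewall
!   Gi0/1  ISP1 link, next hop 203.0.113.1; firewall NATs LAN users to 203.0.113.100
!   Gi0/2  ISP2 link, next hop 192.0.2.1;   firewall NATs the DMZ server to 198.51.100.5
!
! 1. Probe each ISP next hop so a dead link is detected.
ip sla 1
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/1
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 192.0.2.1 source-interface GigabitEthernet0/2
 frequency 5
ip sla schedule 2 life forever start-time now
!
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
! 2. Two tracked default routes. While both probes succeed they are equal-cost,
!    so the router may pick either; a route is withdrawn when its probe fails.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
ip route 0.0.0.0 0.0.0.0 192.0.2.1 track 2
!
! 3. Classify outbound traffic by its post-NAT source as it arrives from the firewall.
ip access-list extended LAN-OUT
 permit ip host 203.0.113.100 any
ip access-list extended DMZ-OUT
 permit ip host 198.51.100.5 any
!
! 4. Policy: LAN via ISP1, DMZ via ISP2. "verify-availability ... track N" skips the
!    set clause when that ISP is down, so the packet falls through to the surviving
!    default route instead of being sent into a dead link.
route-map ISP-SPLIT permit 10
 match ip address LAN-OUT
 set ip next-hop verify-availability 203.0.113.1 10 track 1
route-map ISP-SPLIT permit 20
 match ip address DMZ-OUT
 set ip next-hop verify-availability 192.0.2.1 10 track 2
! Anything not matched (or whose next hop is down) is routed by the routing table.
!
interface GigabitEthernet0/0
 description Inside, towards firewall
 ip policy route-map ISP-SPLIT
```

Check it with `show track`, `show ip sla statistics` and `show route-map ISP-SPLIT`, which counts the packets each clause policy-routed. Pinning the DMZ server's return traffic to ISP2 also matters beyond tidiness: 198.51.100.5 is ISP2's address, and an ISP1 that filters customer source addresses (BCP 38) will drop that traffic if the router happens to pick the ISP1 default route. On CEF-enabled platforms PBR is switched in the fast path, so the CPU impact Jon mentions is usually small, but watch `show processes cpu` after applying it.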