Multiple default routes

Hello,

I have the setup below.

I have a server in the DMZ which has a private IP address NAT'd to 98.x.x.5. In the router there are two links coming from different ISPs, and there are 2 default routes pointing towards the respective ISPs. If somebody accesses the server from the internet, through which ISP would the traffic come into the router?

Also, I need LAN traffic to go through ISP1 and DMZ traffic through ISP2. How can the default route be modified in the router to get this to work?

 



Jon Marshall

From the internet traffic will come in via ISP2 because they own that IP address and are advertising it as part of their block.

The path the traffic takes back to the internet though could be either depending on which default route your router chooses.

If you want to send certain traffic down one link and certain traffic down another then you need to look into PBR on the router.

You will probably also need to use IP SLA tracking with your PBR for failover.

Jon

Thanks for the clarification.

Suppose I have a policy in the firewall to allow internet traffic from the DMZ server through a third ISP (ISP3), not through ISP2.

If the traffic is initiated from the internet cloud towards the DMZ server through ISP2, would the return traffic take the same path (according to the stateful inspection table) or go through ISP3?

If I use PBR, will it affect the performance of bandwidth-intensive traffic?

If the traffic is initiated from the internet cloud towards the DMZ server through ISP2, would the return traffic take the same path (according to the stateful inspection table) or go through ISP3?

What path the traffic takes back to the internet is determined by your router.

It has nothing to do with the state table on the firewall.

If it has equal cost paths then it could choose any of the ISPs. That doesn't mean the connection won't work, it just means you are not necessarily using the same link in both directions.

In terms of PBR, yes, there is an overhead with anything you add to a router, but it should be minimal in terms of its effects.

All you can do is apply it and then monitor the resources of the router, especially the CPU, which is the one most likely to be affected.

Jon

That sounds good.

So return traffic has nothing to do with the firewall policy, right?

It doesn't, in the sense of the state table, no.

In terms of which link to use for return traffic then the destination IP would be the public IP and you could match on that and make sure it is sent down the right link.

For traffic initiated from inside the firewall, e.g. general internet access, you could NAT the source IPs to a specific ISP IP and then use PBR to match that IP and send it down the correct link to the internet.

So you can use the firewall to change IPs to make your PBR more effective if you need to although you may not need to.

Jon
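Putting the advice in this thread into an IOS configuration, as an added example that is not from the thread, from Jon, or from Cisco documentation: the router matches on the post-NAT public addresses it actually sees (the DMZ server's ISP2-owned address, and an ISP1-owned address the firewall NATs LAN traffic to), steers each down its own link with PBR, and uses IP SLA tracking so a dead link is skipped. Interface names, next-hop addresses and the documentation-range stand-ins for the public IPs are assumptions.

```cisco
! Assumed topology (constructed for this example, not from the thread):
!   Gi0/0 = toward the firewall, Gi0/1 = ISP1, Gi0/2 = ISP2
!   ISP1 next hop 203.0.113.1, ISP2 next hop 192.0.2.1
!   198.51.100.5  stands in for the thread's 98.x.x.5 (DMZ server, ISP2 block)
!   203.0.113.10  = address the firewall NATs LAN sources to (ISP1 block)
!
! Probe each ISP next hop so PBR and the default routes react to a dead link
ip sla 1
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/1
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 192.0.2.1 source-interface GigabitEthernet0/2
 frequency 10
ip sla schedule 2 life forever start-time now
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
! Match on the public (post-NAT) source addresses, as Jon suggests
ip access-list extended DMZ-PUBLIC
 permit ip host 198.51.100.5 any
ip access-list extended LAN-PUBLIC
 permit ip host 203.0.113.10 any
!
! DMZ -> ISP2, LAN -> ISP1. verify-availability only uses a next hop whose
! track is up; otherwise the packet falls through to normal routing.
route-map SPLIT-EGRESS permit 10
 match ip address DMZ-PUBLIC
 set ip next-hop verify-availability 192.0.2.1 10 track 2
route-map SPLIT-EGRESS permit 20
 match ip address LAN-PUBLIC
 set ip next-hop verify-availability 203.0.113.1 10 track 1
!
! PBR is evaluated on traffic arriving from the firewall
interface GigabitEthernet0/0
 ip policy route-map SPLIT-EGRESS
!
! Tracked default routes so a failed ISP is also withdrawn from the routing
! table; whichever route remains carries fall-through traffic.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
ip route 0.0.0.0 0.0.0.0 192.0.2.1 track 2
```

After applying it, watch CPU as Jon advises (for example with show processes cpu) and confirm matches with show route-map SPLIT-EGRESS.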
