The subject is cable modems and FWs that are NOT in an HA setup.
Imagine I have a pair of FWs that are NOT in an HA setup because they can't be ...for whatever reason.
So, I have cable modem internet access and the 2 FWs are connected to that one cable modem.
Also, with regard to those 2 FWs, each will have its OUTSIDE (PUBLIC) interface sitting on the same subnet, but different IP addresses, of course (since they're not in an HA pair)
So, imagine FW 1 = 126.96.36.199 and FW 2 = 188.8.131.52
Given the LAN routing in place, FW 1 is the ONLY one that is actively sending traffic to the Internet, while FW 2 is standby...so, FW2 is just sitting idle
Then FW1 dies and LAN traffic gets rerouted to FW2 and traffic gets SNAT'ed to 184.108.40.206 heading out to the Internet.
Does this break anything in terms of connectivity? At first I thought I would need a router between the FWs and the modem, but I don't need one if the FWs are on the same subnet.
So, what I mean by that is that the default gateway/L3 interface for the subnet 220.127.116.11/29 is sitting on the ISP router and the cable modem is just providing L2 adjacency between my FW and the ISP router.
If thats the case, then, once FW2 starts sending (or FW2 sends a gratuitous ARP), the ISP's router should build an ARP entry for the 18.104.22.168 (FW2) address, do the MAC layer rewrite, and then L2/MAC forwarding is used to get through the modem to FW2...
Do you have inbound internet sessions, or only outbound from your internal addresses?
Outbound sessions would "lose" connectivity when FW1 goes down, but presuming your FW2 can somehow take over internally when FW1 is down, it can then initiate new sessions outbound. As they also originate from within the ISP address space, the return packets from the NEW sessions initiated will make it from the ISP -> FW2 -> clients.
Existing sessions will be "lost", as they should be returned via FW1 and those preestablished sessions. Users may have to hit refresh or log in to sessions again; or simply lose some images (depending on what they were doing at the time).
Any INBOUND sessions (if you have them) would presumably not work, as their destinations would have a public DNS entry and address of FW1 (or be directed from the ISP router) to an address that doesn't exist until the designated forwarding address inbound exists again.
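The failover the answer walks through, as an added example that is not part of the original post: a small Python model of the ISP router's ARP table and each firewall's SNAT table (constructed RFC 5737 addresses and locally administered MACs), showing that return traffic for existing sessions and inbound sessions addressed to FW1 is dropped after FW1 dies, while new outbound sessions SNAT'ed to FW2 succeed. It assumes the ISP router keeps an ARP entry for FW1's address pointing at the dead box and that FW2 never claims FW1's IP.

```python
# Added example: a constructed model of the two-firewall failover described
# in this thread (not code from the post; addresses are RFC 5737 placeholders).
from dataclasses import dataclass, field


@dataclass
class Firewall:
    name: str
    public_ip: str
    mac: str
    alive: bool = True
    # SNAT table: public source port -> (LAN client IP, client port)
    nat: dict = field(default_factory=dict)


class IspRouter:
    """Default gateway for the /29; the cable modem is only L2 in between."""

    def __init__(self):
        self.arp = {}  # public_ip -> MAC, learned from traffic or gratuitous ARP

    def learn(self, fw):
        self.arp[fw.public_ip] = fw.mac

    def return_packet(self, dst_ip, dst_port, fws):
        """Deliver an Internet->FW packet; returns the LAN client or None."""
        fw = next((f for f in fws if f.mac == self.arp.get(dst_ip)), None)
        if fw is None or not fw.alive:
            return None  # no ARP entry, or ARP points at a dead box: dropped
        return fw.nat.get(dst_port)  # unknown port: no NAT state, dropped


def simulate():
    fw1 = Firewall("FW1", "203.0.113.2", "02:00:00:00:00:01")
    fw2 = Firewall("FW2", "203.0.113.3", "02:00:00:00:00:02")
    isp, fws = IspRouter(), [fw1, fw2]
    # Normal operation: LAN client 10.0.0.5 opens a session through FW1.
    isp.learn(fw1)
    fw1.nat[40001] = ("10.0.0.5", 51000)
    existing_before = isp.return_packet(fw1.public_ip, 40001, fws)
    # FW1 dies; LAN routing fails over to FW2, which announces itself (GARP).
    fw1.alive = False
    isp.learn(fw2)
    existing_after = isp.return_packet(fw1.public_ip, 40001, fws)
    # New outbound session is SNAT'ed to FW2's address and its return works.
    fw2.nat[40002] = ("10.0.0.5", 51001)
    new_after = isp.return_packet(fw2.public_ip, 40002, fws)
    # Inbound session to the published (FW1) address: nobody answers for it.
    inbound_after = isp.return_packet(fw1.public_ip, 443, fws)
    return {"existing_before": existing_before, "existing_after": existing_after,
            "new_after": new_after, "inbound_after": inbound_after}
```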