05-04-2016 08:20 AM - edited 03-08-2019 05:37 AM
The subject is cable modems and FWs that are NOT in an HA setup.
Imagine I have a pair of FWs that are NOT in an HA setup because they can't be... for whatever reason.
So, I have cable modem internet access and the 2 FWs are connected to that one cable modem.
Also, with regard to those 2 FWs, each will have its OUTSIDE (PUBLIC) interface sitting on the same subnet, but different IP addresses, of course (since they're not in an HA pair)
So, imagine FW 1 = 50.50.50.1 and FW 2 = 50.50.50.2
Given the LAN routing in place, FW 1 is the ONLY one that is actively sending traffic to the Internet, while FW 2 is standby...so, FW2 is just sitting idle
Then FW1 dies and LAN traffic gets rerouted to FW2 and traffic gets SNAT'ed to 50.50.50.2 heading out to the Internet.
Does this break anything in terms of connectivity? At first I thought I would need a router between the FWs and the modem, but I don't think I need one if the FWs are on the same subnet.
So, what I mean by that is that the default gateway/L3 interface for the subnet 50.50.50.0/29 is sitting on the ISP router, and the cable modem is just providing L2 adjacency between my FW and the ISP router.
If that's the case, then, once FW2 starts sending (or FW2 sends a gratuitous ARP), the ISP's router should build an ARP entry for the 50.50.50.2 (FW2) address, do the MAC layer rewrite, and then L2/MAC forwarding is used to get through the modem to FW2...
NO? Am I missing something?
05-04-2016 07:12 PM
Current NAT'd sessions will break, but then start working again when re-initiated.
Any inbound NATing to servers will break.
You shouldn't have any serious issues.
05-05-2016 05:57 AM
Philip...sorry to bug you, but can you provide a little more detail? Can you explain a little more...is my understanding correct?
05-05-2016 08:02 AM
Do you have inbound internet sessions, or only outbound from your internal addresses?
Outbound sessions would "lose" connectivity when FW1 goes down, but presuming your FW2 can somehow takeover internally when FW1 is down, it can then initiate new sessions outbound. As they originate also from within the ISP address space, the return packets from the NEW sessions initiated will make it from the ISP -> FW2 -> clients.
Existing sessions will be "lost", as they should be returned via FW1 and those pre-established sessions. Users may have to hit refresh or log in to sessions again, or simply lose some images (depending on what they were doing at the time).
Any INBOUND sessions (if you have them) would presumably not work, as their destinations would have a public DNS entry and address of FW1 (or be directed from the ISP router) to an address that doesn't exist until the designated forwarding address inbound exists again.
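To make the outcome described in the reply above concrete, here is an added example (not code from either poster) that models the ISP router's ARP cache, the cable modem as a transparent L2 segment, and the two firewalls' NAT tables, then walks through the failover. The firewall IPs 50.50.50.1/.2 come from the thread; the gateway address, MACs, LAN addresses, ports and the Internet host are constructed for illustration.

```python
"""Constructed model of the thread's scenario: two independent (non-HA)
firewalls on one /29 behind a cable modem that is pure L2, with the ISP
router holding the gateway. Added example; all MACs, LAN addresses, ports
and the remote host are made up."""

from dataclasses import dataclass, field

# Firewall public IPs are from the thread; everything else is constructed.
FW1_IP, FW1_MAC = "50.50.50.1", "aa:aa:aa:aa:aa:01"
FW2_IP, FW2_MAC = "50.50.50.2", "aa:aa:aa:aa:aa:02"
LAN_CLIENT = ("192.168.1.50", 51000)   # a LAN workstation (constructed)
LAN_WEB = ("192.168.1.80", 443)        # a LAN server reachable via DNAT (constructed)


@dataclass
class Firewall:
    name: str
    ip: str
    mac: str
    alive: bool = True
    snat: dict = field(default_factory=dict)  # (pub_ip, pub_port) -> (lan_ip, lan_port)
    dnat: dict = field(default_factory=dict)  # pub_port -> (lan_ip, lan_port)
    next_port: int = 40000

    def open_outbound(self, lan_src):
        """SNAT a new LAN-initiated session behind this firewall's own public IP."""
        pub = (self.ip, self.next_port)
        self.next_port += 1
        self.snat[pub] = lan_src
        return pub

    def receive(self, dst):
        """A frame arrived on the OUTSIDE interface for (ip, port); return the LAN target or None."""
        if not self.alive:
            return None                      # dead box: frame is simply lost
        if dst in self.snat:                 # reply to a session this box opened
            return self.snat[dst]
        if dst[0] == self.ip and dst[1] in self.dnat:   # inbound port-forward
            return self.dnat[dst[1]]
        return None                          # no NAT state here: dropped


class IspRouter:
    """Owns the /29 gateway. The cable modem is modelled as a transparent
    L2 segment (MAC -> firewall), which is exactly the OP's assumption."""

    def __init__(self, segment):
        self.segment = segment
        self.arp = {}                        # ip -> mac

    def learn_gratuitous(self, ip, mac):
        """Gratuitous ARP from a firewall updates the cache unconditionally."""
        self.arp[ip] = mac

    def resolve(self, ip):
        if ip not in self.arp:
            # ARP request is a broadcast; only a live box owning the IP answers.
            for mac, fw in self.segment.items():
                if fw.alive and fw.ip == ip:
                    self.arp[ip] = mac
        return self.arp.get(ip)

    def forward(self, dst):
        """Rewrite the MAC and hand the frame to whoever owns it on the segment."""
        mac = self.resolve(dst[0])
        if mac is None:
            return None                      # ARP went unanswered: packet dropped
        return self.segment[mac].receive(dst)


def run_failover_scenario():
    fw1 = Firewall("FW1", FW1_IP, FW1_MAC, dnat={443: LAN_WEB})
    fw2 = Firewall("FW2", FW2_IP, FW2_MAC)
    isp = IspRouter({FW1_MAC: fw1, FW2_MAC: fw2})
    out = {}

    # Steady state: LAN routing sends everything via FW1.
    sess_a = isp_sess = fw1.open_outbound(LAN_CLIENT)
    out["before_reply_via_fw1"] = isp.forward(sess_a) == LAN_CLIENT
    out["before_inbound_443"] = isp.forward((FW1_IP, 443)) == LAN_WEB

    # FW1 dies; LAN reroutes to FW2, which announces itself with a gratuitous ARP.
    fw1.alive = False
    isp.learn_gratuitous(FW2_IP, FW2_MAC)

    # Return traffic for the old session still targets 50.50.50.1 -> dead FW1.
    out["old_session_after"] = isp.forward(sess_a)
    # A fresh session SNAT'ed to 50.50.50.2 works: the router resolves FW2's MAC.
    sess_b = fw2.open_outbound(LAN_CLIENT)
    out["new_session_after"] = isp.forward(sess_b) == LAN_CLIENT
    # Inbound to the published address/port still lands on FW1 and is lost.
    out["inbound_443_after"] = isp.forward((FW1_IP, 443))
    out["isp_arp_after"] = dict(isp.arp)
    return out


if __name__ == "__main__":
    for k, v in run_failover_scenario().items():
        print(f"{k}: {v}")
```

The model only needs the router to ARP for 50.50.50.2 (or to receive FW2's gratuitous ARP) for new outbound sessions to work, which is the OP's point; it also shows why the two things the reply calls out still fail: reply packets for sessions SNAT'ed to 50.50.50.1 and inbound connections to 50.50.50.1 are delivered to FW1's MAC, whether from a stale cache entry or a re-ARP that nobody answers.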
05-05-2016 01:54 PM
Yes,
05-05-2016 08:45 AM
Just a quick question: how would FW 2 be in a standby state if it is not in an HA pair to begin with? And how would your modem know (unless it is a managed one) how to reroute inbound traffic to FW 2?