05-01-2016 08:39 PM - edited 03-08-2019 05:34 AM
I will be replacing my firewall in the next few months and didn't want to do a forklift upgrade. I would rather install new firewalls to test before removing the old ones.
A watered-down version of the current setup: the core switch does the routing and has a default route to the firewall. The firewall then has a default route to the ISP router (x.x.x.1 /24). What I want to do is add the new firewall with a different inside and outside interface IP (x.x.x.3) alongside the existing firewall. With this I have 2 questions.
1) For traffic coming from the new firewall, how does the ISP router know to route traffic back into that firewall and not send traffic to the existing x.x.x.2 interface of the old firewall? There is no route in the ISP router that points directly to x.x.x.2, correct? Just a route to the /24 subnet?
2) For anyone else that has replaced either a firewall/edge router, what was your preferred method?
Current Setup
Desired Setup
05-01-2016 09:19 PM
see my interpretation below in italic
1) For traffic coming from the new firewall, how does the ISP router know to route traffic back into that firewall and not send traffic to the existing x.x.x.2 interface of the old firewall? There is no route in the ISP router that points directly to x.x.x.2, correct? Just a route to the /24 subnet?
- Because the ISP and the 2 FWs are on the same segment, your ISP should be able to send traffic back to either .2 or .3 if that traffic is initiated from your network (depending on which FW is primary and secondary); remember the ISP will have a TCP/IP socket for that particular traffic, as per its ARP table.
You will still need to talk to your provider about redundancy though. I mean, what sort of redundancy will you be aiming for? When your FW LAN link goes down? When the FW itself goes down? Your ISP will need to track the status of either FW and fail routing over if needed, so that traffic initiated from the outside is routed into your network.
05-01-2016 09:47 PM
I really already have redundancy on the current firewall setup; I just didn't put it in there to prevent the diagram from being cluttered.
Redundancy is not what I'm looking for here. This is a temporary setup to test the new firewall config. I want to run my FWs in parallel with each other, both in an active state. Is this possible?
I understand that for traffic initiated from my network there will be a TCP/IP socket, but what about traffic initiated from outside? It would seem both FWs would receive the request, causing some kind of loop.
05-02-2016 04:34 AM
You have to distinguish two situations here:
1) The ISP router only "sees" packets in the range x.x.x.0/24. That is achieved by NATing your traffic to a free IP of that range. The router and the firewalls use ARP to find the correct device on the outside subnet. In addition to that, you have to tell the internal test system to route its packets to the test firewall.
2) You want to use public IPs in your internal network and/or DMZ. In this case you have to tell your ISP to add host or subnet routes pointing to x.x.x.3.
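To make the two cases in the reply above concrete (and the earlier worry that both firewalls would receive an inbound request), here is a small forwarding model added as an illustration; it is not code from the thread or from any vendor. It assumes constructed RFC 5737 addresses (203.0.113.0/24 as the ISP-facing /24 with the ISP router at .1, the old firewall at .2 and the new one at .3; 10.0.0.0/24 as the shared inside VLAN; 10.10.10.0/24 as the test hosts the core switch policy-routes to the new firewall; 198.51.100.0/28 as a public DMZ behind the new firewall), hide-NAT on each firewall behind its own outside IP, and a single ARP owner per outside address. Substitute your own values.

```python
"""Forwarding model for two firewalls in parallel on one ISP-facing /24.

Added illustration, not from the original thread. Every address below is a
constructed documentation range (RFC 5737); the topology is an assumption.
"""
from ipaddress import ip_address, ip_network

# --- constructed topology ---------------------------------------------------
OUTSIDE = ip_network("203.0.113.0/24")            # the ISP-facing /24 (x.x.x.0/24)
ISP_ROUTER, OLD_FW_OUT, NEW_FW_OUT = "203.0.113.1", "203.0.113.2", "203.0.113.3"
OLD_FW_IN, NEW_FW_IN = "10.0.0.2", "10.0.0.3"     # inside interfaces, same VLAN as core
TEST_HOSTS = ip_network("10.10.10.0/24")          # hosts steered to the new firewall
DMZ_PUBLIC = ip_network("198.51.100.0/28")        # public IPs routed inside (case 2)
DEFAULT = ip_network("0.0.0.0/0")

# Who answers ARP for which address on the outside segment. Each IP has
# exactly one owner, which is why both firewalls never see the same frame.
ARP_OWNERS = {ISP_ROUTER: "isp-router", OLD_FW_OUT: "old-fw", NEW_FW_OUT: "new-fw"}
INSIDE_OWNERS = {OLD_FW_IN: "old-fw", NEW_FW_IN: "new-fw"}

# Routing tables as (prefix, next-hop). "connected" means ARP for the
# destination itself; any other next-hop is ARPed for instead.
ISP_ROUTES = [(OUTSIDE, "connected"), (DEFAULT, "upstream")]
CORE_ROUTES = [(DEFAULT, OLD_FW_IN)]               # default still points at the old FW
FIREWALLS = {
    "old-fw": {"nat": OLD_FW_OUT},                 # hide-NAT behind .2
    "new-fw": {"nat": NEW_FW_OUT},                 # hide-NAT behind .3
}


def lookup(routes, dst):
    """Longest-prefix match over (prefix, next_hop) pairs; None if no route."""
    best = None
    for prefix, nh in routes:
        if ip_address(dst) in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nh)
    return best[1] if best else None


def isp_next_device(dst, extra_routes=()):
    """Device on the segment that receives a packet the ISP router sends to dst.

    extra_routes models host/subnet routes the provider adds for case 2.
    """
    nh = lookup(list(extra_routes) + ISP_ROUTES, dst)
    if nh == "upstream":
        return "upstream"                          # not ours: follows the default away
    arp_target = dst if nh == "connected" else nh
    return ARP_OWNERS.get(arp_target, "unresolved")


def core_next_fw(src, dst):
    """Core switch: assumed policy route for test hosts, default route otherwise."""
    if ip_address(src) in TEST_HOSTS:
        return "new-fw"
    return INSIDE_OWNERS[lookup(CORE_ROUTES, dst)]


def outbound(src, dst="192.0.2.10"):
    """Case 1: internal host to the internet and the reply coming back."""
    fw = core_next_fw(src, dst)
    nat_src = FIREWALLS[fw]["nat"]                 # the only address the ISP sees
    reply_fw = isp_next_device(nat_src)            # ISP ARPs for nat_src on the /24
    return {"egress_fw": fw, "nat_src": nat_src, "reply_fw": reply_fw,
            "symmetric": fw == reply_fw}


def inbound(dst, isp_extra_routes=()):
    """Case 2: traffic initiated from outside towards dst."""
    return isp_next_device(dst, isp_extra_routes)


if __name__ == "__main__":
    print("test host  :", outbound("10.10.10.50"))
    print("other host :", outbound("10.20.0.7"))
    print("to .3      :", inbound(NEW_FW_OUT))
    print("DMZ, no ISP route  :", inbound("198.51.100.5"))
    print("DMZ, ISP host route:", inbound("198.51.100.5", [(DMZ_PUBLIC, NEW_FW_OUT)]))
```

The model shows why there is no loop: the ISP router resolves each destination (or next-hop) to a single MAC via ARP, so a packet for .3 lands only on the new firewall and a reply to a NATed session lands on whichever firewall owns the NAT address. It also shows the failure mode of case 2: without a provider route for the DMZ prefix, inbound packets for 198.51.100.5 follow the ISP's default route away from you. One practical caveat when later moving an address from the old firewall to the new one: the ISP router's ARP cache may still map it to the old MAC until it expires or the new firewall announces it (gratuitous ARP), so plan for that gap during cutover.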