2007-08-08
pakito (Junior Member, joined 2007-08-07, 3 posts)

Force 2 network segments to use different ISPs

Hi everybody! Thank you for all the information that I already found on this forum, although unfortunately it didn't solve this specific problem:

We have 2 ISPs (ISP A and ISP B).
We use 1 network segment (172.27.0.0/16), where some users are assigned a specific IP range (172.27.254.0/24).

I want the IP range 172.27.254.0/24 to always go out through ISP B, while all the traffic always goes out through ISP A.
If ISP A goes down, all traffic must be sent through ISP B, and the same if ISP B goes down.

I used SecureKnowledge and the posts on this forum to configure NAT like this (where DYN_ISP* is a dynamic object and xlat_ISP* is an external IP of the firewall):

Original                           Translated
Source            Destination      Source        Destination
172.27.254.0/24   DYN_ISP_B        xlat_ISP_B    Original
172.27.254.0/24   DYN_ISP_A        xlat_ISP_A    Original
172.27.0.0/16     DYN_ISP_A        xlat_ISP_A    Original
172.27.0.0/16     DYN_ISP_B        xlat_ISP_B    Original

I configured cpisp_update as described in sk25152 to refresh the dynamic objects, and it works fine.

The firewall (Check Point NGX R60 HFA 5 running on SPLAT) is configured for load balancing between the two ISPs.

When I send a packet from 172.27.254.3 to the Internet, the load balancing takes over the NAT and sends it through the ISP_A interface, or through the ISP_B interface, resulting in frequent packet loss! :(

fw monitor shows the following output:
[Expert@myfw]# fw monitor -e "accept dst=194.2.0.20;"
eth5:i[60]: 172.27.254.3 -> 194.2.0.20 (ICMP) len=60 id=25337
ICMP: type=8 code=0 echo request id=768 seq=25600
eth5:I[60]: 172.27.254.3 -> 194.2.0.20 (ICMP) len=60 id=25337
ICMP: type=8 code=0 echo request id=768 seq=25600
eth3:o[60]: 172.27.254.3 -> 194.2.0.20 (ICMP) len=60 id=25337
ICMP: type=8 code=0 echo request id=768 seq=25600
eth3:O[60]: xlat_ISP_B -> 194.2.0.20 (ICMP) len=60 id=25337
ICMP: type=8 code=0 echo request id=10001 seq=25600
>>> Ping not working (NATed packet going to the wrong interface)

Then for the second packet:
eth5:i[60]: 172.27.254.3 -> 194.2.0.20 (ICMP) len=60 id=25337
ICMP: type=8 code=0 echo request id=768 seq=25600
eth5:I[60]: 172.27.254.3 -> 194.2.0.20 (ICMP) len=60 id=25337
ICMP: type=8 code=0 echo request id=768 seq=25600
eth3:o[60]: 172.27.254.3 -> 194.2.0.20 (ICMP) len=60 id=25337
ICMP: type=8 code=0 echo request id=768 seq=25600
eth4:O[60]: xlat_ISP_B -> 194.2.0.20 (ICMP) len=60 id=25337
ICMP: type=8 code=0 echo request id=10001 seq=25600
>>> Ping working (NATed packet going through the good interface)

How can I manually prevent load balancing from occurring, but still be able to use both ISPs at the same time?

Thank you for reading all this; I hope you can help me with this problem, and if you have any questions please post them here :)

Check Point rocks!

Pakito
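As an added example (not from the original post and not Check Point's own tooling), here is a small Python checker that parses fw monitor inspection-point lines like the ones above and flags any post-outbound (O) line where a translated source address leaves on an interface other than the one its ISP is expected to use. The interface mapping is an assumption drawn from the two traces: eth4 carried xlat_ISP_B successfully, so eth4 is taken as the ISP B interface and eth3 as the ISP A interface. The two sample captures are the poster's traces, embedded here as constructed input so the script runs offline.

```python
import re

# Constructed sample input: the two fw monitor traces from the post.
# First trace: the NATed packet (xlat_ISP_B) left on eth3 and the ping failed.
CAPTURE_BAD = """\
eth5:i[60]: 172.27.254.3 -> 194.2.0.20 (ICMP) len=60 id=25337
ICMP: type=8 code=0 echo request id=768 seq=25600
eth5:I[60]: 172.27.254.3 -> 194.2.0.20 (ICMP) len=60 id=25337
ICMP: type=8 code=0 echo request id=768 seq=25600
eth3:o[60]: 172.27.254.3 -> 194.2.0.20 (ICMP) len=60 id=25337
ICMP: type=8 code=0 echo request id=768 seq=25600
eth3:O[60]: xlat_ISP_B -> 194.2.0.20 (ICMP) len=60 id=25337
ICMP: type=8 code=0 echo request id=10001 seq=25600
"""

# Second trace: the NATed packet left on eth4 and the ping worked.
CAPTURE_GOOD = """\
eth5:i[60]: 172.27.254.3 -> 194.2.0.20 (ICMP) len=60 id=25337
ICMP: type=8 code=0 echo request id=768 seq=25600
eth5:I[60]: 172.27.254.3 -> 194.2.0.20 (ICMP) len=60 id=25337
ICMP: type=8 code=0 echo request id=768 seq=25600
eth3:o[60]: 172.27.254.3 -> 194.2.0.20 (ICMP) len=60 id=25337
ICMP: type=8 code=0 echo request id=768 seq=25600
eth4:O[60]: xlat_ISP_B -> 194.2.0.20 (ICMP) len=60 id=25337
ICMP: type=8 code=0 echo request id=10001 seq=25600
"""

# ASSUMPTION (not stated in the post): which external interface belongs to
# which ISP. eth4 carried xlat_ISP_B in the working trace, so we take eth4
# as the ISP B interface and eth3 as the ISP A interface.
IFACE_FOR_XLAT = {"xlat_ISP_A": "eth3", "xlat_ISP_B": "eth4"}

# Matches an inspection-point line such as
#   eth3:O[60]: xlat_ISP_B -> 194.2.0.20 (ICMP) len=60 id=25337
# The "ICMP: type=8 ..." detail lines do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<iface>\w+):(?P<point>[iIoO])\[\d+\]:\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
)


def parse_capture(text):
    """Return (iface, point, src, dst) for every inspection-point line.

    Points: i = pre-inbound, I = post-inbound, o = pre-outbound, O = post-outbound.
    Source NAT is visible by comparing src on the o and O lines.
    """
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append((m["iface"], m["point"], m["src"], m["dst"]))
    return records


def packet_path(text):
    """Summarise the chain of inspection points as 'iface:point' strings."""
    return [f"{iface}:{point}" for iface, point, _, _ in parse_capture(text)]


def find_mismatches(text, iface_for_xlat=IFACE_FOR_XLAT):
    """Return (src, actual_iface, expected_iface) for each post-outbound line
    whose translated source address left on the wrong ISP interface."""
    mismatches = []
    for iface, point, src, _dst in parse_capture(text):
        if point != "O":
            continue  # only the post-outbound line shows the NATed source
        expected = iface_for_xlat.get(src)
        if expected is not None and expected != iface:
            mismatches.append((src, iface, expected))
    return mismatches


if __name__ == "__main__":
    for label, cap in (("first packet", CAPTURE_BAD), ("second packet", CAPTURE_GOOD)):
        print(label, "->", " > ".join(packet_path(cap)))
        for src, actual, expected in find_mismatches(cap):
            print(f"  MISMATCH: {src} left on {actual}, expected {expected}")
```

Run against the two traces, the first packet reports xlat_ISP_B leaving on eth3 where eth4 was expected, and the second reports nothing, which is exactly the difference the poster observed between the failing and the working ping. The same check can be pointed at a longer fw monitor dump to count how often the routing decision and the NAT decision disagree.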