CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hi everybody! Thank you for all the information that I already found on this forum, although unfortunately it didn't solve this specific problem:

We have 2 ISPs (ISP A and ISP B). We use 1 network segment (172.27.0.0/16), where some users are assigned a specific IP range (172.27.254.0/24). I want the IP range 172.27.254.0/24 to always go out through ISP B, while all the traffic always goes out through ISP A. If ISP A goes down, all traffic must be sent through ISP B, and the same thing if ISP B goes down.

I used SecureKnowledge & the posts on this forum to configure NAT like this (where DYN_ISP* is a dynamic object and xlat_ISP* is an external IP of the firewall):

| Original source | Original destination | Translated source | Translated destination |
|---|---|---|---|
| 172.27.254.0/24 | DYN_ISP_B | xlat_ISP_B | Original |
| 172.27.254.0/24 | DYN_ISP_A | xlat_ISP_A | Original |
| 172.27.0.0/16 | DYN_ISP_A | xlat_ISP_A | Original |
| 172.27.0.0/16 | DYN_ISP_B | xlat_ISP_B | Original |

I configured cpisp_update as described in sk25152 to refresh the dynamic objects, and it works fine. The firewall (Check Point NGX R60 HFA 5 running on SPLAT) is configured for load balancing between the two ISPs. When I send a packet from 172.27.254.3 to the internet, the load balancing takes over the NAT and sends it through the ISP_A interface or through the ISP_B interface, resulting in frequent packet loss! :(

fw monitor shows the following output:

```
[Expert@myfw]# fw monitor -e "accept dst=194.2.0.20;"
eth5:i[60]: 172.27.254.3 -> 194.2.0.20 (ICMP) len=60 id=25337
ICMP: type=8 code=0 echo request id=768 seq=25600
eth5:I[60]: 172.27.254.3 -> 194.2.0.20 (ICMP) len=60 id=25337
ICMP: type=8 code=0 echo request id=768 seq=25600
eth3:o[60]: 172.27.254.3 -> 194.2.0.20 (ICMP) len=60 id=25337
ICMP: type=8 code=0 echo request id=768 seq=25600
eth3:O[60]: xlat_ISP_B -> 194.2.0.20 (ICMP) len=60 id=25337
ICMP: type=8 code=0 echo request id=10001 seq=25600
```

>>> Ping not working (NATed packet going to the wrong interface)

Then for the second packet:

```
eth5:i[60]: 172.27.254.3 -> 194.2.0.20 (ICMP) len=60 id=25337
ICMP: type=8 code=0 echo request id=768 seq=25600
eth5:I[60]: 172.27.254.3 -> 194.2.0.20 (ICMP) len=60 id=25337
ICMP: type=8 code=0 echo request id=768 seq=25600
eth3:o[60]: 172.27.254.3 -> 194.2.0.20 (ICMP) len=60 id=25337
ICMP: type=8 code=0 echo request id=768 seq=25600
eth4:O[60]: xlat_ISP_B -> 194.2.0.20 (ICMP) len=60 id=25337
ICMP: type=8 code=0 echo request id=10001 seq=25600
```

>>> Ping working (NATed packet going through the right interface)

How can I manually prevent load balancing from occurring, but still be able to use both ISPs at the same time?? Thank you for reading all this, I hope you can help me with this problem, and if you have any questions please post them here :)

Check Point rocks!
Pakito
What you're looking for (partially) is source routing. This can be done on SPLAT. Search this forum/Google for "source routing" and you'll find configuration guidelines. But I'm not sure if this will give you redundancy when one ISP goes down.

Br.
Robby
Hi Robby! Thanks for your quick answer :) I checked the posts already and implemented source routing at the OS level using this thread (Force one ISP with ISP REDUNDANCY). My rule was:

```sh
# register a routing table named ISP_B (id 200)
echo 200 ISP_B >> /etc/iproute2/rt_tables
# packets sourced from the ISP B external (xlat) address use that table
ip rule add from xlat_ISP_B table ISP_B
# whose only route is a default via the ISP B router on eth4
ip route add default via rtr_ISP_B dev eth4 table ISP_B
ip route flush cache
```

But I didn't see any change after that. I'm sure there is a way to statically define the cache_misp for source routing, as it is already possible for specific services. Does anybody know?

Thank you!
Pakito
Hi, fixed my problem. When enabled, the ISP redundancy feature overrides the OS configuration as far as source routing is concerned. I disabled ISP redundancy and created OS-level rules for all my source routing. Now I need to find a script to implement ISP high availability at the OS level. Seems like I have a lot of work to do!
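An added example, not code from the thread or from Check Point: the OS-level policy routing the posts above set up for one ISP, extended to both uplinks and to the pinned 172.27.254.0/24 range, plus the reachability-based failover the last post says is still missing. It assumes ISP A on eth3 via 203.0.113.1, ISP B on eth4 via 198.51.100.1 and constructed xlat addresses; every name and address in it is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread). OS-level policy routing for two ISPs
# on SPLAT/Linux plus a reachability check that picks the main default route.
# Assumed values (constructed documentation addresses): ISP A on eth3 via
# 203.0.113.1, ISP B on eth4 via 198.51.100.1, xlat_ISP_A=203.0.113.10,
# xlat_ISP_B=198.51.100.10. DRY_RUN=1 (default) prints ip commands instead.
DRY_RUN=${DRY_RUN:-1}
PROBE_HOST=${PROBE_HOST:-194.2.0.20}   # host pinged in the thread's test
A_DEV=eth3; A_GW=203.0.113.1; A_XLAT=203.0.113.10
B_DEV=eth4; B_GW=198.51.100.1; B_XLAT=198.51.100.10
PINNED=172.27.254.0/24                  # range that must prefer ISP B

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Register a table name in rt_tables unless it is already there.
add_table() {  # $1=id $2=name
  grep -qs "^$1 $2\$" /etc/iproute2/rt_tables ||
    run sh -c "echo '$1 $2' >> /etc/iproute2/rt_tables"
}
# Give a table its own default route and send a source prefix through it.
# Used for an ISP's xlat address (so NATed packets leave on the matching
# interface) and for an internal range that must prefer one ISP.
pin_source() {  # $1=table $2=src_prefix $3=gateway $4=device
  run ip route replace default via "$3" dev "$4" table "$1"
  ip rule show 2>/dev/null | grep -q "from $2 lookup $1" ||
    run ip rule add from "$2" table "$1"
}
# Liveness probe for one uplink; redefine it to plug in a different check.
is_up() { ping -c 1 -W 2 -I "$1" "$PROBE_HOST" >/dev/null 2>&1; }  # $1=device
# Echo "gateway device" of the first live ISP, preferring A; return 1 when
# both are down so the caller leaves the existing routes untouched.
choose_default() {
  if is_up "$A_DEV"; then echo "$A_GW $A_DEV"
  elif is_up "$B_DEV"; then echo "$B_GW $B_DEV"
  else return 1; fi
}
apply_all() {
  add_table 100 ISP_A; add_table 200 ISP_B
  pin_source ISP_A "$A_XLAT" "$A_GW" "$A_DEV"
  pin_source ISP_B "$B_XLAT" "$B_GW" "$B_DEV"
  # Pin the range to B only while B answers; else drop the rule so the range
  # falls back to the main table and follows whichever default is chosen.
  if is_up "$B_DEV"; then pin_source ISP_B "$PINNED" "$B_GW" "$B_DEV"
  else run ip rule del from "$PINNED" table ISP_B 2>/dev/null; fi
  gw_dev=$(choose_default) || { echo "both ISPs down, routes unchanged" >&2; return 1; }
  run ip route replace default via "${gw_dev%% *}" dev "${gw_dev##* }"
  run ip route flush cache
}

if [ "${1:-}" = apply ]; then apply_all; fi
```

Run it as `DRY_RUN=0 sh script.sh apply` from cron to re-evaluate the uplinks; as the post above notes, an enabled ISP redundancy feature will override these OS-level routes.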