View Full Version : Traffic goes through ISP_B in Failover mode

johnny blaze
2010-08-12, 01:45
I have R65 with 1 Ethernet interface with ISP Redundancy (Failover) on VLANs. DYN objects are used based on skb25152
Everything works well except for Backup ISP accepts traffic that should be going through Primary ISP only as Secondary is more expensive.
Question: How can i disable usage of Secondary ISP unless Primary will go down. (As Fileover should ideally work IMHO)

Any comments or recommendations are welcomed,

2010-08-12, 02:23
You say that the Backup Line is accepting traffic, is this traffic that is leaving the firewall and the firewall is sending traffic down the secondary line or is this inbound traffic arriving on the secondary line.

I take it that the ISP Redundancy mode is set to Active / Backup.

Have you configured any monitoring on the ISP-Redundancy to check that the traffic can get past the next hop and actually out onto the Internet.

johnny blaze
2010-08-12, 05:00
Outgoing traffic is going through Primary, but incoming can come both ways.
For monitoring i've put gates ip's for each ISP.
REd. is Active/Backup

johnny blaze
2010-08-13, 00:54
should be configured somewhere - i don't want traffic to go via 2nd line!

johnny blaze
2010-08-18, 07:03
it seems like traffic picks the shortest route to servers.
anybody have any idea on described below?

2010-08-20, 09:15
Ok now that I have seen that traffic is coming in on second line then this is a DNS issue not a firewall issue

With active / backup ISP Redundancy then is really more for your OUTBOUND traffic, as that is the only time that the firewall chooses which line to use. As you have already said then the outbound traffic is all using the primary line.

In terms of inbound traffic the traffic will arrive on the line and subsequent vlan interface that has the IP subnet for the destination of the IP which is determined by DNS resolution or the src is typing the backup subnets IP rather then resolving the name.

If your public DNS resolution for your domain resolves the name to the secondary subnets ip then the traffic will arrive on the backup line. If the DNS resolves the name to the primary line then the traffic arrives on the primary lines.

As your security policy will have rules to allow traffic to come in on the secondary subnet range otherwise the failover will not work as the traffic will be dropped.

If you have your public DNS hosted outside of your environment then if they resolve to both then may get the traffic sent to secondary.

If you have the DNS proxy configured and host DNS yourself then will only give the Primary unless it fails at which point will give secondary subnet.

Obviously be careful if hosting DNS yourself as DNS proxy cannot do all types of DNS records eg MX records.

Your firewall is behaving correctly based upon the traffic it is recieving.

johnny blaze
2010-08-25, 00:50
This is regarding Mail.
Some(5-10%) client mail servers are sending mail to secondary IP while Primary is up...
It seems to be accepted by FW but gets nowhere as a result.

Any thoughts?

johnny blaze
2010-08-26, 00:12
This issue pushes me to disconnect secondary ISP from FW
And it doesn't look like ISP Redundancy it this case

johnny blaze
2010-08-26, 00:14
This issue pushes me to disconnect secondary ISP from FW
And it doesn't look like ISP Redundancy it this case
DNS records are right as when i'm disconnecting Primary ISP, traffic is accepted by Secondary IP and visible in Outlook (received by Exchange), but when both lines are up - some mail goes to Secondary IP and not arriving to Exchange connector.