
Re: 2 wan + 2 fire + 1 mdz



On Wed, 2005-10-19 at 10:25 +0100, ns007532 wrote: 
> ns007532 wrote:
> > Rodolfo Alcazar wrote:
> >> On Tue, 2005-10-18 at 13:07 +0100, ns007532 wrote:
> >>> Hi
> >>> I recently upgraded my system with one more wan connection, connected to 
> >>> a new firewall (Debian + iptables + snort + portsentry and bind9, 
> >>> etc.). I only have one dmz box.
> >> Sorry, what is a DMZ box? As far as I know, DMZ stands for
> >> "DeMilitarized Zone", and that is not a box, it is a LAN area delimited
> >> with a firewall with certain security policies.
> >>> I have 2 nics (eth0 and eth1) on dmz 10.196.3.2 and 10.196.4.2, in the 
> >>> firewall1 10.196.3.1 and in firewall2 10.196.4.1.
> >>> The problem is the default gateway on eth0 on dmz 10.196.3.2, which is 
> >>> 10.196.3.1, so a connection from wan2 62.123.x.x in firewall2 gets 
> >>> to dmz, but the response is from the gateway and goes back as a martian 
> >>> source to firewall1!
> >> Well, I've drawn your configuration, and I suppose you have this config:
> >> internet(isp1) --- fw1 --- |eth1             |
> >>                            |so-called-DMZ-box| --- eth2 to lan
> >> internet(isp2) --- fw2 --- |eth0             |
> >>
> >> You could have done this with just one box:
> >>
> >> internet(isp1) --- |eth1      |
> >>                    | FIREWALL | --- eth2 to lan
> >> internet(isp2) --- |eth0      |
> >>                    |          | --- eth3 to DMZ
> >>
> >>> How can I resolve this?
> >> If I understood correctly, your problem is obvious. You have only one 
> >> gateway definition. You must add these iproute definitions and delete 
> >> the former:
> >>
> >> root # ip route add 62.123.x.x/16 via 10.196.4.1 dev eth1
> >> root # ip route add your.other.wan.gateway via 10.196.3.1 dev eth0
> >>
> >> Now, go to google and read "Load Balancing with Linux", to get the most
> >> from your both connections.
> >>
> >> Why do you have this expensive configuration? I have a 2-ISP
> >> load-balancing setup, with a DMZ in just one box: eth0 to ISP1, eth1 to
> >> ISP2, eth2 to DMZ and eth3 to lan. This box manages firewalling,
> >> balancing, routing and DNS, kinda your config. Don't you think this is
> >> simpler and cheaper? Why all that expensive stuff? Can't understand!
> >> Could you explain a little more?
> > What I have is this:
> > 
> > wan1--------fire1-------- lan0
> >              |------------lan1
> >              |------------dmz
> > 
> > wan2--------fire2---------lan0
> >              |------------dmz
> > 
> > Fire1 is a firewall and a primary dns server
> > Fire2 is a firewall and a secondary dns server
> > Fire1 and fire2 are connected to the same lan0 and dmz area. Dmz area only 
> > has 1 box (for now).
> > 
> > Since your solution is for 2 wan on 1 box, it doesn't apply to this.
> > 
> > Many thanks.
> >> Why do you have this expensive configuration? I have a 2-ISP
> >> load-balancing setup, with a DMZ in just one box: eth0 to ISP1, eth1 to
> >> ISP2, eth2 to DMZ and eth3 to lan. This box manages firewalling,
> >> balancing, routing and DNS, kinda your config. Don't you think this is
> >> simpler and cheaper? Why all that expensive stuff? Can't understand!
> >> Could you explain a little more?

All right! Now I have a crystal clear understanding!

I think you have to do this:

TCP/IP packets have two fields, among others: Source-IP and Destination-IP.
Example:

Source=ANY.EXTERNAL.IP.NUMBER, Dest=10.196.3.2

If you get one of these packets on your DMZ, the packet will always
return by the same gateway. If you masquerade the packet, meaning you make
your server on the DMZ believe that the source IP is FIRE2:

Source=10.196.3.1, Dest=10.196.3.2

the packet will come back to that server. So (I didn't try this, but I
suppose it works), you have to masquerade your requests by adding this to your
iptables NAT rules on FW1:

-A POSTROUTING -d 10.196.3.2 -j MASQUERADE

You must be aware that your DNS points requests to your
FW1.EXTERNAL.IP.NUMBER. Do the same on FW2.

As I said, I haven't tried internal masquerading. If that doesn't work,
you should try a similar approach with iptables SNAT and DNAT.

> Sorry, I didn't explain this part!
> Why? Because my company needs 100% uptime. 2 internet connections in 1 
> box is good, but 2 x 1 internet + box is better. I want machine and 
> internet backup.
> In your configuration, if the hardware of your firewall goes crazy, 
> everything is down!

Now I get your point on your configuration. You have a great concern for
your network's availability. But I still think this is a very complex
solution (I have a backup firewall, an i286 ready to replace the main one, in
case of failure). These are the reasons:

- Administration tasks get doubled. Two backups. Two different
configurations. Probably two different pieces of hardware, if you added one
recently. Two sets of supplies, probably.

- Two firewalls = the probability that one gets broken doubles. Then, half of
the network goes down, as I explain in the next point:

- You can't balance the traffic (you can only set up half of the users with one
firewall and the other half with the other, or some services on one FW
and other services on the other). This leads to a new problem: if any FW
gets broken, half of the services (or users) go down. How did you
approach this problem for each user?

--
Rodolfo Alcazar - rodolfo.alcazar@padep.org.bo
Netzmanager Padep, GTZ
591-70656800, -22417628, LA PAZ, BOLIVIA
http://otbits.blogspot.com
--
Murphy's Law of Research
Enough research will tend to support your theory.
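The asymmetric-return problem in this thread (a reply leaving the DMZ host through the wrong firewall and being logged there as a martian source) comes down to which routing table the host consults for the reply. The model below is an added example, not code from the thread or from either poster: it emulates the Linux `ip rule` lookup followed by longest-prefix match on the DMZ host, using the addresses quoted above (eth0 10.196.3.2 behind fire1 10.196.3.1, eth1 10.196.4.2 behind fire2 10.196.4.1). It goes beyond the masquerade suggestion in the reply by also modelling source-based policy routing, the iproute2 technique behind the "Load Balancing with Linux" reading Rodolfo points to. The external address 62.123.5.6, the table names `fire1`/`fire2`, and the strict reverse-path check at each firewall are constructed assumptions.

```python
"""Model of the DMZ host's reply-path selection (constructed example).

Addresses are those quoted in the thread; 62.123.5.6, the table names and the
firewalls' reverse-path behaviour are assumptions made for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str] = None  # None: destination is on the connected link


@dataclass(frozen=True)
class Rule:
    src: Optional[str]  # None matches any source, like the catch-all main rule
    table: str


@dataclass(frozen=True)
class Host:
    tables: dict
    rules: list


def route(prefix, dev, via=None):
    return Route(ipaddress.ip_network(prefix), dev, via)


def lookup(host, src, dst):
    """Emulate `ip rule` evaluation followed by longest-prefix match.

    Rules are tried in order; a rule whose table holds no matching route falls
    through to the next rule, as the kernel does. Returns (dev, next_hop).
    """
    dst_ip = ipaddress.ip_address(dst)
    for rule in host.rules:
        if rule.src is not None and rule.src != src:
            continue
        candidates = [r for r in host.tables[rule.table] if dst_ip in r.prefix]
        if candidates:
            best = max(candidates, key=lambda r: r.prefix.prefixlen)
            return best.dev, best.via or dst
    raise LookupError(f"no route to {dst}")


# Firewalls keyed by their DMZ-side address, with the subnet each one expects
# as the source of packets arriving on that link (a strict reverse-path check,
# the assumed origin of the "martian source" message in the thread).
FIREWALLS = {
    "10.196.3.1": ("fire1", ipaddress.ip_network("10.196.3.0/24")),
    "10.196.4.1": ("fire2", ipaddress.ip_network("10.196.4.0/24")),
}


def reply_path(host, src, dst):
    """Which firewall a reply from the DMZ host reaches, and its fate there."""
    _dev, next_hop = lookup(host, src, dst)
    name, dmz_subnet = FIREWALLS[next_hop]
    accepted = ipaddress.ip_address(src) in dmz_subnet
    return name, "forwarded" if accepted else "dropped as martian source"


CONNECTED = [route("10.196.3.0/24", "eth0"), route("10.196.4.0/24", "eth1")]

# The configuration described in the thread: one default gateway for everything.
SINGLE_GATEWAY = Host(
    tables={"main": CONNECTED + [route("0.0.0.0/0", "eth0", via="10.196.3.1")]},
    rules=[Rule(None, "main")],
)

# Source-based policy routing: each DMZ address replies via its own firewall.
POLICY_ROUTED = Host(
    tables={
        "main": SINGLE_GATEWAY.tables["main"],
        "fire1": [route("0.0.0.0/0", "eth0", via="10.196.3.1")],
        "fire2": [route("0.0.0.0/0", "eth1", via="10.196.4.1")],
    },
    rules=[Rule("10.196.3.2", "fire1"), Rule("10.196.4.2", "fire2"), Rule(None, "main")],
)


def ip_commands(host):
    """Render the equivalent iproute2 commands for the extra tables and rules."""
    lines = []
    for name, table in host.tables.items():
        if name == "main":
            continue
        for r in table:
            via = f" via {r.via}" if r.via else ""
            lines.append(f"ip route add {r.prefix}{via} dev {r.dev} table {name}")
    for rule in host.rules:
        if rule.src is not None:
            lines.append(f"ip rule add from {rule.src} table {rule.table}")
    return lines


if __name__ == "__main__":
    for label, host in (("single gateway", SINGLE_GATEWAY), ("policy routed", POLICY_ROUTED)):
        print(label, "reply from 10.196.4.2:", reply_path(host, "10.196.4.2", "62.123.5.6"))
    # With the request masqueraded by fire2, the reply's destination is
    # 10.196.4.1 itself, so it stays on the connected link and needs no gateway.
    print("masqueraded request:", reply_path(SINGLE_GATEWAY, "10.196.4.2", "10.196.4.1"))
    print("\n".join(ip_commands(POLICY_ROUTED)))
```

The single-gateway host sends the reply from 10.196.4.2 to fire1, which rejects it; the policy-routed host sends it to fire2. The masqueraded case shows why the NAT workaround in the reply also works: once the request appears to come from the firewall's own DMZ address, the reply never consults the default route at all.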
