Peter,

Routing is not a black art; it's all very logical when you break it down. That said, it's common for firewalls (in particular) to have only one "routable" interface, and a number of other interfaces using RFC1918 or "unroutable" addresses. In this instance, the notion of routable and unroutable is relative to the Internet itself, not the process of routing.

Unroutable addresses are blackholed on the Internet because they are reserved for private use within local networks; they are still routable, and are routed within the private networks they are used to build. Basically, all this means is that IF an address within the RFC1918 reserved ranges gets leaked into the Internet, the packet will simply fail to reach its target and/or return to you.

So, equally, it's completely possible to have several interfaces on a firewall that have "routable" address subnets on them. In fact, using this approach for DMZ networks can reduce the performance impact that NAT creates on busy firewalls. Some will argue that it reduces security, but at the end of the day it's really a case of "makes little or no difference", since the firewall's job is to filter the traffic, regardless of the "routability" of the final physical IP address of the device.

Accordingly, as long as YOU own (or rent) the routable addresses you are using on these DMZ subnets, and they are properly routed to your firewall cluster by your upstream ISP, then yes, of course it's possible and, dare I say, normal. The key here is how your ISP routes the addresses to your firewall, since many ISPs have a product menu that may not include routed secondary address blocks. In such a case, you would have to use Proxy-ARP on the external interface of your firewalls and use NAT to deliver the traffic to the DMZ, which would almost certainly then use RFC1918 reserved addresses.

If some of these concepts are causing confusion, then maybe the best way forward is to engage with a professional consultant to help you nail down a design, liaise with your ISP about the addressing and route delivery, and then help you implement it if necessary.
Best regards
Steve

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of Peter Addy
Sent: 10 February 2010 09:18
To: [email protected]
Subject: [FW-1] help please on Checkpoint routing/traffic flow

Hi

Routing has never been a strong point of mine, hence a question on Checkpoint routing.

Is it possible to have connections coming into our firewall that will normally leave the external interface default route, but leave through a different interface that has an external IP address that is a routable IP such as a 62.x.x.? So the default route is not taken for certain incoming host connections, which are routed through a separate tagged interface that has a routable address. Can we do this with static routing and NAT? Do connections have to leave the same interface they come in on? We are running VRRP, not load balancing.

Thanks

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [email protected]
=================================================
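The routing behaviour Steve describes and Peter asks about (a flow entering on the external interface and leaving on a separate routable DMZ interface, the reply taking its own route lookup, and a leaked RFC1918 destination falling through to the default route) comes down to longest-prefix matching on a routing table. The following Python script is an added illustration, not code from either poster or from Check Point: the routing table, the interface names eth0/eth1/eth2 and the addresses (taken from the RFC 5737 documentation ranges) are all constructed for the example, and the "gateway" is a plain table rather than a firewall product.

```python
import ipaddress

# Constructed routing table for a firewall with one external interface (eth0),
# a routable DMZ subnet (eth1) and an RFC1918 internal LAN (eth2).
# Interface names and prefixes are assumptions made for this example.
ROUTES = [
    ("0.0.0.0/0",       "eth0", "203.0.113.1"),  # default route towards the ISP
    ("203.0.113.0/29",  "eth0", None),           # external subnet, directly connected
    ("198.51.100.0/27", "eth1", None),           # routable DMZ, routed to us by the ISP
    ("10.0.0.0/24",     "eth2", None),           # RFC1918 internal LAN
]

# The three RFC1918 private-use ranges (blackholed on the public Internet).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True if addr falls in a private-use range and so cannot be reached
    across the Internet, even though it routes fine inside a private network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def lookup(dst, routes=ROUTES):
    """Longest-prefix match: the most specific matching prefix wins, and the
    default route (/0) is used only when nothing more specific matches.
    Returns (prefix, egress interface, next hop) or None."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, next_hop)
    if best is None:
        return None
    return (str(best[0]), best[1], best[2])


def would_leak(dst, routes=ROUTES):
    """A private destination that only matches the default route would be
    forwarded to the ISP and silently dropped there (Steve's 'leak' case)."""
    route = lookup(dst, routes)
    return is_rfc1918(dst) and route is not None and route[0] == "0.0.0.0/0"


def connection_path(client, server, routes=ROUTES):
    """Egress interface for a client->server packet and for the server's reply.
    Each direction is an independent lookup on its own destination address, so
    a flow arriving on eth0 for a DMZ host leaves on eth1, and the reply leaves
    wherever the client's address routes (here the default route on eth0).
    A routable DMZ address needs no NAT; an RFC1918 one would."""
    _, inbound_iface, _ = lookup(server, routes)
    _, reply_iface, _ = lookup(client, routes)
    return {
        "inbound_egress": inbound_iface,
        "reply_egress": reply_iface,
        "nat_required": is_rfc1918(server),
    }


if __name__ == "__main__":
    # Constructed flow: an Internet client talking to a host in the routable DMZ.
    print(connection_path("192.0.2.50", "198.51.100.10"))
    print("leaks:", would_leak("192.168.1.1"))
```

Run as a script it prints the forward and reply egress interfaces for a constructed Internet-to-DMZ connection and shows that a 192.168.x.x destination would leave via the default route and be lost. The point for Peter's question is in `connection_path`: nothing ties the reply to the interface the first packet arrived on; each packet is simply matched against the table, which is why a DMZ on its own routable subnet works with static routes alone, provided the ISP really does route that block to the firewall.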
