It's actually pretty easy, but there are a few gotchas. Firstly, I don't think you can get away with doing this without downtime. You need to change the IPs of the interface, and the clustering subsystem won't react too well to the change of IPs until both are done.
In previous environments, this is how I set it up:

1. Change the IPs of the external interfaces to the private IP range.

2. Using sysconfig, add a new network route for the "real" external subnet and, when asked for the gateway, leave it empty and hit enter. It should then ask you for the outgoing interface name. Type the device name of the external interface (e.g. Ext, eth0, etc.). This allows the host to see that external range (including the all-important default gateway) via the correct interface.

3. Add your default gateway or static routes again to point to your external router(s).

4. In the cluster topology of your cluster object, edit the relevant external interfaces (get the topology to populate the interface names with the private IPs), and on the "Cluster IP" interface, set the Cluster IP and subnet mask to the real public IP address that you want to use on the Internet. In the "member network" tab, enter the network ID of the private subnet and the relevant mask that you're using for the physical interfaces. The subnet masks for your private range and the public range should be the same.

That should instruct ClusterXL to use the physical IPs only for the clustering CCP packets, but to consider the public IP as the virtual IP used for outgoing / incoming traffic.

I'm not sure exactly how well this works with proxy ARP though. I haven't done this recently, but in older versions, I had to use a local.arp file to get the cluster to proxy-ARP for any NATs that need to exist on the public range (or you could just add static routes for them from the Internet router if you control the router).

Good luck

Matt

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of Sergio Alvarez
Sent: 09 May 2012 03:55 PM
To: [email protected]
Subject: [FW-1] cluster consuming only one public IP

Hello.

This customer has a cluster made up of two 4000 appliances. As usual, it was configured consuming 3 public IPs (one for each cluster member and one as virtual IP for the cluster). Now he has run out of public IPs and asks if something can be done to use a single public IP (the virtual one) and use private IPs on the external interfaces of the cluster members.

I found documentation stating it CAN be done, but it does not provide any details, so I would like to know if anyone here has done it before and can give me the whole picture.

Besides changing the IPs on each cluster member from public to private, is there something else that needs to be configured differently? Is there some sort of downtime when this change is done? Besides the obvious fact that, from the Internet, it will only be possible to access the active cluster member via SSH or WebGUI, is there any other implication of doing this change?

Any extra piece of info regarding this scenario anyone can provide will be very much appreciated.

Regards
--
Sergio Alvarez
CISSP | CCSE+

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [email protected]
=================================================
Scanned by Check Point Total Security Gateway.
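As an added example (not from either message in this thread), the following Python check encodes the constraints Matt's steps imply for the private-members / public-VIP layout and emits the two routes from steps 2 and 3. The function name `check_cluster_addressing` and all addresses are constructed for illustration; the "public" side uses the RFC 5737 documentation range.

```python
"""Sanity-check a ClusterXL layout with private member IPs and one public VIP.

Example code, not from the mailing list thread. All sample addresses are
constructed; 203.0.113.0/24 is a documentation range, not a real customer.
"""
import ipaddress


def check_cluster_addressing(members, member_net, vip, public_net, gateway, iface):
    """Return (ok, findings, routes) for the layout described in the thread.

    members    - private IPs configured on the members' external interfaces
    member_net - the private "member network" entered in the cluster topology
    vip        - the single public Cluster IP
    public_net - the real public subnet that the VIP and the gateway live in
    gateway    - default gateway on the Internet router
    iface      - external interface name used for the gateway-less route
    """
    mnet = ipaddress.ip_network(member_net, strict=True)
    pnet = ipaddress.ip_network(public_net, strict=True)
    vip_a = ipaddress.ip_address(vip)
    gw_a = ipaddress.ip_address(gateway)
    findings = []

    # Every physical (CCP) address must sit inside the member network.
    for m in members:
        if ipaddress.ip_address(m) not in mnet:
            findings.append(f"member {m} is outside member network {mnet}")
    # Step 4: masks of the private range and the public range should match.
    if mnet.prefixlen != pnet.prefixlen:
        findings.append(
            f"mask mismatch: member net /{mnet.prefixlen} vs public /{pnet.prefixlen}")
    # The VIP and the gateway belong to the public subnet, not the private one.
    if vip_a not in pnet:
        findings.append(f"VIP {vip} not in public subnet {pnet}")
    if gw_a not in pnet:
        findings.append(f"gateway {gateway} not in public subnet {pnet}")
    if mnet.overlaps(pnet):
        findings.append("private member network overlaps the public subnet")

    # Step 2: interface route with no gateway makes the public subnet (and
    # the router in it) reachable; step 3: the default route via that router.
    routes = [f"{pnet} dev {iface}", f"default via {gateway}"]
    return (not findings), findings, routes
```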
