Thanks a lot Matthew and Crist for your quick replies, both have given me very useful information
Regards

On Wed, May 9, 2012 at 8:49 AM, Matthew Odendaal <[email protected]> wrote:
> It's actually pretty easy, but there are a few gotchas.
>
> Firstly, I don't think you can get away with doing this without downtime.
> You need to change the IPs of the interface, and the clustering subsystem
> won't react too well to the change of IPs until both are done.
>
> In previous environments, this is how I set it up:
>
> 1. Change the IPs of the external interfaces to the private IP range.
> 2. Using sysconfig, add a new network route for the "real" external subnet
> and when asked for the gateway, leave it empty and hit enter. It should
> then ask you for the outgoing interface name. Type the device name of the
> external interface (e.g. Ext, eth0, etc). This allows the host to see that
> external range (including the all-important default gateway) via the correct
> interface.
> 3. Add your default gateway or static routes again to point to your
> external router(s).
> 4. On the cluster topology of your cluster object, edit the relevant
> external interfaces (get the topology to populate the interface names with
> the private IPs), and on the "Cluster IP" interface, set the Cluster IP and
> subnet mask to the real public IP address that you want to use on the
> Internet. In the "member network" tab, enter the network id of the private
> subnet and the relevant mask that you're using for the physical interfaces.
> The subnet masks for your private range and the public range should be the
> same.
>
> That should instruct ClusterXL to use the physical IPs only for the
> clustering CCP packets, but to consider the public IP as the virtual IP
> used for outgoing / incoming traffic.
>
> I'm not sure exactly how well this works with proxy arp though. I haven't
> done this recently, but in older versions, I had to use a local.arp file to
> get the cluster to proxy-arp for any NATs that need to exist on the public
> range (or you could just add static routes for them from the Internet
> router if you control the router).
>
> Good luck
>
> Matt
>
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1 [mailto:
> [email protected]] On Behalf Of Sergio Alvarez
> Sent: 09 May 2012 03:55 PM
> To: [email protected]
> Subject: [FW-1] cluster consuming only one public IP
>
> Hello.
>
> This customer has a cluster made up of two 4000 appliances, as usual, it
> was configured consuming 3 public IPs (one for each cluster member and one
> as virtual IP for the cluster), now he ran out of public IPs and asks if
> something can be done to use a single public IP (virtual one) and use
> private IPs on the external interfaces of the cluster members.
>
> I found documentation stating it CAN be done, but it does not provide any
> details so I would like to know if anyone here has done it before and can
> give me the whole picture.
>
> Besides changing the IPs on each cluster member from public to private, is
> there something else that needs to be configured differently? Is there some
> sort of downtime when this change is done? Besides the obvious fact that,
> from the Internet, it will only be possible to access via SSH or WebGUI the
> active cluster member, is there any other implication of doing this change?
>
> Any extra piece of info regarding this scenario anyone can provide, will be
> very appreciated.
>
> Regards
>
> --
> Sergio Alvarez
> CISSP | CCSE+
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================

--
Sergio Alvarez
CISSP | CCSE+
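A small consistency check of the addressing plan behind Matt's steps 1 to 4, added here as an example and not part of the thread: it assumes generic Linux `ip route` syntax for the interface route of step 2 and the default route of step 3 (the sysconfig prompts and the SmartDashboard topology edit are not reproduced), and every address in it is a constructed sample value.

```python
import ipaddress


def check_plan(members, cluster_vip, gateway, member_prefixlen, public_prefixlen, iface):
    """Validate the single-public-VIP ClusterXL layout; return (problems, route_commands).

    members: private IPs on the members' external interfaces
    cluster_vip / gateway: public virtual IP and the Internet router
    """
    problems = []
    # Step 4 gotcha: the private and public ranges should use the same mask.
    if member_prefixlen != public_prefixlen:
        problems.append("subnet masks for the private and public ranges differ")
    vip = ipaddress.ip_address(cluster_vip)
    gw = ipaddress.ip_address(gateway)
    public_net = ipaddress.ip_interface(f"{cluster_vip}/{public_prefixlen}").network
    member_nets = {ipaddress.ip_interface(f"{m}/{member_prefixlen}").network for m in members}
    # The "member network" entered in the topology must be one subnet shared by all members.
    if len(member_nets) != 1:
        problems.append("cluster members are not in a single private subnet")
    for net in member_nets:
        if not net.is_private:
            problems.append(f"member subnet {net} is not a private range")
        if vip in net:
            problems.append("cluster VIP falls inside the private member subnet")
    # The router must be reachable through the interface route added in step 2.
    if gw not in public_net:
        problems.append("default gateway is outside the public subnet")
    if gw == vip:
        problems.append("cluster VIP and default gateway are the same address")
    routes = [
        # Step 2: route for the real external subnet with no gateway, just the interface.
        f"ip route add {public_net} dev {iface}",
        # Step 3: default route via the Internet router again.
        f"ip route add default via {gw} dev {iface}",
    ]
    return problems, routes


if __name__ == "__main__":
    # Constructed sample plan: RFC 1918 members, RFC 5737 public /29 for the VIP.
    issues, cmds = check_plan(["10.10.10.1", "10.10.10.2"], "203.0.113.10",
                              "203.0.113.9", 29, 29, "eth0")
    print(issues or "plan looks consistent")
    print("\n".join(cmds))
```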
