Why don't you connect the back-ends via Linux systems configured as routers (cheap solution that usually works well)? It would allow you to configure back-end security between the two networks and probably give you better performance since you would not be forced to scan everything in and out (you could do it selectively).

Danny

-----Original Message-----
From: Christopher A. Congdon [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 06, 2006 3:14 PM
To: [email protected]
Subject: RE: [gb-users] Double GnatBox issues

Not trying this for redundancy outside of the fact that I don't want both T1's attached to the same physical firewall unit in case of failure. For redundancy we're looking at BGP or something a little more hardcore from the ISP end of things. However, I'd like the two firewalls to be able to talk to all servers on the PSN.

Bottom line is that what I'm attempting to do is integrate the network we purchased from another web hosting company into our primary network.

> -----Original Message-----
> From: Cox, Danny H. [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, September 06, 2006 17:56
> To: Christopher A. Congdon; [email protected]
> Subject: RE: [gb-users] Double GnatBox issues
>
> I'm not positive, but my impression is that you want to have redundancy and are trying to use 2 firewalls to accomplish this - BAD IDEA!
>
> You are probably getting tons of ARP table conflicts and may even find that systems are suddenly being firewalled.
>
> In addition, if my assumption is correct your best bet may be:
> 1. Use totally isolated Class C ranges on each firewall
> 2. Implement a vlan config (one per net)
> 3. Configure switch routes for the GB2 firewall legs to properly route their respective networks.
>
> Eg:
> NOTE: LanX=intended destination Network ip class
> <GB1/PSN>10.0.0.1
> ^--------------<Vlan1><LanX>
> Route 10.0.0.0/MASK - LanXIP Class
>
> <GB2/PSN>10.1.1.1
> ^--------------<Vlan2><LanX>
> Route 10.1.1.0/MASK - LanXIP Class
>
> Hope this helps.
>
> Danny
>
>
> -----Original Message-----
> From: Christopher A. Congdon [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, September 06, 2006 2:40 PM
> To: [email protected]
> Subject: RE: [gb-users] Double GnatBox issues
>
> I was thinking of that originally, but then I was wondering about:
>
> Server on the PSN switches with IP address 10.0.1.5 starts broadcasting. Wouldn't GB1 start complaining because this IP address isn't supposed to be there?
>
> And in that case, is it possible to tunnel one of GB2's external Aliases to a service located on one of the 10.0.0.x machines? Or do I have to double-IP everything? (Which isn't going to happen...)
>
> Chris
>
> > -----Original Message-----
> > From: Cox, Danny H. [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, September 06, 2006 17:36
> > To: Christopher A. Congdon
> > Subject: RE: [gb-users] Double GnatBox issues
> >
> > You have 2 routes for the same IP class on the PSN and on the PRO. They will complain. They know their own IP class and assume they "own them".
> >
> > I suggest using different Class C ranges.
> >
> > Danny
> >
> > -----Original Message-----
> > From: Christopher A. Congdon [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, September 06, 2006 2:26 PM
> > To: [email protected]
> > Subject: [gb-users] Double GnatBox issues
> >
> > OK, here's a possibly odd situation. I have two GnatBox Flash units. Here is the IP info I have set up on each:
> >
> > GB1
> > -EXT: 63.xx.xx.1 255.255.255.0
> > -PSN: 10.0.0.1 255.255.255.0
> > -PRO: 192.168.0.1 255.255.255.0
> >
> > GB2
> > -EXT: 12.xx.xx.254 255.255.255.0
> > -PSN: 10.0.0.254 255.255.255.0
> > -PRO: 192.168.0.254 255.255.255.0
> >
> > The PSN interfaces on both GBs are attached to the same switch which is also where my servers are at.
> >
> > The PRO interfaces on both GBs are attached to the same switch which is also where my workstations are at.
> >
> > The EXT interfaces are attached to different switches, which are then each attached to their own router. Each router has its own T1 with different ISPs.
> >
> > The biggest issue I'm getting is SPOOF warnings. These make sense knowing how the GB works. For instance, my workstation uses GB1 as its primary gateway. If I try to ping 10.0.0.254 I get no response, and GB2's logs fill with spoof messages. This is understandable since the traffic route is workstation-->GB1 Pro-->GB1 PSN-->GB2 PSN. Of course then GB2 is seeing a source IP address that matches its own PRO NIC but the traffic didn't come from there.
> >
> > Sooo...how do I make this work? Do I want to make this work? Is it that big of a deal?
> >
> > Bonus question: What happens if GB2 directs public traffic to a server that has GB1 as its default gateway? I assume the response traffic goes out through GB1... Can this cause problems?
> >
> > Chris
> >
> > ------------------------------------------------------
> > To unsubscribe: [EMAIL PROTECTED]
> > For additional commands: [EMAIL PROTECTED]
> > Archive: http://archives.gnatbox.com/gb-users/
> > ------------------------------------------------------
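The following is an added illustration, not code from the thread or from GnatBox: a small model of the reverse-path anti-spoof check that produces the SPOOF warnings Chris describes, run against his overlapping layout and against Danny's separate-range-plus-routes layout. The public addresses and the workstation address 192.168.0.50 are placeholders, and it assumes GB1 forwards PRO-to-PSN traffic without NAT.

```python
import ipaddress

# Constructed model of a firewall's reverse-path (anti-spoof) check: the box
# builds connected routes from its own interface addresses, and rejects a
# packet whose source it would reply to through a different interface than
# the one the packet arrived on.

def routing_table(ifaces, static_routes=()):
    """Connected routes from interface addresses plus static routes."""
    table = [(ipaddress.ip_interface(a).network, n) for n, a in ifaces.items()]
    table += [(ipaddress.ip_network(p), n) for p, n in static_routes]
    return table

def egress_interface(table, dst):
    """Longest-prefix match; None when no route covers dst."""
    dst = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, name) for net, name in table if dst in net]
    return max(matches)[1] if matches else None

def spoof_check(ifaces, arrived_on, src_ip, static_routes=()):
    """Return None if accepted, else text describing the spoof warning."""
    back = egress_interface(routing_table(ifaces, static_routes), src_ip)
    if back is not None and back != arrived_on:
        return f"SPOOF src={src_ip} arrived on {arrived_on}, expected {back}"
    return None

DEFAULT_ROUTE = ("0.0.0.0/0", "EXT")  # every unit has a default route to its ISP

# GB2 as posted (placeholder public address). The workstation's ping to
# 10.0.0.254 travels PRO->GB1->PSN and lands on GB2's PSN leg with a source
# address that GB2 believes belongs to its own PRO subnet.
GB2 = {"EXT": "12.0.0.254/24", "PSN": "10.0.0.254/24", "PRO": "192.168.0.254/24"}
OVERLAP_RESULT = spoof_check(GB2, "PSN", "192.168.0.50", [DEFAULT_ROUTE])

# Danny's layout: GB2 on its own ranges. Without a route back to GB1's
# networks the reply would go out EXT, so the packet is still flagged.
GB2_SPLIT = {"EXT": "12.0.0.254/24", "PSN": "10.1.1.254/24", "PRO": "192.168.1.254/24"}
NO_ROUTE_RESULT = spoof_check(GB2_SPLIT, "PSN", "192.168.0.50", [DEFAULT_ROUTE])

# With step 3 of his list (routes for GB1's ranges via the PSN leg) the reply
# path matches the arrival interface and the check passes.
SPLIT_ROUTES = [DEFAULT_ROUTE, ("192.168.0.0/24", "PSN"), ("10.0.0.0/24", "PSN")]
SPLIT_RESULT = spoof_check(GB2_SPLIT, "PSN", "192.168.0.50", SPLIT_ROUTES)

if __name__ == "__main__":
    print("overlapping ranges:       ", OVERLAP_RESULT)
    print("separate ranges, no route:", NO_ROUTE_RESULT)
    print("separate ranges + routes: ", SPLIT_RESULT)
```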
