WAN Failover

Associate | Joined: 3 May 2009 | Posts: 805
Hi All,

Doing my nut in. I'm not primarily a network engineer, I'm OK with the basics, but this is just frying my brain.

We have opted for a Watchguard 510 for our security needs, ditching a couple of PIX 506s we have in place currently.

We plan on having 3 WAN lines into the Watchguard for failover/balancing.
The unit doesn't arrive until tomorrow/Thursday, but I'm trying to do a bit more planning.

However...

We have 2 buildings (head office and branch office), each on a separate subnet (or will be).

They are currently joined by a fibre cable with a simple fibre > Cat5e converter on each end. (The building is only 50 meters down the road.)

2 of our WAN lines will plug into our Watchguard straight off (in head office, X1 and X2).

But the 3rd line (X3) we would like to connect is physically located in the branch office down the road. If the 2 WAN lines (Virgin Media) were down, we could fail over to the branch office internet line (BT).

Is it possible? X1 and X2 would be the primary; if they were down, I could just route all HTTP traffic to 10.0.3.3?

And for incoming, just add a static NAT 217.XX.XXX.XX -> 10.0.0.0 and 10.0.3.0?

Diagram Attached :)



Cheers,

Ash
 
Just had a cuppa.

As long as I set the gateway on 10.0.3.1 to 10.0.3.3 (the modem/router), there should be no reason why I can't send traffic through that WAN interface.

Is it as simple as that? And use a NAT statement to ensure traffic coming in on one of the IPs hits my mail server on the 10.0.0.0 network?
 
Thanks for all the posts. We have purchased Fireware XTM so we can do weight-based and failover routing.

I can't really see any other way around it; because we have the fibre link between the offices, I have to run everything through that.

Currently the remote office is also on the same subnet as our head office (10.0.0.0). If I was to simply change the modem/router IP to 172.16.0.2 and the Watchguard to 172.16.0.1, would this solve the issue?

I could plug the fibre converters into a switch both ends and have a cable from X3 into the same switch?

edit: updated diagram

How would this work? So essentially I do have 2 interfaces (LAN and interface X3) in the same switch, but only X3 can speak to the router.



That way my internal network remains so, and the 172.16.x.x is treated as external?

Is this going to cause me any security issues?
 
+1 for this. Does your fibre run not have any spare pairs? Could you not just light up another pair and do it that way?

It would seem odd for a permanent run of that length not to have used 8-core+ fibre.

It's actually a leased 100Mb line from Virgin, so running another is a no-go. We did want BT into the building, but unfortunately they want 12k for the privilege...

Interested in the VLANing option though... hadn't given it much thought.

Fibre converters go into port 48 in each switch at either end, so I guess these ports would exist in both the default and new VLAN? We don't use VLANs atm as it's only a 'small' network, so I have never had to set it up; I'd have to do a bit more research...

Hoping the support will be pretty good!
 
Ok,

Just knocked this up.

2 switches, both with VLAN100 and VLAN200.

Branch office will remain on the 10.0.0.0 Network.

Port 1-46 untagged VLAN100
Port 47 untagged VLAN200
Port 48 Tagged VLAN100 + VLAN200

This config on both switches.

XTM X3 interface will be 172.16.1.1, connected to head office port 47.
My branch office router will be 172.16.1.2, connected to branch office port 47.

This should allow all the traffic to travel over the single fibre link and still be segregated.



Thoughts?
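To see why the port 47 / port 48 split keeps the BT router off the LAN, here is an added, vendor-neutral Python model of the two-switch layout above (not the poster's switch configuration; the switch make and its syntax are not given in the thread, so port tables and function names are assumed). It floods a frame through both switches and reports which access ports it reaches, and also shows what happens if port 47 on the branch switch is accidentally left in VLAN100:

```python
from collections import deque

TRUNK = 48  # port 48 on each switch is joined by the fibre converters


def switch_ports(port47_pvid=200):
    """Port table per the thread: (PVID for untagged frames, VLANs accepted tagged)."""
    ports = {p: (100, set()) for p in range(1, 47)}  # ports 1-46 untagged VLAN100
    ports[47] = (port47_pvid, set())                 # port 47 untagged VLAN200 (X3 / BT router)
    ports[48] = (None, {100, 200})                   # port 48 tagged VLAN100 + VLAN200 (fibre)
    return ports


def design(branch_port47_pvid=200):
    """Both switches carry the same config; the branch PVID is parameterised for the misconfig case."""
    return {"head": switch_ports(), "branch": switch_ports(branch_port47_pvid)}


def reachable(switches, start):
    """Access ports (switch, port) that an untagged frame entering 'start' is flooded to."""
    sw, port = start
    vlan = switches[sw][port][0]
    if vlan is None:            # untagged frame on a tagged-only trunk port is dropped
        return set()
    seen, out = {start}, set()
    queue = deque([(sw, port)])
    while queue:
        sw, port = queue.popleft()
        for p, (pvid, tagged) in switches[sw].items():
            if p == port or (sw, p) in seen or not (vlan == pvid or vlan in tagged):
                continue
            seen.add((sw, p))
            if p == TRUNK:
                other = "branch" if sw == "head" else "head"
                # frame leaves tagged; the far trunk port must also carry that VLAN
                if vlan in switches[other][TRUNK][1]:
                    seen.add((other, TRUNK))
                    queue.append((other, TRUNK))
            else:
                out.add((sw, p))
    return out


if __name__ == "__main__":
    print("BT router sees:", reachable(design(), ("branch", 47)))            # only head office port 47
    print("branch PC reaches X3?", ("head", 47) in reachable(design(), ("branch", 1)))
    print("misconfigured port 47 leaks to LAN?", ("head", 1) in reachable(design(100), ("branch", 47)))
```

The last line is the check worth keeping: a single wrong PVID on port 47 puts the ISP router on the same broadcast domain as every LAN port in both buildings.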
 
Right guys,

An update. Been playing in my lab and I think it will work; the VLAN does what I need it to. I know there are probably some physical security issues, but everything is locked away anyway, so that shouldn't be an issue.

Thanks!
 
You will be routing all internet traffic from the branch office via head office; if your link goes down, they will lose internet access.

I wouldn't be so happy with that, but it depends on what you want.

I'd also be looking at using the Cisco without NAT, but that depends if you're happy with public WAN traffic only VLAN-separated from office traffic.

That doesn't matter; they all work via Terminal Services, and our servers are located here, so if the link is down they can't access anything anyway!

Wasn't sure about NAT and potentially double NATting, but that's something I'll look at and try and figure out. Would rather have it performing NAT.

I think it may be an email-only line, as this is what it does currently. (PIX 506e on this line, default gateway of mail server set to this, horrendous messy setup.)

We've had no issues with Virgin; the most they have been down was an hour about a month or so ago, can't remember the time before!
 