Very Computer

>I have FW-1 running on Solaris 7 with two Internet connections and two
>DMZs.  Each DMZ contains various Web, mail, etc. servers.  At the
>present time, I'm using 4 interfaces on a single firewall to route
>between the 4 networks.  All routing is static and I'm unable to
>undertake something more complex.  The configuration is not intended
>to provide redundancy or load sharing.  It is simply meant to provide
>separate services to two different groups of clients.

>My question is the following...  Is there any way to force outgoing
>traffic back down the same route that it entered?  I've discovered
>that two default routes can be defined on the firewall but they are
>used in a round robin fashion and my requirement is very strict that
>outbound traffic must take the same path it entered.  I did try rules
>on the firewall to block misdirected outbound traffic hoping the other
>route would pick up but that didn't work as I expected.

>Hello,

>I have FW-1 running on Solaris 7 with two Internet connections and two
>DMZs.  Each DMZ contains various Web, mail, etc. servers.  At the
>present time, I'm using 4 interfaces on a single firewall to route
>between the 4 networks.  All routing is static and I'm unable to
>undertake something more complex.  The configuration is not intended
>to provide redundancy or load sharing.  It is simply meant to provide
>separate services to two different groups of clients.

>My question is the following...  Is there any way to force outgoing
>traffic back down the same route that it entered?  I've discovered
>that two default routes can be defined on the firewall but they are
>used in a round robin fashion and my requirement is very strict that
>outbound traffic must take the same path it entered.  I did try rules
>on the firewall to block misdirected outbound traffic hoping the other
>route would pick up but that didn't work as I expected.

>Am I missing a way to achieve this or should I toss a few more $k at
>this and deploy a second firewall?

>Thanks!

>Thanks!

>>Hello,

>>I have FW-1 running on Solaris 7 with two Internet connections and two
>>DMZs.  Each DMZ contains various Web, mail, etc. servers.  At the
>>present time, I'm using 4 interfaces on a single firewall to route
>>between the 4 networks.  All routing is static and I'm unable to
>>undertake something more complex.  The configuration is not intended
>>to provide redundancy or load sharing.  It is simply meant to provide
>>separate services to two different groups of clients.

>>My question is the following...  Is there any way to force outgoing
>>traffic back down the same route that it entered?  I've discovered
>>that two default routes can be defined on the firewall but they are
>>used in a round robin fashion and my requirement is very strict that
>>outbound traffic must take the same path it entered.  I did try rules
>>on the firewall to block misdirected outbound traffic hoping the other
>>route would pick up but that didn't work as I expected.

>>Am I missing a way to achieve this or should I toss a few more $k at
>>this and deploy a second firewall?

>Scott, I would think that you really should be doing something with
>BGP external to your firewall.  Get a Cisco and a BGP AS from your
>providers and let your gateway router do the load balancing and
>dynamic routing.  Put your firewall with one interface set to default
>route to your BGP router.

> Hello,

> I have FW-1 running on Solaris 7 with two Internet connections and two
> DMZs.  Each DMZ contains various Web, mail, etc. servers.  At the
> present time, I'm using 4 interfaces on a single firewall to route
> between the 4 networks.  All routing is static and I'm unable to
> undertake something more complex.  The configuration is not intended
> to provide redundancy or load sharing.  It is simply meant to provide
> separate services to two different groups of clients.

> My question is the following...  Is there any way to force outgoing
> traffic back down the same route that it entered?  I've discovered
> that two default routes can be defined on the firewall but they are
> used in a round robin fashion and my requirement is very strict that
> outbound traffic must take the same path it entered.  I did try rules
> on the firewall to block misdirected outbound traffic hoping the other
> route would pick up but that didn't work as I expected.

> Am I missing a way to achieve this or should I toss a few more $k at
> this and deploy a second firewall?

> Thanks!

> Thanks!

>>>Hello,

>>>I have FW-1 running on Solaris 7 with two Internet connections and two
>>>DMZs.  Each DMZ contains various Web, mail, etc. servers.  At the
>>>present time, I'm using 4 interfaces on a single firewall to route
>>>between the 4 networks.  All routing is static and I'm unable to
>>>undertake something more complex.  The configuration is not intended
>>>to provide redundancy or load sharing.  It is simply meant to provide
>>>separate services to two different groups of clients.

>>>My question is the following...  Is there any way to force outgoing
>>>traffic back down the same route that it entered?  I've discovered
>>>that two default routes can be defined on the firewall but they are
>>>used in a round robin fashion and my requirement is very strict that
>>>outbound traffic must take the same path it entered.  I did try rules
>>>on the firewall to block misdirected outbound traffic hoping the other
>>>route would pick up but that didn't work as I expected.

>>>Am I missing a way to achieve this or should I toss a few more $k at
>>>this and deploy a second firewall?

>>Scott, I would think that you really should be doing something with
>>BGP external to your firewall.  Get a Cisco and a BGP AS from your
>>providers and let your gateway router do the load balancing and
>>dynamic routing.  Put your firewall with one interface set to default
>>route to your BGP router.

>I don't see how BGP would solve this problem.

>What he needs is routing based on source addresses.  I don't think this can
>be done with Firewall-1, but it can be done with a Cisco router.  If you
>connect both Internet connections to the same Cisco router, you can use
>Cisco's "policy routing" feature to select the ISP interface based on the
>source address.

>--

>Genuity, Burlington, MA
>*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
>Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.

>I'd love to learn about and configure BGP but neither of my ISPs do
>anything with it and my guess it that buying a second firewall would

> I'd love to learn about and configure BGP but neither of my ISPs do
> anything with it and my guess it that buying a second firewall would
> be far cheaper than getting into this.

> Again, I have an absolute requirement that packets must leave on the
> same wire they came in on.  Primarily because one of my ISPs has
> spoofing detection in place and packets that are "not supposed to be"
> on the wire are dropped.

> I'm at the point of configuring policy/source routing on one of my two
> Cisco routers.  I only have control over one of them.  Actually, I was
> first trying to configure this routing using an Extreme switch but
> that isn't working out.

> >>>Hello,

> >>>I have FW-1 running on Solaris 7 with two Internet connections and two
> >>>DMZs.  Each DMZ contains various Web, mail, etc. servers.  At the
> >>>present time, I'm using 4 interfaces on a single firewall to route
> >>>between the 4 networks.  All routing is static and I'm unable to
> >>>undertake something more complex.  The configuration is not intended
> >>>to provide redundancy or load sharing.  It is simply meant to provide
> >>>separate services to two different groups of clients.

> >>>My question is the following...  Is there any way to force outgoing
> >>>traffic back down the same route that it entered?  I've discovered
> >>>that two default routes can be defined on the firewall but they are
> >>>used in a round robin fashion and my requirement is very strict that
> >>>outbound traffic must take the same path it entered.  I did try rules
> >>>on the firewall to block misdirected outbound traffic hoping the other
> >>>route would pick up but that didn't work as I expected.

> >>>Am I missing a way to achieve this or should I toss a few more $k at
> >>>this and deploy a second firewall?

> >>Scott, I would think that you really should be doing something with
> >>BGP external to your firewall.  Get a Cisco and a BGP AS from your
> >>providers and let your gateway router do the load balancing and
> >>dynamic routing.  Put your firewall with one interface set to default
> >>route to your BGP router.

> >I don't see how BGP would solve this problem.

> >What he needs is routing based on source addresses.  I don't think this
can
> >be done with Firewall-1, but it can be done with a Cisco router.  If you
> >connect both Internet connections to the same Cisco router, you can use
> >Cisco's "policy routing" feature to select the ISP interface based on the
> >source address.

> >--

> >Genuity, Burlington, MA
> >*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to
newsgroups.
> >Please DON'T copy followups to me -- I'll assume it wasn't posted to the
group.

> Thanks!

>Scott,

>Wondered if the /etc/system tunable below helps?

>Steve

>ip_strict_dst_multihoming and ip6_strict_dst_multihoming
>Description
>Determine whether a packet arriving on a non-forwarding interface can be
>accepted for an IP address that is not explicitly configured on that
>interface.

>Hello,

>I have FW-1 running on Solaris 7 with two Internet connections and two
>DMZs.  Each DMZ contains various Web, mail, etc. servers.  At the
>present time, I'm using 4 interfaces on a single firewall to route
>between the 4 networks.  All routing is static and I'm unable to
>undertake something more complex.  The configuration is not intended
>to provide redundancy or load sharing.  It is simply meant to provide
>separate services to two different groups of clients.

>My question is the following...  Is there any way to force outgoing
>traffic back down the same route that it entered?  I've discovered
>that two default routes can be defined on the firewall but they are
>used in a round robin fashion and my requirement is very strict that
>outbound traffic must take the same path it entered.  I did try rules
>on the firewall to block misdirected outbound traffic hoping the other
>route would pick up but that didn't work as I expected.

>Am I missing a way to achieve this or should I toss a few more $k at
>this and deploy a second firewall?

>Thanks!

>Thanks!