Network design question.

Post by Bawb Bitche » Mon, 22 Jul 2002 08:21:59

I am looking for some thoughts from you all on a network design question.

Let's say I have 3 sites all connected together like a triangle via fiber
(figure Cisco routers). At each site there is also an internet
connection on another Cisco router. I am running BGP to the net at each
site under the same AS. Everything is great because if one internet
connection goes down it routes to the other. Yah BGP!

Now the issue.

I need to bring the 3 sites internal, i.e. 10.1.x.x, 10.2.x.x, 10.3.x.x.
Great. Put in an OpenBSD firewall between the internet and the LAN.
However I now lose my BGP failover for outbound and inbound traffic if
one of the sites goes down. What I mean is this:

(site1): internet---router---firewall---lan---router to site2 and site3

(site2): internet---router---firewall---lan---router to site1 and site3

(site3): internet---router---firewall---lan---router to site1 and site2

Draw it out as a triangle if it helps to see it.

On each site the default gateway is the firewall. If the router goes
down to the internet at that site there is no way to get the traffic to
go back through the firewall (and NAT) then out to the next site and
out that firewall.

So thoughts?

Here is what I have so far.

1. Run iBGP between the external and internal routers through the
OpenBSD firewall. I have NAT issues then with inbound packets. The
biggest issue is how do I tell OpenBSD that the internet router is
down. GateD?

2. Write a script that pings the serial interface on the internet router
from the OpenBSD box. If the ping fails then change the default gw on
the box to the internal ethernet on the OpenBSD box at the next site
(would have to hard code the route to the next site on the OpenBSD box).
My question on this is where does the NAT fall into place. Will the
packet head back off the OpenBSD box to the internal router before it
gets NAT'ed if I change the default route?

Post by erik » Mon, 22 Jul 2002 12:11:31

> I am looking for some thoughts from you all on a network design question.

> Let's say I have 3 sites all connected together like a triangle via fiber
> (figure Cisco routers). At each site there is also an internet
> connection on another Cisco router. I am running BGP to the net at each
> site under the same AS. Everything is great because if one internet
> connection goes down it routes to the other. Yah BGP!

> Now the issue.

> I need to bring the 3 sites internal, i.e. 10.1.x.x, 10.2.x.x, 10.3.x.x.
> Great. Put in an OpenBSD firewall between the internet and the LAN.
> However I now lose my BGP failover for outbound and inbound traffic if
> one of the sites goes down. What I mean is this:

> (site1): internet---router---firewall---lan---router to site2 and site3

> (site2): internet---router---firewall---lan---router to site1 and site3

> (site3): internet---router---firewall---lan---router to site1 and site2

> Draw it out as a triangle if it helps to see it.

> On each site the default gateway is the firewall. If the router goes
> down to the internet at that site there is no way to get the traffic to
> go back through the firewall (and NAT) then out to the next site and
> out that firewall.

> So thoughts?

> Here is what I have so far.

> 1. Run iBGP between the external and internal routers through the
> OpenBSD firewall. I have NAT issues then with inbound packets. The
> biggest issue is how do I tell OpenBSD that the internet router is
> down. GateD?

Zebra. AFAIK zebra understands BGP.

> 2. Write a script that pings the serial interface on the internet router
> from the OpenBSD box. If the ping fails then change the default gw on
> the box to the internal ethernet on the OpenBSD box at the next site
> (would have to hard code the route to the next site on the OpenBSD box).
> My question on this is where does the NAT fall into place. Will the
> packet head back off the OpenBSD box to the internal router before it
> gets NAT'ed if I change the default route?

You might have to ping the first upstream router instead of the serial
interface.

EJ
--
For OpenBSD pf and nat rule examples: http://www.vanwesten.net
Remove the obvious part (including the dot) for my email address
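
The probe-and-switch idea from option 2 of the original post, with erik's adjustment of pinging the first upstream hop rather than the local serial interface, as an added example that is not code from either poster. It is a POSIX sh watchdog meant to run on the OpenBSD firewall. Every address is a constructed placeholder (10.1.0.1 for the inside address of the site's internet router, 10.1.0.2 for the inter-site router on the firewall's internal segment, 192.0.2.1 standing in for the ISP's first-hop router), the ping flags assume OpenBSD ping(8)'s -c and -w options, and the script goes one step beyond the thread by adding consecutive-round thresholds so that a single lost ping does not flip the default route back and forth.

```shell
#!/bin/sh
# Added example, not code from the thread: default-route watchdog for the OpenBSD
# firewall described above. Probes the ISP's first-hop router (beyond the local
# serial interface) and swaps the default route between the local internet router
# and the inter-site router when the probe fails or recovers. Needs root to change
# routes. All addresses below are constructed placeholders.

PRIMARY_GW=10.1.0.1        # assumed: inside address of this site's internet router
BACKUP_GW=10.1.0.2         # assumed: inter-site router on the firewall's internal segment
UPSTREAM_PROBE=192.0.2.1   # assumed: ISP first-hop router (TEST-NET-1 placeholder)
PROBE_CMD="ping -c 3 -w 5" # assumed OpenBSD ping(8) flags: 3 echo requests, 5 s wait
INTERVAL=10                # seconds between probe rounds
FAIL_THRESHOLD=3           # consecutive failed rounds before failing over
RECOVER_THRESHOLD=5        # consecutive good rounds before failing back

# probe_upstream: exit 0 if the upstream router answered, non-zero otherwise.
# PROBE_CMD is deliberately unquoted so its flags are split into separate words.
probe_upstream() {
    $PROBE_CMD "$UPSTREAM_PROBE" >/dev/null 2>&1
}

# evaluate STATE FAILS OKS RESULT
#   STATE  "primary" or "backup": which gateway the default route points at now
#   FAILS  consecutive failed probe rounds so far
#   OKS    consecutive successful probe rounds so far
#   RESULT "ok" or "fail" for the round just completed
# Prints "NEWSTATE NEWFAILS NEWOKS". The thresholds give hysteresis: one lost
# round never moves the route, and a flapping link does not bounce it.
evaluate() {
    state=$1 fails=$2 oks=$3 result=$4
    if [ "$result" = ok ]; then
        fails=0; oks=$((oks + 1))
    else
        oks=0; fails=$((fails + 1))
    fi
    if [ "$state" = primary ] && [ "$fails" -ge "$FAIL_THRESHOLD" ]; then
        state=backup
    elif [ "$state" = backup ] && [ "$oks" -ge "$RECOVER_THRESHOLD" ]; then
        state=primary
    fi
    echo "$state $fails $oks"
}

# gateway_for STATE: the next hop the default route should use in that state.
gateway_for() {
    if [ "$1" = primary ]; then echo "$PRIMARY_GW"; else echo "$BACKUP_GW"; fi
}

# apply_route GATEWAY: repoint the default route (change first, add if none exists).
apply_route() {
    route -n change default "$1" >/dev/null 2>&1 || route -n add default "$1"
}

# watchdog: probe forever; log and change the route only on a state transition.
watchdog() {
    state=primary; fails=0; oks=0
    while :; do
        if probe_upstream; then result=ok; else result=fail; fi
        set -- $(evaluate "$state" "$fails" "$oks" "$result")
        if [ "$1" != "$state" ]; then
            logger -t gwwatch "upstream $UPSTREAM_PROBE is $result; default route -> $(gateway_for "$1")"
            apply_route "$(gateway_for "$1")"
        fi
        state=$1; fails=$2; oks=$3
        sleep "$INTERVAL"
    done
}

# Only loop when invoked as "gwwatch.sh run"; otherwise the file just defines the functions.
if [ "${1:-}" = run ]; then watchdog; fi
```

Run it as root with `run` as the argument (from rc.local or under a supervisor); the script only ever touches the default route on a transition, so the log shows exactly when and why it moved. Probing the first hop beyond the serial link, as erik suggests, catches the case where the serial interface still answers locally while the provider side is dead. On the NAT question in the original post: a pf `nat on $ext_if` rule translates only packets that leave through that interface, so after failover the outbound traffic leaves untranslated through the internal interface and is translated by the firewall at the site whose link is still up. The backup next hop here is the inter-site router on the firewall's own internal segment, which already carries the routes to the other sites, rather than the remote firewall's inside address.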

DNS, firewall/network design question

I'm at an impasse, and I could use some help. I'm not sure if this is the
proper place to post this question, so if there's a more appropriate place,
please let me know.

I'm trying to set up a server that provides web and mail services for
multiple domains. This server sits in a colo facility at my ISP. The box I'm
using is running FreeBSD 4.7, and Apache 1.3.27. I don't seem to have any
problem providing web services with this machine. However, I am having DNS
issues. The web server machine is behind a firewall running OpenBSD 3.2.

The firewall has three interfaces, and was originally configured to only
protect a web server that is part of one of my companies' domain (abcde.com,
for reference purposes). That has worked great for years. Public DNS for
abcde.com has been served from a firewall appliance at the corporate
headquarters, and I have tried to keep the services provided by the firewall
machine limited to network address translation and packet filtering.

The fun starts when I add the second web server (www.uvwxyz.com, et al., for
reference), which is on a different interface, and different internal
network from the original (www.abcde.com for reference). I have the outside
interface of the firewall dual-homed, so it is receiving packets for both IP
blocks (a.b.c.d/25 and w.x.y.z/29, respectively). I believe I have the IP
network addresses translated correctly, with appropriate ports redirected,
and packets filtered.

The question I have is, what's the appropriate way to do DNS for uvwxyz.com,
and whatever other domains I may end up providing web and mail services for?

My first thought is to run named on the web server box (www.uvwxyz.com), but
I am having trouble getting the outside world to see that box as a DNS
server. Then, I thought I might serve DNS from the firewall box, but I'm reluctant
to have that box perform any other services for both security and
performance reasons, though I don't have any specific knowledge to support
my concerns. I need to maintain a high level of security, and I hope to have
lots of traffic (don't we all), so I want to maintain a high level of
performance.

Let me know if I've left out any important information, or need to clarify
anything. I've been working on this for a few days now, learning as I go,
and I've reached a point where I'm quite confused. I appreciate any help
anyone may offer.
