WAN Failover

Associate
Joined
3 May 2009
Posts
805
Hi All,

Doing my nut in. I'm not primarily a network engineer, I'm OK with the basics but this is just frying my brain.

We have opted for a WatchGuard 510 for our security needs, ditching a couple of PIX 506s we have in place currently.

We plan on having 3 WAN lines into the watchguard for failover/balancing.
Unit doesn't arrive until tomorrow/Thursday but I'm trying to do a bit more planning.

However..

We have 2 buildings (head office and branch office) each on a separate subnet (or will be).

They are currently joined by a fibre cable with a simple fibre>cat5e converter on each end. (building is only 50 meters down the road)

2 of our WAN lines will plug into our WatchGuard straight off (in head office, X1 and X2).

But the 3rd line (X3) we would like to connect is physically located in the branch office down the road; if the 2 WAN lines (Virgin Media) were down we could fail over to the branch office internet line (BT).

Is it possible? X1 and X2 would be the primary; if they were down I could just route all HTTP traffic to 10.0.3.3?

And for incoming just add a static NAT 217.XX.XXX.XX -> 10.0.0.0 and 10.0.3.0?

Diagram attached :)

Cheers,

Ash
 
Associate
OP
Joined
3 May 2009
Posts
805
Just had a cuppa,

As long as I set the gateway on 10.0.3.1 to 10.0.3.3 (the modem/router) there should be no reason why I can't send traffic through that WAN interface.

Is it as simple as that? And use a NAT statement to ensure traffic coming in on one of the IPs hits my mail server on the 10.0.0.0 network?
 
Associate
Joined
4 Aug 2008
Posts
1,778
Location
Waterlooville
Wow, that's a headache.

Ideally, try not to use static routing unless you have to.

I am not familiar with the Watchguard devices, would it be possible to use some metrics in the load balance profile to say:

if line 1 (and/or 2) has a delay to ping (enter a known WAN IP address of the provider's name server etc.) then use int3*
 
Associate
Joined
18 Oct 2002
Posts
1,972
Location
Swindon
Having done exactly what you are doing with a 510, you need to purchase the Plus pack software upgrade; this allows you to do multi-WAN routing, with either a priority loading or on a round-robin basis. You then set in the multi-WAN setup how it monitors each link.

However, your branch office would then be on the external side of your WatchGuard firewall.
 
Associate
Joined
29 Dec 2003
Posts
2,039
Location
Newcastle upon Tyne
Having done exactly what you are doing with a 510, you need to purchase the Plus pack software upgrade; this allows you to do multi-WAN routing, with either a priority loading or on a round-robin basis. You then set in the multi-WAN setup how it monitors each link.

However, your branch office would then be on the external side of your WatchGuard firewall.

You are (almost ;)) right (source: I work for a WatchGuard Partner and install a lot of these appliances)

Fireware XTM (the basic OS) comes with the ability to do WAN failover already (see the datasheet here: http://www.watchguard.com/docs/datasheet/wg_xtm5_ds.pdf), but if you want to do load balancing (interface overload, round robin, priority weighted) then you will need Fireware XTM Pro; the SKU you need for this is WG017698.

If I was you I'd have a read of the XTM documentation (here for XTM 11.5: http://www.watchguard.com/help/docs/wsm/11_5-XTM/en-US/index.html). WatchGuard have some of the best, if not the best, documentation of any vendor IMHO.

I'm suspecting a few WatchGuard haters to chime in with "Should have bought a Juniper SRX/FortiGate" but I personally love these devices (It took a while to love WSM though...) and we get very little hassle from them.

Edit: DustyMiller is right though, your 10.0.3.0/24 subnet will be marked as an External interface; this is less than ideal...
 
Associate
OP
Joined
3 May 2009
Posts
805
Thanks for all the posts; we have purchased Fireware XTM so we can do weight-based and failover routing.

I can't really see any other way around it; because we have the fibre link between the offices I have to run everything through that.

Currently the remote office is also on the same subnet as our head office (10.0.0.0). If I was to simply change the modem/router IP to 172.16.0.2 and the WatchGuard to 172.16.0.1, would this solve the issue?

I could plug the fibre converters into a switch both ends and have a cable from X3 into the same switch?

Edit: updated diagram

How would this work? So essentially I do have 2 interfaces (LAN and interface X3) in the same switch, but only X3 can speak to the router.

That way my internal network remains so, and the 172.16.x.x is treated as external?

is this going to cause me any security issues?
 
Associate
Joined
18 Oct 2002
Posts
1,972
Location
Swindon
If I was you I'd have a read of the XTM documentation (here for XTM 11.5: http://www.watchguard.com/help/docs/wsm/11_5-XTM/en-US/index.html). WatchGuard have some of the best, if not the best, documentation of any vendor IMHO.

I would have to disagree with you there, and their support is shockingly slow, as is the support website with Salesforce. However, for their price point they are very, very good firewalls.

I used to have an old X700 at my old employer's, and have got a nice 510 with my current one, with the Pro upgrade, and have installed it myself, as the consultant that was sent was useless.
 
Associate
Joined
18 Oct 2002
Posts
1,972
Location
Swindon
Doing what you want will cause you loads of routing issues; you will have horrendous NATing issues as the traffic traverses your internal network to show up on the external network, to be routed back to the internal side, if you have to route via the branch office.

And yes, the default gateway of the X3 link would have to be the router at the branch office.

But god help you.

A better option would be a second fibre run between the buildings, or even VLAN the traffic across the switch to separate it, and give it its own address space, and thus its own input to the router at the branch office.
 
Associate
Joined
29 Dec 2003
Posts
2,039
Location
Newcastle upon Tyne
But god help you.

Nail. Head.

I personally wouldn't do what you are suggesting; it's a bodge and will be a pig to set up and troubleshoot!

But if it's absolutely your only option then what else can you do, bar running another pair of fibres.

I would have to disagree with you there, and their support is shockingly slow, as is the support website with Salesforce. However, for their price point they are very, very good firewalls.

I used to have an old X700 at my old employer's, and have got a nice 510 with my current one, with the Pro upgrade, and have installed it myself, as the consultant that was sent was useless.

I've found their support to be the complete opposite! Before we were a Partner we had access to the "normal" support and it was pretty damn good. You usually got an answer within two hours, and if it couldn't be fixed over the phone they would dial in and fix it for you, along with documenting everything that they did so you have some form of paper trail. We now have access to the Partner support, which gets us access to 3rd line straight away; it's a huge bonus for us.

On the price point, you're spot on. The Security Bundles are great VFM and all of the features are fairly straightforward to set up and work very well. The new XTM 330 is an absolute steal for a small business with <100 users.

The problem I have found with WatchGuard resellers/consultants/VARs is that they have a load of inexperienced technicians/engineers who can talk the talk but when they actually get down to doing something are absolutely useless. I don't know if this is down to their certification program (it's open book and very easy to pass...) or their very pretty (but ultimately pretty poor) web interface, but the majority of installers think they are God's gift to networking because they can chuck in a big flashy red box.

That's just my 2p anyway :)
 
Associate
Joined
18 Oct 2002
Posts
1,972
Location
Swindon
So far I've been waiting for over three weeks on a query over the latest clientless SSO and multiple DCs in a single domain.

The firewall is excellent value though. Maybe I have been unlucky with my support calls. But just my opinion on the service received so far.
 
Associate
Joined
14 Apr 2008
Posts
1,230
Location
Manchester
A better option would be a second fibre run between the buildings, or even VLAN the traffic across the switch to separate it, and give it its own address space, and thus its own input to the router at the branch office.

+1 for this. Does your fibre run not have any spare pairs? Could you not just light up another pair and do it that way?

It would seem odd for a permanent run of that length not to have used 8-core+ fibre.
 
Associate
OP
Joined
3 May 2009
Posts
805
+1 for this. Does your fibre run not have any spare pairs? Could you not just light up another pair and do it that way?

It would seem odd for a permanent run of that length not to have used 8-core+ fibre.

It's actually a leased 100Mb line from Virgin, so running another is a no-go. We did want BT into the building but unfortunately they want 12k for the privilege......

Interested in the VLANing option though.. hadn't given it much thought.

Fibre converters go into port 48 in each switch at either end, so I guess these ports would exist in both the default and new VLAN? We don't use VLANs atm as it's only a 'small' network, so I have never had to set it up; I'd have to do a bit more research...

Hoping the support will be pretty good!
 
Associate
Joined
14 Apr 2008
Posts
1,230
Location
Manchester
Ah, I thought it was your own run.

VLANs then, that's a good method: make the traffic down the fibre tagged and trunk 2 VLANs, one is your normal/default and the other a WAN, then expose a port on the switch on the WAN VLAN.

I'm not sure of the security implications of putting public WAN on a VLAN though, no doubt someone else will.
 
Associate
OP
Joined
3 May 2009
Posts
805
Ok,

Just knocked this up.

2 switches, both with VLAN100 AND VLAN200.

Branch office will remain on the 10.0.0.0 Network.

Ports 1-46 untagged VLAN100
Port 47 untagged VLAN200
Port 48 tagged VLAN100 + VLAN200

This config on both switches.

XTM X3 interface will be 172.16.1.1, connected to head office port 47.
My branch office router will be 172.16.1.2, connected to branch office port 47.

This should allow all the traffic to travel over the single fibre link and still be segregated.



Thoughts?
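As an added illustration (not from the thread, the forum posters or WatchGuard), a small Python model of the two-VLAN port plan above: it floods a frame through the port map and checks that the WAN-side port 47 can only reach the fibre trunk on port 48, and shows that the same check catches port 47 being left on the factory default VLAN (a constructed misconfiguration). Port numbers and VLAN IDs are the ones in the post; the behaviour modelled is generic 802.1Q access/trunk handling, not any particular switch vendor's.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

OFFICE_VLAN = 100   # VLAN100 in the post: office LAN on ports 1-46
WAN_VLAN = 200      # VLAN200 in the post: the branch BT line carried over the fibre

@dataclass(frozen=True)
class Port:
    untagged: Optional[int] = None          # PVID assigned to untagged frames (access VLAN)
    tagged: FrozenSet[int] = frozenset()    # VLANs carried with an 802.1Q tag

def thread_switch() -> Dict[int, Port]:
    """Port map from the post; the same config is applied on both switches."""
    ports = {p: Port(untagged=OFFICE_VLAN) for p in range(1, 47)}
    ports[47] = Port(untagged=WAN_VLAN)                           # X3 or the branch router
    ports[48] = Port(tagged=frozenset({OFFICE_VLAN, WAN_VLAN}))   # fibre converter / trunk
    return ports

def default_vlan_mistake() -> Dict[int, Port]:
    """Constructed misconfiguration: port 47 left on the factory default VLAN."""
    ports = thread_switch()
    ports[47] = Port(untagged=OFFICE_VLAN)
    return ports

def ingress_vlan(port: Port, tag: Optional[int]) -> Optional[int]:
    """VLAN a frame is classified into on ingress; None means the switch drops it."""
    if tag is None:
        return port.untagged        # trunk has no PVID, so untagged frames arriving there die
    return tag if tag in port.tagged else None

def egress_ports(ports: Dict[int, Port], in_port: int,
                 tag: Optional[int]) -> Dict[int, Optional[int]]:
    """Ports a flooded frame leaves on, mapped to its egress tag (None = untagged)."""
    vlan = ingress_vlan(ports[in_port], tag)
    if vlan is None:
        return {}
    out: Dict[int, Optional[int]] = {}
    for num, p in ports.items():
        if num == in_port:
            continue
        if p.untagged == vlan:
            out[num] = None
        elif vlan in p.tagged:
            out[num] = vlan
    return out

def wan_isolated(ports: Dict[int, Port]) -> bool:
    """True if a frame from the WAN access port can only leave via the trunk."""
    return set(egress_ports(ports, 47, None)) <= {48}
```

Running `wan_isolated(thread_switch())` against the posted plan returns True, while the default-VLAN variant returns False because WAN frames flood onto ports 1-46.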
 
Associate
OP
Joined
3 May 2009
Posts
805
Right guys,

An update. Been playing in my lab and I think it will work; the VLAN does what I need it to. I know there are probably some physical security issues but everything is locked away anyway so that shouldn't be an issue.

Thanks!
 
Associate
Joined
14 Apr 2008
Posts
1,230
Location
Manchester
You will be routing all internet traffic from the branch office via head office; if your link goes down they will lose internet access.

I wouldn't be so happy with that but it depends on what you want.

I'd also be looking at using the Cisco without NAT, but that depends if you're happy with public WAN traffic only VLAN-separated from office traffic.
 
Associate
OP
Joined
3 May 2009
Posts
805
You will be routing all internet traffic from the branch office via head office; if your link goes down they will lose internet access.

I wouldn't be so happy with that but it depends on what you want.

I'd also be looking at using the Cisco without NAT, but that depends if you're happy with public WAN traffic only VLAN-separated from office traffic.

That doesn't matter; they all work via Terminal Services, and our servers are located here, so if the link is down they can't access anything anyway!

Wasn't sure about NAT and potentially double NATing, but that's something I'll look at and try and figure out. Would rather have it performing NAT.

I think it may be an email-only line, as this is what it does currently. (PIX 506e on this line, default gateway of mail server set to this, horrendous messy setup.)

We've had no issues with Virgin; the most they have been down was an hour about a month or so ago, can't remember the time before!
 