High Availability with Private Ethernet Link and Drop-In Mode?


#1

Hello,

There are 2 sites A and B. Both sites have their own firewall. Sites A and B are connected via a 100Mbps wireless Radio Link.
If the radio link is down, there is no redundancy at the current setup.

Proposed 2x 710 on each site and on HA config as well.

2x new ADSL links on each site will be used.

Speedfusion will be used between site A and B.

The 2x new ADSL links will only be used when the primary Radio link fails.

They also want to use their existing firewalls at each site.

I am thinking of including all 3x links (2x new ADSL and existing radio link) but assigning WAN Connection Priority 1 to the radio link and 2 to both of the 2x new ADSL links.

Now I am not sure which is best to do, drop-in mode HA or NAT HA in this scenario?
If I used drop-in mode, can I use the WAN interface where the private radio link is connected? The reason I am thinking like this is because I know when I use one of the ADSL links, we would require additional public addresses from the ISP to accomplish this drop-in mode?

Is HA NAT mode OK in this case as there is a firewall behind the 710s?

thanks, RT


#2

If the firewalls can have their default gateways on the radio link, you can use drop-in mode. Additional IP addresses will be needed to run HA. 6.1 firmware does allow you to configure drop-in mode without consuming an IP address if that is helpful.

NAT mode is also OK with HA. Either way, if there are inbound services from the internet to these firewalls – inbound services will need to be configured in the Peplinks.


#3

Thanks Ron.

And the one below will do the job, right? So that the private radio link will be used as primary and the other 2x ADSL links are used when the primary fails?

“I am thinking of including all 3x links (2x new ADSL and existing radio link) but assigning WAN Connection Priority 1 to the radio link and 2 to both of the 2x new ADSL links.”


#4


Above is the diagram; can you please advise what’s the best config to move forward?

Requirements:

HA on both sites.
Existing Firewalls to be used on both sites.
ISP1 and ISP2 on both sites would be added new along with the proposed 2x 710 on each site in HA config.
The existing private radio wireless link will primarily be used and the other 2x new ADSL links as backup.
All communications from/to site A and B must traverse via secured VPN tunnel.

Is drop-in mode the best option here, or NAT?

Witty and comprehensive advice please…


#5

This would be a good design - setting the radio link to priority 1, and having the ADSL connections set to priority 2 in SpeedFusion.

I would use drop-in mode if the radio switches have IP addresses that can be used for the default gateways. The Balance will intercept traffic and route it according to its configuration.


#6

Thanks Ron. Currently I am waiting for my customer whether the existing setup of the firewall’s gateway is pointing to the IP address of the radio.

Of course, if clients from site A and B would like to browse the internet, they will be able to via the two ADSLs?


#7

Sure, web traffic could go out directly via the ADSL connections, no problem.


#8

Thanks Tim for double confirming.
OK, I got information now from Matthew.
So the radio link (refer to above diagram) is a point-to-point bridge.
This will look like just connecting a cable to WAN1 between site A and B, while WAN2 & WAN3 are going to the usual ISPs.

Quote from Ron below:

This would be a good design - setting the radio link to priority 1, and having the ADSL connections set to priority 2 in SpeedFusion.
I would use drop-in mode if the radio switches have IP addresses that can be used for the default gateways. The Balance will intercept traffic and route it according to its configuration.

Would this still work in drop-in mode? Maybe use the opposite site’s WAN1 private address as the gateway of the local WAN1 and vice versa?

Also, the priority 2 in SpeedFusion is only meaningful for traffic going to the other site? And as such, if the destination is the internet, ADSL links 1 & 2 would still kick in as a normal load balance router would do.

By the way, below is their current setup:
1x private radio p2p wireless link
1x ADSL link <— this is the firewall’s default gateway.
The radio link is an interface on the existing firewall and a static route is set so anything destined for site B will be sent across the link.

thanks


#9

The additional information helps. Since there is already a firewall in place at site A, I would use drop-in mode with the current ISP. You could also use drop-in mode at site B with either ADSL link.

For the wireless bridge, configure the WAN connection on each Balance to be on the same network. A fake default gateway and fake DNS can be used and a tunnel can still be built for SpeedFusion.

By default, internet traffic will be sent out the local internet connections at each site, but you will want to avoid sending this traffic out the radio link with outbound policy rules.