From: Bertrum Carroll <bc17684 @
Subject: Two ISP's to one DMZ
Date: Sun, 06 Jul 1997 08:36:23 -0500
To: "Firewalls @
COM" <Firewalls @
> I'm looking for advice from someone who has connected two or more
> different ISP's to the same DMZ.
> Are there pitfalls in doing this? Is it not possible? I need to stay
> up to at least part of the net when a single ISP is having problems.
> Has anyone done this with success?
---------------End of Original Message-----------------
I would think you might have better luck bringing your ISPs in on multiple
interfaces. We had a client running our Firewall who brought two ISPs in. One
was through a cable modem, the other through a 128K ISDN dialup. The cable
modem was used for inbound and outbound (through NAT and Stateful Packet
Inspection) web surfing, telnetting, etc. (anything that didn't require a fixed
IP). The ISDN link was used with a fixed IP for inbound services that required
a Domain name (this wasn't very high bandwidth stuff) and as a backup ISP
link. They had "real" IPs on the internal network. There were two main
"default" routes set up with one having a higher preference than the other, so
if one failed (cable) the other could take over (ISDN).
The only problem that the client ran into is that they were advertising routes
through RIP (this is not the default behavior of the firewall). Suddenly, all
traffic intended for their ISDN ISP (Netrail) started coming in over their
cable link (@Home). I guess @Home was accepting downstream route updates as
gospel. Because our client was using NAT and stateful packet inspection, none
of the Netrail ISP traffic could get through. It took Netrail and @Home about
a day to get the routing tables straight again.
Since then they have had no problems at all. You have a greater amount of
control when you bring your traffic in over multiple interfaces than if
everything is on one DMZ LAN. Separate interfaces mean separate reports for
traffic, hacking, uptime, etc. You can also reduce the chances of being
brought down by a single interface failing.
The key to this working was our "Dynamic-DNS" feature (which is also available
for other OSs, see below), so that your Domains can follow you between ISPs.
As soon as you lose one route our Firewall will notify the Dynamic DNS servers
that its IP has changed and that the Domains should now point to a new IP
address. This is a lot easier to implement than BGP (which may not be
supported by all ISPs and may cause some confusion as routes are being
updated). Outbound traffic always works. Inbound traffic takes at most about
10 minutes for DNS updates to take effect.
It is much easier to reassign IPs to Domain names than to move routes. This
also works independent of your ISP.
BTW, don't flame me about BGP. In cases where I was able to implement it I
would. It just isn't always available.
You could also do this on other OSs (such as UNIX or NT) or Firewalls with
software available from http://www.ml.org and http://www.dyndns.com.
I hope this helps,
Michael W. Chalkley
ZapNet! Inc.
Suite 400-120
10945 State Bridge Road
Alpharetta, GA 30202
Tel: +1.770.823.7846
Fax: +1.770.475.7640
E-mail: mikech @
mikech @
http://www.iproute.com
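The failover scheme the reply describes (two default routes with different preference, and a Dynamic-DNS update pushed whenever the live route changes) is easy to see in a small model. The following is an added example, not code from the thread or from ZapNet!'s firewall: the uplink names, the 192.0.2.x / 198.51.100.x addresses (RFC 5737 documentation ranges), the health snapshots and the `DnsUpdater` class are all constructed placeholders standing in for a real link monitor and a real Dynamic-DNS client. It shows the selection rule (most-preferred uplink that is up), failover and fail-back, and that a DNS update is issued only when the active uplink actually changes.

```python
"""Model of preference-based dual-ISP failover with a Dynamic-DNS update
on route change. Added example; every name, address and API here is a
constructed assumption, not the firewall product's own interface."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Uplink:
    name: str          # link label, e.g. "cable" or "isdn" (constructed)
    address: str       # public IP reachable via this link (documentation range)
    preference: int    # lower value = preferred default route


@dataclass
class DnsUpdater:
    """Stand-in for a Dynamic-DNS client: records the updates it would send
    instead of talking to any real DNS service (assumption)."""
    domains: List[str]
    sent: List[Tuple[str, str]] = field(default_factory=list)

    def point_to(self, address: str) -> None:
        # Re-point every hosted domain at the address of the live uplink.
        for domain in self.domains:
            self.sent.append((domain, address))


@dataclass
class Failover:
    uplinks: List[Uplink]
    dns: DnsUpdater
    active: Optional[Uplink] = None

    def choose(self, health: Dict[str, bool]) -> Optional[Uplink]:
        """Most-preferred uplink whose monitor reports it up; None if all down.
        Outbound traffic follows this choice, so it works as long as any link
        is up, exactly as two default routes of different preference would."""
        live = [u for u in self.uplinks if health.get(u.name, False)]
        if not live:
            return None
        return min(live, key=lambda u: u.preference)

    def step(self, health: Dict[str, bool]) -> Optional[Uplink]:
        """Re-evaluate against a fresh health snapshot. Only a change of the
        active uplink triggers a DNS update; inbound service then follows the
        new address once resolvers' caches expire (the reply quotes ~10 min)."""
        chosen = self.choose(health)
        if chosen != self.active:
            self.active = chosen
            if chosen is not None:
                self.dns.point_to(chosen.address)
        return chosen


# Constructed uplinks mirroring the reply: cable preferred, ISDN as backup.
CABLE = Uplink("cable", "192.0.2.10", preference=10)
ISDN = Uplink("isdn", "198.51.100.20", preference=20)


def simulate(snapshots: List[Dict[str, bool]],
             domains: Tuple[str, ...] = ("www.example.com",)) -> List[Tuple[str, str]]:
    """Run a sequence of health snapshots through the failover logic and
    return the Dynamic-DNS updates that would have been sent, in order."""
    fo = Failover([CABLE, ISDN], DnsUpdater(list(domains)))
    for snapshot in snapshots:
        fo.step(snapshot)
    return fo.dns.sent


if __name__ == "__main__":
    # Constructed scenario: both up, cable fails, both fail, both recover.
    for update in simulate([
        {"cable": True, "isdn": True},
        {"cable": False, "isdn": True},
        {"cable": False, "isdn": False},
        {"cable": True, "isdn": True},
    ]):
        print("DNS update:", update)
```

The model deliberately sends no update while every link is down: there is no reachable address to publish, and the last record stays in place until a link returns. A production monitor would also want hysteresis (require several consecutive failed probes before failing over) so that a flapping link does not generate a stream of DNS updates that resolvers cannot keep up with.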