Jamie Begin
2010-Dec-23 18:06 UTC
Design question: Shorewall behind existing managed firewall plus new broadband connection.
Hello --

Our existing firewall is provided and managed by a telco company that also
provides a T1 circuit and MPLS. The firewall has a small subnet on the
public side and a 10.0.0.0/24 address on the private side. All clients on
the LAN use the firewall as their default gateway. Additionally, some of
the public addresses are static NATed back to a few servers within the LAN.

Since 1.54mb/s is getting pretty tight for Internet access, we'd like to
supplement our connectivity with an inexpensive broadband connection. A
cable modem won't come with the SLA of bringing in an additional circuit,
but considering the difference in cost, it's something we can live with.
The problem is that (obviously) the telco won't allow us to connect another
provider into their managed firewall. What I'd like to do is put a
secondary firewall (a Linux box with Shorewall) behind the existing
firewall. Using three interfaces, I could interconnect the LAN, broadband,
and existing firewall. I've read through the multi-ISP docs, but I don't
know if the additional layer of NATing (performed by the existing firewall)
is going to cause me problems.

What would be the best way to make a "drop in" solution that would not
require changes to the existing firewall? Would it make sense to bridge the
LAN and existing firewall interfaces?

------------------------------------------------------------------------------
Learn how Oracle Real Application Clusters (RAC) One Node allows customers
to consolidate database storage, standardize their database environment, and,
should the need arise, upgrade to a full multi-node Oracle RAC database
without downtime or disruption
http://p.sf.net/sfu/oracle-sfdevnl
Brian J. Murrell
2010-Dec-23 18:53 UTC
Re: Design question: Shorewall behind existing managed firewall plus new broadband connection.
On Thu, 2010-12-23 at 13:06 -0500, Jamie Begin wrote:
> Hello --

Hi,

> Our existing firewall is provided and managed by a telco company that also
> provides a T1 circuit and MPLS. The firewall has a small subnet on the
> public side and a 10.0.0.0/24 address on the private side. All clients on
> the LAN use the firewall as their default gateway. Additionally, some of
> the public addresses are static NATed back to a few servers within the LAN.

OK.

> Since 1.54mb/s is getting pretty tight for Internet access, we'd like to
> supplement our connectivity with an inexpensive broadband connection. A
> cable modem won't come with the SLA of bringing in an additional circuit,
> but considering the difference in cost, it's something we can live with.

Fair enough, and you have the T1 in case the cable connection goes down.

> The problem is that (obviously) the telco won't allow us to connect another
> provider into their managed firewall. What I'd like to do is put a
> secondary firewall (a Linux box with Shorewall) behind the existing
> firewall. Using three interfaces, I could interconnect the LAN, broadband,
> and existing firewall.

Right. Treat the existing connection as just a regular ISP.

> I've read through the multi-ISP docs, but I don't
> know if the additional layer of NATing (performed by the existing firewall)
> is going to cause me problems.

Hrm. I wouldn't think you will have any more problems than you already
have. That is, if the NAT on your existing firewall works 100% for you,
then a second NAT should not introduce any more issues than you would have
had without the existing NAT you have.

> What would be the best way to make a "drop in" solution that would not
> require changes to the existing firewall?

You should not need to change the existing firewall if you just drop your
Shorewall in behind it and treat the existing firewall/connection as just
another Internet provider.

> Would it make sense to bridge the
> LAN and existing firewall interfaces?

I wouldn't.

The only thing I might try to do is to get a real IP/subnet on the LAN side
of your existing connection rather than an unroutable address -- so that
your existing connection is fully routed and not NATted. Now, if you wanted
a LAN's worth of addresses from your provider I could imagine they'd squawk
at that, but you really only need 1, although a few more (so 3-4) might end
up coming in handy for you if you can get them. For a managed service such
as you have, it should not be a problem for your provider to put a small
routed network on the LAN side of their router. I think I'd also ask them
to turn off the filtering on their router, since you are going to do that
with Shorewall anyway.

b.
Tom Eastep
2010-Dec-23 19:02 UTC
Re: Design question: Shorewall behind existing managed firewall plus new broadband connection.
On 12/23/10 10:06 AM, Jamie Begin wrote:
> Hello --
>
> Our existing firewall is provided and managed by a telco company that
> also provides a T1 circuit and MPLS. The firewall has a small subnet on
> the public side and a 10.0.0.0/24 address on the private side. All
> clients on the LAN use the firewall as their default gateway.
> Additionally, some of the public addresses are static NATed back to a
> few servers within the LAN.
>
> Since 1.54mb/s is getting pretty tight for Internet access, we'd like to
> supplement our connectivity with an inexpensive broadband connection. A
> cable modem won't come with the SLA of bringing in an additional
> circuit, but considering the difference in cost, it's something we can
> live with. The problem is that (obviously) the telco won't allow us to
> connect another provider into their managed firewall. What I'd like to
> do is put a secondary firewall (a Linux box with Shorewall) behind the
> existing firewall. Using three interfaces, I could interconnect the
> LAN, broadband, and existing firewall. I've read through the multi-ISP
> docs, but I don't know if the additional layer of NATing (performed by
> the existing firewall) is going to cause me problems.
>
> What would be the best way to make a "drop in" solution that would not
> require changes to the existing firewall? Would it make sense to bridge
> the LAN and existing firewall interfaces?

Don't know if your physical network will allow this solution, but what I
would consider is to:

a) Leave the NATed servers in the 10.0.0.0/24 network and in the same LAN
   connected to your existing firewall.
b) Add a Shorewall box to that LAN and place all of the rest of your
   systems in a LAN behind the Shorewall box.
c) Connect your broadband to a second NIC on the Shorewall box.
d) Connect the rest of your local systems to a third NIC on the Shorewall
   box.

You will now have a setup that is quite similar to what is described at
http://www.shorewall.net/MultiISP.html#Complete. You can then configure
Shorewall to use the broadband connection for outgoing connections from
your LAN and to only do double NAT if the broadband connection is down.

Hope that helps.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
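A configuration sketch for the layout Tom lays out in (a) to (d): cable as the primary uplink for the new LAN, the telco link (and therefore double NAT) used only when the cable's default route is gone. This is an added example, not part of the thread and not taken from the Shorewall project's own documentation. It assumes Shorewall 4.4-era file formats and the following names and addresses, all of them assumptions: eth0 on the telco LAN (10.0.0.0/24, telco firewall at 10.0.0.1, the static-NATed servers still on that segment), eth1 on the cable modem with a DHCP address, eth2 facing the new internal LAN 192.168.1.0/24.

```text
# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4

# /etc/shorewall/interfaces
# eth0: telco LAN (10.0.0.0/24); the static-NATed servers stay here, in
#       front of this box, exactly as before.
# eth1: cable modem, address by DHCP; 'optional' so Shorewall still
#       starts when the cable is down.
# eth2: the new internal LAN (192.168.1.0/24) behind this box.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs
net     eth1        detect      dhcp,tcpflags,nosmurfs,optional
loc     eth2        detect      tcpflags,nosmurfs

# /etc/shorewall/providers
# 'balance' on Cable alone puts its default route in the main table, so
# unmarked outbound traffic from loc leaves via the cable.  'fallback' on
# Telco installs a lower-priority default route via 10.0.0.1 that is only
# consulted when no balanced default route exists (cable interface down).
# 'track' marks connections by the uplink they arrived on so replies go
# back out the same way.
#NAME   NUMBER  MARK   DUPLICATE  INTERFACE  GATEWAY   OPTIONS                 COPY
Cable   1       0x1    main       eth1       detect    track,balance,optional  eth2
Telco   2       0x2    main       eth0       10.0.0.1  track,fallback          eth2

# /etc/shorewall/masq
# SNAT the new LAN behind whichever uplink a packet leaves on.  Out of
# eth0 this is the double NAT: our SNAT to a 10.0.0.x address, then the
# telco firewall's NAT to a public address.
#INTERFACE   SOURCE
eth0         192.168.1.0/24
eth1         192.168.1.0/24

# /etc/shorewall/policy
#SOURCE  DEST   POLICY   LOG LEVEL
loc      net    ACCEPT
$FW      net    ACCEPT
net      all    DROP     info
all      all    REJECT   info

# /etc/shorewall/rules
# Management access to the firewall itself from the new LAN only.
#ACTION        SOURCE  DEST
SSH(ACCEPT)    loc     $FW
Ping(ACCEPT)   loc     $FW

# /etc/shorewall/shorewall.conf (only the setting that matters here)
# Reverse-path filtering breaks multi-ISP routing; keep it off.
ROUTE_FILTER=No
```

Two things worth checking once this is in place. First, hosts on 192.168.1.0/24 still reach the NATed servers on 10.0.0.0/24 directly, because the connected route for eth0 sits in the main table ahead of the default route; the servers simply see the Shorewall box's eth0 address as the source (the masq entry for eth0), so nothing on the telco side needs a route back to the new LAN. Second, Shorewall only drops the Cable provider's routes when it finds eth1 down at start or restart; a cable modem that is powered but has lost sync leaves the interface up, so automatic failover to the T1 needs a link monitor (the MultiISP page discusses LSM) or a manual restart. Verify the result with `ip route show` (balanced default via eth1 in the main table) and `ip route show table default` (the fallback default via 10.0.0.1).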