Crazy (yet inexpensive) dual router Idea???

[cameramonkey]

I have a client with a limited budget. They have a Fractional T1, and are hosting their own web/mail/dns. Currently they have no firewall *ghasp*. They have the ISP doing 1-1 NAT for the server IP addresses.

Up until now there really hasnt been much of a problem. The web/mail server is a locked down redhat box from 1998, so it was rock solid and secure. The engineer that put it together did some wonderful things to make it secure so we werent very concerned. The other servers are Macs, so more insulation and nothing really to worry about.

We installed a cobalt, and were going to put in a consumer grade NAT "firewall", but then they sprung the second web server that I wasnt aware of on me. That shot that down, for obvious reasons.

Here is the idea. They have 8 useable IP addresses. My idea was to install two of the consumer grade firewalls, each with a different real world IP on the outside. Tie them both together on the lan with internal IPs of .1 and .254 respectively. Use the first for DHCP, external web, mail, etc. Then, setup the second unit to provide services for the second set of public services. Set that other server up statically, using that second router for its gateway. That way, all users can see both servers on the same internal network, and both servers are accessible from the outside as well.

Anyone see any problems with this?

sample config (fake IPs of course)
Lan network 192.168.1.0/24
router 1 (12.3.45.67wan/192.168.1.1 lan)
12.3.45.67:80->192.168.1.10
12.3.45.67:443->192.168.1.10
12.3.45.67:21->192.168.1.10
12.3.45.67:110->192.168.1.20
etc...

Router 212.3.45.68wan/192.168.1.254 lan)
12.3.45.68:80->192.168.1.30
12.3.45.68:21->192.168.1.30

 

[StarTAC]

what router are u going to use.. cisco..?.. u can do all this with only one router..

good luck..

 

[davemiller]

Not sure if I get the scope, but here goes...
Assuming functionality of the 'firewalls' you could
configure them with HSRP (hot standby routing protocol).
HSRP is alittle different, but very reliable and flexible.
Assuming this is an option you could configure either unit to deliver all services, or you could alternate VLANs/subnets, between units, ie; load-balancing.
HSRP failover is typically 2 seconds.

 

[cameramonkey]

Notice I said limited budget.... doesnt mean thousands for a router. They are trying to keep the hardware costs below $500. The cheapest single router/firewall we found was the Sonicwall, but the model we need is $1500.

Currently, we are planning on implementing a pair of Netgear consumer grade firewall/routers with SPI. Brings our total hardware budget to just under $300. God help us if we need a 3rd public server.

 

[kb3cgj]

This seems very simple but you seemed to explain it in the most confusing way you could think of. Sounds to me like you need a Cisco 2501 and a basic NAT config. You can pick up a used 2501 for under $500 and it will work like it is brand new. Or maybe even that Cisco ISDN router, it has one serial port I think, I forget the model # maybe 1701, it is probably cheaper then a 2501.


Take it easy,
Nick Mitchell
Network Engineer
Delaware.Net

 

[wolf2x]

It may be a silly question for your situation but.....what about setting up a couple of old unused computers with linux and using them as your routers/firewalls (LinuxRouterProject)?

 

[cameramonkey]

that would blow the budget. I dont work for free .

besides, they are a graphics shop, so few PCs let alone extras laying around.

I have yet to find anyone here who has found a problem with the idea. We are going to roll out two off the shelf consumer firewalls for a hardware cost of $200, plus about an hour labor.

Should work, but I'll let you all know.