Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
AkiYa
Explorer

How to configure two separated ISP external interfaces

Jump to solution

Hi all,

sorry if this question may have been already asked but I can't find a simple answer for this specific question:

how to configure a second external interface, with a second ISP, in order to route the Internet traffic/NAT to one or the other depending on policies?

In my case I have to change the ISP and since I can't just switch it off, I have to start moving some services to the new ISP.
For example make a subnet going to the Internet with the 2nd ISP, move a published service to the new public IPs, etc.

My first attempt was to configure the secondary external cluster interfaces and add the new router's IP in the Gaia's Default route (added to the primary, with priority "none"), but it didn't work.

I know about PBR, but I see that they have critical limitations (no IPS, no URL filtering.. practically unuseful!) 

So, what is the simple solution for using a second ISP, which every other brand supports?

Thanks

 

0 Kudos
1 Solution

Accepted Solutions
Wolfgang
Mentor
Mentor

@AkiYa routes with different metrics are only for failover usage. If route with metric 1 is failing traffic will be routed via route with metric 20. This is independent of NAT.

What is your problematic feature of the limitations of PBR ?

Some limitations needs more explanations like as an example "domain based VPN" will be not supported with PBR. But this does not mean "domain based VPN" can't be used if PBR is configured. You can, but the limitations is you can't route VPN traffic through PBR. VPN traffic will be routed via the VPN domain routing.

We are using PBR with R81.10 coming from R80.40 and are really happy with this. Using it like you'res . Routing subnet A via ISP1 and subnet B via ISP2. You can start implementing a small PBR maybe for only one host, you can see what's happens and check for any problems.

 If you want to switch from one ISP to another with one subnet after another PBR is your solution. If you want to have a redundant switch over and move it one service by another one you can use ISP redundancy in LoadSharing Configuring ISP Redundancy so that certain traffic uses specific ISP Link . You can start with sharing ISP1 with 90% utilization ISP2 10% utilization and switch more over step by step.

Both PBR and ISP redundancy have limitations but you have to choose. I think I understand your need and I think you get a nice solution with PBR. But you have to upgrade to R81.10 to get the best solutions.

PS.: I know some other vendors with better solutions for your now needed specific use case but they have another limitations. That's the way it is every day in the life of an IT guy 😀

View solution in original post

12 Replies
Wolfgang
Mentor
Mentor

@AkiYa ISP redundancy is your needed feature, Start with ISP Redundancy configuration 

0 Kudos
AkiYa
Explorer

@Wolfgang Thank you for your answer, I will give it a look but I've already found lots of answers about the ISP Redundancy which is NOT what I need: I don't need redundancy, I just need to use two separated ISP configuring two Default routes.
Is this supported?

(Now I will check in the link, but it would help me to know it)

Thanks!

0 Kudos
Wolfgang
Mentor
Mentor

Yes, you can do this. You can configure more then one gateway for your default route. With priorities you can configure the using of the ISPs. How to configure static routes using different priorities with ping option

With PBR you can control the outgoing route for your source networks, but you have to be carefuully regarding of NAT. With ISP redundancy a lot of NAT stuff will be done automatically by the gateway, with PBR you have to configure manual NAT rules regarding your routing. Maybe for your use case this will be better solution.

0 Kudos
AkiYa
Explorer

As I said, what I need is not prioritize the Internet route in a redundancy scenario but decide which host/subnet will use the ISP1 and which host/subnet will use the ISP2.

For what I can see PBR have so many limitations that I can't even understand for what they could be used, so they're not an option.

I installed WatchGuard and they have the SD-WAN feature to configure multiple WANs and easily decide which ISP to use for specific hosts, subnets or services, but I can't see anything similar in CheckPoint.

0 Kudos
Wolfgang
Mentor
Mentor

@AkiYa I went over Policy-Based Routing (PBR) on Gaia OS and now I understand your statement.

Some informations in this sk are outdated, a lot of the limitations are solved with R81.xx. Have a look at Policy-Based Routing and Application-Based Routing in Gaia.

PBR will be your solution 😀

I left a note in the  sk100500 to update the limitations.

0 Kudos
_Val_
Admin
Admin

Which appliance model do you use with Check Point?

0 Kudos
AkiYa
Explorer

@_Val_ I'm using two 5600 appliance in clusterXL, R80.40.

For me it's unbelievable that a simple feature like this is still not fully implemented in CheckPoint, but what to do...

0 Kudos
_Val_
Admin
Admin

You certainly can configure more than a single external interface on Gaia. What is your challenge, to be able to move services from one ISP to another? Based on what? 

If you are looking for application based routing, then yes, this is a SD-WAN feature, which is currently in EA with R81.20. 

0 Kudos
AkiYa
Explorer

The challenge is to have 2 external interfaces and use them at the same time, depending on the policies configured: I understand that PBR would be the answer, but in fact it's NOT because of the feature limitations.

Unfortunately I'm not using R81.20 yet, but it's good to know that this SD-WAN feature will be available sooner or later.

Just another question: what if I configure two default routes on Gaia with different metric and then configure specific hide NAT for the subnet I want to move to the second ISP?
Does it make sense?

ex:

(Gaia)
Default route: 1.2.3.4 - metric 1
                          5.6.7.8- metric 20

(Dashboard): LAN_192.168.0.0/24 - hide behind the gateway
                        LAN2_192.168.1.0/24 - hide behind IP address: 5.6.7.9

0 Kudos
Wolfgang
Mentor
Mentor

@AkiYa routes with different metrics are only for failover usage. If route with metric 1 is failing traffic will be routed via route with metric 20. This is independent of NAT.

What is your problematic feature of the limitations of PBR ?

Some limitations needs more explanations like as an example "domain based VPN" will be not supported with PBR. But this does not mean "domain based VPN" can't be used if PBR is configured. You can, but the limitations is you can't route VPN traffic through PBR. VPN traffic will be routed via the VPN domain routing.

We are using PBR with R81.10 coming from R80.40 and are really happy with this. Using it like you'res . Routing subnet A via ISP1 and subnet B via ISP2. You can start implementing a small PBR maybe for only one host, you can see what's happens and check for any problems.

 If you want to switch from one ISP to another with one subnet after another PBR is your solution. If you want to have a redundant switch over and move it one service by another one you can use ISP redundancy in LoadSharing Configuring ISP Redundancy so that certain traffic uses specific ISP Link . You can start with sharing ISP1 with 90% utilization ISP2 10% utilization and switch more over step by step.

Both PBR and ISP redundancy have limitations but you have to choose. I think I understand your need and I think you get a nice solution with PBR. But you have to upgrade to R81.10 to get the best solutions.

PS.: I know some other vendors with better solutions for your now needed specific use case but they have another limitations. That's the way it is every day in the life of an IT guy 😀

AkiYa
Explorer

Thank you for the explanation Wolfgang, so if I move to R81.20 I should have it working as I need, unfortunately in this moment I don't have time to manage the update and I will do it the hard way (switch to the new line with service interruption).

Later I will update the firewalls and give it a try.

0 Kudos
Kryten
Participant

I too think you could give PBR a try. We have the same situation here (also on R80.40) and for most things it worked well, so at the moment two ISPs are used and we did not have to configure ISP redundancy.
Only Remote Access gave us some headaches, but for this we found other solutions.

0 Kudos