Networks·41,398 discussions

Multiple Gateways For VPNs

Locked

Hi There

I have a network WAN setup as follows

Head Office Subnet of 192.168.0.0
Firewall acting as the gateway to the internet with an internal IP of 192.168.0.25. Connected to the firewall are 4 ADSL lines all with fixed IPs 1 on each external interface.
I then have 14 remote sites connected via VPN across the 4 ADSL lines which as you can guess can run rather slow. Each remote site is on it’s own subnet of 192.168.1-14.0.
In order to span the remote sites across further ADSL lines I am wanting to drop in a second firewall with 4 external interfaces connected to extra ADSL lines. I would then configure the second firewall internal interface with an IP of 192.168.0.26.
My main issue is how can I configure my Head Office servers and network to utilise the 2 gateways?
For example remote site 1 connects via VPN through firewall 1 to the mail server and the return traffic goes out through gateway 192.168.0.25.
Remote site 5 connects via VPN through firewall 2 to the mail server and the return traffic goes out through gateway 192.168.0.26.
I am guessing this will be something to do with multiple default gateways on the servers in head office but I am at a bit of a loss on how to do this, even if it can be done.

Topic

Multiple Routes

In reply to Multiple Gateways For VPNs

I don’t think it’s possible to configure multiple “default” gateways on your servers, but it is possible to configure multiple gateways. Take a look at the “route add” command on both Windows and Unix/Linux.

frame relay

In reply to Multiple Gateways For VPNs

If you have that many DSL lines with that many remote sites, I’d dump what you have and go the frame relay route.

The VPN connections all require overhead to maintain the tunnel[data sent back and forth between endpoints] so as you load up the lines with VPN connections, you decrease the available bandwidth. your setup has got to cost a bundle on DSL line costs per site, let alone the 4 lines at the central location.

I May Have Sorted It

In reply to frame relay

Firstly, thanks for the replies.
The cost of the DSL lines bizarly is cheaper than FR and FR isn’t really an option as the remote sites are temporary construction sites and are only in place from 3 to 18 months at a time. In the UK it would cost thousands ?s to implement FR.
What I am trying to achieve is only aimed at being an interim solution until the board of directors realise that the leased line into head office I have suggested is a good idea. At that point the routing device at the leased line end will cater for the number of remote sites.
Anyhow, I may have sorted it by daisy chaining the two firewalls together and adding static routes in the primary firewall to the subnets connected on the secondary firewall.
I will be rolling my sleves up tommorow and attacking it so fingers crossed my plan will work.

It Worked

In reply to I May Have Sorted It

Just thought I would close this thread by letting you all know that my plan worked.
Simple really when you think about it.
2 Watchguard firewalls, an x550e and an x750e.
x750e as the primary add a route to this device to the subnets on thge x550e with a gateway to the trusted interface of the x550e and bingo, traffic moving both ways solid as a rock.

[Author]

Replies