Re: [fw-wiz] Firewall routing thought...
From: Ng Pheng Siong (ngps_at_netmemetic.com)
To: Gwendolynn ferch Elydyr <email@example.com>
Date: Thu, 8 Jul 2004 23:38:15 +0800
On Tue, Jul 06, 2004 at 01:50:18PM -0400, Gwendolynn ferch Elydyr wrote:
> On Fri, 2 Jul 2004, Eric Appelboom wrote:
> > If one has firewall A with external ip on the same subnet as firewall B.
> > How common is the practice of adding static routes on firewall A for the
> > networks protected by firewall B and the other way round.
> Your network layout isn't really clear from your email, but as soon as
> you make a change in broadcast domains, the router is going to be involved.
I believe this is OP's network layout:

            + R +
  ---------------------  NML (No Man's LAN)
    + A +         + B +

OP says traffic between A-net and B-net, thru firewalls A and B, u-turn at
router R at present. He wonders if adding static routing to B-net at A (and
vice versa) will improve things.
Years ago, I was involved in a http caching proxy farm thingy that turned
out to have such a setup: Think of traffic coming out of A in that case as
Internet-bound surfing requests and B as the proxy farm. Traffic was
u-turning at R, the router that connected upstream. R was facing meltdown.
Did a stupid trick: upgraded NML from 10Mbps to 100Mbps, which held it up
for a while more. (Like I said, this was years ago). Eventually had to fix
the u-turn anyway.
Will fixing u-turn help OP's case? As usual, the answer is, "it depends."
Depends on what the traffic characteristics, A/B/R's juice, etc. are.
> First of all, it's not likely to improve your latency or overhead. The
> packets are still going to be seen by the router.
On modern LANs, non-bcast packets between A and B won't be seen by R.
> Ranting briefly,
Ahem, your rant is somewhat vacuous, I am sorry to say.
--
Ng Pheng Siong <firstname.lastname@example.org>
http://firewall.rulemaker.net -+- Cisco PIX & Netscreen Config Version Control
http://sandbox.rulemaker.net/ngps -+- M2Crypto, ZServerSSL/Zope, Blog
_______________________________________________
firewall-wizards mailing list
email@example.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards