I have a client who has (for reasons beyond my ability to comprehend) decided to be pathologically cheap about one ISP link at one of their sites (running a PA-200), and are dropping their static IP in preference for more bandwidth at less cost.
Stable internet connectivity via any available ISP at this particular site is a dicey proposition, so failover is a must.
Presently, I have three virtual routers -- one for each ISP, and an internal VR (which runs OSPF on VPN tunnel interfaces linking to other sites). Each ISP VR has a default route to the ISP's next-hop, and routes to the internal subnets via the internal VR. The internal VR has a default route to next-vr ISP2-VR.
ISP2 is more reliable than ISP1, but a lot slower, so I have a PBF rule having internet-bound traffic forwarding via ISP1, next-hop being the ISP1 gateway, fail-over monitoring one of that ISP's DNS servers.
This has been working extremely well.
Now that they are pulling the static IP off of ISP1, I have to figure out a way to prefer it without always knowing what the next-hop is, as that will be pulled into ISP1-VR by the DHCP client, and will be subject to change with no notice.
The first way that crossed my mind was to have another router (something cheap and cheerful like a MikroTIK) between the PANFW and the ISP, and have it do the NATing... but I would like to be able to remotely manage the PANFW via the ISP2 static IP, and look at what IP address it is pulling from ISP1 via DHCP... I don't want to have to regularly log into another device, or teach others how to do so.
The second way I thought of was to have PBF egress via a new physical L3 interface on the internal VR, next hop out to another external physical router (MikroTIK, etc), then have that external router throw the traffic back into the PANFW on another L3 interface on the ISP1-VR which will send it out via whatever default route has been pulled from the ISP............ but that sounds pretty kooky.
Does anyone have any better ideas on how I might accomplish this?
Many thanks for your thoughts!
When you setup the interface as DHCP you can choose the metric that your default route to the gateway address will install as.
This will take care of routing for the ISP1 virtual router.
Your failure detection using the DNS servers should work the same as it does currently as those will not be changing. So when the the ISP is down this route should be withdrawn the same as the static route is currently and allow will work as it does now.
Thanks for your reply, Steven.
The problem still seems to be that I have to specify a next-hop in the PBF policy, and the next-hop is subject to change... right now I have just copied the gateway pulled via DHCP from the interface to the PBF policy.
Is there a way to do this without PBF that I'm not seeing?
Even if you will get the IP address from a DHCP server, the IP address will be different every time, but the next-hop will be remain the same ( untill, you are getting the IP from a different DHCP server). Because, the DHCP server will assign different IP address from the same pool.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!