Another issue I haven’t found a solution for yet…

A small network, consisting of a couple of servers and a couple of clients. The clients are to be masqueraded, the servers have real IPs.

The network of real IPs isn’t a proper subnet, since it’s shared with others. The uplink connection is switched, the old setup was to have all the servers directly on the switched network.

The new setup we have is one firewall, a DMZ network and an internal network. The firewall is connected to all three of them, and has arp_proxy enabled for the DMZ and external networks. That way, no configuration changes were necessary when moving the machines into the DMZ (except for a host route on the firewall). Note that the firewall box is also responsible for both the access of the internal network to the external and the DMZ network. Oh, and I’m talking of a stateful firewall.

Everything is working as expected and reliable. Level completed.

Next level: make it highly available - add another gateway. And now it gets really nasty… I guess I’ll skip the idea of load balancing… That becomes really messy, won’t it? HA fail-over should be okay, when the other gateway is down, the new gateway enables proxy-arp. For the internal network, I have to take over the gateway IP.

Maybe I should switch to static NAT… I could then split the hosts onto both firewalls, and migrate rules to one if the other one goes down…

Does anyone have experience with similar setups? Which solution did you choose, which did you try that did not work? Please send me an email at erich AT debian (.) org
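As an added example (not part of the original post), here is what the fail-over step described above looks like on a Linux gateway: a takeover/release script that enables proxy ARP on the uplink and DMZ sides, installs the per-server host routes, and takes over the internal gateway address. Interface names, the internal gateway address and the DMZ host list are assumed values; DRY_RUN=1 only prints the commands.

```shell
#!/bin/sh
# Fail-over actions for the proxy-ARP DMZ design. Interface names, the
# internal gateway address and the DMZ host list below are assumptions.
EXT_IF="${EXT_IF:-eth0}"                          # uplink: shared real-IP segment
DMZ_IF="${DMZ_IF:-eth1}"                          # DMZ: servers with real IPs
INT_IF="${INT_IF:-eth2}"                          # masqueraded internal network
INT_GW="${INT_GW:-10.0.0.1/24}"                   # shared internal gateway address
DMZ_HOSTS="${DMZ_HOSTS:-192.0.2.10 192.0.2.11}"   # constructed sample DMZ hosts

# With DRY_RUN=1 the commands are printed instead of executed (no root needed).
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Become the active gateway. Linux proxy_arp answers ARP for an address when
# the route to it leaves via another interface, so the host routes are what
# make the box answer for the DMZ servers on the uplink (and vice versa).
takeover() {
  for ifc in "$EXT_IF" "$DMZ_IF"; do
    run sysctl -q -w "net.ipv4.conf.$ifc.proxy_arp=1"
  done
  for h in $DMZ_HOSTS; do
    run ip route replace "$h/32" dev "$DMZ_IF"
    # refresh uplink-side ARP caches that still point at the failed gateway
    run arping -U -c 3 -I "$EXT_IF" "$h"
  done
  # take over the internal gateway IP and announce it to the clients
  run ip addr add "$INT_GW" dev "$INT_IF"
  run arping -U -c 3 -I "$INT_IF" "${INT_GW%/*}"
}

# Stand down in reverse order so the peer can take over cleanly.
release() {
  run ip addr del "$INT_GW" dev "$INT_IF"
  for h in $DMZ_HOSTS; do
    run ip route del "$h/32" dev "$DMZ_IF"
  done
  for ifc in "$EXT_IF" "$DMZ_IF"; do
    run sysctl -q -w "net.ipv4.conf.$ifc.proxy_arp=0"
  done
}

case "${1:-}" in
  takeover|release) "$1" ;;
esac
```

Connection tracking state is not carried across by this script, so established sessions through the failed box are lost at takeover unless the state is replicated separately.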