Hi
From: Philipp Rusch [mailto:Philipp.Rusch@rusch-edv.de] Hi Peter, When you say "failsafe", did you intend to be redundant through that setup with multiple servers behind that router ? Then I would add to the setup that Stefan recommended (which is the same I would prefer over yours ...;-) ) as follows:
(|ISP-Router|) |
---------(|1st SWITCH|)------------ ... | | (|1st Firewall|) (|2nd Firewall|) | | ---------(|2nd SWITCH|)------------ ... | | | (|Server 1|)(|Server 2|)(|Server 3|) ...
what you have here is a redundant Setup of your firewall, if one goes down, the other is taking over the whole traffic. You don't need a complicated setup for this, in the simplest way you could do this by adding alternative routes and duplicate the DNS entries of your firewall (internal and external). The rest is done by the DNS and its "round robin" should give you a simple kind of load balancing, if both systems are up.
Be carefull with DNS doing the round robin - not every dns resolver can handle more than one ip-address for one name. E.g. Windows 9x/ME strips off all additional ip-addresses. It only uses the first ip-address it gets. Then there is such a thing called name cache. All resolved hosts are stored within this cache for performance reasons. If such a "bad" net-member (using just the first ip of an answer-section and storing this ip into the local resolver-cache) tries to access the "server-in-service", it will get an error like that: "timeout. could not access resource due to connection timeout."
I do this at two sites with very good success and I am able to do maintenance on that systems, while everybody keeps on working, without them even noticing my reboots ;-)
Same with heartbeat - and you don't have to wait for your ISP to enter another address for the same name ;o)
Regards, Philipp Rusch
regards, Stefan