This might seem illogical (which it ultimately is), but I'm just looking to hear other people's ideas on how this would be set up.
There are 2 switches and multiple firewalls. There are 2x WAN uplinks (same provider), one connected to each switch. The switches are merely there to increase the number of available WAN connections, so that each firewall can be connected to the WAN uplink.
The reason for 2 switches is merely for redundancy (ignoring the fact the firewall is a SPOF). In this instance, the customer is only willing to pay for 1 firewall; they are prepared to accept the downtime in the event of failure. If a switch were to fail, the burden would be on us - so the firewall needs to take 2x WAN feeds, 1 from each switch, but each WAN is exactly the same (in essence).
How would you go about setting up the firewall to be able to survive a switch failure, bearing in mind the IPs behind the firewall are routed to a single primary IP?
I got it working, and along the way I tried the following, but what is the 'correct' method?
Bridging WAN1 & WAN2 (BR0), giving BR0 the primary IP. Policy routes were set up to route BR0 to LAN1 and vice versa. Although the primary IP was pingable - the routed IPs were not routed internally. Traceroute showed the firewall as the last point, then the packet failing to go any further. It looks like the firewall merged the 2 ports at the L2 level, but ignored any packets destined for its advertised IP.
This did not work.
VLAN on WAN
Unfortunately, this brand of firewall does not support spanning a VLAN over 2 interfaces.
This did not work.
Trunking and L2 switching
Putting both WAN1 & WAN2 in the same port group and allowing inter-port communication. Giving WAN1 the primary IP, WAN2 had no IP, but did have the gateway set. A trunk (TRUNK0) was set up consisting of WAN1 & WAN2 (active/passive). Policy routes were set up to route WAN1 to LAN1 inbound and over TRUNK0 outbound. Traffic destined for WAN1 was actively received over WAN2 when the switch attached to WAN1 was powered off.
This did work.
There are a few methods above, and whilst I do have a seemingly apparent working solution, is it acceptable, and what 'better' alternatives might there be?
PS. I know the actual solution to this problem is to set up 2x firewalls in a VRRP group, one on each switch, 1 WAN feed to each, like this:
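Since the firewall brand is not named, here is the working "TRUNK0 active/passive" layout expressed for a Linux-based firewall using netplan, as an added example that is not the poster's configuration. Interface names, all addresses, and the assumption that both provider uplinks sit in the same L2 domain are mine.

```yaml
# Added example (not the poster's config): active/passive bond across two
# switches, equivalent of TRUNK0. Assumptions: eth1/eth2 are WAN1/WAN2 (one
# to each switch), eth0 is LAN1, and every address below is constructed.
network:
  version: 2
  ethernets:
    eth1:            # WAN1 -> switch A; no address of its own
      dhcp4: false
    eth2:            # WAN2 -> switch B; no address of its own
      dhcp4: false
    eth0:            # LAN1, fronting the block routed to the primary IP
      addresses: [192.0.2.1/24]        # constructed routed block
  bonds:
    wan-bond:        # carries the single primary WAN IP
      interfaces: [eth1, eth2]
      addresses: [203.0.113.10/30]     # constructed primary IP
      routes:
        - to: default
          via: 203.0.113.9             # constructed provider gateway
      parameters:
        mode: active-backup            # one member forwards at a time
        primary: eth1                  # prefer WAN1 while its switch is up
        mii-monitor-interval: 100      # ms; detects the switch going dark
        gratuitous-arp: 3              # re-announce the MAC via the new port
```

Because the routed block is reached through the bond's one L3 address, ordinary forwarding between wan-bond and eth0 replaces the per-port policy routes, and the member ports need neither an IP nor a gateway.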
This seems backwards. The WAN connection should go into your firewall. The switch(es) should then plug into your firewalls. If you are using two different switches that connect to each server, you could set up a redundant interface on the firewall, which would take over if one of the switches went offline.