I have a networking question I could not find an answer for with google.

We currently have two ISP boxes (routers) at work; I want to set up a firewall to protect an intranet on a local host. The problem is that not everyone is using the same router.

Here is my question: how can I make all traffic be sent to one location (firewall/load balancer) so that the load balancer switches automatically between the two routers?

I am not an expert in networking, just basic knowledge of subnets, IP addressing and firewalling (iptables); I am an advanced Linux user however.


  • Are these real ISP routers, i.e. you have a routed subnet(s) and these routers are your next hop gateway or are you talking about a modem/router combination?
    – gravyface
    Commented May 17, 2011 at 11:26
  • It's a modem/router combination, not big real routers!
    – blob42
    Commented May 17, 2011 at 12:08
  • Do you have two physically-separate LANs behind each Internet connection? i.e. is the ISP router/modems doing DHCP? Providing a simple diagram or description of subnets, default gateways, and labelling them "network A" and "network B" would be really helpful.
    – gravyface
    Commented May 17, 2011 at 12:17
  • Here is the current diagram: goo.gl/RBRvS
    – blob42
    Commented May 17, 2011 at 12:24
  • Do you require that both networks remain separated?
    – gravyface
    Commented May 17, 2011 at 12:51

5 Answers


I've posted a comment for further clarification, but normally when two ISPs are used for load-balancing outbound traffic, a single firewall (or firewall pair for failover) that's multi-WAN capable (i.e. has at least three discrete interfaces; home/consumer routers usually have a LAN and/or LAN switch and 1 WAN port) is used.

This firewall is (generally speaking) the default gateway on the network and is used to NAT and route Internet traffic based on your load balancing and routing policies such as round robin, weighted round robin, src/dest IP, etc.

An excellent open source firewall called pfSense can do this and can be installed on commodity x86 hardware (or on an ALIX embedded device). There's also Vyatta, which has a similar command line interface (CLI) as Cisco's IOS.


It looks like you have two physically-separate networks behind each ISP router/modem. You have some options:

  • merge both networks behind one firewall/router that has ISP1 and ISP2 connected and load-balanced. This is what I'd recommend if you're not required to isolate the two networks and assuming that they're small subnets (/24s), this would be much easier to manage.

  • Set up intra-LAN routing: you'd need to have at least 4 interfaces on your core router, two WAN interfaces and two LAN interfaces with routing/filtering (if required) between them. This is mildly more complicated, and would require a more expensive router/firewall or a box with additional NICs if you go the open source/x86 route, but it does keep the two networks isolated.

  • Set up intra-VLAN routing: you could get away with 3 interfaces, with two WAN and one as a trunk port for virtual LANs (VLANs) in a "router-on-a-stick" configuration. pfSense can do this, but you'd need a VLAN-capable (Layer 2) managed switch to do this. I wouldn't recommend this as it can get complex/expensive and, gauging by your level of network expertise, this is likely overkill.

  • OK, I will go for option one, using a bond interface on my router to do the load balancing. The last option seems interesting as I have practiced a bit of VLAN setup once, and I already have an HP managed switch, but we don't have enough space, so I will start with the load-balancing one. Thanks for the reply.
    – blob42
    Commented May 17, 2011 at 15:47

Right, first I misread this question and wrote a general (non-refined) guide that you can read a bit lower, just in case I misunderstood and that is what you are trying to achieve. After re-reading, I wrote:

If this is a pure internal intranet and there will be no connections from outside the network, there is no way to really control access at the router, unless you put in another router between the intranet machine and its connection, which I really wouldn't recommend.

Routers typically only firewall connections going from one interface to another (Internet <> LAN) and do not filter internal connections (LAN <> LAN). I would recommend using a basic software firewall (such as the one built into Windows) and setting it to strict, only allowing port 80 from selected connections; you can also use Apache/IIS to only allow connections from certain IP ranges.



This depends on your network topology and without knowing more, it is hard to help.

Typically, you will need a router that supports two connections, such as a Draytek Vigor 2820 (many others: Google "2nd WAN", "redundant WAN" etc.).

However, unless you have some sort of bound connection (when from the same ISP), these two connections will have different IPs and anyone connecting into your intranet will only come in via one of the connections, so you need to set the rules there.

(I was going to write more before I realised I was on the wrong track... If I was going correct, let me know and I will continue).

  • For the intranet software firewall I am already using Apache to restrict incoming IP connections. I want it to be reachable from outside only for certain IPs; this is why it must be a host firewall in between.
    – blob42
    Commented May 17, 2011 at 12:01
  • @Chakib - in that case, unless the connection is bound together, they will only be connecting in through one of the routers at any one time, so simply use the one that they will be connecting from and set it up normally. Very few routers allow you to specify incoming IPs though; however, I don't think you are going to get much better without network topology changes.
    Commented May 17, 2011 at 12:43

What is your current setup (hardware etc.?), how many computers connect to this network, does everyone need internet access?

The basic gist would be: connect both internet routers to the firewall and disable bridging in the routers. Load balance between the two connections by using a bond interface, then connect the rest of your network to another Ethernet port on your firewall. Set up a dhcpd server on the firewall, and configure iptables to route your traffic and be your firewall.

If you want the setup to be perfect, configure the above on two different machines and make them run with Heartbeat. That way, when one of the machines drops out (for some reason), the other one will take over.

  • Your solution seems the one that best fits my needs; actually it's just a small office, and the routers are the ones given by the ISP. To summarize, it would be: my 2 routers ---> firewall - NAT (bond) --> my LAN. Is that OK?
    – blob42
    Commented May 17, 2011 at 12:03
  • Exactly. Try to find out if the routers support bridging; that way your firewall is the only place you have to configure the forwarding of specific ports. Also, to clarify, your firewall needs three Ethernet interfaces for this approach to work.
    – pberlijn
    Commented May 17, 2011 at 13:22
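An added example, not code from any of the answers: a rule generator for the "two ISP routers -> firewall/NAT -> LAN" layout described above, with the port-80 restriction to selected external addresses from the earlier answer. It assumes a three-NIC Linux firewall with the constructed interface names and addresses shown, and that each ISP box bridges or forwards TCP/80 to the firewall's WAN-side address. Since each ISP box is a separate gateway on its own subnet, it uses per-ISP policy routing plus a multipath default route (the approach Shorewall's MultiISP automates) rather than a bond interface.

```shell
#!/bin/sh
# Added example for the "two ISP routers -> firewall/NAT -> LAN" layout
# discussed above; not code from any of the answers. Interface names and
# addresses are constructed placeholders for a three-NIC Linux firewall.
WAN1_IF=eth0; WAN1_GW=192.168.1.1; WAN1_NET=192.168.1.0/24
WAN2_IF=eth1; WAN2_GW=192.168.2.1; WAN2_NET=192.168.2.0/24
LAN_IF=eth2; LAN_NET=10.0.0.0/24
INTRANET=10.0.0.10                          # host serving the intranet
ALLOWED_EXT="203.0.113.5 198.51.100.0/28"   # external sources allowed in

# Emit the commands rather than running them so they can be reviewed first;
# apply on the firewall with:  build_rules | sh
build_rules() {
  echo "sysctl -w net.ipv4.ip_forward=1"
  # One routing table per ISP; the main table spreads new LAN flows over both.
  for t in "101 $WAN1_NET $WAN1_IF $WAN1_GW" "102 $WAN2_NET $WAN2_IF $WAN2_GW"; do
    set -- $t
    echo "ip route add $2 dev $3 table $1"
    echo "ip route add default via $4 dev $3 table $1"
  done
  echo "ip rule add fwmark 1 table 101"
  echo "ip rule add fwmark 2 table 102"
  echo "ip route replace default scope global" \
       "nexthop via $WAN1_GW dev $WAN1_IF weight 1" \
       "nexthop via $WAN2_GW dev $WAN2_IF weight 1"
  # Record which ISP a connection arrived on so its replies leave the same way
  # (forwarded traffic is routed after the mangle PREROUTING hook).
  echo "iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark"
  echo "iptables -t mangle -A PREROUTING -i $WAN1_IF -m mark --mark 0 -j MARK --set-mark 1"
  echo "iptables -t mangle -A PREROUTING -i $WAN2_IF -m mark --mark 0 -j MARK --set-mark 2"
  echo "iptables -t mangle -A PREROUTING -j CONNMARK --save-mark"
  # Default deny for forwarded traffic; LAN may go out, replies may come back.
  echo "iptables -P FORWARD DROP"
  echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A FORWARD -i $LAN_IF -s $LAN_NET -j ACCEPT"
  # NAT outbound traffic behind whichever ISP link it leaves on.
  echo "iptables -t nat -A POSTROUTING -o $WAN1_IF -j MASQUERADE"
  echo "iptables -t nat -A POSTROUTING -o $WAN2_IF -j MASQUERADE"
  # Publish the intranet on TCP/80 through either ISP, only to listed sources.
  for src in $ALLOWED_EXT; do
    for wan in $WAN1_IF $WAN2_IF; do
      echo "iptables -t nat -A PREROUTING -i $wan -s $src -p tcp --dport 80" \
           "-j DNAT --to-destination $INTRANET:80"
    done
    echo "iptables -A FORWARD -s $src -d $INTRANET -p tcp --dport 80" \
         "-m conntrack --ctstate NEW -j ACCEPT"
  done
}
```

The DHCP server for the LAN side and the Heartbeat pairing mentioned in the answer are left out; the generated rules cover routing, NAT and filtering only.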

Have a look at the F5 Big-IP Link Controller: http://www.f5.com/products/big-ip/link-controller.html.

It may provide the options you need.

  • Sounds like overkill for these guys. If they don't have a dedicated network admin, then they're likely not going to drop megabucks on something like this.
    – gravyface
    Commented May 17, 2011 at 13:03

Maybe you could use Shorewall with MultiISP.
