How to perform automatic failover between two sites.
We've got an interesting setup that is working fine for us, but has no failover currently, so I'm looking for suggestions.
At one of our sites, we have 150/150 fiber from our ISP. We also have a COLO rack at this ISP where we moved some of our servers (due to construction, never moved them back), and our Watchguard. As the ISP controls the fiber, they were able to set up a transparent bridge between our office and the colo. So basically there is an Ethernet cable coming off our core switch at our site, it goes to their Cisco box, then to a media converter, and into fiber.
So there is no routing needed for devices on either side to talk to each other; it's totally transparent to users/devices.
At our site, we have a backup 50/10 DSL connection. This used to be set up for auto-failover before we moved the WG to the colo. While I could technically get this DSL connection hooked into that WG at the colo to act as a backup, it would only help in the event that the ISP's connection to the internet went down, but our fiber connection remained online. So not much good as a backup.
I'd like to get us set up so users will generally go to the WG at the colo, but if there is a problem, automatically switch over to another WG we'll set up at the actual site. I can manually do this now by either changing people's gateway, or by having an identical config on the 2nd box, and just keeping it unplugged.
Does what I'm hoping to do make sense? Is this doable? If so, would the WG on site need to be the same model (M370)? Or could we have a smaller T55 or similar?
Thanks for any input.
Comments
"but if there is a problem" - what kind of problem are you trying to address?
If the fiber link goes down, then having a firewall with Internet access at your main site would not help as your servers would not be accessible.
Having a clear understanding of the failure point(s) to be addressed will more likely result in the appropriate recommendations.
If the fiber link goes down, we'd like to still have internet access. We have a local DC at the site, so users could still get DHCP/DNS/Internet. Our BOVPN to head office would also fail over, so we'd still be able to get at the file servers, phone system, and the like at that office. So yes, we'd lose access to the servers at the colo, but having most of our systems working is better than none.
Here is a possible solution:
Configure a Branch Office VPN for Failover from a Leased Line
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/bovpn/manual/vpn_failover_from_leased_line_overview_c.html
Dynamic Routing is the key here. Your ISP should be able to help with this, so contact them to see what they can do for you.
You would not need an identical firewall model.
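As an added example (not from the thread and not WatchGuard's code), a small Python model of what the dynamic-routing suggestion buys you: both firewalls advertise a default route, the colo one at a lower cost so it wins while the fiber bridge is up; when the colo firewall's hellos stop, its route is withdrawn and the on-site firewall's route takes over without anyone touching client gateways. The gateway addresses, costs and the 40-second dead interval are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    cost: int
    learned_from: str  # neighbour that advertised the route


@dataclass
class Rib:
    """Minimal routing table: the best route per prefix is the lowest-cost one."""
    routes: Dict[Tuple[str, str], Route] = field(default_factory=dict)
    last_hello: Dict[str, float] = field(default_factory=dict)
    dead_interval: float = 40.0  # assumed seconds of silence before a neighbour is dropped

    def advertise(self, r: Route, now: float) -> None:
        self.routes[(r.prefix, r.learned_from)] = r
        self.last_hello[r.learned_from] = now

    def hello(self, peer: str, now: float) -> None:
        self.last_hello[peer] = now

    def expire(self, now: float) -> List[str]:
        """Withdraw every route learned from neighbours whose hellos stopped."""
        dead = [p for p, t in self.last_hello.items() if now - t > self.dead_interval]
        for p in dead:
            self.routes = {k: v for k, v in self.routes.items() if v.learned_from != p}
            del self.last_hello[p]
        return dead

    def best(self, prefix: str) -> Optional[Route]:
        cands = [r for r in self.routes.values() if r.prefix == prefix]
        return min(cands, key=lambda r: r.cost, default=None)


def fiber_cut_demo() -> List[str]:
    """Cut the fiber bridge at t=0 and record the default gateway chosen over time."""
    rib = Rib()
    # Placeholder addresses: 10.0.0.1 = colo WG (preferred), 10.0.0.2 = on-site WG
    rib.advertise(Route("0.0.0.0/0", "10.0.0.1", 10, "colo-wg"), 0.0)
    rib.advertise(Route("0.0.0.0/0", "10.0.0.2", 100, "site-wg"), 0.0)
    chosen = [rib.best("0.0.0.0/0").next_hop]
    for now in (10.0, 20.0, 30.0, 45.0):  # colo hellos stop, site keeps sending
        rib.hello("site-wg", now)
        rib.expire(now)
        chosen.append(rib.best("0.0.0.0/0").next_hop)
    return chosen
```

Note that the site only sees the on-site gateway after the dead interval elapses, so the time to fail over is bounded by the hello/dead timers you configure, not by the link itself.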