Re: Multiple Internet Links - Failover [message #120630 is a reply to message #120084]
Sun, 12 April 2015 14:47
UnifiedTechs-Brian
Messages: 159 Registered: March 2011 Location: Vero Beach, FL
Brian Carmichael (Kerio) wrote on Tue, 17 March 2015 10:40:
> @menace, I agree that in failover mode the firewall should not allow incoming connections to the backup interface. I have filed a bug for this behavior.

I disagree 100%. If incoming traffic is arriving on the backup link's IP, Kerio Connect should not refuse it simply because the primary link appears active. You need to figure out why traffic is coming to that link, because something is wrong. Take this example.
User runs a mail server:
MX1 is set as primary link.
MX2 is set as backup link.
Due to a net-split or routing error between ISPs, MX1 is not reachable for some senders, so per SMTP standards the sending mail server uses MX2. You're saying Control should refuse this traffic? Or what if the primary link is overloaded or slow? The above situation is exactly how the SMTP system is designed, and any firewall I have ever worked with will accept this traffic, as it should.
If steady traffic is incoming for no reason, then there is some problem that is pointing normal traffic to the wrong interface. This could be an inability for some traffic to reach that port, or some DNS issue such as reversed MX records. The firewall cannot possibly know the status of the entire Internet and should not be making these decisions based solely on whether a link appears up because it can ping its gateway.
If this is a needed feature, it needs to be built in as a special behavior that is turned off by default. I can see some situations where this behavior could be beneficial involving tolled connections (cellular modems, maybe), but it should not be the default behavior.
- Brian
Kerio Preferred Partner, Reseller & Hosting Provider
Unified Technology Solutions
[Updated on: Sun, 12 April 2015 14:54]
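Added example, not part of the post above and not Kerio code: a small Python model of the scenario Brian describes. The sending MTA walks the MX list in preference order as RFC 5321 section 5.1 prescribes, so a sender that cannot route to MX1 lands on MX2, while the receiving firewall judges only whether its own primary link is up. The hostnames, the addresses (taken from the RFC 5737 documentation ranges), the link assignments and the `strict_failover` flag are all constructed assumptions for illustration, not real records or a real Kerio setting.

```python
"""Model of the post's scenario: a sending MTA walks the MX list in preference
order (RFC 5321 section 5.1) and lands on MX2 when MX1 is unreachable from its
vantage point, while the receiving firewall only knows whether its own primary
link is up. Every hostname, address and record here is constructed."""
import ipaddress
from typing import Callable, Iterable, List, Optional, Tuple

MXRecord = Tuple[int, str]  # (preference, hostname); lower preference is tried first

# Constructed zone: MX1 sits behind the primary link, MX2 behind the backup link.
EXAMPLE_MX: List[MXRecord] = [(20, "mx2.example.net"), (10, "mx1.example.net")]
HOST_IPS = {"mx1.example.net": "203.0.113.10", "mx2.example.net": "198.51.100.10"}
LINK_OF_HOST = {"mx1.example.net": "primary", "mx2.example.net": "backup"}


def order_mx(records: Iterable[MXRecord]) -> List[str]:
    """Hostnames in the order a sender tries them: lowest preference first.
    RFC 5321 says equal-preference hosts are tried in random order; this keeps
    input order among equals so results are deterministic."""
    return [host for _, host in sorted(records, key=lambda r: r[0])]


def pick_delivery_host(records: Iterable[MXRecord],
                       can_connect: Callable[[str], bool]) -> Optional[str]:
    """First MX that accepts a connection, or None (mail is deferred/bounced)."""
    for host in order_mx(records):
        if can_connect(host):
            return host
    return None


def sender_reachability(unreachable_prefixes: Iterable[str]) -> Callable[[str], bool]:
    """Reachability from one sender's vantage point. A net-split or routing
    error is modelled as a list of prefixes that sender cannot reach."""
    nets = [ipaddress.ip_network(p) for p in unreachable_prefixes]

    def can_connect(host: str) -> bool:
        ip = ipaddress.ip_address(HOST_IPS[host])
        return not any(ip in net for net in nets)

    return can_connect


def firewall_accepts(link: str, primary_link_up: bool, strict_failover: bool) -> bool:
    """The debated behaviour: in strict mode, inbound on the backup link is
    refused whenever the firewall believes the primary link is up (e.g. it can
    ping its gateway). strict_failover is a hypothetical flag, not a Kerio setting."""
    return not (link == "backup" and primary_link_up and strict_failover)


def end_to_end(can_connect: Callable[[str], bool], primary_link_up: bool,
               strict_failover: bool) -> Callable[[str], bool]:
    """A connection succeeds only if the sender can route to the host AND the
    receiving firewall accepts it on the link that host sits behind."""
    def ok(host: str) -> bool:
        return can_connect(host) and firewall_accepts(
            LINK_OF_HOST[host], primary_link_up, strict_failover)
    return ok


def delivery_host(unreachable_prefixes: Iterable[str], primary_link_up: bool,
                  strict_failover: bool) -> Optional[str]:
    """Which MX ends up receiving the mail for this sender, or None."""
    reach = end_to_end(sender_reachability(unreachable_prefixes),
                       primary_link_up, strict_failover)
    return pick_delivery_host(EXAMPLE_MX, reach)


if __name__ == "__main__":
    # Sender sees the whole Internet: mail goes to MX1 regardless of firewall mode.
    print(delivery_host([], True, True))
    # Sender cannot reach the primary ISP's prefix; the primary still pings its
    # gateway, so strict mode refuses MX2 and the mail is deferred (None).
    print(delivery_host(["203.0.113.0/24"], True, True))
    # Same sender, non-strict firewall: MX2 receives the mail as SMTP intends.
    print(delivery_host(["203.0.113.0/24"], True, False))
```

The point the model makes concrete is that the two parties see different things: the sender's MX walk is driven by what it can route to, while the firewall's failover state is driven by its own gateway check, and neither tells the other anything. A strict policy only ever helps when the sender's view and the firewall's view agree.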