I'm having trouble figuring out how to support 2 Internet connections and still retain control over the way different hosts route to the Internet.
Of the 2 Internet connections, connection A is more suited to handling traffic for our web servers and connection B is more suited to failover and web browsing by users.
We have 2 firewalls already.
Without a DMZ, I could try one firewall per Internet connection:
Internet Connection A -- Firewall A -- LAN
Internet Connection B -- Firewall B -- LAN
The web servers are on the LAN with firewall A as their default gateway and the PCs on the LAN use Firewall B as their default gateway. Both firewalls can port forward to the web servers. The problem is, if one of the connections goes down, I can't see how I can dynamically change the routing for the web servers or PCs.
Adding a DMZ to this topology further complicates things:
Internet Connection A -- Firewall A -- LAN
                             |
                             |-- DMZ
Internet Connection B -- Firewall B -- LAN
It's a routing issue once more. How can hosts on the DMZ have their default gateway changed from Firewall A to Firewall B? Same routing problem as per the first scenario with hosts on the LAN.
If I use a dual wan router (or firewall that supports failover Internet connections) I could do something like this:
Internet Connection A --|
                        |-- Router -- Firewall -- LAN
Internet Connection B --|                 |
                                          |-- DMZ
All hosts have the same default gateway. The drawback is that I lose the ability to route LAN traffic via Connection B and web server traffic via Connection A. In this scenario, Connection B, as the lower-bandwidth connection, becomes the failover connection.
Can anyone see how this trade-off between automatic failover and routing can be resolved?
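As an added example (not part of the original post, and not anything the poster described having deployed), here is one way the third topology can keep per-host routing policy and still fail over: run both Internet connections into a single Linux router and use policy routing (iproute2 `ip rule` / `ip route` tables) so that the DMZ prefix is sent via Connection A and the LAN prefix via Connection B, with a periodic health check that re-points each prefix at the surviving link. Every interface name, address, table number and probe target below is a hypothetical assumption chosen for illustration (RFC 5737 documentation ranges); `DRY_RUN=1` prints the commands instead of executing them so the decision logic can be inspected without touching a live routing table.

```shell
#!/bin/sh
# Added example: dual-WAN policy routing with health-check failover on one Linux router.
# All names and addresses are hypothetical assumptions for illustration.
#   WAN A: eth0, gateway 198.51.100.1, routing table 100  (web servers prefer this)
#   WAN B: eth1, gateway 203.0.113.1, routing table 200  (LAN PCs prefer this)
#   DMZ web servers 10.0.1.0/24, LAN PCs 10.0.2.0/24
# DRY_RUN=1 prints the iproute2 commands instead of executing them.

IF_A=eth0; GW_A=198.51.100.1; TABLE_A=100; PROBE_A=192.0.2.10   # hypothetical probe pinned to A
IF_B=eth1; GW_B=203.0.113.1; TABLE_B=200; PROBE_B=192.0.2.20   # hypothetical probe pinned to B
DMZ_NET=10.0.1.0/24; LAN_NET=10.0.2.0/24

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# One-time setup: a per-WAN table holding only that WAN's default route, plus a
# host route per probe so each ping really leaves through the link under test.
setup_tables() {
  run ip route replace default via "$GW_A" dev "$IF_A" table "$TABLE_A"
  run ip route replace default via "$GW_B" dev "$IF_B" table "$TABLE_B"
  run ip route replace "$PROBE_A" via "$GW_A" dev "$IF_A"
  run ip route replace "$PROBE_B" via "$GW_B" dev "$IF_B"
}

# link_up PROBE: succeeds when the probe answers a single ping within 2 s.
link_up() { ping -c 1 -W 2 "$1" >/dev/null 2>&1; }

# choose_gateway ROLE A_UP B_UP: prints A, B or none.
# dmz prefers A and fails over to B; lan prefers B and fails over to A.
choose_gateway() {
  case "$1" in
    dmz) pref=A; alt=B; pref_up=$2; alt_up=$3 ;;
    lan) pref=B; alt=A; pref_up=$3; alt_up=$2 ;;
    *) echo "unknown role: $1" >&2; return 1 ;;
  esac
  if [ "$pref_up" = 1 ]; then echo "$pref"
  elif [ "$alt_up" = 1 ]; then echo "$alt"
  else echo none; fi
}

# set_rule NET PRIO GW_LABEL: point the source-based rule for NET at that WAN's table.
# Rules are keyed by priority; the old rule is removed first. With GW_LABEL=none
# no rule is added, so NET falls through to the main table (i.e. no Internet).
set_rule() {
  net=$1; prio=$2
  run ip rule del priority "$prio" 2>/dev/null || true
  case "$3" in
    A) run ip rule add from "$net" lookup "$TABLE_A" priority "$prio" ;;
    B) run ip rule add from "$net" lookup "$TABLE_B" priority "$prio" ;;
  esac
}

# apply_policy A_UP B_UP: recompute both rules from the current link states.
apply_policy() {
  dmz_gw=$(choose_gateway dmz "$1" "$2")
  lan_gw=$(choose_gateway lan "$1" "$2")
  set_rule "$DMZ_NET" 100 "$dmz_gw"
  set_rule "$LAN_NET" 200 "$lan_gw"
  echo "dmz=$dmz_gw lan=$lan_gw"
}

# Usage: ./dualwan.sh setup (once), then ./dualwan.sh check from cron every minute.
case "${1:-}" in
  setup) setup_tables ;;
  check)
    a=0; b=0
    link_up "$PROBE_A" && a=1
    link_up "$PROBE_B" && b=1
    apply_policy "$a" "$b" ;;
esac
```

Two caveats a practitioner would check before relying on this: the failover time is bounded by how often `check` runs plus the ping timeout, and inbound port-forwarded connections that arrive on Connection B while the DMZ rule points at Connection A will have their replies sent out the wrong link unless the firewall also marks those connections (for example with conntrack marks) and routes replies by mark rather than by source prefix.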