Re: Fairly complex multi-ISP firewall/router problem

Joe Thompson wrote:
> What is the architecture between the rest of the world and your
> firewall?  Is it possible to use BGP and only one of the public
> subnets?  This would in effect move the redundancy of the public side to
> the router(s) allowing you to use standard methods at the firewall.

All of the internal stuff is on a 192.168.x.x net. So a packet comes in NIC1 and gets DNAT'd to the internal address, then the reply comes back to the firewall with the correct destination address, and the source address gets reset correctly. That's where the problem comes in, since now the packet can go back out through the NIC to either ISP. But if it goes out the *wrong* NIC, the ISP thinks I'm spoofing and drops the packet.

> We run a similar situation with one of our subnets, we have two circuits from separate providers who were both gracious enough to add the routes in their tables, if we lose one connection the rest of the world just uses the other route in and we of course use the other route out. The downside is getting both upstream providers to cooperate in routing, the upside is that you can utilize both links and keep things simple from an addressing perspective.

I actually left out a bit of the complexity, some of the outgoing connections *must* go through one NIC or the other, because the destination will only accept from a given source IP (and that IP will only go out through the appropriate ISP).


There are two ways to patch this, one by adding the IP to the ARP table with the MAC of the correct router, one by some code to ignore any NIC which doesn't have an alias for the source address. Both are patches I don't want to maintain.

--
bill davidsen <davidsen@xxxxxxx>
  CTO TMR Associates, Inc
  Doing interesting things with small computers since 1979
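The usual way to pin DNAT replies and source-bound outbound connections to the right ISP without either patch is Linux policy routing: one routing table per ISP, selected by source address (and, as a fallback, by a connection mark recording the ingress interface). This is an added example, not from the thread; interface names and addresses are placeholders, and DRY_RUN=1 prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example (not from the thread). Placeholder topology; substitute real values.
set -eu

ISP1_IF=eth1; ISP1_NET=203.0.113.0/24; ISP1_IP=203.0.113.10; ISP1_GW=203.0.113.1
ISP2_IF=eth2; ISP2_NET=198.51.100.0/24; ISP2_IP=198.51.100.10; ISP2_GW=198.51.100.1
LAN_IF=eth0; LAN_NET=192.168.0.0/16

# DRY_RUN=1 prints each command instead of executing it.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# One routing table per ISP: that ISP's default gateway plus the directly
# connected networks, so LAN and link-local destinations still resolve.
setup_isp_table() {
    table=$1 ifc=$2 net=$3 gw=$4 ip=$5
    run ip route replace "$net" dev "$ifc" src "$ip" table "$table"
    run ip route replace "$LAN_NET" dev "$LAN_IF" table "$table"
    run ip route replace default via "$gw" dev "$ifc" table "$table"
    # Source-address rule: DNAT replies (the public source is restored in
    # nat PREROUTING, before routing) and outbound flows bound to this IP
    # are sent via this ISP, so the provider never sees a "spoofed" source.
    run ip rule add from "$ip" table "$table" priority "$((1000 + table))"
    # Fallback: flows whose first packet arrived on this ISP's interface
    # carry a connection mark equal to the table number.
    run ip rule add fwmark "$table" table "$table" priority "$((2000 + table))"
}

# Record the ingress interface in the conntrack mark and restore it on
# every later packet of the flow (mangle runs before nat in PREROUTING).
setup_marks() {
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A PREROUTING -i "$ISP1_IF" -m mark --mark 0 -j CONNMARK --set-mark 1
    run iptables -t mangle -A PREROUTING -i "$ISP2_IF" -m mark --mark 0 -j CONNMARK --set-mark 2
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
}

configure() {
    setup_isp_table 1 "$ISP1_IF" "$ISP1_NET" "$ISP1_GW" "$ISP1_IP"
    setup_isp_table 2 "$ISP2_IF" "$ISP2_NET" "$ISP2_GW" "$ISP2_IP"
    setup_marks
    run ip route flush cache
}

if [ "${DRY_RUN:-0}" = 1 ]; then configure; fi
```

Check the result with `ip rule show` and `ip route show table 1`; the ARP-table and per-NIC-alias hacks become unnecessary because the kernel chooses the egress interface from the source address before the packet reaches either ISP.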

