Subnet Configuration – Same Subnet on Two Firewalls

firewall, subnet, vlan, wan

I came across a network setup in this way:

  1. A Cisco device provided by the ISP serving as a bridge between the fibre line and the LAN.
  2. A cable coming out of port eth0 of the Cisco device above going to a layer 2 switch.
  3. Two firewalls connected to this switch, both with their WAN interface set up using the same public IP range/subnet (255.255.255.240).

Although I can't see any overlapping NAT rules on the two firewalls, meaning that each individual public IP is used on one firewall or the other, my fear is that all the packets will reach both firewalls, causing delays or packet loss. They don't seem to have major problems, but I feel like this is not best practice and it should be changed.
Unfortunately they don't want to keep just one firewall and use VLANs as I suggested, but would it not be better to set up the WAN interface on each firewall with a subnet containing only the IP addresses used on that firewall? (I hope it makes sense…)

Or, do you have any other recommendation?

Many thanks.

Best Answer

This is OK. The ISP has issued a /28 subnet and two of those IPs are going to routers. Normally two routers on that subnet would be used for failover, but they could also simply be used as egress points for two or more separate networks. Assuming it's just the ISP's provider edge device and those two routers, the only traffic both routers will see that might not be explicitly destined for them is conventional multicast / broadcast traffic on that segment.
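As an added illustration of the answer above (example code written for this page, not posted by the asker or the answerer), the script below models the shared /28 segment with Python's standard `ipaddress` module. The address plan it uses is constructed: the 203.0.113.0/28 documentation prefix, the ISP's provider-edge router on the first usable address, and two firewalls (hypothetically named fw-a and fw-b) holding disjoint sets of public IPs. It checks that the plan has no overlapping or reserved addresses, shows which firewall actually processes a given destination (a unicast address is consumed only by its owner; the subnet broadcast and multicast reach both), and, for the asker's idea of giving each firewall a narrower subnet, reports whether the ISP gateway would still be on-link for that firewall, which it must be for ordinary routing to work.

```python
import ipaddress

# Constructed sample address plan (an assumption for this example, not taken
# from the original post): the ISP routes a /28 to the segment, its
# provider-edge router uses the first usable address, and each firewall has
# a disjoint set of public IPs on its WAN interface.
ISP_SUBNET = "203.0.113.0/28"   # RFC 5737 documentation prefix
ISP_GATEWAY = "203.0.113.1"
FIREWALL_IPS = {
    "fw-a": ["203.0.113.2", "203.0.113.3", "203.0.113.4"],
    "fw-b": ["203.0.113.8", "203.0.113.9"],
}


def plan_problems(subnet, gateway, firewall_ips):
    """Return a list of problems with the address plan (empty list = clean).

    Every address must be a usable host in the ISP prefix, must not reuse the
    gateway, and must belong to exactly one firewall (the "no overlapping NAT
    rules" condition from the question).
    """
    subnet = ipaddress.ip_network(subnet)
    gateway = ipaddress.ip_address(gateway)
    problems = []
    if gateway not in subnet:
        problems.append(f"gateway {gateway} is outside {subnet}")
    owner = {}
    for name, addrs in firewall_ips.items():
        for raw in addrs:
            a = ipaddress.ip_address(raw)
            if a not in subnet:
                problems.append(f"{name}: {a} is outside {subnet}")
            elif a in (subnet.network_address, subnet.broadcast_address):
                problems.append(f"{name}: {a} is the network or broadcast address")
            elif a == gateway:
                problems.append(f"{name}: {a} is the ISP gateway")
            if a in owner and owner[a] != name:
                problems.append(f"{a} is claimed by both {owner[a]} and {name}")
            owner.setdefault(a, name)
    return problems


def receivers(dst, subnet, firewall_ips):
    """Names of the firewalls whose IP stack will process a frame sent to dst.

    Unicast to a firewall's own address is handled by that firewall only; the
    switch may flood the frame before the MAC is learned, but the other
    firewall's NIC/stack drops it. Subnet broadcast and multicast are
    delivered to every host on the segment, so both firewalls see them.
    """
    dst = ipaddress.ip_address(dst)
    subnet = ipaddress.ip_network(subnet)
    if dst == subnet.broadcast_address or dst.is_multicast:
        return sorted(firewall_ips)
    return sorted(
        name for name, addrs in firewall_ips.items()
        if any(dst == ipaddress.ip_address(a) for a in addrs)
    )


def split_prefixes(subnet, gateway, firewall_ips, new_prefixlen=29):
    """What happens if each firewall is configured with a sub-prefix instead.

    For each firewall, lists the /new_prefixlen block(s) covering its
    addresses and whether the ISP gateway falls inside any of them. If it does
    not, the firewall cannot ARP for its default gateway with that mask.
    """
    gateway = ipaddress.ip_address(gateway)
    result = {}
    for name, addrs in firewall_ips.items():
        blocks = {
            ipaddress.ip_network(f"{a}/{new_prefixlen}", strict=False)
            for a in addrs
        }
        result[name] = {
            "blocks": sorted(str(b) for b in blocks),
            "gateway_reachable": any(gateway in b for b in blocks),
        }
    return result


if __name__ == "__main__":
    print("plan problems:", plan_problems(ISP_SUBNET, ISP_GATEWAY, FIREWALL_IPS))
    for dst in ("203.0.113.3", "203.0.113.9", "203.0.113.15", "224.0.0.5"):
        print(f"{dst:>14} -> {receivers(dst, ISP_SUBNET, FIREWALL_IPS)}")
    print("per-firewall /29 split:", split_prefixes(ISP_SUBNET, ISP_GATEWAY, FIREWALL_IPS))
```

With the sample plan, only 203.0.113.15 (the /28 broadcast) and 224.0.0.5 (OSPF multicast) are listed for both firewalls, matching the answer's point that shared traffic is limited to broadcast and multicast. The split check also shows why narrowing each WAN mask is not a free improvement: fw-b's /29 (203.0.113.8/29) no longer contains the gateway at 203.0.113.1, so that firewall would need an on-link host route or a different gateway address to work at all.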