TL;DR I have two routers and a switch, and have forwarded port 80 on both routers to the switch, but depending on which router gives the switch its IP, it'll have that as its default gateway, and I can't reach it through the other router.
I feel like I need a NAT or Mangle or routing rule?
I tried adding the other router as a default gateway, and suddenly the port-forwarding works through that, but now it doesn't work on the first one.
I've looked at Port forwarding with two routers, but is the solution really to create a VRRP on e.g. 10.0.19.3/24 and manually visit all the servers and set this as their default gateway?
More info
I can see the firewall rules increase the packet numbers, so I know I'm hitting them, and I can snoop the packets on the switch and see that it's receiving traffic, but it's not sending anything back. Probably because of a missing route, it doesn't know where to send it?
Detailed setup
Router A has a public IP 1.2.3.4 on eth1 (WAN) and a bridge network with the remaining 8 ports (7 Ge, 1 SFP), and 10.0.19.1/24 on the bridge.
It runs a DHCP server for 10.0.19.32/27.
Router B has a public IP 5.6.7.8 on eth1 (WAN) and a bridge network with the remaining 8 ports (7 Ge, 1 SFP), and 10.0.19.2/24 on the bridge.
It runs a DHCP server for 10.0.19.64/27.
The routers are connected on ether9 with an SFP+ cable.
The switch is connected to ether2 on both routers, and has static IP 10.0.19.20/24 from router A.
It also has a dynamic IP 10.0.19.90/24. (This should go away after bonding the interfaces on the routers and the switch, and adding the static IP on router B.)
When I check the routes on the switch, it has:
DST-Address   Gateway
0.0.0.0/0     10.0.19.2
10.0.19.0/24  bridge
I've added dstnat rules, on incoming port 80, with an action dstnat, to 10.0.19.20 and port 80 on both routers.
When I access http://1.2.3.4 I get nothing.
When I access http://5.6.7.8 I get the switch UI.
Now, when I manually add a route on the switch:
DST-Address   Gateway
0.0.0.0/0     10.0.19.1
The behaviour changes, and when I access http://1.2.3.4 I get the switch UI.
When I access http://5.6.7.8 I get nothing.
Obviously this isn't what I want either. But now I know that I can influence "who the switch knows to respond to."
Ideally it'll respond to where the request came from, regardless of default gateway.
I've tried creating srcnat rules using the routers' DHCP ranges, or the entire 10.0.19.0/24 network, as the src-address and action masquerade, but it doesn't change anything.
The arp table on the switch shows both routers with their respective IPs and MACs.
Other things
The hardware is two RB5009UG+S+IN routers and a CRS354-48P-4S+2Q+RM switch.
I've configured a VRRP vIP 9.10.11.12 that I'll be using for some servers, which will sit behind both routers, so I'll need both to be able to forward traffic back and forth properly.
I've tried googling a bunch, but all the "two routers/gateways on one network" and "port-forwarding" threads I can find are about having them daisy chained on different subnets, but I literally have two routers and dhcp servers on one network.
Also, this is not a duplicate of Can I have multiple DHCP servers on one network?
I'm not questioning whether I can have two DHCP servers on the same network. I have that. I'm questioning how I configure the routes downstream from both.
Thank you.
10.0.19.0/24 and action "src-nat" to the router's IP. I also got it working with just action masquerade. It seems I was confusing at which point in the chain the rule triggers and thus the source/destination addresses.
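The configuration below is an added example, not the original poster's own rules, written to show both the asymmetric-return problem described in the question and the src-nat/masquerade fix mentioned in the follow-up. It assumes RouterOS naming: the WAN port the post calls "eth1" is ether1, the LAN bridge is named bridge (as in the switch's route table), the forwarded host is the switch at 10.0.19.20 with its UI on TCP/80, and the connection-nat-state firewall matcher is available (RouterOS 6.x/7.x). Router-specific values (1.2.3.4/10.0.19.1 and 5.6.7.8/10.0.19.2) are taken from the question.

```routeros
# Added example (not the original poster's configuration): RouterOS firewall
# NAT for a LAN host that sits behind two routers on one /24.
#
# Assumptions: WAN port "eth1" in the post is ether1; LAN bridge is "bridge";
# forwarded host is the switch at 10.0.19.20, web UI on TCP/80.
#
# Problem: router A dst-nats 1.2.3.4:80 -> 10.0.19.20:80 but leaves the public
# client address as source. The switch has one default route (via router B),
# so its replies leave through B, which has no conntrack entry for that flow.
# Asymmetric return path: request in via A, reply out via B.
#
# Fix: in the srcnat chain, which runs after routing (the destination has
# already been rewritten to 10.0.19.20 by then, which is why matching on the
# post-dst-nat address works), rewrite the source of the forwarded connection
# to the forwarding router's own LAN address. The switch then sees an on-link
# source and replies directly to that router, whatever its default gateway is.

# ------------- Router A (bridge 10.0.19.1, WAN ether1 = 1.2.3.4) -------------
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=10.0.19.20 to-ports=80 \
    comment="forward public :80 to the switch UI"
# Only connections this router dst-natted are rewritten; other LAN traffic is
# untouched. action=masquerade (no to-addresses) gives the same result here,
# because on out-interface=bridge it picks the bridge address 10.0.19.1.
add chain=srcnat out-interface=bridge connection-nat-state=dstnat \
    protocol=tcp dst-address=10.0.19.20 dst-port=80 \
    action=src-nat to-addresses=10.0.19.1 \
    comment="reply path: make the switch answer to this router"
add chain=srcnat out-interface=ether1 action=masquerade \
    comment="normal outbound NAT for the LAN"

# ------------- Router B (bridge 10.0.19.2, WAN ether1 = 5.6.7.8) -------------
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=10.0.19.20 to-ports=80 \
    comment="forward public :80 to the switch UI"
add chain=srcnat out-interface=bridge connection-nat-state=dstnat \
    protocol=tcp dst-address=10.0.19.20 dst-port=80 \
    action=src-nat to-addresses=10.0.19.2 \
    comment="reply path: make the switch answer to this router"
add chain=srcnat out-interface=ether1 action=masquerade \
    comment="normal outbound NAT for the LAN"

# ------------- Checks (run on whichever router was used) -------------
# The srcnat rule's packet counter must climb together with the dstnat rule's
# when http://<that router's public IP> is opened from outside; if only the
# dstnat counter moves, the forwarded flow is not being source-rewritten.
/ip firewall nat print stats
# Connection tracking keeps the real client in src-address and shows the
# router's LAN address in reply-dst-address for the forwarded flow.
/ip firewall connection print where dst-address~"10.0.19.20:80"
```

The trade-off a practitioner should keep in mind: after src-nat, the switch's own access log records the router's LAN address (10.0.19.1 or 10.0.19.2) instead of the real client, so the router's connection table and NAT counters become the place to look when investigating who connected. The VRRP-address-as-default-gateway approach from the question avoids that loss of client address but requires touching every server's gateway; the src-nat rule keeps each router self-contained, which is why both variants the poster reported (src-nat to the router's IP, and plain masquerade on the bridge) behave the same.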