[Solved] Two gateways, one WAN?

Is it possible to configure two gateway hosts to connect to the same external wan and have both work?

In other words, given WAN ipv4/29 +1 as the outside address, can one configure HOST1 default route to WAN ipv4/29 +2 and HOST2 default route to WAN ipv4/29 +3 and have both work? Or is this going to cause a loop?
 
Code:
 ───────────┬─────────────────────────────────────────────────────────┬─────────────
             │                                                         │
             │                                                         │
             │                                                         │
             │                                                         │
             │                                                         │
       192.168.216.1/24                                        192.168.111.1/24
             │                                                         │
             │                                                         │
             │                                                         │
             │                                                         │
           ┌─┴──────────┐                                            ┌─┴───────────┐
           │            │                                            │             │
           │            │                                            │             │
           │  LAN GW1   │                                            │   LAN GW2   │
           │            │                                            │             │
           │            │                                            │             │
           │            │                                            │             │
           └──────┬─────┘                                            └─────┬───────┘
                  │                            DMARC                       │
              123.123.123.2/29                ┌─────┐               123.123.123.3/29
                  ────────────────────────────┼─────┼───────────────────────
                                              │     │
                                              └─────┘
                                           123.123.123.1/29
                                           ┌────────────┐
                                           │            │
                                           │            │
                                           │            │
                                           │   ISP WAN  │
                                           │            │
                                           │            │
                                           └────────────┘
 
If you have a BGP transfer net with 2 IPs at your disposal (usually you only have one for your peer), you can perfectly fine set up a failover by advertising different metrics from those two GWs.

If you are talking about a consumer-grade line this won't work - usually you won't get more than 1 DHCP lease on the ethernet("-like") connection your CPE provides over whatever line runs into your house. Usually the best you can get on consumer lines is failover via CARP/pfsync and spoofed (identical) mac for both GWs on the CPE side, but even this often isn't possible if the ISP is forcing you to use some toy-router in front of your gear.


I also see you are using different subnets behind each GW (although it seems to be the same flat network? don't do that - use VLANs!) - if all you want is running multiple VLANs/subnets you don't need multiple GWs...
 
We have a dedicated /29 address block yielding six usable addresses, two of which are in service, one at the ISP and one in our current gateway host.

The multiple subnets on one wire are an historical artifact. The second gateway host has additional i/fs so that these will be collected into one i/f for the entire 192.168.0.0/16 network. Our public address space is listened for on a separate i/f.

This is the source of my question as I am trying to run a second connection to the ISP listening on 192.168.0.1/16 and gradually reset the internal hosts to use that gateway instead of the current set of aliases on the first gateway host. When complete then I can switch off the first and route everything through the second.

I am having some difficulty in getting this to work however, and so I thought that the issue might lay with trying to connect to one WAN from two other addresses on the same sub-net. If this is not a problem, and I thought that it should not be but one never knows, then I need to check elsewhere.

The next thing to check is the DMARC switch and see if it is holding on to ARP table artifacts.

VLAN requires replacing a number of distributed switches with equipment that can handle it. That is not in the budget.
 
What you’re suggesting seems doable - I’d like to try and help (IRC or some other chat). If not please keep me updated - this seems fun.
 
Then this is perfectly doable. I would still *highly* recommend isolating your internal subnets/networks via VLANs - if you haven't yet, now is the perfect chance. If you want to use DHCP in the new network and also run a DHCP for the old subnet, you actually *have* to separate those networks or else the clients will pick up settings from whatever DHCP-server answers first (in short: you will have total chaos).

If you configure (a) new VLAN(s) for the new subnet(s), you can set up the new gateway (/w another public address of your /29 prefix) and the network(s) it should serve (local DNS, DHCP etc) and thoroughly test everything without interrupting the current production network. If you confirmed everything is working, just change the switchports for the rest of the clients to access ports for the new VLAN(s). (In case of windows boxes a reboot is usually the best (only?) way they properly catch on to the new network settings they receive via DHCP. Otherwise they often cling to old settings even if the lease has expired for hours/days...)
 
VLANs are not in the budget.

Currently I have the new router on its own physical network segment completely isolated from our internal LAN. I am having trouble reaching beyond our ISP's endpoint.

The current network configuration of the new device is:

Code:
em5 inet 123.123.123.235 netmask 0xfffffff8 broadcast 123.123.123.239  (WAN)
em1 inet 192.168.215.4 netmask 0xffff0000

The routing table looks like this:

Code:
default            123.123.123.233     UGS       em5
123.123.123.232/29 link#6              U         em5
123.123.123.235    link#6              UHS       lo0
127.0.0.1          link#7              UH        lo0
192.168.0.0/16     link#2              U         em1
192.168.215.4      link#2              UHS       lo0

Forwarding is enabled.

Code:
sysctl net.inet.ip.forwarding
net.inet.ip.forwarding: 1

I have one other host on the LAN segment with the new router. It has the address 192.168.215.41 manually configured with the default gateway set to 192.168.215.4.

I cannot ping the internal gateway address 123.123.123.235 from this host. I can ping 192.160.215.4. There is no firewall running.

Is there something else needed for forwarding to work?
 
This problem arose because the ISP was blocking all the addresses on the 123.123.123/29 subnet other than the two endpoints.
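As an added illustration (not code from the thread or from any poster), the following Python script replays the routing table posted above through a longest-prefix lookup and then adds the return-path condition that turned out to be the actual problem: forwarding on the router can be entirely correct, yet nothing beyond the ISP's endpoint answers unless the upstream is willing to route the router's public address back. The destination 203.0.113.10 and the upstream allow-list are constructed sample values (the thread does not give the second address the ISP accepted), and the assumption that the router NATs LAN traffic to its em5 address is mine, not the poster's.

```python
"""Route lookup replay for the two-gateway thread.

Added example (not from the thread): longest-prefix match over the FreeBSD
`netstat -rn` table posted above, plus a check of the return path, which is
where the original problem turned out to be (the ISP filtering the /29).
"""
import ipaddress
from dataclasses import dataclass

# Routing table exactly as posted (netstat -rn columns: Destination, Gateway,
# Flags, Netif).
ROUTING_TABLE = """\
default            123.123.123.233     UGS       em5
123.123.123.232/29 link#6              U         em5
123.123.123.235    link#6              UHS       lo0
127.0.0.1          link#7              UH        lo0
192.168.0.0/16     link#2              U         em1
192.168.215.4      link#2              UHS       lo0
"""


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: str   # next-hop address, or "link#N" for a directly connected route
    flags: str
    netif: str


@dataclass(frozen=True)
class Decision:
    netif: str
    next_hop: str  # address the frame is handed to on that interface
    local: bool    # True when the packet is for this router itself


def parse_routes(text: str) -> list[Route]:
    """Parse netstat-style lines; host routes (H flag) carry no prefix length."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        dest, gateway, flags, netif = parts
        if dest == "default":
            dest = "0.0.0.0/0"
        routes.append(Route(ipaddress.ip_network(dest, strict=False), gateway, flags, netif))
    return routes


def lookup(routes: list[Route], dst: str) -> Decision:
    """Longest-prefix match; the /0 default only wins when nothing else matches."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in routes if addr in r.prefix),
               key=lambda r: r.prefix.prefixlen, default=None)
    if best is None:
        raise LookupError(f"no route to {dst}")
    direct = best.gateway.startswith("link#")
    return Decision(best.netif, dst if direct else best.gateway, best.netif == "lo0")


def local_addresses(routes: list[Route]) -> dict[str, str]:
    """Map interface -> the router's own address on it, by pairing the link#N of
    each connected-network route with the UHS host routes using the same link."""
    link_to_if = {r.gateway: r.netif for r in routes
                  if r.gateway.startswith("link#") and r.netif != "lo0"}
    return {link_to_if[r.gateway]: str(r.prefix.network_address)
            for r in routes if r.netif == "lo0" and r.gateway in link_to_if}


def check_path(routes: list[Route], src: str, dst: str, upstream_accepts: set[str]) -> dict:
    """Forward decision for a LAN packet plus whether the reply can come back.

    Assumes (my assumption, not stated in the thread) that the router NATs LAN
    traffic to its egress-interface address, so that is the address the upstream
    must be willing to route back. A directly connected destination (the ISP's
    own endpoint) answers on the link and never needs the upstream's routing.
    """
    out = lookup(routes, dst)
    if out.local:
        return {"forwarded": False, "reason": "destination is this router"}
    if lookup(routes, src).netif == out.netif:
        return {"forwarded": False, "reason": "same interface, no routing involved"}
    egress_src = local_addresses(routes)[out.netif]
    needs_upstream = out.next_hop != dst
    return {
        "forwarded": True,
        "out_if": out.netif,
        "next_hop": out.next_hop,
        "egress_src": egress_src,
        "upstream_ok": (not needs_upstream) or egress_src in upstream_accepts,
    }


if __name__ == "__main__":
    routes = parse_routes(ROUTING_TABLE)
    # Constructed sample: the ISP only routes its own endpoint and one other
    # address of the /29 (the thread does not give that second address).
    isp_allows = {"123.123.123.233", "123.123.123.234"}
    for dst in ("123.123.123.233", "203.0.113.10"):
        print(dst, check_path(routes, "192.168.215.41", dst, isp_allows))
```

Run as-is, the script shows the ISP endpoint reachable (direct on em5, no upstream routing needed) and the external destination forwarded correctly but with `upstream_ok` false, which is exactly the symptom in the thread: the router's own forwarding, routes and sysctl were fine, and the fix had to come from the ISP's filter rather than from the host.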
 