... I have a problem which I'm sure is actually quite straightforward to solve, I just don't know how to do it.
I have two Ubiquiti EdgeRouter devices, an ER-POE5 and an ER-X. The ER-X is a backup device. They both have five Ethernet ports, and I have Shorewall (4.5.5) on both. Each device has eth3 permanently plugged as a management interface. On the device that's carrying traffic, eth0 is my wired backbone, eth1 and eth2 are wireless subnets each on its own router, and eth4 is my uplink.

The goal was to be able to update one device without interrupting the other, and then just replug and switch traffic to the other router. The problem is that I can't download any updates on the *backup* router without changing its default route to the internal gateway address on the *active* router (10.24.32.1). But of course when that device *is* the active router, I can't use 10.24.32.1 as its default route because that's now one of its own internal addresses; I have to change the default route to the uplink. (And reboot the cable modem, because the modem never refreshes ARP.)

Now one of the users on the Ubiquiti forums suggested solving this problem with an iptables SNAT rule for the management traffic. But honestly, I don't understand what he was trying to explain. I'm not convinced he entirely understood my configuration, and I certainly don't understand what he was trying to convey as a solution (I don't speak iptables; I find it arcane and opaque).

What I'm looking for is a way to make each router use the direct uplink to fetch updates if eth4 is connected, but route through the internal network to the other router if it's not. But I can't think of any straightforward way to do it without some kind of custom piece of code that detects whether eth4 is connected and changes the default route as needed. Does anyone have any suggestions for accomplishing this via NAT rules? Is there some clever trick that I don't know?
I'm guessing I'm just going to have to settle for switching the default route by hand, but if there's something I don't know that would enable me to automate it, I'm all ears.

-- Phil Stracchino, Babylon Communications, [email protected] [email protected], Landline: 603.293.8485

Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
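An added example, not from Phil's post or from the Shorewall project, of the "custom piece of code" the post mentions: a POSIX shell script that reads the eth4 carrier flag and chooses between the direct uplink and the other router's internal address (10.24.32.1, from the post) as the default route. The uplink gateway address is not in the post, so UPLINK_GW is a placeholder; the script assumes a Linux-based router where the kernel route table may be changed with `ip route`, and it does not address the cable modem's stale ARP entry.

```shell
#!/bin/sh
# Failover default-route selector (added example, not part of the original post).
# Assumes a Linux router with the `ip` command; EdgeOS is Linux underneath, but its
# configuration system may reinstate its own static routes on commit.
UPLINK_IF="eth4"
UPLINK_GW="${UPLINK_GW:-192.0.2.1}"   # PLACEHOLDER: real upstream gateway not in the post
INTERNAL_GW="10.24.32.1"              # gateway address on the active router (from the post)

# Print the carrier state of an interface: 1 = link up, 0 = link down.
# Reading the carrier file fails for a missing or administratively-down
# interface, so both cases are reported as 0 (no usable link).
link_state() {
    cat "/sys/class/net/$1/carrier" 2>/dev/null || echo 0
}

# Pure decision step: given a carrier value, print the gateway to use.
# Keeping this separate from the route change makes it testable offline.
choose_gateway() {
    if [ "$1" = "1" ]; then
        echo "$UPLINK_GW"
    else
        echo "$INTERNAL_GW"
    fi
}

# Print the gateway of the current IPv4 default route (empty if none).
current_gateway() {
    ip -4 route show default 2>/dev/null | awk '{print $3; exit}'
}

# Apply the decision, touching the route table only when it is wrong.
apply_default_route() {
    want=$(choose_gateway "$(link_state "$UPLINK_IF")")
    have=$(current_gateway)
    [ "$have" = "$want" ] && return 0
    if [ "$want" = "$UPLINK_GW" ]; then
        # Pin the uplink route to eth4 so it never leaks onto an internal port.
        ip route replace default via "$want" dev "$UPLINK_IF"
    else
        # Internal gateway: the kernel picks the connected backbone subnet.
        ip route replace default via "$want"
    fi
    logger -t failover-route "default route changed from '${have:-none}' to '$want'"
}

# Run with --apply from cron (every minute) or from a link-change hook.
if [ "${1:-}" = "--apply" ]; then
    apply_default_route
fi
```

Running it with `--apply` needs root; without that flag the script only defines the functions, so it can be sourced and inspected safely.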
