On 01/09/2017 09:55 AM, Phil Stracchino wrote:
> ... I have a problem which I'm sure is actually quite
> straightforward to solve, I just don't know how to do it.
>
> I have two Ubiquiti EdgeRouter devices, an ER-POE5 and an ER-X.
> The ER-X is a backup device. They both have five Ethernet ports,
> and I have Shorewall (4.5.5) on both. Each device has eth3
> permanently plugged as a management interface. On the device
> that's carrying traffic, eth0 is my wired backbone, eth1 and eth2
> are wireless subnets each on its own router, and eth4 is my uplink.
> The goal was to be able to update one device without interrupting
> the other, and then just replug and switch traffic to the other
> router.
>
> The problem is that I can't download any updates on the *backup*
> router without changing its default route to the internal gateway
> address, on the *active* router (10.24.32.1). But of course when
> that device *is* the active router, I can't use 10.24.32.1 as its
> default route because that's now one of its own internal addresses;
> I have to change the default route to the uplink. (And reboot the
> cable modem because the modem never refreshes ARP.)
>
> Now one of the users on the Ubiquiti forums suggested solving this
> problem with an iptables SNAT rule for the management traffic. But
> honestly, I don't understand what he was trying to explain. I'm
> not convinced he entirely understood my configuration, and I
> certainly don't understand what he was trying to convey as a
> solution (I don't speak iptables; I find it arcane and opaque).
>
> What I'm looking for is a way to make each router use the direct
> uplink to fetch updates if eth4 is connected, but route through the
> internal network to the other router if it's not. But I can't
> think of any straightforward way to do it without some kind of
> custom piece of code that detects whether eth4 is connected and
> changes the default route as needed.
>
> Does anyone have any suggestions for accomplishing this via NAT
> rules? Is there some clever trick that I don't know? I'm guessing
> I'm just going to have to settle for switching the default route by
> hand, but if there's something I don't know that would enable me to
> automate it, I'm all ears.
You can do this with Shorewall and LSM - see http://www.shorewall.org/MultiISP.html. Make the direct internet connection the primary provider and the local LAN the fallback provider.

-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,        \ died peacefully in his sleep. Not screaming like
Washington, USA   \ all of the passengers in his car
http://shorewall.net \________________________________________________

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
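Worked configuration for Tom's suggestion, added here as an illustration; it is not from the thread and not from the Shorewall documentation. Only the interface roles (eth4 uplink, eth0 wired LAN) and the active router's address 10.24.32.1 come from Phil's message. The provider names (uplink, lanfb), zone names (net, loc), the assumption that eth4 gets its address and gateway by DHCP from the cable modem, the LSM check address 203.0.113.1 and the event-script path /etc/lsm/script are all my assumptions. The idea is: the uplink provider is "balanced" (it owns the default route while it is enabled), the LAN provider is "fallback" (its default route through the other router is used only when no balanced provider is enabled), and LSM pings through each provider and calls `shorewall enable`/`shorewall disable` on the interface when the pings start or stop answering. Nothing ever has to edit the default route by hand.

```conf
# Added example, not from the thread or the Shorewall docs. Shorewall 4.5
# Multi-ISP setup for one EdgeRouter; names and addresses marked below are
# assumptions.

# ---- /etc/shorewall/interfaces -------------------------------------------
# Both provider interfaces are 'optional' so Shorewall starts cleanly whether
# or not eth4 is plugged in, and so 'shorewall enable/disable <interface>'
# can add and remove them at run time. Other interfaces stay as they were.
#ZONE   INTERFACE  BROADCAST  OPTIONS
net     eth4       detect     dhcp,optional
loc     eth0       detect     optional

# ---- /etc/shorewall/providers --------------------------------------------
# 'balance'  : uplink's gateway becomes the main default route while enabled.
# 'fallback' : a default route via 10.24.32.1 (the other router) is added to
#              the default table and only takes effect when no balanced
#              provider is enabled, i.e. when eth4 is unplugged or dead.
# 'detect'   : read the DHCP-assigned gateway of eth4 instead of hard-coding.
# 'track'    : replies to connections that came in on a provider go back out
#              through it, which matters once eth4 is the active uplink.
#NAME    NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY     OPTIONS         COPY
uplink   1       0x1   main       eth4       detect      track,balance   -
lanfb    2       0x2   main       eth0       10.24.32.1  track,fallback  -

# ---- /etc/lsm/lsm.conf ---------------------------------------------------
# LSM pings checkip through each device; after max_successive_pkts_lost
# misses it runs eventscript with state 'down', and again with 'up' once
# min_successive_pkts_rcvd replies have come back.
defaults {
  name=defaults
  checkip=127.0.0.1
  eventscript=/etc/lsm/script
  max_packet_loss=20
  max_successive_pkts_lost=7
  min_packet_loss=5
  min_successive_pkts_rcvd=10
  interval_ms=1000
  timeout_ms=1000
  warn_email=root
  check_arp=0
  sourceip=
  ttl=0
}
# Placeholder target (assumption): pick an address beyond the cable modem,
# ideally the ISP's first hop, so a dead modem also counts as 'down'.
connection {
  name=uplink
  checkip=203.0.113.1
  device=eth4
  ttl=2
}
# The active router's LAN address, i.e. the fallback gateway itself.
connection {
  name=lanfb
  checkip=10.24.32.1
  device=eth0
  ttl=1
}

# ---- /etc/lsm/script  (install mode 0755) --------------------------------
#!/bin/sh
# lsm calls: script <state> <name> <checkip> <device> <warn_email> ...
STATE=$1
DEVICE=$4
case "$STATE" in
  up)   /sbin/shorewall enable  "$DEVICE" ;;
  down) /sbin/shorewall disable "$DEVICE" ;;
esac
```

Check it with `shorewall check` before `shorewall restart`, then `shorewall show routing` and `ip route show table uplink` / `ip route show table lanfb` to confirm both tables exist and that the default route sits on eth4. Pull the eth4 cable: after about seven seconds (max_successive_pkts_lost × interval_ms) LSM runs `shorewall disable eth4`, the balanced route is withdrawn, and `ip route` shows the fallback default via 10.24.32.1; plugging it back in reverses this once ten replies have arrived. Two caveats a practitioner should keep in mind: first, `detect` only works if the DHCP client has configured eth4 before Shorewall starts, so keep `dhcp` on the interface and let LSM, not the boot order, bring the provider in. Second, on whichever router currently owns 10.24.32.1 the fallback gateway is one of its own addresses and that provider is not a usable path; in that role eth4 is plugged in and the balanced route carries everything, but look at `shorewall show routing` after a failover or address change rather than assuming. This arrangement does nothing about the cable modem's stale ARP entry that Phil describes; that still needs the modem to relearn the new router's MAC when the devices are swapped.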
