
TL;DR I have two routers and a switch, and have forwarded port 80 on both routers to the switch, but depending on which router gives the switch its IP, it'll have that as its default gateway, and I can't reach it through the other router.

I feel like I need a NAT or Mangle or routing rule?

I tried adding the other router as a default gateway, and suddenly the port-forwarding works through that, but now it doesn't work on the first one.

I've looked at Port forwarding with two routers but is the solution really to create a VRRP on e.g. 10.0.19.3/24 and manually visit all the servers, and set this as their default gateway?

More info

I can see the firewall rules increase the packet numbers, so I know I'm hitting them, and I can snoop the packets on the switch and see that it's receiving traffic, but it's not sending anything back. Probably because of a missing route, it doesn't know where to send it?

Detailed setup

network diagram

The router A has a public IP 1.2.3.4 on eth1 (WAN) and a bridge network with the remaining 8 ports (7 Ge, 1 SFP), and 10.0.19.1/24 on the bridge. It runs a DHCP server for 10.0.19.32/27.

The router B has a public IP 5.6.7.8 on eth1 (WAN) and a bridge network with the remaining 8 ports (7 Ge, 1 SFP), and 10.0.19.2/24 on the bridge. It runs a DHCP server for 10.0.19.64/27.

The routers are connected on ether9 with an SFP+ cable.

The switch is connected to ether2 on both routers, and has static IP 10.0.19.20/24 from router A. It also has a dynamic IP 10.0.19.90/24. (This should go away after bonding the interfaces on the routers and the switch, and adding the static IP on router B.)

When I check the routes on the switch, it has

DST-Address   Gateway
0.0.0.0/0     10.0.19.2
10.0.19.0/24  bridge

I've added dstnat rules, on incoming port 80, with an action dstnat, to 10.0.19.20 and port 80 on both routers.

When I access http://1.2.3.4 I get nothing. When I access http://5.6.7.8 I get the switch UI.

Now, when I manually add a route on the switch:

DST-Address   Gateway
0.0.0.0/0     10.0.19.1

The behaviour changes and when I access http://1.2.3.4 I get the switch UI. When I access http://5.6.7.8 I get nothing.

Obviously this isn't what I want either. But now I know that I can influence "who the switch knows to respond to."

Ideally it'll respond to where the request came from, regardless of default gateway.

I've tried creating srcnat rules using the routers' DHCP ranges, or the entire 10.0.19.0/24 network, as the src-address with action masquerade, but it doesn't change anything.

The ARP table on the switch shows both routers with their respective IPs and MACs.

Other things

The hardware is two RB5009UG+S+IN routers and a CRS354-48P-4S+2Q+RM switch.

I've configured a VRRP vIP 9.10.11.12 that I'll be using for some servers, which will sit behind both routers, so I'll need both to be able to forward traffic back and forth properly.

I've tried googling a bunch, but all the "two routers/gateways on one network" and "port-forwarding" threads I can find are about having them daisy chained on different subnets, but I literally have two routers and dhcp servers on one network.

Also, this is not a duplicate of Can I have multiple DHCP servers on one network?

I'm not questioning whether I can have two DHCP servers on the same network. I have that. I'm questioning how I configure the routes downstream from both.

Thank you.

  • Rather than only using Destination NAT for your port forwarding rule (which doesn't change the source IP in the packets and implies that there is only one return path reply packets can take and/or that it doesn't matter which route is used and routing will sort things out automatically), also do Source NAT (with an explicit SNAT mapping to the router's internal IP or automatically with a MASQUERADE rule). That will change the source IP in the packets and ensure that the reply will always be sent to the correct router, which will then forward the reply packet back to the client.
    – HBruijn, Sep 28 at 9:32
  • @HBruijn Thank you for the reply. Could you be a bit more specific with your examples? I've already tried adding a couple of different srcnat rules with either src-nat as the action or masquerade as the action, but it hasn't changed anything. So I'd really appreciate it if you could be really clear about what you're suggesting.
    – DrLime2k10, Sep 28 at 13:37
  • @HBruijn Thank you! I got it working by adding a srcnat rule with Destination 10.0.19.0/24 and action "src-nat" to the router's IP. I also got it working with just action masquerade. It seems I was confused about at which point in the chain the rule triggers, and thus about the source/destination addresses.
    – DrLime2k10, Sep 28 at 14:16

1 Answer


As suggested by @HBruijn, I was missing a:

Source NAT (with an explicit SNAT mapping to the routers internal IP or automatically with a MASQUERADE rule).

My issue was that I wasn't properly configuring the destination address.

On MikroTik's RouterOS the rules look like this (you can use either):

chain=srcnat action=masquerade to-addresses=10.0.19.0/24 protocol=tcp dst-address=10.0.19.0/24

chain=srcnat action=src-nat to-addresses=10.0.19.1 protocol=tcp dst-address=10.0.19.0/24

Where 10.0.19.1 should be replaced with the second router's address on router B, if you go for the src-nat action.
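For completeness, here is the full pair of rules as they would be entered on router A's RouterOS CLI, as an added example rather than the asker's own config. Interface names, public IPs and the switch address follow the question; the `connection-nat-state=dstnat` matcher is used so that only forwarded connections get their source rewritten, not all LAN traffic, and the dst-nat rule is pinned to the WAN interface and the router's own public IP so that LAN-originated traffic is never rewritten.

```routeros
# Router A: public 1.2.3.4 on eth1 (WAN), 10.0.19.1 on the bridge.
# Mirror the same two rules on router B with 5.6.7.8 / 10.0.19.2.
/ip firewall nat
# Forward inbound TCP/80 only when it arrives on the WAN interface and is
# addressed to this router's public IP; nothing from the LAN side matches.
add chain=dstnat in-interface=eth1 dst-address=1.2.3.4 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=10.0.19.20 to-ports=80 comment="web -> switch"
# Rewrite the source of just those forwarded connections to this router's LAN IP.
# The switch now replies to 10.0.19.1, the router that handed it the request,
# instead of its default gateway, so the return path is symmetric whichever
# public IP the client used.
add chain=srcnat connection-nat-state=dstnat dst-address=10.0.19.20 protocol=tcp \
    dst-port=80 action=src-nat to-addresses=10.0.19.1 comment="hairpin reply via A"
# Equivalent masquerade form (takes the address of the bridge interface automatically):
# add chain=srcnat connection-nat-state=dstnat dst-address=10.0.19.20 protocol=tcp \
#     dst-port=80 out-interface=bridge action=masquerade
```

With this in place the switch's web UI sees 10.0.19.1 or 10.0.19.2 as the client for every forwarded connection, so the real source address is only recoverable from the routers' connection tracking table (`/ip firewall connection print`) or from logging on the dst-nat rule.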
