Phil Stracchino
2017-01-09 17:55:01 UTC
... I have a problem which I'm sure is actually quite straightforward to
solve, I just don't know how to do it.
I have two Ubiquiti EdgeRouter devices, an ER-POE5 and an ER-X. The
ER-X is a backup device. They both have five Ethernet ports, and I have
Shorewall (4.5.5) on both. Each device has eth3 permanently plugged as
a management interface. On the device that's carrying traffic, eth0 is
my wired backbone, eth1 and eth2 are wireless subnets each on its own
router, and eth4 is my uplink. The goal was to be able to update one
device without interrupting the other, and then just replug and switch
traffic to the other router.
The problem is that I can't download any updates on the *backup* router
without changing its default route to the internal gateway address, on
the *active* router (10.24.32.1). But of course when that device *is*
the active router, I can't use 10.24.32.1 as its default route because
that's now one of its own internal addresses; I have to change the
default route to the uplink. (And reboot the cable modem because the
modem never refreshes ARP.)
Now one of the users on the Ubiquiti forums suggested solving this
problem by an iptables SNAT rule for the management traffic. But
honestly, I don't understand what he was trying to explain. I'm not
convinced he entirely understood my configuration, and I certainly don't
understand what he was trying to convey as a solution (I don't speak
iptables; I find it arcane and opaque).
What I'm looking for is a way to make each router use the direct uplink
to fetch updates if eth4 is connected, but route through the internal
network to the other router if it's not. But I can't think of any
straightforward way to do it without some kind of custom piece of code
that detects whether eth4 is connected and changes the default route as
needed.
Does anyone have any suggestions for accomplishing this via NAT rules?
Is there some clever trick that I don't know? I'm guessing I'm just
going to have to settle for switching the default route by hand, but if
there's something I don't know that would enable me to automate it, I'm
all ears.
solve, I just don't know how to do it.
I have two Ubiquiti EdgeRouter devices, an ER-POE5 and an ER-X. The
ER-X is a backup device. They both have five Ethernet ports, and I have
Shorewall (4.5.5) on both. Each device has eth3 permanently plugged as
a management interface. On the device that's carrying traffic, eth0 is
my wired backbone, eth1 and eth2 are wireless subnets each on its own
router, and eth4 is my uplink. The goal was to be able to update one
device without interrupting the other, and then just replug and switch
traffic to the other router.
The problem is that I can't download any updates on the *backup* router
without changing its default route to the internal gateway address, on
the *active* router (10.24.32.1). But of course when that device *is*
the active router, I can't use 10.24.32.1 as its default route because
that's now one of its own internal addresses; I have to change the
default route to the uplink. (And reboot the cable modem because the
modem never refreshes ARP.)
Now one of the users on the Ubiquiti forums suggested solving this
problem by an iptables SNAT rule for the management traffic. But
honestly, I don't understand what he was trying to explain. I'm not
convinced he entirely understood my configuration, and I certainly don't
understand what he was trying to convey as a solution (I don't speak
iptables; I find it arcane and opaque).
What I'm looking for is a way to make each router use the direct uplink
to fetch updates if eth4 is connected, but route through the internal
network to the other router if it's not. But I can't think of any
straightforward way to do it without some kind of custom piece of code
that detects whether eth4 is connected and changes the default route as
needed.
Does anyone have any suggestions for accomplishing this via NAT rules?
Is there some clever trick that I don't know? I'm guessing I'm just
going to have to settle for switching the default route by hand, but if
there's something I don't know that would enable me to automate it, I'm
all ears.
--
Phil Stracchino
Babylon Communications
***@caerllewys.net
***@co.ordinate.org
Landline: 603.293.8485
Phil Stracchino
Babylon Communications
***@caerllewys.net
***@co.ordinate.org
Landline: 603.293.8485