Two gateways same subnet

[Mikensan]

Short and skinny version is, I want to have 2 gateways: 10.0.30.1 and 10.0.30.2 - each with a unique set of subnets behind them. However I want all clients on 10.0.30.0/24 to use 10.0.30.1 as their gateway, and then create static routes to 10.0.30.2 for specific networks.

 

So 10.0.30.1 would have the ability to reach 10.0.20.0/24 and 10.0.21/24, while 10.0.30.2 can reach 10.0.50.0/24 and 10.0.31.0/24.

 

Why I want to do this, is simply because I don't want an additional interface on 10.0.30.1, and have a separate firewall/gateway for my virtual lab. I'd like this 10.0.30.0/24 network to be a "management" network which I can use even if my external firewall takes a shit.

 

Part of me doesn't want to do it, as it is needlessly pushing traffic through the external firewall (30.1), so a little bit torn on how I want to set this network up.

[jde3]

So what is the question?

 

This can all be done on one system if you want or you can use CARP or HSRP to have two upstream.

 

 

gw1 <-----> lan1

    |

gw2 <----> lan2

 

Or

 

           / <--------> lan1

gw1 <

          \ <---------> lan2

 

If I'm understanding your IP addressing right it looks like you have them in tandem. That's poor design.

 

[Mikensan]

Guess I didn't really purpose any questions lol, but curious if it creates any issues or makes sense? 

I thought CARP was used for failover? GW1 will not be able to access the networks behind GW2 as there would be no path without GW2 being online.

[jde3]

4 minutes ago, Mikensan said:

Guess I didn't really purpose any questions lol, but curious if it creates any issues or makes sense? 

I thought CARP was used for failover? GW1 will not be able to access the networks behind GW2 as there would be no path without GW2 being online.

Ya it is. It depends what you want.

 

If you only have one upstream internet connection, and that's all you want. I'd recommend using a Y fork, the reason why is you only have one set of firewall rules to manage and that device plays traffic cop for who can talk to who with a minimum of complexity and latency. You could also vlan it.

[Denned]

Not really sure what you're trying to accomplish and what equipment you're using. Drawings makes everything easier to wrap your head around, also for your own sake.

You would need a subnet between your two routers, and then make static routes via them.

Then for it to work, you would need to create vlans for each of your subnets on whatever router they're connected to. The router needs to be part of the subnet that it's supposed to route for..

[jde3]

so in other words you have 3 interfaces in the router.

 

em0 - wan

em1 - 10.0.20.0/24 and 10.0.21/24 (vlan20 vlan21?)

em2 - 10.0.31.0/24 and 10.0.50.0/24 (vlan31 vlan50?)

 

(simplified rules)

pass in on em1 to em0

pass in on em2 to em0

block in on em1 to em2

 

? something like that? This starts to depend on your physical layout and stuff, capacity. If you wanted vlan or you could do actual subnetting and break those block assignments up. It all kinda depends.. I'd avoid adding another node though unless you think its necessary because.. that can lead to situations where maybe someone will want to add another when they want client vpn on x network etc but that vpn can only talk to y so more routers and you start to end up with a whole lot of routers that don't really need to be there.

[Mikensan]

Here's a rough drawing.. the virtual lab will be 3 hypervisors full of virtual machines, but for networking sake I kept it simple.

[Lurick]

I think that would work and the switch should just send traffic out the right ports since it will know that traffic needs to go to the port connected to 10.0.30.2 and just switch the traffic that way. The only thing you'll need to do is put a static route or two on the local PCs to point to the subnets behind 10.0.30.2. That way it won't have to hit the firewall.

[Mikensan]

1 minute ago, Lurick said:

I think that would work and the switch should just send traffic out the right ports since it will know that traffic needs to go to the port connected to 10.0.30.2 and just switch the traffic that way. The only thing you'll need to do is put a static route or two on the local PCs to point to the subnets behind 10.0.30.2. That way it won't have to hit the firewall.

Yea I was thinking of pushing static routes to the clients with a need to access networks behind gw2, running a windows shop and I'm sure I could do this via GPOs. The less I rely on GW1 the happier I am.

[Lurick]

1 minute ago, Mikensan said:

Yea I was thinking of pushing static routes to the clients with a need to access networks behind gw2, running a windows shop and I'm sure I could do this via GPOs. The less I rely on GW1 the happier I am.

Yah, I'm pretty sure you can do that with a GPO but I can't say for sure