Two routers on one network

Forum for current devices of the LANCOM router/gateway series

Moderator: Lancom-Systems moderators

Henry
Posts: 32
Joined: 24 Feb 2005, 10:11

Two routers on one network

Post by Henry »

Hello,

We are using two routers (LC 1621 and 1721) on one network, each with their own ADSL line and public IP address. The 1721 is the default gateway, but we want to use the 1621 for specific services, e.g. FTP and VPN.
The problem is that when I make a connection to the 1621, all the traffic is routed back from the local network through the 1721, so the outside never gets a response. Is it possible to use different gateways depending on which router accepts the connection?

--
Henry
LittleAdmin
Posts: 52
Joined: 27 Nov 2006, 09:14
Location: Remscheid

Post by LittleAdmin »

I hope I've understood your problem right.

1st idea) If possible, use one router with both links (one with the internal modem, the other with an external one on any LAN port). Then use policy-based routing to separate the FTP and VPN traffic.

2nd idea) Configure a DMZ port on both routers and link them together; leave just the 1721 connected to the LAN. Configure a second (plain IP) internet link through the 1621 on the 1721 main router. Use policy-based routing to separate the FTP and VPN traffic and send it through the 1721.
AndreasMarx
Posts: 131
Joined: 31 Jan 2005, 19:10
Location: München

Re: Two routers on one network

Post by AndreasMarx »

Hello Henry,

I understand that your 1721 is the default gateway for all LAN equipment. So all stations will direct outbound packets to the 1721, regardless of the way the inbound packets came into your LAN. (Correct me if I'm wrong.)

First we need to know your exact specification.

CASE 1: Can you make sure that inbound traffic for VPN and FTP comes in via the 1621? Then the routing of outbound traffic can be decided depending on service (ports).

You can
  • separate the traffic on your LAN station/server, if you can have virtual LAN interfaces on this server (possible with Linux). The different interfaces can have different default gateways and different local IP addresses.
  • tie both WAN connections to one gateway and route depending on service using routing tags (the separation is still necessary because LAN addresses get masqueraded differently depending on the WAN connection). This is LittleAdmin's 1st idea.
  • use a PPPoE connection between your gateways as a tunnel. Separate the traffic on your 1721 and feed the VPN/FTP packets to the 1621 through this connection.

CASE 2: If the back-route cannot be decided based on service, things will get more difficult. Your server will not care about the MAC address of inbound packets and will send outbound traffic to the 1721.

You can
  • still use virtual interfaces on your LAN station/server, as above. The local IP address will preserve the information about the inbound route.
  • try to use the 1721's stateful firewall to decide about the back-route. If the connection came in via the 1721, then the 1721 will have an entry in its connection list (if "preserve state" in the inbound FW rule is checked). It will then route the packet itself. If the 1721 does not know the connection and "session recovery" is on in the firewall (this is needed since SYN will not be set on this packet), then I think it will scan its FW rules. I do not know how LCOS decides which FW rule to apply, but it might be possible to tweak the priorities and let the 1721 apply a routing tag to these packets. They could then be routed through PPPoE to the 1621 as above. This will be a hard way to go. Choose another option if possible.

Using a cable to connect the 1721 and 1621 via DMZ ports is of course an alternative to PPPoE, as suggested by LittleAdmin.

Andreas
LANCOM 1722,1724,1821+,L-322agn dual,1681V,1781EW,1781VA,1781EW+
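The first option in Andreas's CASE 1 (a second local address on the Linux server, with its own default gateway) is Linux source-based policy routing with iproute2. The script below is an added example and not from the original thread or from LANCOM. It assumes the 1721 is 192.168.1.1, the 1621 is 192.168.1.2, the server's LAN interface is eth0 in 192.168.1.0/24, the extra address that the 1621 forwards FTP/VPN to is 192.168.1.11, and routing table 100 is unused; all of these are hypothetical and can be overridden through environment variables. By default it only prints the commands (DRY_RUN=1); set DRY_RUN=0 and run as root to apply them.

```shell
#!/bin/sh
# Added example: source-based policy routing on a Linux server so that
# replies from a second local address leave via the second router (1621)
# while everything else keeps the 1721 as default gateway.
# All addresses, the interface name and the table number are assumptions.

IFACE="${IFACE:-eth0}"                     # LAN interface of the server
LAN_NET="${LAN_NET:-192.168.1.0/24}"        # LAN subnet (must stay reachable directly)
GW_1721="${GW_1721:-192.168.1.1}"           # existing default gateway (1721), main table
GW_1621="${GW_1621:-192.168.1.2}"           # second router (1621)
ADDR_1621="${ADDR_1621:-192.168.1.11/24}"   # second address; 1621 forwards FTP/VPN here
TABLE="${TABLE:-100}"                       # spare routing table number
DRY_RUN="${DRY_RUN:-1}"                     # 1 = print commands only

# Print the command (dry run) or execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Install: add the address, give table $TABLE a connected route for the LAN
# (otherwise LAN peers would be sent to the 1621 too) plus its own default
# route via the 1621, and send everything sourced from the new address there.
setup_second_gateway() {
    run ip addr add "$ADDR_1621" dev "$IFACE"
    run ip route add "$LAN_NET" dev "$IFACE" table "$TABLE"
    run ip route add default via "$GW_1621" dev "$IFACE" table "$TABLE"
    run ip rule add from "${ADDR_1621%/*}" lookup "$TABLE" priority 1000
    run ip route flush cache
}

# Remove everything again, in reverse order.
teardown_second_gateway() {
    run ip rule del from "${ADDR_1621%/*}" lookup "$TABLE" priority 1000
    run ip route del default via "$GW_1621" dev "$IFACE" table "$TABLE"
    run ip route del "$LAN_NET" dev "$IFACE" table "$TABLE"
    run ip addr del "$ADDR_1621" dev "$IFACE"
    run ip route flush cache
}

# Check: the kernel's routing decision for a packet sourced from the second
# address must name the 1621 ($GW_1621) as next hop; a packet from the
# primary address must still name the 1721 ($GW_1721).
check_second_gateway() {
    run ip route get 203.0.113.1 from "${ADDR_1621%/*}"
    run ip route get 203.0.113.1
}

case "${1:-setup}" in
    setup)    setup_second_gateway ;;
    teardown) teardown_second_gateway ;;
    check)    check_second_gateway ;;
    *)        printf 'usage: %s {setup|teardown|check}\n' "$0" >&2 ;;
esac
```

Two things to keep in mind when using this. The 1621's port forwards for FTP and VPN must point at 192.168.1.11 only, because the rule keys on the local address: a TCP or UDP reply is sourced from the address the request arrived at, so a daemon bound to 0.0.0.0 answers correctly without changes, while connections the server itself initiates still leave via the 1721 unless the program binds to .11. The extra route for the LAN subnet in table 100 matters: a table that holds only a default route would send replies to LAN neighbours through the 1621 as well. The `ip rule`/`ip route` entries are not persistent; put them into the distribution's network configuration so they survive a reboot.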