Same subnet for both gateways
I need two gateways: 10.0.30.1 and 10.0.30.2. Each should have its own subnets. All devices in 10.0.30.0/24 should connect to 10.0.30.1, then route to 10.0.30.2 for specific networks. That way 10.0.30.1 can reach 10.0.20.0/24 and 10.0.21.0/24, while 10.0.30.2 handles 10.0.50.0/24 and 10.0.31.0/24. I want this setup to avoid extra interfaces on 10.0.30.1 and keep the virtual lab firewall separate. It’s a bit confusing but helps protect my network if the external firewall fails.
It seems you're checking if the setup makes logical sense. The assumption about CARP handling failover is correct, but the connection between GW1 and GW2 needs clarification—without GW2 active, GW1 can't reach the networks behind it.
It really comes down to your needs. If you only need a single internet connection, a Y fork is a good choice because it simplifies managing firewall rules and reduces complexity while keeping latency low. You might also consider VLANing for better segmentation.
It seems unclear what you're aiming for and which tools you're using. Visual aids help clarify things, so having diagrams would be beneficial. You'd need a link between your two routers, set up static routes through them, and create VLANs for each subnet on the connected router. The router must belong to the subnet it's managing.
In short, you have three interfaces in the router: em0 connects to WAN via 10.0.20.0/24 and 10.0.21.0/24 (possibly VLAN20/VLAN21), em1 connects to 10.0.31.0/24 and 10.0.50.0/24 (VLAN31/VLAN50), and em2 connects to 10.0.31.0/24 and 10.0.50.0/24. The routing rules suggest traffic flows from em1 to em0, then from em2 to em0, with em1 forwarding to em0 and em2 forwarding to em0. This setup relies on your physical configuration and capacity. If you need VLANs or precise subnetting, you could adjust block assignments. It all depends on your needs. I’d skip adding another node unless absolutely required, since it might create unnecessary complexity later, like extra routers for client VPNs that only connect to specific networks.
The rough sketch shows a virtual lab with three hypervisors running many virtual machines. For network purposes, I kept the design straightforward.
I believe this approach would be effective. The switch should direct traffic through the appropriate ports, knowing that the destination is linked to 10.0.30.2. You'll only need to configure static routes or subnets on the local devices to connect to the relevant networks behind that IP. This way, it avoids needing to pass through the firewall.
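The difference between the two approaches in this thread (hosts relying on 10.0.30.1 alone, versus hosts carrying static routes for the networks behind 10.0.30.2) comes down to which gateway each host picks per destination and whether the reply comes back the same way. The following is an added example, not code from any poster, that models the thread's topology as static route tables and walks the forwarding decision hop by hop. Only 10.0.30.1, 10.0.30.2 and the four stub networks come from the thread; the host addresses 10.0.30.50, 10.0.30.51 and 10.0.50.7, and the gateway addresses 10.0.20.1, 10.0.21.1, 10.0.50.1 and 10.0.31.1 inside the stub networks, are assumptions made up for the example.

```python
"""Trace which gateway a 10.0.30.0/24 host uses per destination and flag the
hairpin and path asymmetry that appear when hosts rely on 10.0.30.1 alone.
Added example; topology addresses beyond 10.0.30.1/.2 and the four stub
networks named in the thread are constructed assumptions."""
from ipaddress import ip_address, ip_network


class Node:
    """A host or router: its own addresses plus a static route table."""

    def __init__(self, name, addrs, routes):
        self.name = name
        self.addrs = [ip_address(a) for a in addrs]
        # (prefix, next hop); a next hop of None means directly connected
        self.routes = [(ip_network(p), ip_address(nh) if nh else None)
                       for p, nh in routes]

    def lookup(self, dst):
        """Longest-prefix match, the same decision a kernel FIB makes."""
        dst = ip_address(dst)
        matches = [(p, nh) for p, nh in self.routes if dst in p]
        return max(matches, key=lambda m: m[0].prefixlen, default=None)

    def connected_prefix(self, addr):
        """The directly connected prefix holding addr, i.e. the interface."""
        for p, nh in self.routes:
            if nh is None and addr in p:
                return p
        return None


def trace_path(nodes, src, dst, max_hops=8):
    """Walk the forwarding decision from node `src` towards address `dst`.

    Returns (path, hairpins). path lists the nodes traversed and ends in
    'deliver:<prefix>' once a node has dst directly connected. hairpins lists
    routers that send the packet back out the interface it arrived on; that
    is where ICMP redirects come from and where a stateful firewall on the
    router sees only one direction of the flow.
    """
    dst = ip_address(dst)
    by_addr = {a: n for n in nodes.values() for a in n.addrs}
    cur, ingress = nodes[src], None
    path, hairpins = [src], []
    for _ in range(max_hops):
        match = cur.lookup(dst)
        if match is None:
            return path + ["unreachable"], hairpins
        prefix, nh = match
        if nh is None:
            return path + [f"deliver:{prefix}"], hairpins
        if ingress is not None and cur.connected_prefix(nh) == ingress:
            hairpins.append(cur.name)
        nxt = by_addr.get(nh)
        if nxt is None:
            return path + [f"no-such-gateway:{nh}"], hairpins
        path.append(nxt.name)
        # the packet enters nxt on the interface that owns the next-hop address
        cur, ingress = nxt, nxt.connected_prefix(nh)
    return path + ["loop"], hairpins


def asymmetric(nodes, a, a_addr, b, b_addr):
    """True when the routers on a->b differ from those on b->a, reversed."""
    fwd, _ = trace_path(nodes, a, b_addr)
    rev, _ = trace_path(nodes, b, a_addr)
    return fwd[1:-1] != list(reversed(rev[1:-1]))


def build_lab():
    """Constructed topology from the thread; stub-network addresses assumed."""
    gw1 = Node("GW1", ["10.0.30.1", "10.0.20.1", "10.0.21.1"], [
        ("10.0.30.0/24", None), ("10.0.20.0/24", None), ("10.0.21.0/24", None),
        ("10.0.50.0/24", "10.0.30.2"), ("10.0.31.0/24", "10.0.30.2"),
    ])
    gw2 = Node("GW2", ["10.0.30.2", "10.0.50.1", "10.0.31.1"], [
        ("10.0.30.0/24", None), ("10.0.50.0/24", None), ("10.0.31.0/24", None),
    ])
    # host that trusts 10.0.30.1 for everything
    host_default = Node("host_default", ["10.0.30.50"], [
        ("10.0.30.0/24", None), ("0.0.0.0/0", "10.0.30.1"),
    ])
    # host with the static routes the last reply suggests
    host_static = Node("host_static", ["10.0.30.51"], [
        ("10.0.30.0/24", None), ("0.0.0.0/0", "10.0.30.1"),
        ("10.0.50.0/24", "10.0.30.2"), ("10.0.31.0/24", "10.0.30.2"),
    ])
    server50 = Node("server50", ["10.0.50.7"], [
        ("10.0.50.0/24", None), ("0.0.0.0/0", "10.0.50.1"),
    ])
    return {n.name: n for n in (gw1, gw2, host_default, host_static, server50)}


if __name__ == "__main__":
    lab = build_lab()
    for host in ("host_default", "host_static"):
        for dst in ("10.0.20.9", "10.0.50.7", "10.0.31.4"):
            print(host, "->", dst, *trace_path(lab, host, dst))
        print(host, "asymmetric with 10.0.50.7:",
              asymmetric(lab, host, lab[host].addrs[0], "server50", "10.0.50.7"))
```

The host without static routes reaches 10.0.50.7 via GW1 and then GW2, with GW1 forwarding back out the same interface (a hairpin), while the reply from 10.0.50.7 goes GW2 to host directly. If GW1 is a stateful firewall, it sees the outbound half of that connection only. The host with static routes sends to GW2 directly for both of its networks and keeps GW1 for 10.0.20.0/24 and 10.0.21.0/24, which is the "avoids the firewall" behaviour the last reply describes; whether that is desirable is exactly the trade-off the thread is weighing.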