LinuxQuestions.org
Old 06-13-2013, 10:53 AM   #1
irreverentryan
Member
 
Registered: Jan 2013
Posts: 32

Split network using firewall, trying to add static routes


Hey All,

I've got a local trusted network that we will call PRODUCTION. Its network info is x.x.10.0/24. I have a backup device on that network, with an IP of x.x.10.251. Its gateway is x.x.10.5 (firewall), which has a P2P interface (trusted) that is configured for x.x.100.3. This firewall is directly connected to another firewall with a P2P address of x.x.100.2. This second firewall also has a local trusted network (that we will call DR) with the same network info (x.x.10.0/24), and on this network is a second backup device with an IP of x.x.10.252.

I am trying to make persistent static routes that would allow hosts on the PRODUCTION network to talk to each other locally, except for the other backup device's address. I'd like that data forwarded through the firewalls to the DR network.

Am I explaining this clearly enough? Basically I've split a network without subnetting it and I want direct routes to specific hosts to go through the firewall. I'm having some trouble since most network requests in the same subnet will not reach the default gateway (since they are local).

What I have tried:
PRODUCTION-BCKP:
IP: x.x.10.251
Gateway: x.x.10.5
# ip route add x.x.10.252/32 via x.x.10.5   (host route: /32, not /24, or it is just the connected /24 again)
(x.x.10.5 has a static route in its table directing traffic designated for x.x.10.252 to be forwarded to the DR firewall, x.x.100.2)

DR-BCKP:
IP: x.x.10.252
Gateway: x.x.10.2
# ip route add x.x.10.251/32 via x.x.10.2   (host route: /32, not /24)
(x.x.10.2 has a static route in its table directing traffic designated for x.x.10.251 to be forwarded to the PRODUCTION firewall, x.x.100.3)

At one point I had them pinging, but I am unsure how to make the change persistent.

Thanks!
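An added example (not the poster's commands or the firewall's configuration) that models the host-side routing decision the first post relies on: a /32 host route wins longest-prefix match over the connected /24, a /24 written on a host address collapses to the connected route and collides with it, and a RHEL-style route-eth0 line is one way to make the host route persistent. The 10.0.10.0/24 addresses are constructed stand-ins for the thread's x.x. placeholders, and eth0 is an assumed interface name.

```python
import ipaddress

# Constructed stand-ins for the thread's "x.x." placeholders.
PROD_LAN = ipaddress.ip_network("10.0.10.0/24")  # the duplicated /24, PRODUCTION side
PROD_FW = ipaddress.ip_address("10.0.10.5")      # PRODUCTION firewall = host's gateway
DR_BCKP = ipaddress.ip_address("10.0.10.252")    # backup device on the DR copy


def host_route_table(lan, gateway, remote_host):
    """Table of a LAN host after 'ip route add <remote_host>/32 via <gateway>'.
    A next hop of None means on-link (directly connected)."""
    return [(lan, None), (ipaddress.ip_network(f"{remote_host}/32"), gateway)]


def lookup(table, dst):
    """Longest-prefix match: the most specific prefix wins, so the /32 host
    route overrides the connected /24 for that one address only."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, via in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return "on-link" if best[1] is None else f"via {best[1]}"


def check_route_prefix(cidr, lan):
    """What a prefix really selects: 'x.x.10.252/24' is not a host route, the
    kernel masks it to the /24 that is already the connected route."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == net.max_prefixlen:
        return f"host route for {net.network_address}"
    if net == lan:
        return f"collides with connected {lan}"
    return f"covers {net}"


def persistent_route_line(remote_host, gateway, dev="eth0"):
    """Line for RHEL-style /etc/sysconfig/network-scripts/route-<dev>, re-applied
    by the network service at boot (interface name eth0 is an assumption)."""
    return f"{remote_host}/32 via {gateway} dev {dev}"


if __name__ == "__main__":
    table = host_route_table(PROD_LAN, PROD_FW, DR_BCKP)
    print(lookup(table, "10.0.10.252"))  # via 10.0.10.5
    print(lookup(table, "10.0.10.77"))   # on-link
    print(check_route_prefix("10.0.10.252/24", PROD_LAN))
```

The host-side route only decides where the packet leaves the host; whether the firewalls accept a source from a network that exists on both of their sides is a separate matter, which the replies below take up.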
 
Old 06-13-2013, 12:42 PM   #2
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,348

Quote:
Originally Posted by irreverentryan
Hey All,

I've got a local trusted network that we will call PRODUCTION. Its network info is x.x.10.0/24. I have a backup device on that network, with an IP of x.x.10.251. Its gateway is x.x.10.5 (firewall), which has a P2P interface (trusted) that is configured for x.x.100.3. This firewall is directly connected to another firewall with a P2P address of x.x.100.2. This second firewall also has a local trusted network (that we will call DR) with the same network info (x.x.10.0/24), and on this network is a second backup device with an IP of x.x.10.252.
You can't have the same IP network (x.x.10.0/24) in two different places. A router/firewall cannot be directly connected to a network (by having an interface address in that network) and at the same time have a route saying the same network is somewhere else. It makes no sense.

The proper solution is to renumber one of the networks. If that really isn't possible, you could set up both source and destination NAT on both firewalls, but trust me, you don't want to go there unless you absolutely, positively have to. For one thing, the DNS setup will be a nightmare.
 
Old 06-13-2013, 01:00 PM   #3
irreverentryan
Member
 
Registered: Jan 2013
Posts: 32

Original Poster
Unfortunately, I do need to split the network this way. We have a virtual machine that manages all other virtual machines, and it needs to keep its IP information when spun up in the DR site.
 
Old 06-14-2013, 05:34 AM   #4
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,348

You may have specific requirements with regards to functionality, but there are probably several ways to meet those requirements. I must say I doubt they mandate an invalid network configuration.

Duplicate IP networks should be avoided if at all possible, as communication between such networks can only be realized with combined source and destination NAT at both ends. If you could provide some details regarding your setup and the needed functionality, perhaps an alternate solution could be found.
 
Old 06-14-2013, 08:24 AM   #5
irreverentryan
Member
 
Registered: Jan 2013
Posts: 32

Original Poster
Watchguard Firewall

It actually seems to be passing the data properly... the only problem is my Watchguard firewall is blocking the address as spoofed (probably because the network exists on both sides of the firewall). So it looks like I've got to allow it to pass and I may be all set.

There is another way to set this all up, but it requires a RHEL HA Cluster running RHEV as HA. I don't have enough experience with that to go in that direction, so we decided to create a "warm" DR site that we would manually spin up. There is only one duplicated address, the rest are singular.
 