Dual WAN (Failover with LTE LAN modem) & /28 Static Public IP DNAT/SNAT

I have fiber WAN to AX88U and a static /28 from my ISP. I assign two IPs from this /28 to two servers providing public services.

The configuration I use is this:

in nat-start:
ip addr add xxx.xxx.xxx.xxx/28 dev ppp0
iptables -t nat -A PREROUTING -d xxx.xxx.xxx.xxx -j DNAT --to-destination
iptables -t nat -I POSTROUTING -o ppp0 -s -j SNAT --to xxx.xxx.xxx.xxx

Now my ISP also finally managed to fix their 4G "Internet Backup" service to support clients with static IP packages,
so I'm trying to set up failover. I tested failover and it works great (apart from being set as Cold-Standby initially for some
reason, but I added service "restart_wan_if 1" in services_start and that got fixed).

My problem is trying to get the 1:1 NAT to work with the failover WAN2. I saw that the router gets the WAN2 IP address
on eth1. The LTE modem is set as bridged and my ISP provides the same static IP endpoint to both the fiber connection
and the LTE one. So both ppp0 and eth1 get assigned the yyy.yyy.yyy.yyy public address.

So what I did was add this rule to nat-start:
iptables -t nat -I POSTROUTING -o eth1 -s -j SNAT --to xxx.xxx.xxx.xxx

so that the internal IP is also SNATed to the public address when going through eth1.

Then I created wan1-connected and added:
ip addr add xxx.xxx.xxx.xxx/28 dev eth1

and also wan0-connected and added:
ip addr del xxx.xxx.xxx.xxx/28 dev eth1   # prefix length must match the one used on add, otherwise /32 is assumed and the delete fails

When I pull the WAN1 LAN cable, WAN2 gets activated and ppp0 no longer exists (although I'm not so sure that would
still be the case on a failure that doesn't involve me pulling the cable). So I add the IP alias to eth1 and the NAT rules
should just work... But they don't.

The first problem is that wan1-connected is never called, so the IP alias is never added (no idea why this happens --
wan0-connected gets called normally on failback). But when I manually do "ip addr add xxx.xxx.xxx.xxx/28 dev eth1",
the server loses connectivity to the internet. I cannot figure out why this happens. It should work.

Doing "ping -I xxx.xxx.xxx.xxx" works just fine from the router. And the NAT tables look good.

Any ideas? It's been driving me crazy for the past 48 hours.

As a side note, in case this is related, because it is also weird: the LTE modem has a web interface at and I added
a static route for pointing to its public address on eth1. I do this for all bridged routers so I can access their interface.
While I can ping from the router, I can't do the same from the server. The traceroute from the server shows
the first hop (the AX88U gateway) but it never goes beyond that.
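The nat-start / wan0-connected / wan1-connected logic described above, written as one interface-aware helper so the /28 alias and the 1:1 DNAT/SNAT pairs follow whichever WAN is live. This is an added example, not the poster's script or anything shipped by Asuswrt-Merlin; the addresses are constructed (RFC 5737 TEST-NET) and the internal/public mapping list is an assumption.

```shell
#!/bin/sh
# Added example: bind the public /28 and the 1:1 NAT pairs to the active WAN
# interface (ppp0 for fiber, eth1 for the bridged LTE backup). Meant to be
# called from nat-start, wan0-connected and wan1-connected alike.
# Addresses below are constructed (RFC 5737), not the poster's real ones.

PUBLIC_BLOCK="203.0.113.16/28"
# "internal_ip public_ip" pairs, one per line (constructed sample values)
NAT_MAP="192.168.1.10 203.0.113.18
192.168.1.11 203.0.113.19"

# DRY_RUN=1 prints the commands instead of executing them, so the logic can
# be checked on a workstation without root, ip or iptables.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Insert a nat-table rule only if an identical one is not already present
# (iptables -C). Hook scripts can run more than once per WAN event, and
# duplicated SNAT rules make the tables "look good" while the first match
# is a stale one pinned to the wrong interface.
nat_rule_once() {
    if [ "${DRY_RUN:-0}" = 1 ] || ! iptables -t nat -C "$@" 2>/dev/null; then
        run iptables -t nat -I "$@"
    fi
}

# apply_public_nat <active_wan_if> <other_wan_if>
apply_public_nat() {
    active="$1"; other="$2"
    # Move the /28 alias to the live interface. The prefix length on "del"
    # must match the one used on "add", otherwise /32 is assumed and it fails.
    run ip addr del "$PUBLIC_BLOCK" dev "$other" 2>/dev/null || true
    run ip addr add "$PUBLIC_BLOCK" dev "$active"
    echo "$NAT_MAP" | while read -r lan pub; do
        [ -n "$lan" ] || continue
        # Inbound: public IP -> server. Outbound: server -> public IP, but
        # only on the active interface; a rule pinned to ppp0 stops matching
        # once eth1 carries the traffic, and the server then leaves with the
        # router's own WAN address instead of its 1:1 public IP.
        nat_rule_once PREROUTING -d "$pub" -j DNAT --to-destination "$lan"
        nat_rule_once POSTROUTING -o "$active" -s "$lan" -j SNAT --to "$pub"
    done
}

# From wan1-connected (LTE became primary): apply_public_nat eth1 ppp0
# From wan0-connected (fiber is back):      apply_public_nat ppp0 eth1
```

Run it once with DRY_RUN=1 on the router first and compare the printed commands against `iptables -t nat -S` and `ip addr show`; the idempotency check only helps if the rules it emits are exactly the ones you expect.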
