I am trying to get a High availability setup working and I cannot figure out how to work around asymmetric routing when connecting to the backup router itself.
Since both routers need to have an IP in each VLAN in the network, how can a client connect to the backup's management interface - if it is different from the client's VLAN - without it causing issues?
Client -> Primary router (default gateway for client) -> Backup
But
Client <- Backup (without going through the primary router)
Because the backup has a direct route to the client.
Right now, I get dropped SSH connections and all the other symptoms of asymmetric routing when trying to manage the backup router.
Quote from: GrapplingHero on October 24, 2025, 03:37:00 PM
Since both routers need to have an IP in each VLAN in the network, how can a client connect to the backup's management interface - if it is different from the client's VLAN - without it causing issues?
I'd just connect to the secondary's IP in the actual client's subnet.
However, if you need to go over the primary anyway for some reasons (from VPN for instance), you need to hairpin the traffic with an outbound NAT rule.
Best practice: Create an alias for both management IPs.
Add an outbound NAT rule on the primary with source = any, destination = <alias>, dest. port = <mgmt. port>, translation = interface address.
This rule will be synced to the secondary. By using the alias it is also applied if the secondary owns the master role.
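For readers who want to see what the hairpin rule above amounts to at the packet-filter level, here is an added example in pf.conf syntax; it is not from the thread or from any firewall project's generated ruleset, and a GUI-managed firewall will render the same rule differently. It assumes both routers run pf, that the interface on the primary facing the management VLAN is named vlan10, that the two management addresses are 10.0.10.2 (primary) and 10.0.10.3 (backup), and that management is SSH on TCP port 22; all of these names and addresses are constructed for the example.

```pf
# Added example, not from the thread. Constructed values: interface name,
# management addresses and port are placeholders for a real deployment.
mgmt_if   = "vlan10"     # primary's interface into the management VLAN
mgmt_port = "22"         # management protocol port (SSH)

# Alias holding BOTH routers' management addresses. Because the rule matches
# either address, the same rule stays correct after it is synced to the
# secondary and that node takes over the master role.
table <mgmt_hosts> { 10.0.10.2, 10.0.10.3 }

# Hairpin (outbound NAT) rule: a client whose default gateway is this router
# and whose packets to a management IP leave via the management VLAN gets its
# source address rewritten to this router's own interface address. The peer
# router then sees the connection as coming from a directly attached neighbour
# and sends its replies back through this router, so both directions of the
# flow traverse the same path and no state table ever sees only half of it.
nat on $mgmt_if inet proto tcp from any to <mgmt_hosts> port $mgmt_port -> ($mgmt_if)

# The translated connection still has to be allowed by the filter rules;
# with the default stateful behaviour one pass rule covers both directions.
pass in quick on $mgmt_if inet proto tcp from ($mgmt_if) to <mgmt_hosts> port $mgmt_port keep state
```

Two practical notes: the translation hides the client's real address from the peer router's logs and from any source-based access rules on the management interface, so restrict the rule to the management port only (as the reply recommends) rather than to all traffic, and keep the alias limited to the two management addresses. Verifying the fix is simply opening an SSH session to the backup's management IP from a client in another VLAN and confirming the state entry on the primary shows the translated source and that the session no longer drops.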