I have a 10 node network with all nodes wirelessly bridged via WDS links. Each node has address 192.168.9.x.
There is one gateway, let's call it GW1, to the public Internet and the 192.168.9.0/24 network is src-nat'd with masquerade.
The above works just fine and I have used this in dozens of networks.
I would now like to establish a second subnet, 192.168.8.0/24, on this same bridged network. I would like to src-nat
this network to a different Internet gateway on a different node, let's call it GW2.
I tried putting both addresses (192.168.9.x and 192.168.8.x) on each bridge. This works fine inside the bridged network, for node to node internal traffic.
Here is my problem: If I dst-nat external traffic to an inside node from GW2, I can’t figure out how to get the return packets
to leave via GW2. My default route is GW1. I usually solve this with mangle rules to route traffic out over the same interface it came in.
However, since I’m sharing the bridge with both addresses, I can’t figure out a mangle rule to mark my connections.
I can mark the connection on the gateway node where the connection comes in, but that mark won’t traverse the various bridges
to the interior node. The interior node doesn’t know that packet came from GW2, so it uses the default route of GW1 and the packets
don’t get matched up with the dst-nat function at GW2.
I thought of creating a second bridge at each node for the second subnet, but how do I bridge the bridges for the second network? If I could do this, then I could create the mangle rules based on which bridge the packet came from and send it back the way it came.
Any suggestions would be welcome!
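Added example (not part of the original post, and not the poster's configuration): one way to steer return traffic without needing a connection mark to cross the bridges is to route by source address on the interior node, since the 192.168.8.x address itself identifies which gateway the flow belongs to. It assumes RouterOS v6 syntax, that GW2 holds 192.168.8.1 on the bridge, that the bridge interface is called bridge1, and that GW2's dst-nat rule targets the interior node's 192.168.8.x address (not its 192.168.9.x one), so that replies are sourced from 192.168.8.x.

```routeros
# --- on each interior node (assumed names: bridge1, GW2 at 192.168.8.1) ---
# Replies the node itself generates (e.g. to dst-nat'd connections) leave the
# output chain; forwarded traffic from 192.168.8.x hosts passes prerouting.
/ip firewall mangle
add chain=output     src-address=192.168.8.0/24 action=mark-routing new-routing-mark=via-gw2 passthrough=no
add chain=prerouting src-address=192.168.8.0/24 in-interface=bridge1 action=mark-routing new-routing-mark=via-gw2 passthrough=no
# Separate default route used only by packets carrying the via-gw2 mark;
# everything else keeps using the existing default route through GW1.
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.8.1 routing-mark=via-gw2

# --- on GW2 (assumed WAN interface name: ether1-wan) ---
# src-nat only the second subnet here, so 192.168.9.x traffic never masquerades through GW2.
/ip firewall nat
add chain=srcnat src-address=192.168.8.0/24 out-interface=ether1-wan action=masquerade
```

Because the marking rule keys on the packet's source address rather than on a mark set at GW2, it works even though mangle marks are local to each node and do not survive the WDS hops.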