GateWays

[xscorpion]

I have 2 gateways and i have added them to Gateways but I can't enable one of them either if the other is enabled or not, i want to load balance between the 2 gateways but I can't unless i could enable both of the (I think).

And should each Gateway and the LAN IP be in separate subnet of each other? Can't all they be in the same subnet?

For example:
My PCs is in the range of 10.5.5.0/8 with interface IP 10.5.5.2/8
My 1st Router IP is 10.3.3.1/8 with interface IP 10.5.5.12/8
My 2nd Router IP is 10.5.5.1/8 with interface IP 10.5.5.13/8

It only work when I make the following configuration:
My PCs is in the range of 192.168.1.0/24 with interface IP 192.168.1.0/24
My 1st Router IP is 10.3.3.1/8 with interface IP 10.5.5.12/8 (Can't enable this one)
My 2nd Router IP is 10.5.5.1/8 with interface IP 10.5.5.13/8

[christian]

ouch!

/8 means class A, meaning here 10.0.0.0/8 (not 10.5.x.x/8 or 10.3.x.x/8  )

Am I correct understanding that all devices are on 10.0.0.0/8 subnet with:
- one router at 10.5.5.12
- one router at 10.5.5.13
- Zentyal external NIC at 10.5.5.2
- what is your internal IP or do you have only one NIC on Zentyal server ?

Then definitely, yes, internal and external networks from Zentyal's standpoint (if you have 2 NICs and want to deploy Zentyal between internet and LAN) MUST be different.

[christian]

To elaborate a bit on my previous post (because I don't understand very well what you try to achieve):
- one may deploy Zentyal server with on interface only. However, in such case, depending on services you want to run, it might be quite complex.
- e.g. this is highly suitable (not to say mandatory) to have Zentyal defined as default gateway for other devices on the LAN if you want to run HTTP proxy in transparent mode.
- with only one interface, firewall rules will be tricky because there is no "inside/outside"
- on will not control communication between devices on your LAN and router(s), except by adding ACL at router level to prevent communication except from Zentyal server.
- it also means NAT for a lot of services: at router level, without NAT, communication will fly back directly to device on same LAN 

So, except if you really master this, I would not advise to run Zentyal with only one NIC if you need to enable services requiring FW.
With one interface only, running mail, proxy (explicit), VPN is fully feasible.

[xscorpion]

No

First yes all in the same class and they all can ping each other

1st Router is 10.5.5.1 working on 1st NIC on Zentyal with interface IP of the Zentyal 10.5.5.12
2st Router is 10.3.3.1 working on 2nd NIC on Zentyal with interface IP of the Zentyal 10.5.5.13
LAN PCs range is 192.168.1.x working on 3rd NIC on Zentyal with interface IP of the Zentyal 192.168.1.70

Anyway i have solved the enabled issue it was because i have created a WAN failover rule and didn't know if it didn't success the router would be disabled.

But regarding the network matter can routers and users PCs be in the same subnet???

[christian]

But regarding the network matter can routers and users PCs be in the same subnet???

Obviously NO  well, read again my previous post but if you have more than 1 interface on Zentyal server and want to distinguish between internal and external sides, then definitely no.
Just curious, why do you want all these devices on same network? what does it bring 

[christian]

And based on what you explained, either you have different network segments between routers and Zentyal external NICs (and in such cases, you must use different IP ranges) or you have only one segment here and it doesn't make sense to "associate" routers and Zentyal NICs as you do:

1st Router is 10.5.5.1 working on 1st NIC on Zentyal with interface IP of the Zentyal 10.5.5.12
2st Router is 10.3.3.1 working on 2nd NIC on Zentyal with interface IP of the Zentyal 10.5.5.13

because router 1 can be reached from either Zentyal NIC1 or NIC2.

[xscorpion]

My need for this, Is to creat load balance for the 2 routers, but in the same time some clients on the network will connect to the routers directly, And I want them to connect to the rest of the PCs, can't the Routers and the PCs be in the same IP range???

And thanks for the help by the way. 

[christian]

Again, definitively, if Zentyal is between clients and routers, then IP range must be different.
So what is your conclusion? 

Mine is that if you do need some clients to access directly routers, you have to either move them on the other side of Zentyal server (but this is risky and complex for what concerns fw rules) or you have to deploy Zentyal with only one single interface, like any client on the LAN.
All devices, including Zentyal, will share same address range and it will work.
Then this works depending on services you want to deploy.
With such design, you can deploy:
- mail, HTTP proxy, VPN (with NAT)
but firewalling has very little sense

Pay attention that HTTP proxy can't use transparent proxy mode if only one interface is deployed, except if Zentyal is the default gateway for devices but then reaching directly routers will not work 

BTW, why do you need to have direct access between devices and routers and why can't this be done through Zentyal?

[xscorpion]

Because higher management won't go for changing the Gateway for them "As simple as that".

All I need is to work Zentyal as a gateway to support all of our Gateways and to load balance between them all, And all of this in one IP range.

As i understand from you I can't make such configuration, If I am wrong and can do the "One IP range" please tell me.

[christian]

For what I understand,there is not technical rational to go for "one single IP range" but management willingness.
For this, I can't help  mainly because I don't understand.

Your "load balancing" concept is also very strange to me: how are you going to apply load balancing with direct access to routers from client? I don't think it works. Thus your management cannot ask for anything plus the opposite at the same time 

As a matter of conclusion: I don't know how to express it. Maybe we just have cultural difference or issues with wording  Anyway, let me write it again:
with Zentyal server deployed with 2 or more interfaces, the external NIC can NOT share same IP range than the internal one.

[xscorpion]

Thank you very much about that, But the managerial level here don't get the concept of load balancing and don't like that someone controling their internet.

And they won't work with the load balance gateway, they and they only will work directly with the routers.

Anyway thank you very much for ur help.

[christian]

So if your management disagrees, what do you try to achieve?
Something they don't want without telling them  

Rather than trying to invent such invisible design, you should rather spend time try to convince your boss about the added value of fw, proxy and other services Zentyal can bring to them.
Deploying proxy doesn't mean "controlling internet". You can enable cache only with no filtering and, more important, not profiling nor log 
then if you don't succeed, Zentyal with 2 NICs (one internal, one external) is not for you (well, not for management)