
I have 2 Internet connections, arriving on 2 routers (Fritzbox), referred to below as fritz-n and fritz-t.

Each Fritzbox has its own Internet connection from a different service provider. Both routers just establish the Internet connection and send all their traffic to different interfaces on my server (in the following: prox2).

fritz-n (192.168.36.254) ---> 192.168.36.253 on eth1
fritz-t (192.168.26.254) ---> 192.168.26.253 on eth2

We primarily use the Internet connection on fritz-n; fritz-t is for failover and for our roomer.

I set up 2 subdomains (office-t.abc.xyz and office-n.abc.xyz), each with an A record pointing to its router.

My problem is: when I open an ssh connection to office-n.abc.xyz -p 22 it works fine, but when I open an ssh connection to office-t.abc.xyz -p 22 I cannot connect. All routers are configured as exposed hosts, so they definitely do not filter any connection.

Does anybody know what I am doing wrong?

# /etc/network/interfaces on prox2
# uplink towards fritz-n (primary default route, metric 0)
auto eth1
iface eth1 inet static
        address  192.168.36.253
        netmask  255.255.255.0
        up /sbin/route add default gw 192.168.36.254 metric 0 eth1
        down /sbin/route del default gw 192.168.36.254 metric 0 eth1

# uplink towards fritz-t (failover default route, metric 1)
auto eth2
iface eth2 inet static
        address  192.168.26.253
        netmask  255.255.255.0
        up /sbin/route add default gw 192.168.26.254 metric 1 eth2
        down /sbin/route del default gw 192.168.26.254 metric 1 eth2

iptables (output of iptables-save):

# Generated by iptables-save v1.4.21 on Thu Sep 28 07:08:40 2017
*mangle
:PREROUTING ACCEPT [270255645:213936245583]
:INPUT ACCEPT [31520001:38963026250]
:FORWARD ACCEPT [238659546:174959469047]
:OUTPUT ACCEPT [17349995:1535871362]
:POSTROUTING ACCEPT [255986358:176485117432]
COMMIT
# Completed on Thu Sep 28 07:08:40 2017
# Generated by iptables-save v1.4.21 on Thu Sep 28 07:08:40 2017
*filter
:INPUT ACCEPT [31516323:38962721398]
:FORWARD ACCEPT [238471146:174935725039]
:OUTPUT ACCEPT [17322993:1524849152]
COMMIT
# Completed on Thu Sep 28 07:08:40 2017
# Generated by iptables-save v1.4.21 on Thu Sep 28 07:08:40 2017
*nat
:PREROUTING ACCEPT [1148316:120418773]
:INPUT ACCEPT [538183:39312329]
:OUTPUT ACCEPT [179594:13556948]
:POSTROUTING ACCEPT [448655:42796545]
-A PREROUTING ! -i vmbr0 -p tcp -m tcp --dport 1195 -j DNAT --to-destination 192.168.16.15:1195
-A PREROUTING ! -i vmbr0 -p udp -m udp --dport 1195 -j DNAT --to-destination 192.168.16.15:1195
-A PREROUTING ! -i vmbr0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.16.5:8080
-A PREROUTING ! -i vmbr0 -p tcp -m tcp --dport 10222 -j DNAT --to-destination 192.168.16.85:22
-A PREROUTING ! -i vmbr0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.16.3:22
-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -o eth2 -j MASQUERADE
COMMIT
# Completed on Thu Sep 28 07:08:40 2017

1 Answer


Aren't your outgoing packets being routed through eth1 when you connect via eth2? Then they are masqueraded, arrive at your ssh client from a different address, and are not eligible to establish the connection.

Running tcpdump or adding logging entries to your iptables rules can help you see which packets pass where.
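As an added example that is not part of the question or the answer: the asymmetric path described above (SYN arrives on eth2 and is DNAT'd to 192.168.16.3, but the SYN-ACK from 192.168.16.3 follows the metric-0 default route out of eth1 and is masqueraded to fritz-n's address) is normally fixed with policy routing on prox2, so that every reply leaves through the uplink on which its connection arrived. The interface names, addresses and gateways are those from the question; the routing-table numbers, the fwmark values, the ip-rule priorities, the rp_filter setting and the script name are assumptions of this example.

```shell
#!/bin/sh
# policy-routing.sh (added example; not the asker's or answerer's code).
# Connections that arrive on an uplink get a conntrack mark; the mark is restored
# onto every later packet of the flow before the routing decision, and an ip rule
# sends marked packets to a per-uplink table whose default route is that uplink's
# Fritzbox.  The existing MASQUERADE -o eth1/eth2 rules then pick the right source.
#
#   DRY_RUN=1 ./policy-routing.sh show   # print the commands only (no root needed)
#   ./policy-routing.sh apply            # apply on prox2 as root

run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# uplink <table> <iface> <local-address> <gateway>
uplink() {
    table=$1 dev=$2 addr=$3 gw=$4
    # Per-uplink table: everything not otherwise routed goes to this Fritzbox.
    run ip route replace default via "$gw" dev "$dev" table "$table"
    # Replies to connections that arrived on this uplink carry its mark (assumed
    # mark value == table number).
    run ip rule add fwmark "$table" table "$table" priority "$((1000 + table))"
    # Traffic prox2 itself sources from the uplink's address also uses it.
    run ip rule add from "$addr" table "$table" priority "$((2000 + table))"
    # Tag new connections with the uplink they came in on.  conntrack has already
    # run when mangle PREROUTING is evaluated, so the mark sticks to the flow.
    run iptables -t mangle -A PREROUTING -i "$dev" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$table"
    # Loose reverse-path filtering: in strict mode the kernel would drop packets
    # arriving on eth2 whose source is reachable via eth1 in the main table.
    run sysctl -q -w "net.ipv4.conf.$dev.rp_filter=2"
}

# Copy the connection mark back onto each later packet of the flow, both for
# forwarded replies from the internal hosts and for prox2's own replies.
restore_marks() {
    run iptables -t mangle -A PREROUTING -m conntrack --ctstate ESTABLISHED,RELATED \
        -j CONNMARK --restore-mark
    run iptables -t mangle -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED \
        -j CONNMARK --restore-mark
}

apply_all() {
    uplink 1 eth1 192.168.36.253 192.168.36.254   # fritz-n, primary
    uplink 2 eth2 192.168.26.253 192.168.26.254   # fritz-t, failover
    restore_marks
}

case "${1:-}" in
    apply) apply_all ;;
    show)  DRY_RUN=1; apply_all ;;
esac
```

Before applying, the misrouting is easy to confirm from prox2 with `tcpdump -ni eth1 'tcp port 22 and tcp[tcpflags] & tcp-syn != 0'` while an ssh to office-t.abc.xyz is attempted: the SYN-ACKs show up on eth1 although the SYNs were captured on eth2. The main table with its two metric-ordered default routes is left untouched, so outbound traffic that prox2 or the VMs initiate still prefers fritz-n.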
