ether6-master 172.16.0.0/16 is my DMZ and ether2-master 192.168.1.0/24 is my local network. I can not access anything on my DMZ from my local network.
Looking at the connections tab, it looks like it is marking the packets as "WAN2_conn". I have not had any luck making it exclude this network from the WAN routing.
Any help is appreciated.
# Interface addressing. Per the post, ether6-master (172.16.0.0/16) is the DMZ
# and ether2-master (192.168.1.0/24) is the local network.
/ip address
add address=172.16.1.2/16 interface=ether6-master network=172.16.0.0
add address=192.168.1.20/24 interface=ether2-master network=192.168.1.0
# Two uplinks, one /24 each. The .1 host on each subnet is the gateway
# referenced by the static routes in /ip route.
add address=172.31.1.10/24 interface=WAN1 network=172.31.1.0
add address=172.31.2.10/24 interface=WAN2 network=172.31.2.0
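# Dual-WAN policy routing: connections are tagged with a connection mark, and
# the connection mark is then translated into a routing mark that selects the
# to_WAN1 / to_WAN2 route table. Rule order matters; the first matching
# accept rule ends mangle processing for that packet in this chain.
/ip firewall mangle
# Internal-to-internal traffic must never receive a routing mark. Rules with
# no action= use the default action (accept), so these act as exemptions.
# The original config exempted only the DMZ as a destination. Replies from the
# DMZ back to 192.168.1.0/24 arrive on ether6-master with a non-local
# destination, were marked WAN2_conn by the classifier rules below and then
# routed via to_WAN2 instead of back to the LAN. Exempting the LAN subnet as a
# destination closes that gap.
add chain=prerouting dst-address=172.16.0.0/16
add chain=prerouting dst-address=192.168.1.0/24
# NOTE(review): these exemptions only restore routing between the two
# segments. Which LAN<->DMZ flows are actually allowed is decided in
# /ip firewall filter (forward chain), which is not shown on this page.
# Confirm that DMZ-initiated connections towards 192.168.1.0/24 are dropped
# there, otherwise the DMZ stops being a separate trust zone.

# Connections addressed to the router itself keep the uplink they arrived on:
# mark on input, then route the router's own replies out of the same uplink.
add action=mark-connection chain=input in-interface=WAN1 new-connection-mark=WAN1_conn
add action=mark-connection chain=input in-interface=WAN2 new-connection-mark=WAN2_conn
add action=mark-routing chain=output connection-mark=WAN1_conn new-routing-mark=to_WAN1
add action=mark-routing chain=output connection-mark=WAN2_conn new-routing-mark=to_WAN2

# Traffic from either internal interface to the uplink subnets themselves is
# exempted (default action accept) so it is not policy-routed.
add chain=prerouting dst-address=172.31.1.0/24 in-interface=ether2-master
add chain=prerouting dst-address=172.31.2.0/24 in-interface=ether2-master
add chain=prerouting dst-address=172.31.1.0/24 in-interface=ether6-master
add chain=prerouting dst-address=172.31.2.0/24 in-interface=ether6-master

# LAN: per-connection classifier splits non-local destinations into two
# buckets (2/0 -> WAN1_conn, 2/1 -> WAN2_conn).
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=ether2-master new-connection-mark=WAN1_conn per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=ether2-master new-connection-mark=WAN2_conn per-connection-classifier=both-addresses-and-ports:2/1
# DMZ: both buckets set WAN2_conn, so every marked DMZ connection uses WAN2.
# NOTE(review): confirm this pinning is intended and not a copy/paste slip.
# If it is intended, the WAN1_conn routing rule for ether6-master below
# appears to have nothing to match.
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=ether6-master new-connection-mark=WAN2_conn per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=ether6-master new-connection-mark=WAN2_conn per-connection-classifier=both-addresses-and-ports:2/1

# Translate connection marks into routing marks for forwarded traffic.
add action=mark-routing chain=prerouting connection-mark=WAN1_conn in-interface=ether2-master new-routing-mark=to_WAN1
add action=mark-routing chain=prerouting connection-mark=WAN2_conn in-interface=ether2-master new-routing-mark=to_WAN2
add action=mark-routing chain=prerouting connection-mark=WAN1_conn in-interface=ether6-master new-routing-mark=to_WAN1
add action=mark-routing chain=prerouting connection-mark=WAN2_conn in-interface=ether6-master new-routing-mark=to_WAN2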
# Static routes. Entries with no dst-address are default routes; entries with
# routing-mark= belong to the policy table selected by the mangle rules.
/ip route
# to_WAN1 table: a default route straight to the WAN1 gateway (no gateway
# check), plus two defaults whose next hop is a remote probe host monitored
# with ping.
# NOTE(review): the first two entries share distance=1 and only the second is
# health-checked. Confirm which one is active and that failover to the
# distance=2 entry actually triggers when WAN1 is down.
add distance=1 gateway=172.31.1.1 routing-mark=to_WAN1
add check-gateway=ping distance=1 gateway=208.67.222.123 routing-mark=to_WAN1
add check-gateway=ping distance=2 gateway=208.67.220.123 routing-mark=to_WAN1
# to_WAN2 table: same layout, with the probe hosts in the opposite order.
add distance=1 gateway=172.31.2.1 routing-mark=to_WAN2
add check-gateway=ping distance=1 gateway=208.67.220.123 routing-mark=to_WAN2
add check-gateway=ping distance=2 gateway=208.67.222.123 routing-mark=to_WAN2
# NOTE(review): both marked tables hold only default routes. Nothing for
# 172.16.0.0/16 or 192.168.1.0/24 appears here, so a packet that carries a
# routing mark is expected to follow these defaults even when its destination
# is a directly connected subnet. Inter-subnet traffic therefore has to be
# exempted from marking in /ip firewall mangle.
# Main table: WAN1 preferred (distance=1), WAN2 as backup (distance=2), each
# with a ping check on the directly connected gateway.
add check-gateway=ping distance=1 gateway=172.31.1.1
add check-gateway=ping distance=2 gateway=172.31.2.1
# Host routes that pin each probe address to one uplink. scope=10 presumably
# lets the probe-host default routes above resolve their next hop through
# these entries; verify against the route list on the device.
add distance=1 dst-address=208.67.220.123/32 gateway=172.31.2.1 scope=10
add distance=1 dst-address=208.67.222.123/32 gateway=172.31.1.1 scope=10