I have five different private subnets on my LAN. Each of these five networks ends up on its respective port on my CCR router. I also have two WAN links; in reality this is one WAN link, but there is also a VPN (PPTP client) interface over the WAN link as well.
Now, each subnet should be isolated from the others (subnets should be unreachable from one another, except for two LAN subnets, which should be routable).
Four LAN subnets go out to the internet directly over the WAN link. One of the LAN subnets should be routed to the VPN link.
I have created two NAT masquerade rules (one for all subnets to direct traffic to the WAN link; a second for the subnet which needs to be redirected to the VPN). I have created a single mangle rule (for route-marking VPN traffic based on source IP address), and I have two IP routes (one 0.0.0.0/0 to the WAN link; a second 0.0.0.0/0 for marked traffic to the VPN interface).
It appears that my subnets which need to use the WAN link work correctly, but my VPN link does not.
My questions are:
1. When I create the masquerade NAT, should I make a different NAT rule for each LAN subnet?
I have created one masquerade without selecting subnet IP ranges, only selecting the outgoing WAN link, and this seems to work OK (limiting which subnet sees which subnet is done with filtering). I also have a second masquerade NAT for directing traffic to my VPN link.
I ask this because somewhere in the documentation I have read that each subnet should have its own masquerade NAT.
2. When creating a masquerade, should I select the traffic source based on IP addresses or based on Ethernet port?
Somewhere in the documentation I read that port-based source selection works only with UDP and TCP traffic.
3. If I have five subnets and two WAN links, should I create five mangle mark-routing rules and five IP routes for marked traffic, or can I get away with only one?
One of the subnets has to go to my VPN connection. I have created a single mangle mark-routing rule for VPN traffic and created the appropriate IP route (with a distance less than my "general" 0.0.0.0/0 route).
This is the source of my problems, because it only appears to work partially. I have access to the internet and it works (but slowly), and some services simply break down or do not work at all (I noticed that some web sites simply do not load and I could not figure out why).
What am I doing wrong, and what are best practices for a setup like mine?
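As an added example that is not part of the original post: a minimal RouterOS v6 configuration for the setup described above (one masquerade per outgoing interface, a single mangle route-mark for the VPN subnet, a default route selected by routing-mark rather than by distance, and forward-chain isolation between subnets), plus a TCP MSS clamp on the PPTP interface, which is a common reason some sites load slowly or never finish over a PPTP tunnel. Interface names (ether1-wan, pptp-out1), the 192.168.x.0/24 subnets and the WAN gateway 203.0.113.1 are placeholders, and the mark excludes LAN destinations so that the routable pair keeps using the main table.

```routeros
# Placeholders: ether1-wan = physical WAN, pptp-out1 = PPTP client interface,
# 192.168.1.0/24 .. 192.168.5.0/24 = the five LAN subnets, 192.168.5.0/24 = the
# subnet that must leave via the VPN, 203.0.113.1 = WAN gateway.
/ip firewall address-list
add list=lan address=192.168.0.0/16 comment="all five LAN subnets"

# NAT: one masquerade per outgoing interface is enough; match on out-interface,
# not on the source subnet.
/ip firewall nat
add chain=srcnat out-interface=ether1-wan action=masquerade comment="LANs -> WAN"
add chain=srcnat out-interface=pptp-out1 action=masquerade comment="VPN subnet -> tunnel"

# Policy routing: mark only traffic from the VPN subnet that is NOT going to
# another LAN, so LAN-to-LAN flows are still routed by the main table.
/ip firewall mangle
add chain=prerouting src-address=192.168.5.0/24 dst-address-list=!lan \
    action=mark-routing new-routing-mark=to-vpn passthrough=no comment="subnet 5 via VPN"
# MSS clamp: the tunnel MTU is smaller than Ethernet; without this, large TCP
# segments are dropped and some sites stall or never load.
add chain=forward out-interface=pptp-out1 protocol=tcp tcp-flags=syn \
    action=change-mss new-mss=clamp-to-pmtu comment="MSS clamp for PPTP"

# Routes: the VPN default route is chosen by routing-mark, so distance is irrelevant.
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1 comment="default via WAN"
add dst-address=0.0.0.0/0 gateway=pptp-out1 routing-mark=to-vpn comment="marked traffic via VPN"

# Isolation: allow the one routable pair both ways, drop every other LAN-to-LAN
# flow; traffic towards WAN/VPN is not matched by the drop rule and passes.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward src-address=192.168.1.0/24 dst-address=192.168.2.0/24 action=accept
add chain=forward src-address=192.168.2.0/24 dst-address=192.168.1.0/24 action=accept
add chain=forward src-address-list=lan dst-address-list=lan action=drop comment="isolate subnets"
```

On RouterOS v7 the marked route uses `routing-table=to-vpn` and needs a matching entry under `/routing table`; the mangle and filter rules are unchanged.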