I have 2x WAN connections and am trying to get certain traffic to only go out on a specific WAN. I understand this is done through policy-based routing, but I have not been successful with the various instructions I found on the net. Attached is a default factory router setup with a minimal configuration that I wanted to start with, which is a recursive route failover solution that is already in place. So with a policy-based routing solution (or any other suggested solution) I am hoping to be able to test it by using traceroute within the router and see it go out the specific WAN interface. Thanks in advance. test-policy-routing.rsc (7.66 KB)
When it comes to blocking, allowing, or controlling traffic types it gets murky for me. All I know is that it's near impossible to block traffic these days…
User traffic by IP is fairly straightforward but not what you are asking. Perhaps someone else can be of assistance.
Thanks for the response @anav. While still hoping someone else has an idea for the original request, I am interested in your comment on controlling user traffic by IP. Is that something that is still straightforward to apply on top of the configuration that I have above?
Likely the destination address in the /ip/route lines should use your 8.8.8.8 and 1.1.1.1 “routes”, not the interface names WAN1 and WAN2 – this is because you’re using recursive routing WITH policy routing. Otherwise directed traffic would not be protected in case the interface is up with no internet (which is what recursive routing gets you).
If you want the “policy directed traffic” (e.g. the IP or subnet you’re picking to send to a specific LAN) to be able to also use the LAN, not just only going to the internet, you can add a “safety rule” first in /routing rule that filters on the destination address of your LANs (192.168.88.0/24) and explicitly does “lookup” in “main” – since “first rule wins”, this can go first. What this does is say if it’s going to a local address, bypass the policy routing rules for WANs. That’s so they don’t get forced out the WAN address by the policy rule, since the new routing table only has 0.0.0.0/0 to a WAN, and that includes local addresses too. If you want the “directed traffic” in a rule to only go out a WAN, then you want that BEFORE this safety rule, as that causes it to lose LAN/VLAN access since 0.0.0.0/0 matches, well, all traffic including local addresses.
If you need to direct traffic out a specific WAN by port/protocol/etc, not IP address, you’d need to use the “Mangle” approach, as that has more advanced filters (and also more complex mechanics to set up). But for “this host goes out WAN1, that host goes out WAN2”, the policy routing is a more “visible” way to do this (e.g. firewall rules aren’t always easy to read/see compared to the routing rules defined within the mangle section). Both approaches do the same thing at the end: traffic goes out a selected WAN.
If you need your local users to reach each other, LAN1 to reach LAN2, then you need additional route rules PRIOR to the WAN rules, otherwise all LAN1 and all LAN2 traffic will be forced out a WAN interface.
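As an added, worked example (not part of this thread and not taken from the attached test-policy-routing.rsc), here is the whole recipe from the reply above as RouterOS v7 commands: recursive failover in main, one routing table per WAN whose gateway is the check host rather than the interface name, the LAN “safety rule” ahead of the per-host rules, a mangle variant for port/protocol selection, and the traceroute check the original post asked for. Everything not in the thread is assumed and labelled in the comments: the ISP gateway addresses (203.0.113.1 and 198.51.100.1, documentation ranges), the two LAN hosts (.10 and .20), the table names via-wan1/via-wan2, and the routing-table parameter on /tool traceroute.

```routeros
# Added example, not from the thread or the attached test-policy-routing.rsc.
# Assumptions (constructed for illustration):
#   WAN1 gateway 203.0.113.1, WAN2 gateway 198.51.100.1 (documentation ranges)
#   LAN 192.168.88.0/24 with hosts .10 (pin to WAN1) and .20 (pin to WAN2)
#   Recursive check hosts 8.8.8.8 (WAN1) and 1.1.1.1 (WAN2), as in the thread
# Syntax is RouterOS v7.

# 1. Recursive failover in the main table (what the attached config already does).
#    The /32 host routes pin each check host to one WAN (scope=10 so the default
#    routes can resolve through them). check-gateway=ping on the default route
#    pings its gateway, i.e. the check host, so "interface up, no internet"
#    makes the route inactive.
/ip route
add dst-address=8.8.8.8/32 gateway=203.0.113.1 scope=10 comment="WAN1 check host"
add dst-address=1.1.1.1/32 gateway=198.51.100.1 scope=10 comment="WAN2 check host"
add dst-address=0.0.0.0/0 gateway=8.8.8.8 target-scope=10 check-gateway=ping distance=1 comment="default via WAN1"
add dst-address=0.0.0.0/0 gateway=1.1.1.1 target-scope=10 check-gateway=ping distance=2 comment="default via WAN2"

# 2. One extra routing table per WAN. The gateway is the check host, not the
#    interface name, so the policy route inherits the same liveness check.
/routing table
add name=via-wan1 fib
add name=via-wan2 fib
/ip route
add dst-address=0.0.0.0/0 gateway=8.8.8.8 target-scope=10 check-gateway=ping routing-table=via-wan1
add dst-address=0.0.0.0/0 gateway=1.1.1.1 target-scope=10 check-gateway=ping routing-table=via-wan2

# 3. Routing rules. First rule wins, so the LAN "safety rule" goes first:
#    anything destined for the LAN is looked up in main and never matches the
#    0.0.0.0/0 route of a WAN table. Then pin hosts to a WAN.
#    lookup-only-in-table = strict "only this WAN": if that WAN's route is
#    inactive the traffic is dropped rather than failing over.
#    Use action=lookup instead if a dead WAN should fall back to main.
/routing rule
add dst-address=192.168.88.0/24 action=lookup table=main comment="safety: keep LAN reachable"
add src-address=192.168.88.10/32 action=lookup-only-in-table table=via-wan1 comment="host .10 -> WAN1 only"
add src-address=192.168.88.20/32 action=lookup-only-in-table table=via-wan2 comment="host .20 -> WAN2 only"

# 4. Mangle alternative for port/protocol selection (more filters, less visible).
#    new-routing-mark must name an existing routing table. The dst-address
#    exclusion plays the same role as the safety rule above. Keep flows you
#    pin with rules out of the mangle matches so the result stays readable.
/ip firewall mangle
add chain=prerouting src-address=192.168.88.0/24 dst-address=!192.168.88.0/24 \
    protocol=tcp dst-port=443 action=mark-routing new-routing-mark=via-wan2 \
    passthrough=no comment="LAN HTTPS -> WAN2"

# 5. Verify from the router itself. The first hop should be the chosen WAN's
#    gateway (203.0.113.1 or 198.51.100.1 here). routing-table= is the assumed
#    v7 parameter name for /tool traceroute; check it on your version.
#    /ip route print where routing-table=via-wan1 shows whether the policy
#    route is currently active (it goes inactive when check-gateway fails).
/tool traceroute 9.9.9.9 routing-table=via-wan1
/tool traceroute 9.9.9.9 routing-table=via-wan2
```

Two things to check after pasting: the src-nat masquerade rule must cover both WAN interfaces (the default configuration's out-interface-list=WAN does, provided both WANs are members of that list), and a host pinned with lookup-only-in-table loses internet entirely while its WAN's recursive check is failing, which is the intended “only this WAN” behaviour rather than a misconfiguration.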
Thanks for the pointers and examples. I did a quick config and managed to see some traffic route manipulation. Will evaluate this solution as an alternative approach to the original request.