Bandwidth Dedicated to Data Server

Hello, I have an idea in my local LAN…

I have two ISP providers, one LTE and one ADSL.
I have a 5-port RB, and a different subnet on each port.

ether1 and ether2 are the gateways.

ether1 = XXX.XXX.XXX.XXX/XX, public IP for incoming connections to my data server
ether2 = 192.168.20.254/24
ether3 = 192.168.160.1/24 (this is for a rented office in the building; they have surveillance cameras to access from outside)
ether4 = 192.168.50.1/24 (this is the ethernet that has the data servers, which need to be accessed from the outside)
ether5 = 192.168.170.1/24 (this is for home users: smartphones, tablets, PCs, etc.)

I want all the traffic from ether3 and ether5 to go out to the internet through the ether2 port and the LTE connection.

And I need ether4 to go out to the internet through ether1, and all the incoming connections from the internet through the public IP to go to ether4.

For now, all the traffic goes through ether1 as the primary gateway, incoming and outgoing connections. I tried different methods, but cannot manage to do this.

Also, all the local subnets need to access the data server on ether4.

If someone could give me an idea on how to do this…

Thanks in advance.

You need to implement policy routing.

In the mangle table, make some rules that do connection marking based on the in-interface. Set passthrough=yes on these rules.
Afterwards, add some rules that do route-mark based on the connection marks that you want to have policy routes (routing other than the main table)

Then in the routing table, create routes with the route-mark on them. You’ll need to add your LANs to the policy routes as well so that lan<>lan connectivity works.

First thanks for your answer.

Here is what I did, and it does not work: I cannot browse from any LAN, and cannot access from outside.

/ip firewall mangle
# first attempt: routing marks set directly per interface, no connection marks
# traffic arriving on the ADSL port from the public /29 and headed for the data server LAN
add action=mark-routing chain=prerouting dst-address=192.168.50.0/24 in-interface=ether1 new-routing-mark=ADSL src-address=190.129.11.112/29
# traffic arriving on the LTE port, not headed for the public /29
add action=mark-routing chain=prerouting dst-address=!190.129.11.112/29 in-interface=ether2 new-routing-mark=LTE src-address=192.168.20.0/24
# data server LAN -> ADSL
add action=mark-routing chain=prerouting in-interface=ether4 new-routing-mark=ADSL src-address=192.168.50.0/24
# LAN1 and LAN2 -> LTE
add action=mark-routing chain=prerouting in-interface=ether3 new-routing-mark=LTE src-address=192.168.160.0/24
add action=mark-routing chain=prerouting in-interface=ether5 new-routing-mark=LTE src-address=192.168.170.0/24


ether1 is ADSL gateway
ether2 is LTE gateway

ether3 is LAN1
ether4 is the LAN with the data server (this one needs to be accessed from outside through ether1)
ether5 is LAN2


I also added these routes to the route list:

/ip route
# default route of the ADSL table
add dst-address=0.0.0.0/0 gateway=190.129.11.113 routing-mark=ADSL
# default route of the LTE table
add dst-address=0.0.0.0/0 gateway=192.168.20.254 routing-mark=LTE

These ones are in NAT to masquerade the connections:

/ip firewall nat
# source NAT on each WAN port
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether2

Neither is marked in blue, so they are supposed to be working.

The mangle rules are supposed to be catching all the traffic, right? What is going wrong? Why can I not browse the internet with these rules?

Can you help me with this configuration?

Thanks in advance

okay - it looks kind of jumbled up, so let’s tackle things piece by piece.

I recommend putting no routing mark on any packets except those you wish to force through the ADSL.
Let the standard routing table’s default gw be the LTE interface.

okay - the first thing you need to do in mangle is switch to using connection marks, then do routing marks based on the connection marks:
prerouting:

  1. connection-mark=no-mark action=jump jump-target=classify
  2. connection-mark=dsl action=mark-routing new-routing-mark=dsl

(you’ll have to type the name “classify” into the jump target because you’re creating a new chain called “classify”)

Now add rules to the classify chain:

  1. in-interface=ether1 action=mark-connection new-connection-mark=dsl
  2. in-interface=ether4 action=mark-connection new-connection-mark=dsl
  3. connection-mark=no-mark action=mark-connection new-connection-mark=lte
  4. return
    (make sure passthrough = yes for rules 1-3)

Now add rules to output chain of mangle table:
connection-mark=dsl action=mark-routing new-routing-mark=dsl

OK, so that means your LTE interface should be the standard routing table and the DSL should be its own routing table.

Now remove the LTE routing mark from any routes (and remove any duplicates this creates)
In the DSL routing table, add connected routes for 192.168.160.0/24 gateway=ether3 and 192.168.170.0/24 gateway=ether5.
The dsl default GW you set should be fine. Also add xxx.xxx.xxx.xxx/xxx gateway=ether1 to the DSL routing table.

So the idea is: use connection marking to glue each connection to a particular routing table, based on the interface it starts on. Replies will automatically be properly routed as well - this last detail was the downfall of the rules you posted, at least I think that’s the case.

Hope this helps.

Thanks for the help....

But no luck..

Here are the rules I made; I hope I wrote them well enough, but they do not work at all..... still no connection from the outside, while I need to have everything else through LTE...

The rules you mentioned to add in the mangle table...


/ip firewall mangle
# every prerouting packet is sent to the classify chain
add action=jump chain=prerouting jump-target=classify
# packets of DSL-marked connections get the DSL routing mark
add action=mark-routing chain=prerouting connection-mark=DSL new-routing-mark=DSL
# connections that started on the ADSL port or on the data server LAN are DSL
add action=mark-connection chain=classify in-interface=ether1 new-connection-mark=DSL
add action=mark-connection chain=classify in-interface=ether4 new-connection-mark=DSL
# every connection reaching this rule is marked LTE
add action=mark-connection chain=classify new-connection-mark=LTE
# router-originated packets of DSL connections also use the DSL table
add action=mark-routing chain=output connection-mark=DSL new-routing-mark=DSL


This part is everything in the IP -> Routes table:

Flags: A - active, S - static, D - dynamic, C - connect

 #   FLAGS  DST-ADDRESS         PREF-SRC         GATEWAY           DISTANCE
 0   A S    0.0.0.0/0                            190.129.11.113    1
 1   A S    0.0.0.0/0                            192.168.20.254    1
 2   ADC    190.129.11.112/29   190.129.11.114   ether1            0
 3   ADC    192.168.20.0/24     192.168.20.2     ether2            0
 4   ADC    192.168.50.0/24     192.168.50.1     ether4            0
 5   ADC    192.168.160.0/24    192.168.160.1    ether3            0
 6   ADC    192.168.170.0/24    192.168.170.1    ether5            0

Rules for the default gateways:

/ip route
# ADSL default route, only used by packets carrying the DSL routing mark
add comment="ENTEL ADSL Modem" distance=1 gateway=190.129.11.113 routing-mark=DSL
# LTE default route in the main table
add comment="ENTEL LTE Modem" distance=1 gateway=192.168.20.254

NAT rules to masquerade the connections..... In this part I also tried adding the routing mark first, and the connection mark too, no luck....

/ip firewall nat
# source NAT on each WAN port
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether2


Can somebody see what I'm doing wrong? I tried numerous things, and nothing seems to work.....


Thanks....

This rule should also have the condition connection-mark=no-mark.

As you wrote the rule, it will overwrite the DSL connection mark with LTE, no matter whether the connection already has the DSL mark.
When you add the criteria connection-mark=no-mark, then it will only mark connections as LTE if they haven’t already been flagged as DSL.
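The connection-mark scheme from the second reply, with the correction from the last post (connection-mark=no-mark on the LTE rule), written out as one complete RouterOS v6 configuration for the addresses the thread gives. This is an added example, not a post from the thread and not the original poster's working config. The data server address 192.168.50.10 and the published TCP port 443 are assumptions; the forward filter rules are an addition the thread never asked for but that any setup exposing a host through dst-nat should have.

```routeros
# Added example, not from the thread: the second reply's connection-mark
# scheme plus the final correction, as a complete RouterOS v6 config.
# ASSUMPTIONS: data server 192.168.50.10 and TCP port 443 (substitute the real
# host and port); everything else uses the addresses shown in the thread.

/ip address
add address=190.129.11.114/29 interface=ether1 comment="ADSL, public /29"
add address=192.168.20.2/24 interface=ether2 comment="LTE modem LAN"
add address=192.168.160.1/24 interface=ether3 comment="LAN1: rented office, cameras"
add address=192.168.50.1/24 interface=ether4 comment="LAN: data server"
add address=192.168.170.1/24 interface=ether5 comment="LAN2: home users"

/ip firewall mangle
# Only connections without a mark are classified; later packets skip the jump.
add chain=prerouting connection-mark=no-mark action=jump jump-target=classify \
    comment="classify each connection once"
# Every packet of a DSL-marked connection is looked up in the DSL table.
add chain=prerouting connection-mark=DSL action=mark-routing \
    new-routing-mark=DSL passthrough=no comment="DSL connections -> DSL table"
# classify chain: the mark is chosen by the interface the connection STARTED
# on, so reply packets inherit it automatically in both directions.
add chain=classify in-interface=ether1 action=mark-connection \
    new-connection-mark=DSL passthrough=yes comment="inbound on ADSL public IP"
add chain=classify in-interface=ether4 action=mark-connection \
    new-connection-mark=DSL passthrough=yes comment="data server LAN exits via ADSL"
# The correction from the last post: without connection-mark=no-mark this
# rule would overwrite the DSL mark set by the two rules above.
add chain=classify connection-mark=no-mark action=mark-connection \
    new-connection-mark=LTE passthrough=yes comment="everything else: main table (LTE)"
add chain=classify action=return
# Router-originated packets belonging to DSL connections must use the DSL
# table too, otherwise they would leave via the LTE default route.
add chain=output connection-mark=DSL action=mark-routing new-routing-mark=DSL

/ip route
# Main table: default via LTE, used by ether3/ether5 and by anything unmarked.
add dst-address=0.0.0.0/0 gateway=192.168.20.254 distance=1 comment="ENTEL LTE Modem"
# DSL table: default via ADSL ...
add dst-address=0.0.0.0/0 gateway=190.129.11.113 distance=1 routing-mark=DSL \
    comment="ENTEL ADSL Modem"
# ... plus the connected networks, so a DSL-marked packet headed for a LAN
# (dst-natted inbound traffic, or the data server talking to LAN1/LAN2) is
# delivered locally instead of being pushed out to the ADSL gateway.
add dst-address=190.129.11.112/29 gateway=ether1 routing-mark=DSL
add dst-address=192.168.20.0/24 gateway=ether2 routing-mark=DSL
add dst-address=192.168.50.0/24 gateway=ether4 routing-mark=DSL
add dst-address=192.168.160.0/24 gateway=ether3 routing-mark=DSL
add dst-address=192.168.170.0/24 gateway=ether5 routing-mark=DSL

/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade comment="NAT out via ADSL"
add chain=srcnat out-interface=ether2 action=masquerade comment="NAT out via LTE"
# Publish the data server on the public IP (host and port are assumptions).
add chain=dstnat in-interface=ether1 dst-address=190.129.11.114 protocol=tcp \
    dst-port=443 action=dst-nat to-addresses=192.168.50.10 to-ports=443 \
    comment="public IP :443 -> data server"

/ip firewall filter
# Forwarding policy: pass replies, admit from the WAN ports only what the
# dst-nat rule above published, drop every other WAN-initiated flow so the
# LANs and the cameras are not reachable just because a route exists.
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward connection-state=new connection-nat-state=dstnat \
    in-interface=ether1 action=accept comment="published service only"
add chain=forward connection-state=new in-interface=ether1 action=drop \
    comment="drop unsolicited from ADSL"
add chain=forward connection-state=new in-interface=ether2 action=drop \
    comment="drop unsolicited from LTE side"
```

Two checks after applying it: `/ip firewall connection print where connection-mark=DSL` should list only flows that began on ether1 or ether4, and `/ip route print where routing-mark=DSL` should show the ADSL default plus the connected routes. Two caveats: a `fasttrack-connection` filter rule bypasses mangle for fasttracked packets, so it must not be in front of these rules; and on RouterOS v7 the DSL table has to be created first with `/routing table add name=DSL fib`, and the routes use `routing-table=DSL` instead of `routing-mark=DSL`, while the mangle rules stay the same.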