Force local networks to talk over the uplink [SOLVED]

hello,

I spent a week trying to configure a route-map that would force local networks to talk over the uplink.
I did it very simply on Cisco:

hostname Cisco
!
interface GigabitEthernet 0/2/0
ip address 172.30.176.1 255.255.255.0
!
interface Tunnel0
description From_Cisco_LoopBack_to_FG_LoopBacl
ip address 10.20.30.2 255.255.255.252
tunnel source 172.30.176.1
tunnel destination 172.30.254.254
!
interface GigabitEthernet0/1/0
description LAN
switchport access vlan 1
!
interface GigabitEthernet0/1/3
description LAN_2
switchport access vlan 2
!
interface Vlan1
description LAN_1
ip address 172.30.178.1 255.255.255.0
ip policy route-map By_178_ACL
!
interface Vlan2
description LAN_2
ip address 172.30.179.1 255.255.255.0
ip policy route-map By_179_ACL
!
ip route 0.0.0.0 0.0.0.0 10.20.30.1
ip route 172.30.254.254 255.255.255.255 GigabitEthernet 0/2/0
ip ssh version 2
!
access-list 178 permit ip 172.30.178.0 0.0.0.255 172.30.179.0 0.0.0.255
access-list 179 permit ip 172.30.179.0 0.0.0.255 172.30.178.0 0.0.0.255
!
route-map By_178_ACL permit 10
match ip address 178
set interface Tunnel0
!
route-map By_179_ACL permit 10
match ip address 179
set interface Tunnel0
!

I didn’t work much with MikroTik, but the GRE tunnel was easy to create. However, I got stuck with policy routing.

Please help!!!

Not a complete config, but it should get you started:

/ip route
add gateway=10.20.30.1 routing-mark=to-gre
/ip route rule
add action=lookup dst-address=172.30.179.0/24 src-address=172.30.178.0/24 table=to-gre
add action=lookup dst-address=172.30.178.0/24 src-address=172.30.179.0/24 table=to-gre

Thanks!

Your config is almost good. This config gave me some insight and a couple of ideas.

The provided config has a mistake and creates a LOOP, so I corrected it a bit:

/ip route rule
add dst-address=172.29.200.0/24 interface=ether1 src-address=172.28.200.0/24 table=to-gre_29
add dst-address=172.28.200.0/24 interface=ether2 src-address=172.29.200.0/24 table=to-gre_28

/ip route
add distance=1 dst-address=172.28.200.0/24 gateway=10.123.200.1 routing-mark=to-gre_28
add distance=1 dst-address=172.29.200.0/24 gateway=10.123.200.1 routing-mark=to-gre_29

I also found how to do it with “mangle prerouting”:

/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=172.29.200.0/24 in-interface=ether1 new-routing-mark=Rote_to-29_Mark passthrough=yes src-address=172.28.200.0/24
add action=mark-routing chain=prerouting dst-address=172.28.200.0/24 in-interface=ether2 new-routing-mark=Rote_to-28_Mark passthrough=yes src-address=172.29.200.0/24

/ip route
add distance=1 dst-address=172.29.200.0/24 gateway=10.123.200.1 routing-mark=Rote_to-29_Mark
add distance=1 dst-address=172.28.200.0/24 gateway=10.123.200.1 routing-mark=Rote_to-28_Mark

In both cases, I would recommend adding additional rules to avoid a LOOP, which occurs when a host is not found on another network.

/ip firewall filter
add action=drop chain=forward dst-address=172.29.200.0/24 in-interface=GRE-to-FortiGate out-interface=GRE-to-FortiGate src-address=172.28.200.0/24
add action=drop chain=forward dst-address=172.28.200.0/24 in-interface=GRE-to-FortiGate out-interface=GRE-to-FortiGate src-address=172.29.200.0/24

Thanks again
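To make the loop concrete, here is a small added Python model (not from the thread, and not RouterOS code) of how the MikroTik route-rule lookup behaves with and without the in-interface match and the GRE-in/GRE-out drop filter; the FortiGate's behaviour and the ether1/ether2 cabling are assumptions.

```python
"""Added example, not from the thread: a toy model of the MikroTik policy-routing
decision. It shows why route rules without an ingress-interface match loop (the
packet comes back from the FortiGate over GRE and is marked again) and how the
interface match and the GRE-in/GRE-out drop filter stop it. The FortiGate side
is an assumption: it simply routes either LAN prefix back over the GRE tunnel."""
from ipaddress import ip_address, ip_network

LAN28 = ip_network("172.28.200.0/24")
LAN29 = ip_network("172.29.200.0/24")
GRE = "GRE-to-FortiGate"
LAN_IFACE = {LAN28: "ether1", LAN29: "ether2"}   # LAN cabling assumed from the thread

# Route rules as (src, dst, required in-interface or None, table), mirroring the posts.
LOOPING_RULES = [(LAN28, LAN29, None, "to-gre_29"), (LAN29, LAN28, None, "to-gre_28")]
FIXED_RULES = [(LAN28, LAN29, "ether1", "to-gre_29"), (LAN29, LAN28, "ether2", "to-gre_28")]

def mikrotik_forward(src, dst, in_iface, rules, gre_hairpin_filter):
    """Egress interface MikroTik picks for one packet, or 'drop'. A marked table
    only holds the route to the GRE gateway; the main table holds the connected LANs."""
    out = None
    for rsrc, rdst, riface, _table in rules:
        if src in rsrc and dst in rdst and riface in (None, in_iface):
            out = GRE
            break
    if out is None:
        out = next(iface for net, iface in LAN_IFACE.items() if dst in net)
    if gre_hairpin_filter and in_iface == GRE and out == GRE:
        return "drop"   # the recommended forward-chain drop rule fires here
    return out

def trace(src, dst, rules, gre_hairpin_filter=False, ttl=8):
    """Follow one packet between MikroTik and the FortiGate until it is delivered
    to a LAN, dropped, or runs out of TTL; returns (result, hops)."""
    src, dst = ip_address(src), ip_address(dst)
    in_iface = next(iface for net, iface in LAN_IFACE.items() if src in net)
    for hop in range(1, ttl + 1):
        out = mikrotik_forward(src, dst, in_iface, rules, gre_hairpin_filter)
        if out == "drop":
            return "dropped", hop
        if out != GRE:
            return f"delivered via {out}", hop
        in_iface = GRE   # FortiGate hands the packet straight back over the tunnel
    return "loop (TTL exhausted)", ttl

if __name__ == "__main__":
    print(trace("172.28.200.10", "172.29.200.10", LOOPING_RULES))
    print(trace("172.28.200.10", "172.29.200.10", FIXED_RULES))
    print(trace("172.28.200.10", "172.29.200.10", LOOPING_RULES, gre_hairpin_filter=True))
```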