Nat traffic when destination is a specific IP Address

Here is my scenario. I have two VLANs coming into the internet port of my hEX lite RouterBOARD. I also have one VLAN on port 2 set to VLAN 254.

  1. Untagged VLAN – internet traffic
  2. VLAN 3302 – VoIP traffic
  3. VLAN 254 – local LAN traffic (192.168.254.0/24)


I created a VLAN interface for each on the internet interface. The untagged VLAN interface is set up for DHCP and everything NATs behind it to get to the internet. This works.

VLAN 3302 is set up for DHCP and it gets an IP.

My issue is this. I need to NAT any traffic destined for 66.44.X.X from VLAN 254 out VLAN 3302. All other traffic from VLAN 254 should go out the normal route.

I cannot get the traffic destined for 66.44.X.X to go out the 3302 interface.

The easy way is to create a static route to 66.44.X.X/32 (I assume a specific host; if it’s a range, then set the appropriate mask instead of 32) via the next-hop address of vlan3302.

Have a simple masquerade rule:
/ip firewall nat
add chain=srcnat out-interface=vlan3302 action=masquerade

And if you want to limit who may go this way, do it with a filter rule:
/ip firewall filter
add chain=forward dst-address=66.44.x.x in-interface=!vlan254 action=drop

If you need the rest of your LAN to be able to reach 66.44.x.x but not via the special VLAN, then you’ll need to do it with policy routing.

# g.g.g.g = the gateway on that VLAN
/ip route add dst-address=0.0.0.0/0 gateway=g.g.g.g routing-mark=voip
/ip route add dst-address=IP.OF.VLAN.254/24 gateway=vlan254 routing-mark=voip

/ip firewall mangle
add chain=prerouting in-interface=vlan254 dst-address=66.44.x.x action=mark-connection new-connection-mark=voip-connection
add chain=forward connection-mark=voip-connection action=mark-routing new-routing-mark=voip

Masquerade traffic going out that VLAN:
/ip firewall nat
add chain=srcnat out-interface=vlan3302 action=masquerade
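To make the policy-routing answer above easier to check, here is an added Python model (not RouterOS code and not part of the original thread) of the decision it describes: a connection mark set in prerouting, a routing mark derived from it, and a lookup in the voip table that falls back to main. The addresses 66.44.1.1, 10.33.2.1 and 192.168.254.10 are constructed stand-ins for 66.44.X.X, g.g.g.g and a LAN host; it also shows why the second route (the LAN prefix in the voip table) matters for reply traffic.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for the answer's placeholders (not anyone's real addresses):
# 66.44.X.X -> 66.44.1.1, g.g.g.g (gateway on vlan3302) -> 10.33.2.1
VOIP_HOST = ipaddress.ip_network("66.44.1.1/32")
LAN = ipaddress.ip_network("192.168.254.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Two routing tables, mirroring the /ip route lines in the answer
ROUTES = {
    "main": [(ANY, "isp-gateway"), (LAN, "vlan254")],
    "voip": [(ANY, "10.33.2.1"), (LAN, "vlan254")],  # routing-mark=voip
}

@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str

def mark_connection(conns, pkt):
    """Mangle prerouting: a flow from vlan254 to the VoIP host gets connection-mark
    voip-connection; conntrack keeps it, so later packets and replies inherit it.
    The flow key is simplified to the unordered (src, dst) pair."""
    key = frozenset((pkt.src, pkt.dst))
    if (key not in conns and pkt.in_iface == "vlan254"
            and ipaddress.ip_address(pkt.dst) in VOIP_HOST):
        conns[key] = "voip-connection"
    return conns.get(key)

def lookup(table, dst):
    """Longest-prefix match within one routing table; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    matches = [(p.prefixlen, gw) for p, gw in ROUTES[table] if addr in p]
    return max(matches)[1] if matches else None

def route(conns, pkt):
    """Routing decision: marked connections get routing-mark voip and consult the
    voip table; unmarked packets (or a miss in voip) use main."""
    table = "voip" if mark_connection(conns, pkt) == "voip-connection" else "main"
    return lookup(table, pkt.dst) or lookup("main", pkt.dst)

def demo():
    """Three constructed flows; returns {description: chosen gateway}."""
    conns = {}
    return {
        "lan->voip host": route(conns, Packet("vlan254", "192.168.254.10", "66.44.1.1")),
        "lan->other internet": route(conns, Packet("vlan254", "192.168.254.10", "8.8.8.8")),
        # reply inherits the connection mark; without the LAN route in the voip
        # table its default route would push the reply back out vlan3302
        "voip host reply->lan": route(conns, Packet("vlan3302", "66.44.1.1", "192.168.254.10")),
    }

if __name__ == "__main__":
    for flow, gw in demo().items():
        print(f"{flow}: via {gw}")
```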

Thank you for the help. This helped resolve the issue I was having.