I have the following situation:
Hardware: RB2011UiAS-RM
Port 1: Uplink www fast, but not stable, getting IP via DHCP
Port 2: My Subnet (192.168.88.0/24) → www traffic goes through Port 1
Port 3: My Subnet (192.168.88.0/24) → www traffic goes through Port 1
Port 4: Neighbor’s Subnet (192.168.20.0/24) → www traffic goes through Port 1
Port 5: Neighbor’s Subnet (192.168.20.0/24) → www traffic goes through Port 1
Port 6: Uplink www slow, but very stable, static IP
Port 7-10: My 2nd Subnet (192.168.178.0/24) → www traffic goes through Port 6, internal switch-chip is used
DHCP is running for each subnet.
The neighbor should be isolated, so I made firewall rules.
The automatic default gateways for both uplinks are disabled, because I want ports 6-10 to go through the slow uplink and ports 2-5 to go through the fast uplink.
I managed this with the mangle firewall rules “ToFast” and “ToSlow”.
I manually added two default gateways, one for the fast interface and one for the slow one.
The problem:
I can’t ping my gateway. When I disable the handmade default gateway rule and switch to automatic, I can reach my gateway via ping.
Both rules look exactly the same, the handmade one and the automatic one.
The only difference is the routing-mark, but they look good to me.
The second problem is that I can’t reach my second subnet.
All subnets should be routed automatically by default, because they are all directly attached.
I only made four firewall rules to block the traffic from the neighbor.
Attached is the backup of the configuration. I hope you understand my problem (I’m not a native English speaker).
I would be very happy about a solution and am grateful for every tip.
What I suspect is happening is that you are currently telling all traffic coming from the specific IP ranges to head out specific routes regardless of the destination.
192.168.20.0/24 & 192.168.88.0/24 - Should be able to ping 192.168.101.254 but not 192.168.180.1.
192.168.178.0/24 - Should be able to ping 192.168.180.1 but not 192.168.101.254.
Secondly, your mangle rules will also force traffic coming from your LAN networks and heading to your second LAN network to be routed out the default gateway, which will prevent your subnets from talking to one another.
I would suggest doing the following to prevent your gateways & local traffic from being mangled.
Create address-lists with all your LAN / Router’s IP Ranges.
Add an accept local-to-local rule before your mangle rules.
# Create Address Lists
/ip firewall address-list
add address="192.168.20.0/24" list=Local
add address="192.168.88.0/24" list=Local
add address="192.168.178.0/24" list=Local
add address="192.168.180.0/24" list=Local
add address="192.168.101.0/24" list=Local
# Ensures traffic bound for LAN networks / devices bypass all ‘line balancing / mangle’ rules.
# Allow access to routers to work correctly.
/ip firewall mangle
add chain=prerouting src-address-list=Local dst-address-list=Local connection-mark=no-mark action=accept comment="Accept LAN -> LAN & Router"
add action=mark-routing chain=prerouting new-routing-mark=ToSlow passthrough=yes src-address=192.168.178.0/24
add action=mark-routing chain=prerouting new-routing-mark=ToFast passthrough=yes src-address=192.168.88.0/24
add action=mark-routing chain=prerouting new-routing-mark=ToFast passthrough=yes src-address=192.168.20.0/24
To fix your cross subnet communication in addition to above you need to add masquerade rules between your LAN interfaces:
/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade out LAN" out-interface=bridge
add action=masquerade chain=srcnat comment="Masquerade out Slow LAN" out-interface=bridgeSlow
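To make the reasoning in this answer concrete, the following is an added Python simulation, not code from the thread or from MikroTik. It models, in a deliberately simplified way, how the prerouting mangle chain and the routing-mark lookup interact: rules are evaluated top to bottom, action=accept ends mangle processing, mark-routing with passthrough=yes sets the mark and continues, and a marked packet is looked up in the table of that name first, falling back to main only when that table has no matching route. Connection marks are ignored. The address-list, the source subnets and the bridge names come from the thread; the uplink interface names (ether1, ether6) and the /24 size of the uplink subnets are assumptions, and 203.0.113.5 is a constructed documentation-range destination.

```python
"""Simplified RouterOS-style mangle marking and routing lookup (illustration only).

Model assumptions (this example's, not a full RouterOS emulation):
- mangle rules run top to bottom; accept stops the chain, mark-routing with
  passthrough=yes sets the mark and continues;
- a packet carrying a routing mark is looked up in that mark's table first and
  falls back to the main table only if no route there matches;
- connection marks (connection-mark=no-mark) are not modelled.
"""
import ipaddress

# Address list "Local" from the suggested configuration.
LOCAL = ["192.168.20.0/24", "192.168.88.0/24", "192.168.178.0/24",
         "192.168.180.0/24", "192.168.101.0/24"]

# Routing table: connected routes in main (mark None) plus one default route
# per routing mark. ether1/ether6 and the /24 uplink subnets are assumptions.
ROUTES = [
    ("192.168.88.0/24", "bridge", None),
    ("192.168.20.0/24", "bridge", None),
    ("192.168.178.0/24", "bridgeSlow", None),
    ("192.168.101.0/24", "ether1", None),
    ("192.168.180.0/24", "ether6", None),
    ("0.0.0.0/0", "192.168.101.254", "ToFast"),
    ("0.0.0.0/0", "192.168.180.1", "ToSlow"),
]

# The original poster's mangle rules: every packet is marked by source subnet.
ORIGINAL_RULES = [
    {"action": "mark-routing", "src": ["192.168.178.0/24"], "mark": "ToSlow"},
    {"action": "mark-routing", "src": ["192.168.88.0/24"], "mark": "ToFast"},
    {"action": "mark-routing", "src": ["192.168.20.0/24"], "mark": "ToFast"},
]

# The suggested fix: accept LAN -> LAN first so it is never marked.
FIXED_RULES = [{"action": "accept", "src": LOCAL, "dst": LOCAL}] + ORIGINAL_RULES


def in_any(ip, networks):
    """True if ip falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def run_mangle(rules, src, dst):
    """Return the routing mark left on the packet after the prerouting chain."""
    mark = None
    for rule in rules:
        if rule.get("src") and not in_any(src, rule["src"]):
            continue
        if rule.get("dst") and not in_any(dst, rule["dst"]):
            continue
        if rule["action"] == "accept":
            return mark  # accept ends mangle processing for this packet
        if rule["action"] == "mark-routing":
            mark = rule["mark"]
            if not rule.get("passthrough", True):
                return mark
    return mark


def lookup(dst, mark):
    """Longest-prefix match in the marked table, falling back to main."""
    addr = ipaddress.ip_address(dst)
    for table in ([mark, None] if mark else [None]):
        matches = [(ipaddress.ip_network(net), nexthop)
                   for net, nexthop, m in ROUTES
                   if m == table and addr in ipaddress.ip_network(net)]
        if matches:
            return max(matches, key=lambda r: r[0].prefixlen)[1]
    return None


def decide(rules, src, dst):
    """Forwarding decision: (routing mark, next hop or egress interface)."""
    mark = run_mangle(rules, src, dst)
    return mark, lookup(dst, mark)


if __name__ == "__main__":
    # Constructed sample flows; 203.0.113.5 is a documentation-range address.
    flows = [("192.168.88.10", "192.168.178.10"),  # LAN -> second LAN
             ("192.168.88.10", "192.168.180.1"),   # LAN -> slow gateway
             ("192.168.88.10", "203.0.113.5"),     # LAN -> internet
             ("192.168.178.10", "203.0.113.5")]    # second LAN -> internet
    for src, dst in flows:
        print(f"{src:>15} -> {dst:<15} original={decide(ORIGINAL_RULES, src, dst)}"
              f" fixed={decide(FIXED_RULES, src, dst)}")
```

Running it shows the two symptoms from the question: with the original rules a packet from 192.168.88.10 to 192.168.178.10 (or to the slow gateway 192.168.180.1) carries ToFast and is sent to 192.168.101.254 instead of the directly connected interface, while with the accept rule in front it stays unmarked and leaves via bridgeSlow or ether6; internet-bound traffic is still marked and steered to the intended uplink in both cases.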