We have the typical to ISP setup. ISP1 is our default and ISP2 is the backup. What I am attempting to do is move certain traffic to ISP2 so I have set the following.
Firewall - Allowed access to the port for the internal ip
NAT - Set two dst-nat statements for each ip block depending on which ISP the connection uses.
Mangle - Mark connection coming in the ISP2 interface. Then mark routing with that connection mark. (I realize rule 10 isn’t in play at the moment and has only been in there for testing back and forth)
Routes - Route marked traffic out ISP2 gateway
Mangle
9 ;;; Mark ISP2 traffic
chain=prerouting action=mark-connection new-connection-mark=CM-ISP2
passthrough=yes in-interface=ether7 log=no log-prefix=“”
10 ;;; Mark ISP2 traffic
chain=prerouting action=mark-packet new-packet-mark=PM-ISP2
passthrough=yes connection-mark=CM-ISP2 log=no log-prefix=“”
11 ;;; Mark Routing ISP2
chain=prerouting action=mark-routing new-routing-mark=RM-ISP2
passthrough=no connection-mark=CM-ISP2 log=no log-prefix=“”
Routing
0 A S dst-address=0.0.0.0/0 gateway-x.x.x.x gateway-status=x.x.x.x reachable via ether7 distance=1 scope=30 target-scope=10 routing-mark=RM-ISP2
1 A S dst-address=0.0.0.0/0 gateway=x.x.x.x gateway-status=x.x.x.x reachable via ether8check-gateway=ping distance=2 scope=30 target-scope=10
So the result…I can route outbound traffic from our LAN without issue. However, since we host serveral servers and that traffic is inbound, when I attempt to view a web server through ISP2 it marks the SYN packets but doesn’t seem to establish a connection. My assumption is that the SYN-ACK packets or (return) traffic isn’t marked and therefore goes out the general default of ISP1. So it won’t build the full tcp connection and function.
Hitting the ip on ISP1 works just fine, just not through ISP2.
Any ideas on how to mark the return outbound traffic?