Route traffic to one IP through specific gateway

Hi all,

My situation:

interface1: LAN1 (192.168.0.0)
interface2: LAN2 (71.40.116.0)
interface3: WAN1 (77.45.45.120)
interface4: WAN2 (88.30.30.0)

In order to make an IPSec connection to another device I need to ping this IP 92.11.11.200. This IP is reachable only from the LAN2 network and has to go out through the WAN1 interface.
Now when running tracert 92.11.11.200 I see that it goes through the wrong gateway, in this case WAN2.

So, if you could help me with a rule that will get me to this IP 92.11.11.200 through gateway WAN1.

*I’m using PCC load balancing.

Thank you.

Just add entry to the routing table:

ip route add dst-address=92.11.11.200/32 gateway=x.x.x.x

where x.x.x.x is the default gateway of the WAN connection you want to route to.
If you want to block connections from LAN1, I suppose you would use a firewall rule.

Already tried this, it doesn’t work; it goes through the other gateway (WAN2).

C:\Users\admin>tracert 172.30.255.11

Tracing route to 172.30.255.11 over a maximum of 30 hops

  1     *        *        *     Request timed out.
  2    <1 ms    <1 ms    <1 ms  88.30.30.1
  3     1 ms    <1 ms    <1 ms  *.*.*.*

You need to make sure your PCC rules don’t get triggered for that destination.

Or you need to route mark specifically for that destination and uncheck passthrough in the mangle rules.

Then use a route with the route mark set on it.

It would help if you showed your mangle rules and routing table.

Nick.

My config:

/ip firewall mangle
add action=accept chain=prerouting disabled=no dst-port=80 protocol=tcp
add action=accept chain=prerouting disabled=no dst-address=192.168.0.0/24
add action=accept chain=prerouting disabled=no dst-address=77.45.45.120/30 in-interface=LAN1
add action=accept chain=prerouting disabled=no dst-address=88.30.30.0/24 in-interface=LAN1
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=no in-interface=WAN1 new-connection-mark=WAN1 passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=no in-interface=WAN2 new-connection-mark=WAN2 passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=no dst-address-type=!local in-interface=LAN1 new-connection-mark=WAN1 passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=no dst-address-type=!local in-interface=LAN1 new-connection-mark=WAN2 passthrough=yes per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=WAN1 disabled=no in-interface=LAN1 new-routing-mark=WAN1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN2 disabled=no in-interface=LAN1 new-routing-mark=WAN2 passthrough=no
add action=mark-routing chain=output connection-mark=WAN1 disabled=no new-routing-mark=WAN1 passthrough=no
add action=mark-routing chain=output connection-mark=WAN2 disabled=no new-routing-mark=WAN2 passthrough=no
add action=accept chain=output disabled=no dst-address=192.168.0.0/24
add action=mark-connection chain=output connection-mark=no-mark disabled=no dst-address-type=!local new-connection-mark=WAN1 passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=output connection-mark=no-mark disabled=no dst-address-type=!local new-connection-mark=WAN2 passthrough=yes per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=output connection-mark=WAN1 disabled=no new-routing-mark=WAN1 passthrough=no
add action=mark-routing chain=output connection-mark=WAN2 disabled=no new-routing-mark=WAN2 passthrough=no



/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=77.45.45.121 routing-mark=WAN1 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=88.30.30.1 routing-mark=WAN2 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=77.45.45.121 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=88.30.30.1 scope=30 target-scope=10

Thank you.

Anyone ? :confused:

In your mangle, put this at the top:

add action=accept chain=prerouting disabled=no dst-address=92.11.11.200

With the command above you will exclude traffic designated for that address from the PCC; it will just pass through the mangle without adding any mark…

And then put a static route for that IP to go through WAN1:

# x.x.x.x is the WAN1 gateway
ip route add dst-address=92.11.11.200/32 gateway=x.x.x.x
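
Added example (not part of any post in this thread): a small Python model of why the static route on its own still sent some LAN1 clients out through WAN2, and why the accept rule at the top of mangle changes that. The gateways and networks are taken from the posted config; the octet-sum classifier is a stand-in for RouterOS's PCC hash, and the first-match and per-mark table lookup are simplifying assumptions.

```python
import ipaddress

# Simplified model (assumptions): mangle is first-match, a packet with a routing
# mark is looked up only in that mark's table, and unmarked packets use "main".
TARGET = "92.11.11.200"

# From the thread's /ip route export (active routes only) plus the /32 static route.
ROUTES = {
    "WAN1": [("0.0.0.0/0", "77.45.45.121")],
    "WAN2": [("0.0.0.0/0", "88.30.30.1")],
    "main": [("0.0.0.0/0", "77.45.45.121"), ("92.11.11.200/32", "77.45.45.121")],
}

# dst-address values of the action=accept rules that sit above the PCC rules.
BEFORE = ["192.168.0.0/24", "77.45.45.120/30", "88.30.30.0/24"]  # as posted
AFTER = ["92.11.11.200/32"] + BEFORE                              # with the fix

def pcc_mark(src, dst):
    # Stand-in for per-connection-classifier=both-addresses:2/N: octet sum
    # modulo 2, NOT RouterOS's real hash. It only has to split deterministically.
    octets = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    return "WAN1" if sum(octets) % 2 == 0 else "WAN2"

def routing_mark(src, dst, accept_nets):
    """Routing mark after prerouting, or None if an accept rule matched first."""
    dst_ip = ipaddress.ip_address(dst)
    if any(dst_ip in ipaddress.ip_network(net) for net in accept_nets):
        return None
    return pcc_mark(src, dst)

def next_hop(dst, mark):
    """Longest-prefix match inside the table selected by the routing mark."""
    dst_ip = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(n), gw) for n, gw in ROUTES[mark or "main"]]
    return max((m for m in nets if dst_ip in m[0]), key=lambda m: m[0].prefixlen)[1]

def gateways_used(accept_nets, hosts=range(2, 50)):
    """Gateways that LAN1 clients 192.168.0.2-49 would use to reach TARGET."""
    return {next_hop(TARGET, routing_mark(f"192.168.0.{h}", TARGET, accept_nets))
            for h in hosts}

if __name__ == "__main__":
    print("static route only: ", sorted(gateways_used(BEFORE)))
    print("accept rule on top:", sorted(gateways_used(AFTER)))
```

In the model, the /32 route lives only in the main table, so any connection that PCC has already marked WAN2 never consults it.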