Routing certain IPs to go via 2nd Gateway

Hi

I’m trying to get RouterOS to selectively send certain requests to another gateway.
I’ve got 4 VLANs (50, 100, 150, 200) running. I’ve got 2 working, but 1 I cannot get working.

VLANs 100 and 200 send all unknown traffic to the 2nd gateway (207) and browsing works without issue.
VLAN 50 will eventually have no Internet access.
VLAN 150 will selectively send traffic over the 2nd gateway. This is where the issue seems to be: the traffic seems to be sent up and also received and responded to by the remote server, but nothing is received back by the client. Using VLANs 100 or 200 (with the same client), the response comes back.

I must have missed something.

I’ve attached both configurations: for the router doing the selection and for the actual gateway.

Thanks
Selector.txt (7.19 KB)
GatewayVpn.txt (5.13 KB)

Can you provide more detail… a network diagram would remove many questions.

In VLAN 150 you mangle-mark the distinct subnet(s) with a new route mark and selectively route them.
You did this for the other traffic; it’s no different.
The only trick you may need to apply is to have a destination list if VLAN 150 traffic has to go locally for certain IPs.

For example, if VLAN 150 traffic has to go locally for private IPs but via gateway 2 for the Internet, just make up a private IP address list of
10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, and on the mark-routing rule use "not destination address list: private".

This is the basic form; you may need to add a not-destination-list to the mangle new-routing-mark rule as per above.

/routing table
add disabled=no fib name=Vlan150UseGateway2

/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=Vlan150UseGateway2 \
    passthrough=no src-address=xxx.xxx.xxx.x/x

/ip route
add comment="Marked vlan150 traffic to Gateway2" disabled=no distance=1 \
    dst-address=0.0.0.0/0 gateway=yyy.yyy.yyy.yyy pref-src="" \
    routing-table=Vlan150UseGateway2 scope=30 suppress-hw-offload=no target-scope=10
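The full form of the policy-routing setup described in the reply above, as an added example that is not part of the original post or either poster's configuration. It assumes the VLAN 150 subnet is 192.168.150.0/24 and that gateway 2 is reachable at 192.168.207.1 (both assumed values); 100.100.100.100 is the placeholder the thread itself uses for the remote work server. It also adds the two checks a practitioner would want after applying such rules: rule counters to confirm the mark is being applied, and temporary log rules in the forward chain to see whether replies from the remote server reach the Selector at all.

```routeros
# Added example for RouterOS v7 (not from the thread). Assumed values:
#   VLAN 150 subnet ...... 192.168.150.0/24   (assumption)
#   Gateway 2 address .... 192.168.207.1      (assumption)
#   Remote work server ... 100.100.100.100    (placeholder used in the thread)

# 1. Address list of RFC 1918 space, so traffic to local/private destinations
#    is never marked and stays in the main routing table.
/ip firewall address-list
add list=private address=10.0.0.0/8
add list=private address=172.16.0.0/12
add list=private address=192.168.0.0/16

# 2. A separate routing table; "fib" makes it usable for forwarding.
/routing table
add name=Vlan150UseGateway2 fib disabled=no

# 3. Route-mark only packets arriving from VLAN 150.
#    Option A: mark just the one destination of interest.
/ip firewall mangle
add chain=prerouting src-address=192.168.150.0/24 dst-address=100.100.100.100 \
    action=mark-routing new-routing-mark=Vlan150UseGateway2 passthrough=no \
    comment="VLAN150 -> work server via Gateway2"
#    Option B (the reply's general form, use instead of A): everything that is
#    NOT a private destination goes via gateway 2.
# add chain=prerouting src-address=192.168.150.0/24 dst-address-list=!private \
#     action=mark-routing new-routing-mark=Vlan150UseGateway2 passthrough=no \
#     comment="VLAN150 -> Internet via Gateway2"

# 4. Default route that only marked packets consult.
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.207.1 routing-table=Vlan150UseGateway2 \
    distance=1 comment="Marked VLAN150 traffic to Gateway2"

# 5. Check: are packets actually hitting the mark rule? Non-zero counters here
#    mean the mark is applied; zero means the src/dst matchers are wrong.
/ip firewall mangle print stats where comment~"VLAN150"
/ip route print where routing-table=Vlan150UseGateway2

# 6. Check: temporary log rules, placed at the top of the filter chain so no
#    earlier accept/drop rule hides them. "log" passes the packet on unchanged.
#    v150-out  = new connections leaving VLAN 150 for the work server
#    v150-back = any packet from the work server addressed back to VLAN 150
/ip firewall filter
add place-before=0 chain=forward connection-state=new \
    src-address=192.168.150.0/24 dst-address=100.100.100.100 \
    action=log log-prefix="v150-out"
add place-before=0 chain=forward \
    src-address=100.100.100.100 dst-address=192.168.150.0/24 \
    action=log log-prefix="v150-back"
/log print where message~"v150-"
```

Two points about how this behaves: the mark is applied in prerouting only to packets that enter from VLAN 150, so replies coming back from gateway 2 carry no routing mark and are looked up in the main table; the Selector therefore needs a route to 192.168.150.0/24 there (the connected route on the VLAN interface is enough), and the router at gateway 2 needs a return route to that subnet as well. If "v150-out" lines appear but no "v150-back" lines do, the replies are not reaching the Selector and the problem lies upstream of it; if both appear, the loss is between the Selector and the client. Disable or remove the two log rules once the path is confirmed, since they log every matching packet.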

HI

Firstly, there was a mistake in the configuration for the Selector (I just found out). Basically, the default route in the Selector using 207 (Gateway 2) should be in the VPN routing table and not part of main, which should be just 254 (Gateway 1).
I’ve quickly corrected this (I’ll upload the config later).

Basically, the routing appears to be working:

  • All traffic for VLAN 200 is always sent over the VPN (Gateway 2), and has been working flawlessly
  • Traffic to 100.100.100.100 (fake placeholder) works and the client gets the response back
  • Default traffic for VLAN 150 should be sent to Gateway 1
  • This is where the mistake was, and it has been corrected
  • Traffic to 100.100.100.100 from VLAN 150 should go via Gateway 2
  • Traffic is being received by 100.100.100.100 (work server, so I can get the logs)
  • No response is getting to the client

The issue here is why there is no response getting to the client. I’ve attached a quick diagram of what I’m trying to do.

Thanks
GatewaySelector.png

Hi

Please find the updated configs.

I thought it was something like the other routing tables causing issues, but disabling them didn’t affect VLAN 150.

Currently, traffic to 100.100.100.100 on VLANs 100 and 200 works perfectly. At the moment 150 only seems to be one-way: traffic is received by the remote server but the responses are lost. I believe the issue is something on the Selector. Is there any logging I can do on the routers to confirm the responses from 100.100.100.100 are coming back into my network, and where they are being lost?

I’ve also confirmed that the VLAN gateway can ping the clients on VLAN 150.

Thanks
Selector.txt (1.97 KB)
GatewayVpn.txt (4.73 KB)