[solved] - Route internet traffic from one VLAN to exit via specific IP

RouterOS General
1

I have a single ISP connection, with 5 available static IPs. These are assigned to a single interface (eth1) and use the same gateway.

I need to have internet traffic from one specific vlan/IP subnet to exit using a specific public IP.

I thought this would be some simple routing (without the need for connection marks, etc.) but so far have not been able to get it to work as expected.

(Goal is to have all external-bound traffic from vlan23 (10.10.23.0/24) to be sourced with public IP 76.xxx.xxx.10 (default route uses 76.xxx.xxx.9)

Config snippets:

#  RouterOS 7.11.2
#
# model = RB5009UG+S+

/ip address
add address=10.10.10.1/24 interface=vlan10-Domain network=10.10.10.0
add address=10.10.20.1/24 interface=vlan20-DMZ network=10.10.20.0
add address=10.10.23.1/24 interface=vlan23-HostedPhoneServer network=10.10.23.0
add address=10.10.30.1/24 interface=vlan30-Cameras network=10.10.30.0
add address=192.168.254.1/24 interface=vlan254-Guest network=192.168.254.0
add address=172.16.10.1/24 interface=wireguard network=172.16.10.0
add address=76.xxx.xxx.9/29 interface=ether1 network=76.xxx.xxx.8
add address=76.xxx.xxx.10/29 interface=ether1 network=76.xxx.xxx.8
add address=76.xxx.xxx.11/29 interface=ether1 network=76.xxx.xxx.8

/routing table
add disabled=no fib name=HP.10

/routing rule
add action=lookup-only-in-table disabled=no dst-address=0.0.0.0/0 src-address=10.10.23.0/24 table=HP.10

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=76.xxx.xxx.14 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=76.xxx.xxx.14 pref-src=76.xxx.xxx.10 routing-table=HP.10 \
    suppress-hw-offload=no

Do I need to go a different route (ba-dum-tiss) and use connection marks, etc. or am I just missing something?

2

Just got a hap ax3 and I am trying something similar but I have different networks and not VLANs at the moment. What worked for me is the same as your config except that I have no routing rules. Try to delete the routing rule and add something like this to your firewall mangle rules:

/ip/firewall/mangle
add chain=prerouting action=mark-routing new-routing-mark=HP.10 passthrough=yes in-interface=vlan23-HostedPhoneServer

Set passthrough or not as you need it. I will follow the topic to see if I can improve my config :wink:

Edit: Or maybe just change 0.0.0.0/24 to 0.0.0.0/0 in your routing rule ?

3

?

4

0.0.0.0/24

Do’Oh! - Corrected, but no change, all traffic still appears to be coming from the .9 external IP… :-/

5

I think for this to work, you need to keep the distance=1

I have a working setup by using explicit scope and same distance as the default route in the main table (i.e. just changing the routing table) and leaving the dst-address in the routing rule blank. This would translate to your config as:

/routing table
add disabled=no fib name=HP.10

/routing rule
add action=lookup-only-in-table disabled=no src-address=10.10.23.0/24 table=HP.10

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=76.xxx.xxx.14 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=76.xxx.xxx.14 pref-src=76.xxx.xxx.10 routing-table=HP.10 \
    scope=30 suppress-hw-offload=no target-scope=10

Note that, AFAIK, the pref-src doesn’t affect forwarded traffic but only traffic on connected interfaces. As I’m using it on p2p links, I have omitted it.

6

Yeah - I think you are missing something, either that or I am misunderstanding your setup.

Everything is going out the one connection, to the one gateway, so it is not a routing decision it is a NAT rule you need.
Presumably you are NATting on this router (can’t be 100% sure as you have not posted a full config which means assumptions have to be made)

/ip address
add address=76.xxx.xxx.9/29 interface=ether1 network=76.xxx.xxx.8
add address=76.xxx.xxx.10/29 interface=ether1 network=76.xxx.xxx.8

/ip route
add distance=1 gateway=76.xxx.xxx.14 (or whatever the GW is)

/ip firewall nat
add action=src-nat chain=srcnat comment="Default Outbound NAT vlan23" out-interface=ether1 src-address=10.10.23.0/24 to-addresses=76.xxx.xxx.10
add action=src-nat chain=srcnat comment="Default Masquerade" out-interface=ether1 to-addresses=76.xxx.xxx.9

Andy

7

I was just writing an afterthought on this. Checking the wiki confirmed behaviour in my note, so given that the gateway is the same for main table as for the HP.10 table, there is indeed nothing to base the routing decision on.
NAT above by Andy should work.
For a pure routing based option, I think you need an intermediate (recursive) routing hop that is just connected to the .10. Perhaps the local-address option can do something but I can’t find it quickly in the documentation.

8 



/ip firewall nat
add action=src-nat chain=srcnat comment=" vlan23 Outgoing NAT" src-address=10.10.23.0/24 to-addresses=76.xxx.xxx.10

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=76.xxx.xxx.14

No mangle rules, no routing rules, simply that NAT rule and the 0.0.0.0/0 route.

9

Hi Kev,
The sourcenat rule makes sense
The ip route makes sense,

BUT
how do you ensure the specific vlan traffic goes out that route
OR CONVERSELY
how do you ensure all other vlan traffic does NOT go out that route.

Suggesting a routing rule…
/routing table add fib name=useISPX
/routing rule add src-address=vlansubnet action=lookup-only-in-table table=useISPX
/ip route
add dst-address=0.0.0.0/0 gateway=76.xxx.xxx.14 routing-table=useISPX

Still need the sourcenat rule…and not sure about the ip route you made but if required then at least put a distance of 10 on it…

10 



src-address=10.10.23.0/24

I have multiple VLANs and public IPs on mine.

There is only one route, but multiple IPs. All IPs use the same route.

You must have a next-hop/gateway set otherwise traffic can’t leave the router. It doesn’t matter what the distance is. 1, 10, 100, all the same when it is the only one.

11

The source address you noted has no bearing on routing, it has bearing for what is sourcenatted out that WAN, it does not move traffic :slight_smile:

Let me rephrase… based on OPs comments:
(Goal is to have all external-bound traffic from vlan23 (10.10.23.0/24) to be sourced with public IP 76.xxx.xxx.10 (default route uses 76.xxx.xxx.9)

How do you ensure that the right wanip is used by the subnet… sourcenat address doesnt do it.
your route doesnt do it, unless its lower distance than the default route, in which case all traffic will go out NOT the default route.

12

sourcenat does do it.

It grabs the 10.10.23.0/24 subnet traffic and sets the external IP.

A copy of the rule with a different RFC1918 subnet and external IP, will grab traffic from other VLANs.

The route, there should only be one route leaving the router, all the external IPs use the one route.

13

Perhaps its something I dont understand about multiple WANIPs via the same gateway, or perhaps the OP really means a netmap is needed from the IP to the subnet… in any case,
source nat does not grab or do anything in terms of routing.
It states, when the traffic is routed ( by some other function aka routing) through this interface it will be given a source address of this interface.

14

No. The selection (in my solution, the listed subnet) will be given the source address specified in the ‘Action’

15

My head hurts LOL, so the gateway is the same for all the public IPs…

16

Do’Oh!!

As usual, I feel pretty silly! SrcNat is indeed the answer. As soon as aoakley posted it my palm and forehead were reacquainted with each other!