I think it's possible, in the sense that
a. the hEX can accommodate multiple WANs on its 5 ports (3 WAN, 2 ports for LAN)
b. the hEX can identify traffic and route it to a specific LAN
c. beyond my scope is your bandwidth allocation cap and the resulting change to routing, but I would guess it's possible.
I will see what I can dream up here for my fellow git, I mean Brit LOL (me -> colonial Canadian)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Context: Ensure those using YouTube, Netflix etc. are sent to a secondary WAN connection (ADSL) where 4G is the primary.
In order to properly identify traffic heading for YouTube etc. probably requires mangling/marking of some sort. It's a two-step process in general.
One is to mark connections to YouTube, then two, you attach a route marking rule to that traffic (marking connections is more efficient in that one marks the connection and all packets are then
Thankfully MT now has a tls-host option to help with the fact that most traffic is now HTTPS!
I don't think we need to separate out the route rule for different streams, so all marked connections will be using the same route rule.
First step will be to identify users who are attempting to access YouTube etc… and add the destination addresses to a firewall address list.
/ip firewall mangle
# youtube
add action=add-dst-to-address-list address-list=Streaming_users address-list-timeout=12h \
    chain=prerouting dst-port=443 in-interface-list=lan \
    connection-mark=no-mark protocol=tcp tls-host=*.googlevideo.com passthrough=yes
add action=add-dst-to-address-list address-list=Streaming_users address-list-timeout=12h \
    chain=prerouting dst-port=443 in-interface-list=lan \
    connection-mark=no-mark protocol=tcp tls-host=*.youtube.com passthrough=yes
# netflix
add action=add-dst-to-address-list address-list=Streaming_users address-list-timeout=12h \
    chain=prerouting dst-port=443 in-interface-list=lan \
    connection-mark=no-mark protocol=tcp tls-host=*.netflix.com passthrough=yes
# primevideo (note that Prime Music may be harder, and in that case you would have to
# force all amazon.com or amazon.co.uk traffic to ADSL)
add action=add-dst-to-address-list address-list=Streaming_users address-list-timeout=12h \
    chain=prerouting dst-port=443 in-interface-list=lan \
    connection-mark=no-mark protocol=tcp tls-host=*.primevideo.com passthrough=yes
# spotify
add action=add-dst-to-address-list address-list=Streaming_users address-list-timeout=12h \
    chain=prerouting dst-port=443 in-interface-list=lan \
    connection-mark=no-mark protocol=tcp tls-host=*.spotify.com passthrough=yes
Second step: for all identified traffic, apply a connection mark and a routing mark to any traffic matching said list.
/ip firewall mangle
add action=mark-connection chain=prerouting dst-address-list=Streaming_users in-interface-list=lan \
    connection-mark=no-mark new-connection-mark=markStreamer passthrough=yes
add action=mark-routing chain=prerouting connection-mark=markStreamer \
    new-routing-mark=routeStreamer passthrough=no
In plain English, the router will look at packets without any markings, i.e. this is done before sending traffic anywhere (not routed or going anywhere direct), just showing up at any interface covered by the "in-interface-list". If the packets have no markings and a destination port of 443 (and a domain identification of youtube.com, for example), the associated destination address of the connection is added to the applicable address list. Then we step to the next rule…
The next rule states: if the packet has no markings and a destination port of 443 (and a domain identification of googlevideo.com, for example), the associated destination address of the connection is added to the applicable address list. Then we step to the next rule… and so on…
After identifying all possible addresses, the router will then look for any connections intended for a destination address from our created list (identified by our now populated firewall address list). We set it up such that the packet being inspected is the first in a new connection without any connection markings, because we want the router to only look at new connections (and ignore already marked traffic).
The router will mark the connection with the mark (markStreamer), and any of its associated packets will not be inspected and will automatically receive the temporary mark.
Then you tell the router to look at the next prerouting rule for this connection.
The router then sees that for any connection (and associated packets) with the connection mark markStreamer it should attach another kind of mark, a routing mark routeStreamer, to that connection (and its associated packets). Then you tell the router that basically there are no more marking rules that apply.
So how do we use this special routing mark in IP route rules?
We make use of the routing-mark option available (see WinBox).
++++++++++++++++++++++++++++++++++++++++++++
Simple example failover:
/ip route
add check-gateway=ping distance=2 gateway=Gateway IP of WAN2 (4G connection)
add distance=3 gateway=Gateway IP of WAN1 (ADSL)
add distance=5 gateway=Gateway IP of WAN3 (not sure what other WANs you have or how they will get used so just a place marker for now)
add distance=1 gateway=Gateway IP of WAN1 routing-mark=routeStreamer
Complex example recursive failover
/ip route
add check-gateway=ping distance=2 gateway=8.8.4.4
# scope=10 so the default route above (default target-scope=10) can resolve 8.8.4.4 through this host route
add distance=2 dst-address=8.8.4.4/32 gateway=<Gateway IP of WAN2 (your 4G connection)> scope=10
add distance=3 gateway=<Gateway IP of WAN1 (your ADSL connection)>
add distance=1 gateway=<Gateway IP of WAN1> routing-mark=routeStreamer
A number of things I'm not sure of in this approach:
- Do I need to state distance=1 to ensure users that connect to YouTube etc. go out the secondary WAN, or is the mark rule enough??
- Should I use no-mark packets for the first mangle rule, or is sticking with no-mark connections more efficient/optimal/accurate??
- Should I be using jump chain rules here? I'm not sure if I have used passthrough correctly??
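Below is a consolidated RouterOS v6 configuration for the design described in the post above. It is an added example, not the poster's own config, and it makes these assumptions: RouterOS 6.41 or later (for tls-host), ether1 is the 4G WAN, ether2 is the ADSL WAN, the LAN sits on bridge1, and 192.0.2.1 / 198.51.100.1 are placeholder upstream gateway addresses. It adds the pieces a working multi-WAN policy-routing setup also needs and which the post leaves out: the interface list, a masquerade rule per WAN, and a check-gateway on the marked route so streaming traffic falls back to 4G when ADSL is down. It also restricts the connection-mark rule to connection-state=new: the connection that carried the ClientHello already had its source NAT fixed on its SYN (out 4G), so re-routing that same connection mid-stream out ADSL would break it, whereas every later connection to the learned address is marked from its SYN and NATed correctly.

```routeros
# Added example (not from the original post). Assumptions: RouterOS v6.41+,
# ether1 = 4G (primary), ether2 = ADSL (secondary), LAN on bridge1,
# 192.0.2.1 / 198.51.100.1 = placeholder upstream gateways.

/interface list
add name=lan
add name=wan
/interface list member
add interface=bridge1 list=lan
add interface=ether1 list=wan
add interface=ether2 list=wan

# Step 1: learn streaming destinations from the TLS SNI in the ClientHello.
# tls-host only matches the packet carrying the ClientHello, so each rule fires
# once per connection; passthrough=yes lets that packet continue down the chain.
/ip firewall mangle
add chain=prerouting in-interface-list=lan protocol=tcp dst-port=443 \
    connection-mark=no-mark tls-host=*.googlevideo.com \
    action=add-dst-to-address-list address-list=Streaming_users \
    address-list-timeout=12h passthrough=yes comment="learn: youtube video"
add chain=prerouting in-interface-list=lan protocol=tcp dst-port=443 \
    connection-mark=no-mark tls-host=*.youtube.com \
    action=add-dst-to-address-list address-list=Streaming_users \
    address-list-timeout=12h passthrough=yes comment="learn: youtube"
add chain=prerouting in-interface-list=lan protocol=tcp dst-port=443 \
    connection-mark=no-mark tls-host=*.netflix.com \
    action=add-dst-to-address-list address-list=Streaming_users \
    address-list-timeout=12h passthrough=yes comment="learn: netflix"
add chain=prerouting in-interface-list=lan protocol=tcp dst-port=443 \
    connection-mark=no-mark tls-host=*.primevideo.com \
    action=add-dst-to-address-list address-list=Streaming_users \
    address-list-timeout=12h passthrough=yes comment="learn: primevideo"
add chain=prerouting in-interface-list=lan protocol=tcp dst-port=443 \
    connection-mark=no-mark tls-host=*.spotify.com \
    action=add-dst-to-address-list address-list=Streaming_users \
    address-list-timeout=12h passthrough=yes comment="learn: spotify"

# Step 2: mark only NEW connections to learned destinations. The connection that
# carried the ClientHello is already established and already NATed out 4G, so it
# is left alone; every later connection to that address is marked from its SYN.
add chain=prerouting in-interface-list=lan connection-state=new \
    connection-mark=no-mark dst-address-list=Streaming_users \
    action=mark-connection new-connection-mark=markStreamer passthrough=yes \
    comment="mark streaming connections"
add chain=prerouting in-interface-list=lan connection-mark=markStreamer \
    action=mark-routing new-routing-mark=routeStreamer passthrough=no \
    comment="route streaming connections via table routeStreamer"

# Each WAN needs its own source NAT, otherwise packets leaving ADSL carry a
# private LAN source address and the replies never come back.
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade comment="4G"
add chain=srcnat out-interface=ether2 action=masquerade comment="ADSL"

# Main table: 4G preferred, ADSL as failover.
# routeStreamer table: ADSL only. check-gateway makes the route inactive when
# ADSL is down, and a v6 marked lookup with no active route falls back to the
# main table, so streaming simply moves to 4G until ADSL returns.
/ip route
add gateway=192.0.2.1 distance=2 check-gateway=ping comment="main: 4G"
add gateway=198.51.100.1 distance=3 comment="main: ADSL failover"
add gateway=198.51.100.1 distance=1 routing-mark=routeStreamer \
    check-gateway=ping comment="streaming: ADSL"
```

Two caveats worth keeping in mind with this approach. Distance on the routing-mark route only competes with other routes in the same marked table, so distance=1 there is harmless but not what selects the path; the routing-mark is. And the learned entries are CDN node addresses, so any other traffic to those addresses during the 12h timeout will also go via ADSL; check what has been learned with /ip firewall address-list print where list=Streaming_users before trusting the split. MikroTik's documentation also notes that tls-host cannot match when the ClientHello is split across several TCP segments, so a few connections will be missed and go out 4G.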