Hi,
This is actually kind of a duplicate question on the same subject, but I’ve got one step forward.
I have RB1200 and multiple WAN connections, where:
WAN1 is for my browsing, so clients are behind NAT on a local 192.168.x.x IP subnet
WAN2 is a routing segment, which is used for a couple of servers I have here. This is NOT NAT-ed!
So to get the most use of the PORTS, I combined ports into groups using BRIDGING:
bridgeLAN should be routed out via WAN1 port
bridge WAN2 should be routed out via WAN2 port
But the problem is that all OUTGOING traffic goes via WAN1 adapter.
QUESTION:
Which method should I use to say, hey router, if you are talking about bridgeWAN2, use only the WAN2 outgoing segment,
but if I use LAN ports, then go via WAN1 adapter.
Is it HORIZON principle?
Any idea, hint?
thanks!
It’s called policy-based routing that you want; the Horizon option only prevents traffic coming in on one bridge port from leaving another bridge port with the same value.
You need some way to distinguish bridgeLAN and bridgeWAN2 from each other, I’m guessing you are using two different bridges for that? If so then it’s very simple to do since they are on separate interfaces. You can either do this in the routing table or in the mangle portion of the firewall.
In IP firewall mangle
Mark for routing all packets that are incoming on a specific interface with a routing mark of your choosing.
Do the same thing for the other bridge port.
In IP route, set up another route that uses those routing marks to specify what links connections go out of.
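The mangle-plus-route setup described in this answer, written out as an added example that is not from the original thread (RouterOS v6 syntax; the bridge names bridgeLAN and bridgeWAN2 come from the question, the gateway addresses are placeholders to replace):

```routeros
# Added example, not the poster's or the replier's configuration.
# Assumes two bridges named bridgeLAN and bridgeWAN2 and the placeholder
# next hops <WAN1_GATEWAY> and <WAN2_GATEWAY> (replace with your real gateways).

/ip firewall mangle
# One rule per bridge: everything entering from bridgeLAN is marked for WAN1,
# everything entering from bridgeWAN2 (the public, non-NAT server segment) is
# marked for WAN2. passthrough=no ends mangle processing for the packet, which
# keeps the per-packet cost low on a saturated 100/100 link.
add chain=prerouting in-interface=bridgeLAN action=mark-routing \
    new-routing-mark=via_WAN1 passthrough=no comment="LAN -> WAN1"
add chain=prerouting in-interface=bridgeWAN2 action=mark-routing \
    new-routing-mark=via_WAN2 passthrough=no comment="servers -> WAN2"

/ip route
# A default route per routing mark. A marked packet is looked up in the routes
# carrying its mark first; unmarked traffic (e.g. from the router itself) keeps
# using the main default route, which this example does not change.
add dst-address=0.0.0.0/0 gateway=<WAN1_GATEWAY> routing-mark=via_WAN1 \
    comment="PBR: bridgeLAN out WAN1"
add dst-address=0.0.0.0/0 gateway=<WAN2_GATEWAY> routing-mark=via_WAN2 \
    comment="PBR: bridgeWAN2 out WAN2"

# Checks: the packet/byte counters of both mangle rules should grow while the
# bridges carry traffic, and each mark should show its own default route.
/ip firewall mangle print stats
/ip route print where routing-mark=via_WAN2
```

On RouterOS v7 the route parameter is routing-table instead of routing-mark and each table has to be created first with /routing table add name=via_WAN2 fib (same for via_WAN1); the mangle rules are unchanged.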
Thank you for your answer.
My apologies, but I was kind of confused when writing my question.
I read about packet marking, but it scares me - a lot of processing, and I am on fully utilized double 100/100 Mbps WAN lines, and have a whole class C of public IP addresses to route, so will the CPU digest all this additional processing?
Or would it be better for me to just keep my old good home router for my private BridgeLAN surfing purposes, and configure only SERVERS on Mikrotik?
Just to be sure, here is a picture of my full config:
A 1200 should be able to handle 100/100 Mbps fine with the extra rules, but only you can answer that. What is your current CPU load at? You can slowly add in rules and see what it does to the CPU load, and if it gets up to near 100% then back off. You’ll probably be fine adding in rules if the CPU is less than 70% or so in its current configuration, but it all depends on the number of rules, how you have them ordered, and what other services you have running on top of them.
If you are just doing a simple policy based routing setup you won’t need that many rules for it to have a major impact on CPU usage. And blocking access between routed interfaces is very easy to do in the firewall and won’t take many resources either. It’s when you start doing things with Queues, and monitoring, user manager, etc. that things start to get more complex.