Wed Apr 25, 2018 9:54 pm
I prefer using address lists to identify GROUP OBJECTS, be they users, IP addresses, services etc.
That way I am monkeying LESS with actual rules OF ANY SORT, when solely having to change objects!!
In other words, I only have to modify objects in many instances and not rules.
In reviewing this issue, I have decided to derive a better solution.
Assumption: LAN is comprised of users or potential users from 192.168.0.2 - 192.168.0.254 (assuming 192.168.0.1 is the DHCP gateway).
Background: OP has a requirement to ensure users .50-.150 use WAN1; OP has a requirement to ensure the subset of users .100-.110 use WAN2.
Solution: Identify the necessary groups.
Additions, for example: admin use of WAN2 vice WAN1, to add some complication for example purposes, and identification of unused groups for later use.
Address List
LAN1_GroupA - 192.168.0.50 - 192.168.0.150 (comment: WAN1 users)
LAN1_GroupB - 192.168.0.100 - 192.168.0.110 (comment: WAN2 users).
LAN1_GroupC - 192.168.0.21 - 192.168.0.23 (comment: Admin PCs to access WAN2)
LAN1_GroupD - 192.168.0.2 - 192.168.0.49 (comment: not used)
LAN1_GroupE - 192.168.0.151 - 192.168.0.254 (comment: not used)
For clarity, the PRIMARY ISP is considered to be WAN1 and the SECONDARY ISP is considered to be WAN2.
Mangle Rules:
/ip firewall mangle
add chain=prerouting src-address-list=LAN1_GroupB action=mark-routing new-routing-mark=GroupB_WAN2
add chain=prerouting src-address-list=LAN1_GroupC action=mark-routing new-routing-mark=Admin_WAN2
** I am not sure if stating the source address list alone, as per the above, is sufficient, or whether I have to identify the interface at all (such as in-interface=LAN)?
Standard Routing Rules for Failover ** Assumes all traffic going out of the router uses WAN1 unless otherwise specified. Thus, for simplicity's sake, I don't have to differentiate routing where not necessary. The basic routing rules state that all users will use the Primary WAN unless it's unavailable, in which case users will be pushed to the secondary WAN, in this case WAN2. When WAN1 comes back online users will then be routed through WAN1.
/ip route
add dst-address=0.0.0.0/0 gateway=<Primary ISP gateway IP, not the WAN IP> check-gateway=ping distance=1
add dst-address=0.0.0.0/0 gateway=<Secondary ISP gateway IP> distance=2
New routing rules for specific users (whose primary route is out WAN2). One should note that there are TWO rules, as above, per group, to deal with failover. Designed in case WAN2 becomes unavailable and users thus need access to the internet via WAN1. If WAN2 comes back online, users will then once again be routed through WAN2.
/ip route
add dst-address=0.0.0.0/0 gateway=<Secondary ISP gateway IP, not the WAN IP> check-gateway=ping distance=1 routing-mark=GroupB_WAN2
add dst-address=0.0.0.0/0 gateway=<Primary ISP gateway IP> distance=2 routing-mark=GroupB_WAN2
add dst-address=0.0.0.0/0 gateway=<Secondary ISP gateway IP> check-gateway=ping distance=1 routing-mark=Admin_WAN2
add dst-address=0.0.0.0/0 gateway=<Primary ISP gateway IP> distance=2 routing-mark=Admin_WAN2
Last edited by anavds on Thu Apr 26, 2018 3:57 pm, edited 2 times in total.
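The following is an added Python model of the design in the post above (constructed for illustration; it is not RouterOS configuration and not the poster's code). It encodes the address lists, the mangle marks and the per-mark route tables from the post, and reports which WAN a given LAN address would leave through for a given gateway-up state, so the overlap between LAN1_GroupA and LAN1_GroupB and the failover behaviour can be checked before touching the router. The names WAN1 and WAN2 stand in for the primary and secondary ISP gateway IPs.

```python
import ipaddress

# Address lists from the post: name -> inclusive (first, last) range.
ADDRESS_LISTS = {
    "LAN1_GroupA": ("192.168.0.50", "192.168.0.150"),
    "LAN1_GroupB": ("192.168.0.100", "192.168.0.110"),
    "LAN1_GroupC": ("192.168.0.21", "192.168.0.23"),
}

# Mangle rules in order: (src-address-list, new-routing-mark). The first
# matching rule decides the mark in this model; GroupA has no rule, so its
# members fall through to the main table.
MANGLE = [
    ("LAN1_GroupB", "GroupB_WAN2"),
    ("LAN1_GroupC", "Admin_WAN2"),
]

# Routes: (routing-mark or None for the main table, gateway, distance).
# WAN1/WAN2 are placeholders for the ISP gateway addresses.
ROUTES = [
    (None, "WAN1", 1), (None, "WAN2", 2),
    ("GroupB_WAN2", "WAN2", 1), ("GroupB_WAN2", "WAN1", 2),
    ("Admin_WAN2", "WAN2", 1), ("Admin_WAN2", "WAN1", 2),
]

def in_list(ip, list_name):
    """True if ip falls inside the named address list's range (inclusive)."""
    lo, hi = (ipaddress.ip_address(a) for a in ADDRESS_LISTS[list_name])
    return lo <= ipaddress.ip_address(ip) <= hi

def member_lists(ip):
    """All address lists that contain ip, to spot overlapping groups."""
    return [name for name in ADDRESS_LISTS if in_list(ip, name)]

def routing_mark(src_ip):
    """Routing mark assigned by the first matching mangle rule, or None."""
    for list_name, mark in MANGLE:
        if in_list(src_ip, list_name):
            return mark
    return None

def egress_wan(src_ip, gateway_up):
    """Gateway chosen for src_ip: the lowest-distance route in the table
    selected by its mark whose gateway passes check-gateway=ping.
    gateway_up maps gateway name -> bool. Returns None if no route is up."""
    mark = routing_mark(src_ip)
    candidates = [(dist, gw) for m, gw, dist in ROUTES
                  if m == mark and gateway_up.get(gw, False)]
    return min(candidates)[1] if candidates else None
```

Running it with both gateways up sends 192.168.0.105 out WAN2 even though it is also in LAN1_GroupA, and with WAN2 down the same host falls back to WAN1 via the distance-2 route in its own table.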