Mon Jun 18, 2018 3:05 pm
Solution is to use mangle rules for those two IP addresses
and a corresponding route rule for the mangle.
/ip firewall address-list
add list=WAN2_Only address=192.168.5.9
add list=WAN2_Only address=192.168.5.26
Note: Needed to identify the two IPs for a single address list.
/ip route
add dst-address=0.0.0.0/0 gateway={gateway IP or interface of pppoe} check-gateway=ping distance=1
add dst-address=0.0.0.0/0 gateway={gateway IP of dhcp} distance=2
add dst-address=0.0.0.0/0 gateway={gateway IP of dhcp} routing-mark=special_users distance=1
Note: The primary gateway will be used in all cases if up; traffic with the routing mark will use the DHCP ISP regardless, and ISP2 will only be used for general traffic if the primary is down.
/ip firewall mangle
[EDIT: after reviewing Sindy's comments in another post, the concept of !local is flawed and should not be used in mangle rules. I was trying to limit marking to internet-based traffic only, and for the case of many other subnets would use destination address lists instead. Also, any LAN-to-LAN traffic within the same subnet or bridge would not get marked anyway, because that is at layer 2 and not subject to these FW rules.]
add chain=prerouting in-interface={appropriate interface - could be etherX, bridge, LAN etc} connection-mark=no-mark \
    src-address-list=WAN2_Only \
    action=mark-connection new-connection-mark=CMspecial_users passthrough=yes
add chain=prerouting in-interface={appropriate interface - could be etherX, bridge, LAN etc} connection-mark=CMspecial_users \
    action=mark-routing new-routing-mark=special_users passthrough=no
Note: Basically stating here that, upon seeing the first connection of each session from the two users, we should mark the connection, and then give all the traffic for that session a routing mark for the routing rule.
For discussion purposes only..
If you have another subnet or many subnets AND they are not on the same bridge but on different interfaces, one should consider cutting down on marking by excluding these subnets via FW rules.
{in this case the rule would look like
add chain=prerouting in-interface={appropriate interface - could be etherX, bridge, LAN etc} connection-mark=no-mark \
    src-address-list=WAN2_Only dst-address-list=!exclude_other_subnets \
    action=mark-connection new-connection-mark=CMspecial_users passthrough=yes
where, for example (if the subnet being used is 192.168.5.1/24):
/ip firewall address-list
add list=exclude_other_subnets address=192.168.0.0/24
add list=exclude_other_subnets address=192.168.2.0/24
add list=exclude_other_subnets address=192.168.3.0/24
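As an added example (not code from the original post), here is the whole set folded together in RouterOS v6 syntax: the two address lists, the three routes, and the two mangle rules with the exclude-list variant applied, plus the print commands used to confirm that connections and routes are actually being marked. The interface name bridge, the PPPoE interface pppoe-out1 and the DHCP-learned gateway 192.0.2.1 are assumed placeholders; substitute your own.

```routeros
# Added example, not from the original post. Assumed placeholders:
#   bridge      - LAN-side interface the two hosts sit behind
#   pppoe-out1  - primary ISP (ISP1)
#   192.0.2.1   - gateway handed out by the secondary ISP's DHCP (ISP2)

/ip firewall address-list
# the two hosts that must always leave via ISP2
add list=WAN2_Only address=192.168.5.9 comment="forced to ISP2"
add list=WAN2_Only address=192.168.5.26 comment="forced to ISP2"
# other directly attached subnets: traffic to these must not be marked
add list=exclude_other_subnets address=192.168.0.0/24
add list=exclude_other_subnets address=192.168.2.0/24
add list=exclude_other_subnets address=192.168.3.0/24

/ip route
# main table: ISP1 preferred (monitored by ping), ISP2 as failover
add dst-address=0.0.0.0/0 gateway=pppoe-out1 check-gateway=ping distance=1
add dst-address=0.0.0.0/0 gateway=192.0.2.1 distance=2
# marked traffic is looked up in the special_users table and always uses ISP2
add dst-address=0.0.0.0/0 gateway=192.0.2.1 routing-mark=special_users distance=1

/ip firewall mangle
# rule 1: on the first packet of a new connection from either host, and only
# when the destination is NOT one of the other local subnets, tag the connection
add chain=prerouting in-interface=bridge connection-mark=no-mark \
    src-address-list=WAN2_Only dst-address-list=!exclude_other_subnets \
    action=mark-connection new-connection-mark=CMspecial_users passthrough=yes
# rule 2: every packet belonging to a tagged connection gets the routing mark;
# passthrough=no stops further mangle processing for it
add chain=prerouting in-interface=bridge connection-mark=CMspecial_users \
    action=mark-routing new-routing-mark=special_users passthrough=no

# Verification: generate traffic from 192.168.5.9, then check that the
# connection carries the mark, the mangle counters increase, and the marked
# route is active
/ip firewall connection print where connection-mark=CMspecial_users
/ip firewall mangle print stats
/ip route print where routing-mark=special_users
```

Rule order matters: the connection-mark rule must sit above the routing-mark rule, since the second rule only matches connections the first one has already tagged. The "!" in dst-address-list=!exclude_other_subnets negates the match, so a connection from one of the two hosts to 192.168.2.0/24 is left unmarked and follows the main table as ordinary local traffic.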