Hello,
My CRS317 has multiple connections to the outside world. Most of the traffic should leave the router via the normal default gateway, but not the management traffic.
The management traffic should be handled via the management vlan (MNGT-LAN). That VLAN is coming from another router via a trunk. The gateway of the MNGT-LAN (x.1) is on the other router.
On the CRS317 the MNGT-VLAN has the bridge-port and an interface for local management as members.
The intended behavior is that “queries” arriving via the MNGT-LAN are also answered via that MNGT-LAN (and not via the default gateway).
Configuration is as follows:
- The normal WAN gateway 0.0.0.0/0 towards address xyz via WAN-VLAN; "no routing mark"
- One MNGT-traffic gateway 0.0.0.0/0 via MNGT-LAN; routing mark "MNGTLAN"
- Mangle rule: prerouting, interface MNGT-LAN, action "mark packet", New Packet Mark "MNGTLAN"
- Also added, because it did not work, an extra Mangle rule: prerouting, Src Address "bridge address", action "mark packet", New Packet Mark "MNGTLAN"
- Mangle rule: Packet Mark "MNGTLAN", action "mark routing", value "MNGTLAN"
So in the firewall rules I created a few minimal rules to see if it works:
- Input in-interface MNGT-VLAN routing Mark “MNGTLAN” accept
- Output out-interface MNGT-VLAN routing Mark “MNGTLAN” accept
- Input in-interface WAN-VLAN accept
- Output out-interface WAN-VLAN accept
And what I see from the counters is that the management traffic comes in via the MNGT-LAN and leaves via the WAN-LAN, which was of course not the intention.
Please explain what is wrong and how it should be done.
Sincerely,
Louis
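An added example, not part of Louis's post, showing how the management-reply routing described above is normally expressed in the RouterOS CLI. It uses the interface names MNGT-VLAN and WAN-VLAN and the mark name MNGTLAN from the post; the MNGT-LAN gateway address 10.10.1.1 (the "x.1" in the post) and the RouterOS v7 syntax are assumptions. The point it illustrates: packets the router generates itself, such as the replies to management queries, traverse the output chain and never prerouting, and a packet mark set in prerouting belongs only to the incoming packet. A connection mark is kept for the whole connection, including the reply direction, so it can be matched in the output chain to set the routing mark there.

```routeros
# Added example, not from the original post. Assumes RouterOS v7 and that the
# MNGT-LAN gateway (the "x.1" address in the post) is 10.10.1.1.
# Interface names MNGT-VLAN, WAN-VLAN and the mark name MNGTLAN follow the post.

# v7 requires the routing table to exist before a route or mark can refer to it.
/routing table
add name=MNGTLAN fib

# Default route for management traffic, bound to the MNGTLAN table.
# The normal default route (no routing table) is left unchanged.
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.1.1 routing-table=MNGTLAN \
    comment="MNGT-LAN default"

/ip firewall mangle
# 1. Tag the connection when its first packet arrives via MNGT-VLAN.
#    Unlike a packet mark, the connection mark is also visible on the replies.
add chain=prerouting in-interface=MNGT-VLAN connection-state=new \
    action=mark-connection new-connection-mark=MNGTLAN passthrough=yes

# 2. Replies sent by the router itself do not pass prerouting; they go through
#    the output chain, so the routing mark has to be assigned here. RouterOS
#    re-runs the route lookup after output mangle, so the MNGTLAN table applies.
add chain=output connection-mark=MNGTLAN \
    action=mark-routing new-routing-mark=MNGTLAN passthrough=no
```

To check the result: `/ip firewall connection print where connection-mark=MNGTLAN` should list the management sessions, and the output-chain rule's counters should increase while a session is active; `/ip route print where routing-table=MNGTLAN` must show the route as active, otherwise the marked packets fall back to the main table. On RouterOS v6 the `/routing table` entry does not exist and the route is written with `routing-mark=MNGTLAN` instead of `routing-table=`; the mangle rules are the same.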