
 
wilburt
Frequent Visitor
Topic Author
Posts: 84
Joined: Tue Aug 24, 2010 3:07 am

Forcing out interface based on internal IP address

Mon Dec 07, 2015 2:18 am

Hi experts,

I have two out interfaces to the WWW. What is the best way to push outbound traffic from a particular network out a specific gateway?

For example

Out Eth1 10.20.20.2
Out Eth2 172.15.12.2

Internal DHCP server

192.168.88.0/24
192.168.99.0/24

Looking to have 88 network out Eth1 and 99 network out Eth2

Thanks
 
ConnectivityEngineer
Frequent Visitor
Posts: 57
Joined: Sat Dec 19, 2015 10:57 pm
Location: Ohio, USA

Re: Forcing out interface based on internal IP address

Tue Dec 22, 2015 9:18 am

This is done via Policy Based Routing.

Butch Evans has an excellent blog posting on this - http://blog.butchevans.com/2008/09/mikr ... n-example/ rather than me retyping all this stuff over.

If you're US-based, I suggest checking out Butch's Training Sessions as well.
Glenn Kelley | MCTNA, MTCWE, MTCTCE, RHCE, RHCSS
http://Connectivity.Engineer
USA Based 24x7x365 Mikrotik, Juniper, Ubiquiti TAC & WISP / ISP Blind Label Support Call Center
 
wilburt
Frequent Visitor
Topic Author
Posts: 84
Joined: Tue Aug 24, 2010 3:07 am

Re: Forcing out interface based on internal IP address

Sat Jan 23, 2016 9:23 am

Thanks heaps! I will read through.
 
wilburt
Frequent Visitor
Topic Author
Posts: 84
Joined: Tue Aug 24, 2010 3:07 am

Re: Forcing out interface based on internal IP address

Wed Jan 27, 2016 4:23 am

So far so good. I am able to ping and get DNS, but for some reason I can't browse the internet.

There are no firewall rules that are dropping packets.

I have static routes that point back and also NAT on that network and port.

Any ideas where else it could go wrong?
 
wilburt
Frequent Visitor
Topic Author
Posts: 84
Joined: Tue Aug 24, 2010 3:07 am

Re: Forcing out interface based on internal IP address

Fri Jan 29, 2016 9:58 am

Thanks for the pointer. It works.

There is one flaw. How do we ensure that a specific network can only go out one ISP and not the other? The good: 192.168.88.0/24 and 10.11.0.0/20 can't go out 172.16.1.0/24. However, the problem is that the 192.168.99.0/24 network can go out the 10.10.10.0/24 ISP if the 172.16.1.0/24 network is unreachable. This is what I have:

/ip route
add gateway=172.16.1.1 routing-mark=RTF
add gateway=10.10.10.1 routing-mark=WEFI

/ip route rule
add dst-address=192.168.88.0/24 action=lookup table=main
add dst-address=192.168.99.0/24 action=lookup table=main
add dst-address=10.11.0.0/20 action=lookup table=main

add dst-address=10.10.10.0/24 action=lookup table=main
add dst-address=172.16.1.0/24 action=lookup table=main

add src-address=10.10.10.0/24 action=lookup table=WEFI
add src-address=172.16.1.0/24 action=lookup table=RTF

add routing-mark=RTF action=lookup table=RTF
add routing-mark=WEFI action=lookup table=WEFI

/ip firewall mangle
add chain=prerouting src-address=192.168.99.0/24 action=mark-routing \
new-routing-mark=RTF passthrough=no

add chain=prerouting src-address=192.168.88.0/24 action=mark-routing \
new-routing-mark=WEFI passthrough=no

add chain=prerouting src-address=10.11.0.0/20 action=mark-routing \
new-routing-mark=WEFI passthrough=no

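An added example, not part of the thread and not the poster's or MikroTik's own configuration: the posted routing-mark rules beside a fail-closed variant, so that a subnet pinned to one uplink has no route at all when that uplink is down. The table names and subnets come from the post above; the interface name `ether-wefi` and the rule comment are hypothetical, and a default route in table main is assumed.

```routeros
# Added example. RTF/WEFI and the subnets are from the post above;
# "ether-wefi" is a hypothetical name for the 10.10.10.0/24 uplink.

# As posted (fail-open): with action=lookup, when table RTF has no
# active route the lookup continues in table main, so 192.168.99.0/24
# follows whatever default route main holds.
#   /ip route rule add routing-mark=RTF  action=lookup table=RTF
#   /ip route rule add routing-mark=WEFI action=lookup table=WEFI

# Fail-closed: change the two existing rules in place (rule order is
# kept) so that marked traffic is resolved only in its own table.
/ip route rule
set [find routing-mark=RTF action=lookup] action=lookup-only-in-table
set [find routing-mark=WEFI action=lookup] action=lookup-only-in-table

# Backstop in the forward chain: drop 192.168.99.0/24 if it is ever
# routed toward the other uplink. A new rule is appended at the end of
# the chain, so move it above any broader accept rule.
/ip firewall filter
add chain=forward src-address=192.168.99.0/24 out-interface=ether-wefi \
    action=drop comment="99 net must not leave via WEFI uplink"

# Check the result: both marked rules should show lookup-only-in-table.
/ip route rule print
```

With the rules changed, hosts in 192.168.99.0/24 lose connectivity while the 172.16.1.1 route is inactive instead of leaving through the other ISP.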
