
Forcing out interface based on internal IP address

Posted: Mon Dec 07, 2015 2:18 am
by wilburt
Hi experts,

I have two out interfaces to the WWW. What is the best way to push outbound traffic from a particular network out a specific gateway?

For example

Out Eth1 10.20.20.2
Out Eth2 172.15.12.2

Internal DHCP server

192.168.88.0/24
192.168.99.0/24

Looking to have the 88 network go out Eth1 and the 99 network out Eth2.

Thanks

Re: Forcing out interface based on internal IP address

Posted: Tue Dec 22, 2015 9:18 am
by ConnectivityEngineer
This is done via Policy Based Routing

Butch Evans has an excellent blog posting on this - http://blog.butchevans.com/2008/09/mikr ... n-example/ rather than me retyping all this stuff over.

If you're US based, I suggest checking out Butch's training sessions as well.

Re: Forcing out interface based on internal IP address

Posted: Sat Jan 23, 2016 9:23 am
by wilburt
Thanks heaps! I will read through.

Re: Forcing out interface based on internal IP address

Posted: Wed Jan 27, 2016 4:23 am
by wilburt
So far so good. I am able to ping, and get DNS, but for some reason I can't browse the internet.

There are no firewall rules that are dropping packets.

I have static routes that point back and also NAT on that network and port.

Any ideas where else this could go wrong?

Re: Forcing out interface based on internal IP address

Posted: Fri Jan 29, 2016 9:58 am
by wilburt
Thanks for the pointer. It works.

There is one flaw. How do we ensure that a specific network can only go out one ISP and not the other? The good: 192.168.88.0/24 and 10.11.0.0/20 can't go out 172.16.1.0/24. However, the problem is that the 192.168.99.0/24 network can go out the 10.10.10.0/24 ISP if the 172.16.1.0/24 network is unreachable. This is what I have:

# Per-ISP routing tables: one default route each, selected by routing-mark
/ip route
add gateway=172.16.1.1 routing-mark=RTF
add gateway=10.10.10.1 routing-mark=WEFI

/ip route rule
# Traffic to local networks always uses the main table
add dst-address=192.168.88.0/24 action=lookup table=main
add dst-address=192.168.99.0/24 action=lookup table=main
add dst-address=10.11.0.0/20 action=lookup table=main

# Traffic to the ISP transit networks also stays in the main table
add dst-address=10.10.10.0/24 action=lookup table=main
add dst-address=172.16.1.0/24 action=lookup table=main

# Replies sourced from a WAN address go back out the same ISP
add src-address=10.10.10.0/24 action=lookup table=WEFI
add src-address=172.16.1.0/24 action=lookup table=RTF

# Marked traffic uses its ISP table; action=lookup falls back to main
# when the table has no active route
add routing-mark=RTF action=lookup table=RTF
add routing-mark=WEFI action=lookup table=WEFI

# Assign a routing-mark per internal network
/ip firewall mangle
add chain=prerouting src-address=192.168.99.0/24 action=mark-routing \
new-routing-mark=RTF passthrough=no

add chain=prerouting src-address=192.168.88.0/24 action=mark-routing \
new-routing-mark=WEFI passthrough=no

add chain=prerouting src-address=10.11.0.0/20 action=mark-routing \
new-routing-mark=WEFI passthrough=no

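As an added example (not the poster's configuration), the /ip route rule section rewritten so that a routing-mark table with no active route does not fall back to main: `action=lookup` is what lets 192.168.99.0/24 escape out the 10.10.10.0/24 ISP, and `action=lookup-only-in-table` stops that. It assumes RouterOS v6 syntax as used in the thread; the check-gateway lines are an assumption added so a dead ISP actually deactivates its route.

```routeros
# Added example, not from the thread. RouterOS v6 syntax assumed.
#
# Weak setting (as posted): action=lookup consults the marked table and,
# if it holds no usable route, silently continues to the main table,
# so a network pinned to one ISP fails over to the other one.
#   add routing-mark=RTF  action=lookup table=RTF
#   add routing-mark=WEFI action=lookup table=WEFI
#
# Corrected: lookup-only-in-table never consults another table. If the
# assigned ISP is down, the traffic is not routed at all rather than
# leaking out the other link.
/ip route rule
add dst-address=192.168.88.0/24 action=lookup table=main
add dst-address=192.168.99.0/24 action=lookup table=main
add dst-address=10.11.0.0/20 action=lookup table=main
add dst-address=10.10.10.0/24 action=lookup table=main
add dst-address=172.16.1.0/24 action=lookup table=main
add src-address=10.10.10.0/24 action=lookup table=WEFI
add src-address=172.16.1.0/24 action=lookup table=RTF
add routing-mark=RTF action=lookup-only-in-table table=RTF
add routing-mark=WEFI action=lookup-only-in-table table=WEFI

# Assumption: mark each ISP default route as inactive when its gateway
# stops answering, so the rule above has no route to use instead of a
# stale one. (Constructed for this example.)
/ip route
set [find routing-mark=RTF] check-gateway=ping
set [find routing-mark=WEFI] check-gateway=ping

# Verify: the RTF table should show no active route while that ISP is
# down, and the 192.168.99.0/24 rule must still point only at RTF.
/ip route print where routing-mark=RTF
/ip route rule print
```

The trade-off is explicit: a network that must only ever use one ISP loses connectivity when that ISP is down instead of switching links, which is the behaviour the post asks for.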