Wed Jul 26, 2017 4:31 am
When packets go out ether2, they need to take on ether2's public IP.
1. IP > Firewall > NAT, add masquerade rule for packets going out ether2. Same for ether1 (it probably exists already)
At this point packets will still go out ether1. So set up mangle rules and routing. The mangle rule will mark packets coming in from ether3 / ether4 and apply routing marks.
2. IP > Firewall > NAT, add mangle rule. in-interface=ether3, action=new-routing-mark, routing-mark=WAN1. Do the same for ether4/WAN2
3. IP > Routes, add a route. Dest=0.0.0.0/0, Routing Mark=WAN1, Gateway=<IP of WAN1 Gateway>. Do the same for WAN2.
Now packets from ether3 will go out ether1, and packets from ether4 will go out ether2.
I think if WAN2 goes offline, packets may go out WAN1. Not sure, but it's good practice to block outbound packets when the source IP is not your LAN.
4. IP > Firewall > Filters, add rule. Chain=forward, out-interface=WAN1, src-ip=!192.168.1.0/24, action=drop. Do the same for WAN2/subnet2.
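The four steps above as RouterOS v6 terminal commands, added here as an illustration and not part of the post. It assumes ether1 = WAN1, ether2 = WAN2, ether3 = LAN1 (192.168.1.0/24), ether4 = LAN2 (192.168.2.0/24), that both LANs fall inside 192.168.0.0/16, and uses placeholder gateway addresses; the routing-mark rule lives under /ip firewall mangle rather than under NAT.

```routeros
# Added example (not from the post). RouterOS v6 syntax; v7 expresses the
# same thing with routing tables instead of bare routing marks.
# Assumed layout: ether1=WAN1, ether2=WAN2, ether3=LAN1 192.168.1.0/24,
# ether4=LAN2 192.168.2.0/24. Gateway addresses are placeholders.

# Step 1: source NAT so traffic leaving each WAN carries that WAN's public IP.
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade comment="NAT via WAN1"
add chain=srcnat out-interface=ether2 action=masquerade comment="NAT via WAN2"

# Step 2: routing marks are set in the mangle table, chain=prerouting.
# dst-address=!192.168.0.0/16 keeps LAN-to-LAN and LAN-to-router traffic
# on the main table; otherwise it would match the marked default route
# and be pushed out a WAN.
/ip firewall mangle
add chain=prerouting in-interface=ether3 dst-address=!192.168.0.0/16 \
    action=mark-routing new-routing-mark=WAN1 passthrough=no
add chain=prerouting in-interface=ether4 dst-address=!192.168.0.0/16 \
    action=mark-routing new-routing-mark=WAN2 passthrough=no

# Step 3: one default route per routing mark; check-gateway lets the route
# go inactive when the upstream gateway stops answering.
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-mark=WAN1 \
    check-gateway=ping comment="default via WAN1 (placeholder gateway)"
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=WAN2 \
    check-gateway=ping comment="default via WAN2 (placeholder gateway)"

# Step 4: when a marked table has no active route, v6 falls back to the main
# table, so LAN2 traffic could leave via WAN1. Drop anything leaving a WAN
# whose source is not the LAN that belongs to it.
/ip firewall filter
add chain=forward out-interface=ether1 src-address=!192.168.1.0/24 \
    action=drop comment="only LAN1 may leave via WAN1"
add chain=forward out-interface=ether2 src-address=!192.168.2.0/24 \
    action=drop comment="only LAN2 may leave via WAN2"
```

To confirm the marks are doing their job, watch the packet counters with `/ip firewall mangle print stats` while a host on each LAN generates traffic, and check `/ip route print` shows both marked default routes as active; if a WAN's route goes inactive, the step 4 counters on the other WAN's drop rule will start climbing instead of that LAN's traffic silently leaking out the wrong uplink.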