The idea on a network is to have traffic within the network unmonitored and unrestricted, but all Internet traffic to and fro accounted and given priority.
Everything on the network falls within subnets of 10.0.0.0/16. User-Manager/RADIUS allocates pppoe addresses in the 10.100.0.0/16 range.
Client CPEs have the following firewall NAT rules:
0 chain=srcnat out-interface=pppoe-out1 dst-address=0.0.0.0/0
1 chain=srcnat out-interface=wlan1 dst-address=10.0.0.0/16 action=masquerade
This should surely split traffic, sending 'local' data outside RADIUS and pppoe but sending all other traffic through the pppoe tunnel.
However, local traffic is also being sent over the client's pppoe interface, i.e. a traceroute from a CPE to a server attached to the AP results in:
1 10.100.3.1 4ms 2ms 2ms
2 10.0.0.33 4ms 4ms 4ms
Can anyone spot the obvious mistake? 'Cos I can't.