In other words, route http and https traffic via wan1 and all other via wan2.
This works but I don't understand why I need a default route. Please bear with me as I share my set-up.
Two WAN connections via ADSL with dynamic addresses. Clients are on the LAN and are NATted.
Code:
/ip firewall nat
add action=masquerade chain=srcnat comment=\
"masquerade allowed local addresses via wan1" disabled=no \
out-interface=wan1 src-address-list=local-allowed
add action=masquerade chain=srcnat comment=\
"masquerade allowed local addresses via wan2" disabled=no \
out-interface=wan2 src-address-list=local-allowed
Firstly I mark my connections:
Code:
/ip firewall mangle
add action=jump chain=prerouting comment="" connection-state=new disabled=no \
jump-target=tcp-services protocol=tcp
add action=jump chain=prerouting comment="" connection-state=new disabled=no \
jump-target=udp-services protocol=udp
add action=jump chain=prerouting comment="" connection-state=new disabled=no \
jump-target=other-services
add action=mark-connection chain=tcp-services comment=http disabled=no \
dst-port=80 new-connection-mark=http passthrough=no protocol=tcp \
src-port=1024-65535
add action=mark-connection chain=tcp-services comment=https disabled=no \
dst-port=443 new-connection-mark=https passthrough=no protocol=tcp \
src-port=1024-65535
add action=mark-connection chain=tcp-services comment=http disabled=no \
dst-port=8080 new-connection-mark=http passthrough=no protocol=tcp \
src-port=1024-65535
add action=mark-connection chain=tcp-services comment="other tcp" disabled=no \
new-connection-mark=other-tcp passthrough=no protocol=tcp
add action=mark-connection chain=udp-services comment="other udp" \
connection-state=new disabled=no new-connection-mark=other-udp \
passthrough=no protocol=udp
add action=mark-connection chain=other-services comment=other disabled=no \
new-connection-mark=other passthrough=no
Code:
add action=mark-packet chain=prerouting comment="" connection-mark=http \
disabled=no new-packet-mark=http passthrough=no
add action=mark-packet chain=prerouting comment="" connection-mark=https \
disabled=no new-packet-mark=https passthrough=no
add action=mark-packet chain=prerouting comment="" connection-mark=other \
disabled=no new-packet-mark=other passthrough=no
add action=mark-packet chain=prerouting comment="" connection-mark=other-tcp \
disabled=no new-packet-mark=other-tcp passthrough=no
add action=mark-packet chain=prerouting comment="" connection-mark=other-udp \
disabled=no new-packet-mark=other-udp passthrough=no
Code:
add action=mark-routing chain=prerouting comment=http disabled=no \
new-routing-mark=http packet-mark=http passthrough=no
add action=mark-routing chain=prerouting comment=https disabled=no \
new-routing-mark=https packet-mark=https passthrough=no
add action=mark-routing chain=prerouting comment=other-tcp disabled=no \
new-routing-mark=other-tcp packet-mark=other-tcp passthrough=no
add action=mark-routing chain=prerouting comment=other-udp disabled=no \
new-routing-mark=other-udp packet-mark=other-udp passthrough=no
add action=mark-routing chain=prerouting comment=other disabled=no \
new-routing-mark=other packet-mark=other passthrough=no
Code:
/ip route
add comment="default route" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wan1
add comment=http disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wan2 \
routing-mark=http
add comment=https disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wan2 \
routing-mark=https
add comment=other disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wan1 \
routing-mark=other
add comment=other-tcp disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
wan1 routing-mark=other-tcp
add comment=other-udp disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
wan1 routing-mark=other-udp
Why do I need this routing rule?
Code:
add comment="default route" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wan1
This all 'sort-of' works, but only if I enable the default rule. I just don't see why, if I've marked all other traffic and then routed it, I need this default rule.
For some other reason, I seem to have load-balanced everything rather than policy routing based on marked connections.
My guess is that I'm not catching all the packets somehow.
Thanks for staying with me.
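Added diagnostic snippet, not part of the original post: these RouterOS commands show which of the mangle rules and routes quoted above actually see traffic, and append a temporary logging rule that catches any LAN packet leaving prerouting with no packet mark. Such a packet carries no routing mark either, so it is looked up in the main table and depends on the default route; the same is true of packets the router originates itself (its own DNS, NTP and so on), which pass through the output chain and never reach these prerouting rules. The LAN interface name `lan1` and the log prefix are assumptions.

```routeros
# Added example, not from the original post. Assumes the LAN interface is named
# lan1 and that the mangle and route configuration shown in the post is loaded.

# 1. Rule hit counters: a mark rule whose counters stay at zero never matches.
/ip firewall mangle print stats

# 2. Live connections and the connection mark each one carries. Anything that
#    should be web traffic but shows a different mark (or none) is going to
#    whichever table that mark selects, not the http table.
/ip firewall connection print where connection-mark=http
/ip firewall connection print where connection-mark=https

# 3. Routes per routing table, to confirm every mark has a matching gateway.
/ip route print where routing-mark=http
/ip route print where routing-mark=other-tcp

# 4. Temporary catch-all at the end of prerouting. The mark rules above use
#    passthrough=no, so a marked packet never reaches this rule; anything
#    logged here from the LAN was missed by them and will use the main table.
#    Browse for a while, inspect the log, then remove the rule again.
/ip firewall mangle add chain=prerouting in-interface=lan1 packet-mark=no-mark \
    action=log log-prefix="UNMARKED: " comment="temporary: find unmarked traffic"
/log print where message~"UNMARKED"
/ip firewall mangle remove [find comment="temporary: find unmarked traffic"]
```

The log lines from step 4 include protocol, source and destination, which is usually enough to see which class of traffic the mark rules are not catching.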